FortiGate Log Message Reference v5.0 Patch Release 10
FortiGate Log Message Reference - FortiOS 5.0.10
March 13, 2015
01-510-112804-20150313
Copyright© 2015 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and
FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in the U.S. and
other jurisdictions, and other Fortinet names herein may also be registered and/or common law
trademarks of Fortinet. All other product or company names may be trademarks of their
respective owners. Performance and other metrics contained herein were attained in internal
lab tests under ideal conditions, and actual performance and other results may vary.
Network variables, different network environments and other conditions may affect
performance results. Nothing herein represents any binding commitment by Fortinet, and
Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet
enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser
that expressly warrants that the identified product will perform according to certain
expressly-identified performance metrics and, in such event, only the specific
performance metrics expressly identified in such binding written contract shall be binding on
Fortinet. For absolute clarity, any such warranty will be limited to performance in the same
ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any
commitment related to future deliverables, features or development, and circumstances may
change such that any forward-looking statements herein are not accurate. Fortinet disclaims in
full any covenants, representations, and guarantees pursuant hereto, whether express or
implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this
publication without notice, and the most current version of the publication shall be applicable.
Technical Documentation docs.fortinet.com
Knowledge Base kb.fortinet.com
Customer Service & Support support.fortinet.com
Training Services training.fortinet.com
FortiGuard fortiguard.com
Document Feedback [email protected]
Change Log
Date Change Description
2013-03-20 Initial Release.
2013-09-27 Patch 4 Release.
2014-04-01 Patch 6 Release. Added Variable Event Logs Addendum.
2015-01-16 Patch 9 Release. Complete corrections of all terminology.
2015-03-13 Patch 10 Release. Added new Variable Event Logs.
Log Field Name Changes in FortiOS 5.0
4.3                5                    4.3                5
app_cat            appcat               pri                level
app_list           applist              profile_group      profilegroup
app_type           apptype              profile_type       profiletype
asset_id           assetid              quota_exceeded     quotaexceeded
asset_name         assetname            quota_max          quotamax
attack_id          attackid             quota_used         quotaused
attack_name        attackname           rcvd               rcvdbyte
carrier_ep         carrierep            rcvd_pkt           rcvdpkt
cat_desc           catdesc              rem_ip             remip
class_desc         classdesc            rem_port           remport
conn-mode          connmode             remote_ip          remip
content_type       contenttype          req_type           reqtype
dec_spi            decspi               request_name       requestname
dir                direction            rule_data          ruledata
dir_disp           dirdisp              rule_type          ruletype
dlp_sensor         dlpsensor            sent               sentbyte
dst                dstip                sent_pkt           sentpkt
dst_country        dstcountry           shaper_drop_rcvd   shaperdroprcvdbyte
dst_int            dstintf              shaper_drop_sent   shaperdropsentbyte
dst_port           dstport              shaper_rcvd_name   shaperrcvdname
enc_spi            encspi               shaper_sent_name   shapersentname
end-date           enddate              src                srcip
esp_auth           espauth              src_country        srccountry
esp_transform      esptransform         src_int            srcintf
filter_type        filtertype           src_port           srcport
icmp_code          icmpcode             start-date         startdate
icmp_id            icmpid               tran_disp          trandisp
icmp_type          icmptype             tran_ip            tranip
incident_serialno  incidentserialno     tran_port          tranport
lan_in             lanin                tran_sip           transip
lan_out            lanout               tran_sport         transport
loc_ip             locip                url_type           urltype
loc_port           locport              urlfilter_idx      urlfilteridx
local_ip           locip                urlfilter_list     urlfilterlist
log_id             logid                voip_proto         voipproto
malform_data       malformdata          vpn_tunnel         vpntunnel
malform_desc       malformdesc          vpn_type           vpntype
message            msg                  vuln_cat           vulncat
message_type       messagetype          vuln_cnt           vulncnt
os_family          osfamily             vuln_id            vulnid
os_gen             osgen                vuln_ref           vulnref
os_vendor          osvendor             wan_in             wanin
out_intf           outintf              wan_out            wanout
ovrd_id            ovrdid               wanopt_app_type    wanoptapptype
ovrd_tbl           ovrdtbl              xauth_group        xauthgroup
perip_drop         shaperperipdropbyte  xauth_user         xauthuser
perip_name         shaperperipname
Log Subtype Name Changes in FortiOS 5.0
Log type      4.3 subtypes              5.0 subtypes
traffic       allowed                   forward/local/multicast
              webcache-traffic, wanopt-traffic, explicit-proxy-traffic  forward
              failed-conn, violation, other  forward
event         ipsec, sslvpn-user, sslvpn-admin, sslvpn-session  vpn
              ha, gtp, nac-quarantine, config, notification, perf-historical, forticlient, mms-stats, amc-intf-bypass, admin, ldb-monitor, pattern  system
              dns, dhcp, l2tp/pptp/pppoe  router
              auth, radius              user
              wireless                  wireless
              wad                       wad
              voip                      moved to voip logs section
virus         infected                  infected
              filename                  filename
              oversize                  oversized
              scanerror                 scanerror
              -----                     analytics
              -----                     switchproto
webfilter     content                   content
              urlfilter                 urlfilter
              ftgd_blk                  ftgd_blk
              ftgd_allow                ftgd_allow
              ftgd_err                  ftgd_err
              activexfilter             activexfilter
              cookiefilter              cookiefilter
              appletfilter              appletfilter
              ftgd_quota_counting       ftgd_quota_counting
              ftgd_quota                ftgd_quota
              -----                     ftgd_quota_expired
              -----                     webfilter_command_block
ips           signature                 signature
              anomaly                   anomaly
emailfilter   msn-hotmail               msn
              yahoo-mail                yahoo
              smtp                      smtp
              pop3                      pop3
              imap                      imap
              carrier-endpoint-filter   endpointfilter
              mass-mms                  mms
              -----                     google
              -----                     mapi
netscan       discovery                 discovery
              vulnerability             vulnerability
dlp           dlp                       dlp
              -----                     dlp-docsource
app-ctrl      app-ctrl-all              app-ctrl-all
content       http                      http
              ftp                       ftp
              smtp                      smtp
              pop3                      pop3
              imap                      imap
              https                     https
              im-all                    im-all
              nntp                      nntp
              voip                      voip
              mm1                       mm1
              mm3                       mm3
              mm4                       mm4
              mm7                       mm7
              smtps                     smtps
              pop3s                     pop3s
              imaps                     imaps
voip          -----                     voip

Traffic

Message ID: 000002
Message Description: allowed message
Type (type): traffic
Subtype (subtype): forward
Level/Severity: notice
Log field Meaning
type traffic
subtype forward
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
status The status of the traffic.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
trandisp Whether the packet is source NAT translated (snat), destination NAT translated (dnat), both (snat+dnat) or neither (noop).
srcip The source IP.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstip The destination IP.
dstname The destination name. This can be a name or an IP address.
dstcountry Destination country.
srccountry Source country.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
tranip The translated IP in NAT mode. For Transparent mode, it is zero.
tranport The translated port number in NAT mode. For Transparent mode, it is zero.
transip The translated source IP in NAT mode. For Transparent mode, it is zero.
transport The translated source port number in NAT mode. For Transparent mode, it is zero.
service The service where the event or activity occurred.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
duration Time value in seconds.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
shaperdropsentbyte Shaper dropped sent bytes.
shaperdroprcvdbyte Shaper dropped received bytes.
shaperperipdropbyte PerIP dropped bytes.
shapersentname The name of the traffic shaper sending the bytes.
shaperrcvdname The name of the traffic shaper receiving the bytes.
shaperperipname The perIP shaper name.
sentpkt The number of sent packets related to the log message.
rcvdpkt The number of received packets related to the log message.
vpn The name of the VPN tunnel used by the traffic.
vpntype The type of VPN tunnel that the traffic is flowing through. This field can be any one of the following: ipsec-static, ipsec-dynamic, ipsec-ddns, sslvpn.
vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstintf The destination interface.
sessionid Session ID.
appid Application ID.
app The name of the application that triggered the action within the control list. For example, SSL.
appcat The application category that the application is associated with.
applist The name of the application control list that was used to detect and take action.
appact Application action.
user User name.
group The group name.
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
crscore Client Reputation score.
craction Client Reputation action.

Message ID: 000003
Message Description: violation message
Type (type): traffic
Subtype (subtype): invalid
Level/Severity: warning
Log field Meaning
type traffic
subtype invalid
level warning
date The date at which the log was recorded.
time The time at which the log was recorded.
status The status of the traffic.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip The source IP.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstip The destination IP.
dstname The destination name. This can be a name or an IP address.
dstcountry Destination country.
srccountry Source country.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
service The service where the event or activity occurred.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
duration Time value in seconds.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
shaperdropsentbyte Shaper dropped sent bytes.
shaperdroprcvdbyte Shaper dropped received bytes.
shaperperipdropbyte PerIP dropped bytes.
shapersentname The name of the traffic shaper sending the bytes.
shaperrcvdname The name of the traffic shaper receiving the bytes.
shaperperipname The perIP shaper name.
sentpkt The number of sent packets related to the log message.
rcvdpkt The number of received packets related to the log message.
vpn The name of the VPN tunnel used by the traffic.
vpntype The type of VPN tunnel that the traffic is flowing through. This field can be any one of the following: ipsec-static, ipsec-dynamic, ipsec-ddns, sslvpn.
vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstintf The destination interface.
sessionid Session ID.
appid Application ID.
app The name of the application that triggered the action within the control list. For example, SSL.
appcat The application category that the application is associated with.
applist The name of the application control list that was used to detect and take action.
appact Application action.
user User name.
group The group name.
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
crscore Client Reputation score.
craction Client Reputation action.

Message ID: 000004
Message Description: other message
Type (type): traffic
Subtype (subtype): invalid
Level/Severity: notice
Log field Meaning
type traffic
subtype invalid
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
status The status of the traffic.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip The source IP.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstip The destination IP.
dstname The destination name. This can be a name or an IP address.
dstcountry Destination country.
srccountry Source country.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
tranip The translated IP in NAT mode. For Transparent mode, it is zero.
tranport The translated port number in NAT mode. For Transparent mode, it is zero.
transip The translated source IP in NAT mode. For Transparent mode, it is zero.
transport The translated source port number in NAT mode. For Transparent mode, it is zero.
service The service where the event or activity occurred.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
duration Time value in seconds.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
shaperdropsentbyte Shaper dropped sent bytes.
shaperdroprcvdbyte Shaper dropped received bytes.
shaperperipdropbyte PerIP dropped bytes.
shapersentname The name of the traffic shaper sending the bytes.
shaperrcvdname The name of the traffic shaper receiving the bytes.
shaperperipname The perIP shaper name.
sentpkt The number of sent packets related to the log message.
rcvdpkt The number of received packets related to the log message.
vpn The name of the VPN tunnel used by the traffic.
vpntype The type of VPN tunnel that the traffic is flowing through. This field can be any one of the following: ipsec-static, ipsec-dynamic, ipsec-ddns, sslvpn.
vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstintf The destination interface.
sessionid Session ID.
appid Application ID.
app The name of the application that triggered the action within the control list. For example, SSL.
appcat The application category that the application is associated with.
applist The name of the application control list that was used to detect and take action.
appact Application action.
user User name.
group The group name.
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
crscore Client Reputation score.
craction Client Reputation action.

Message ID: 000005
Message Description: allowed icmp message
Type (type): traffic
Subtype (subtype): invalid
Level/Severity: notice
Log field Meaning
type traffic
subtype invalid
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
status The status of the traffic.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
trandisp Whether the packet is source NAT translated (snat), destination NAT translated (dnat), both (snat+dnat) or neither (noop).
srcip The source IP.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstip The destination IP.
dstname The destination name. This can be a name or an IP address.
dstcountry Destination country.
srccountry Source country.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
tranip The translated IP in NAT mode. For Transparent mode, it is zero.
tranport The translated port number in NAT mode. For Transparent mode, it is zero.
transip The translated source IP in NAT mode. For Transparent mode, it is zero.
transport The translated source port number in NAT mode. For Transparent mode, it is zero.
service The service where the event or activity occurred.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
duration Time value in seconds.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
shaperdropsentbyte Shaper dropped sent bytes.
shaperdroprcvdbyte Shaper dropped received bytes.
shaperperipdropbyte PerIP dropped bytes.
shapersentname The name of the traffic shaper sending the bytes.
shaperrcvdname The name of the traffic shaper receiving the bytes.
shaperperipname The perIP shaper name.
sentpkt The number of sent packets related to the log message.
rcvdpkt The number of received packets related to the log message.
vpn The name of the VPN tunnel used by the traffic.
vpntype The type of VPN tunnel that the traffic is flowing through. This field can be any one of the following: ipsec-static, ipsec-dynamic, ipsec-ddns, sslvpn.
vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstintf The destination interface.
sessionid Session ID.
appid Application ID.
app The name of the application that triggered the action within the control list. For example, SSL.
appcat The application category that the application is associated with.
applist The name of the application control list that was used to detect and take action.
appact Application action.
user User name.
group The group name.
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
crscore Client Reputation score.
craction Client Reputation action.

Message ID: 000006
Message Description: deny internal icmp message
Type (type): traffic
Subtype (subtype): invalid
Level/Severity: warning
Log field Meaning
type traffic
subtype invalid
level warning
date The date at which the log was recorded.
time The time at which the log was recorded.
status The status of the traffic.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip The source IP.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstip The destination IP.
dstname The destination name. This can be a name or an IP address.
dstcountry Destination country.
srccountry Source country.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
service The service where the event or activity occurred.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
duration Time value in seconds.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
shaperdropsentbyte Shaper dropped sent bytes.
shaperdroprcvdbyte Shaper dropped received bytes.
shaperperipdropbyte PerIP dropped bytes.
shapersentname The name of the traffic shaper sending the bytes.
shaperrcvdname The name of the traffic shaper receiving the bytes.
shaperperipname The perIP shaper name.
sentpkt The number of sent packets related to the log message.
rcvdpkt The number of received packets related to the log message.
vpn The name of the VPN tunnel used by the traffic.
vpntype The type of VPN tunnel that the traffic is flowing through. This field can be any one of the following: ipsec-static, ipsec-dynamic, ipsec-ddns, sslvpn.
vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstintf The destination interface.
sessionid Session ID.
appid Application ID.
app The name of the application that triggered the action within the control list. For example, SSL.
appcat The application category that the application is associated with.
applist The name of the application control list that was used to detect and take action.
appact Application action.
user User name.
group The group name.
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
crscore Client Reputation score.
craction Client Reputation action.

Message ID: 000007
Message Description: deny external icmp message
Type (type): traffic
Subtype (subtype): invalid
Level/Severity: warning
Log field Meaning
type traffic
subtype invalid
level warning
date The date at which the log was recorded.
time The time at which the log was recorded.
status The status of the traffic.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip The source IP.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstip The destination IP.
dstname The destination name. This can be a name or an IP address.
dstcountry Destination country.
srccountry Source country.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
service The service where the event or activity occurred.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
duration Time value in seconds.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
shaperdropsentbyte Shaper dropped sent bytes.
shaperdroprcvdbyte Shaper dropped received bytes.
shaperperipdropbyte PerIP dropped bytes.
shapersentname The name of the traffic shaper sending the bytes.
shaperrcvdname The name of the traffic shaper receiving the bytes.
shaperperipname The perIP shaper name.
sentpkt The number of sent packets related to the log message.
rcvdpkt The number of received packets related to the log message.
vpn The name of the VPN tunnel used by the traffic.
vpntype The type of VPN tunnel that the traffic is flowing through. This field can be any one of the following: ipsec-static, ipsec-dynamic, ipsec-ddns, sslvpn.
vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstintf The destination interface.
sessionid Session ID.
appid Application ID.
app The name of the application that triggered the action within the control list. For example, SSL.
appcat The application category that the application is associated with.
applist The name of the application control list that was used to detect and take action.
appact Application action.
user User name.
group The group name.
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
crscore Client Reputation score.
craction Client Reputation action.

Message ID: 000008
Message Description: WAN optimization traffic
Type (type): traffic
Subtype (subtype): forward
Level/Severity: notice
Log field Meaning
type traffic
subtype forward
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip The source IP.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstip The destination IP.
dstname The destination name. This can be a name or an IP address.
dstcountry Destination country.
srccountry Source country.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
wanoptapptype WANOpt app type. One of: web-cache, cifs, tcp, ftp, mapi, http, web-proxy, ftp-proxy.
duration Time value in seconds.
policyid The ID number of the firewall policy that applies to the session or packet.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
wanin WAN in.
wanout WAN out.
lanin LAN in.
lanout LAN out.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstintf The destination interface.
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.

Message ID: 000009
Message Description: webcache traffic
Type (type): traffic
Subtype (subtype): forward
Level/Severity: notice
Log field Meaning
type traffic
subtype forward
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip The source IP.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstip The destination IP.
dstname The destination name. This can be a name or an IP address.
dstcountry Destination country.
srccountry Source country.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
wanoptapptype WANOpt app type. One of: web-cache, cifs, tcp, ftp, mapi, http, web-proxy, ftp-proxy.
duration Time value in seconds.
policyid The ID number of the firewall policy that applies to the session or packet.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
wanin WAN in.
wanout WAN out.
lanin LAN in.
lanout LAN out.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstintf The destination interface.
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
10
Message ID: 000010
Message Description: explicit proxy traffic
Type (type): traffic
Subtype (subtype): forward
Level/Severity: notice
Log field Meaning
type traffic
subtype forward
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip The source IP.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstip The destination IP.
dstname The destination name. This can be a name or an IP address.
dstcountry Destination country.
srccountry Source country.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
wanoptapptype WANOpt app type. One of: web-cache, cifs, tcp, ftp, mapi, http, web-proxy, ftp-proxy.
duration Time value in seconds.
policyid The ID number of the firewall policy that applies to the session or packet.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
wanin WAN in.
wanout WAN out.
lanin LAN in.
lanout LAN out.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstintf The destination interface.
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
11
Message ID: 000011
Message Description: failed connection attempts
Type (type): traffic
Subtype (subtype): invalid
Level/Severity: warning
Log field Meaning
type traffic
subtype invalid
level warning
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip The source IP.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstip The destination IP.
dstname The destination name. This can be a name or an IP address.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
duration Time value in seconds.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstintf The destination interface.
sessionid Session ID.
user User name.
group The group name.
crscore Client Reputation score.
craction Client Reputation action.
12
Message ID: 000012
Message Description: multicast allowed message
Type (type): traffic
Subtype (subtype): multicast
Level/Severity: notice
Log field Meaning
type traffic
subtype multicast
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
status The status of the traffic.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
trandisp Whether the packet is source NAT translated (snat), destination NAT translated (dnat), both (snat+dnat), or neither (noop).
srcip The source IP.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstip The destination IP.
dstname The destination name. This can be a name or an IP address.
dstcountry Destination country.
srccountry Source country.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
tranip The translated IP in NAT mode. For Transparent mode, it is zero.
tranport The translated port number in NAT mode. For Transparent mode, it is zero.
transip The translated source IP in NAT mode. For Transparent mode, it is zero.
transport The translated source port number in NAT mode. For Transparent mode, it is zero.
service The service where the event or activity occurred.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
duration Time value in seconds.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
shaperdropsentbyte Shaper dropped sent bytes.
shaperdroprcvdbyte Shaper dropped received bytes.
shaperperipdropbyte PerIP dropped bytes.
shapersentname The name of the traffic shaper sending the bytes.
shaperrcvdname The name of the traffic shaper receiving the bytes.
shaperperipname The perIP shaper name.
sentpkt The number of sent packets related to the log message.
rcvdpkt The number of received packets related to the log message.
vpn The name of the VPN tunnel used by the traffic.
vpntype The type of VPN tunnel that the traffic is flowing through. This field can be any one of the following: ipsec-static, ipsec-dynamic, ipsec-ddns, sslvpn.
vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstintf The destination interface.
sessionid Session ID.
appid Application ID.
app The name of the application that triggered the action within the control list. For example, SSL.
appcat The application category that the application is associated with.
applist The name of the application control list that was used to detect and take action.
appact Application action.
user User name.
group The group name.
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
crscore Client Reputation score.
craction Client Reputation action.
13
Message ID: 000013
Message Description: traffic forward message
Type (type): traffic
Subtype (subtype): forward
Level/Severity: notice
Log field Meaning
type traffic
subtype forward
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
status The status of the traffic.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
trandisp Whether the packet is source NAT translated (snat), destination NAT translated (dnat), both (snat+dnat), or neither (noop).
srcip The source IP.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstip The destination IP.
dstname The destination name. This can be a name or an IP address.
dstcountry Destination country.
srccountry Source country.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
tranip The translated IP in NAT mode. For Transparent mode, it is zero.
tranport The translated port number in NAT mode. For Transparent mode, it is zero.
transip The translated source IP in NAT mode. For Transparent mode, it is zero.
transport The translated source port number in NAT mode. For Transparent mode, it is zero.
service The service where the event or activity occurred.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
duration Time value in seconds.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
shaperdropsentbyte Shaper dropped sent bytes.
shaperdroprcvdbyte Shaper dropped received bytes.
shaperperipdropbyte PerIP dropped bytes.
shapersentname The name of the traffic shaper sending the bytes.
shaperrcvdname The name of the traffic shaper receiving the bytes.
shaperperipname The perIP shaper name.
sentpkt The number of sent packets related to the log message.
rcvdpkt The number of received packets related to the log message.
vpn The name of the VPN tunnel used by the traffic.
vpntype The type of VPN tunnel that the traffic is flowing through. This field can be any one of the following: ipsec-static, ipsec-dynamic, ipsec-ddns, sslvpn.
vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstintf The destination interface.
sessionid Session ID.
appid Application ID.
app The name of the application that triggered the action within the control list. For example, SSL.
appcat The application category that the application is associated with.
applist The name of the application control list that was used to detect and take action.
appact Application action.
user User name.
group The group name.
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
utmaction The UTM action taken by the system.
filename The name of the file that was transferred.
virus The name of the virus detected.
attack ATTACK
hostname The hostname information.
catdesc The category description.
sender SENDER
recipient RECIPIENT
mailcount MAILCOUNT
spamcount SPAMCOUNT
dlprule DLP rule.
utmevent The type of UTM event taking place.
utmseverity UTM severity.
sha256 SHA256 hash.
analyticssubmit Whether analytics were submitted or not. Can be false or true.
crscore Client Reputation score.
craction Client Reputation action.
14
Message ID: 000014
Message Description: traffic local message
Type (type): traffic
Subtype (subtype): local
Level/Severity: notice
Log field Meaning
type traffic
subtype local
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
status The status of the traffic.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
trandisp Whether the packet is source NAT translated (snat), destination NAT translated (dnat), both (snat+dnat), or neither (noop).
srcip The source IP.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstip The destination IP.
dstname The destination name. This can be a name or an IP address.
dstcountry Destination country.
srccountry Source country.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
tranip The translated IP in NAT mode. For Transparent mode, it is zero.
tranport The translated port number in NAT mode. For Transparent mode, it is zero.
transip The translated source IP in NAT mode. For Transparent mode, it is zero.
transport The translated source port number in NAT mode. For Transparent mode, it is zero.
service The service where the event or activity occurred.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
duration Time value in seconds.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
shaperdropsentbyte Shaper dropped sent bytes.
shaperdroprcvdbyte Shaper dropped received bytes.
shaperperipdropbyte PerIP dropped bytes.
shapersentname The name of the traffic shaper sending the bytes.
shaperrcvdname The name of the traffic shaper receiving the bytes.
shaperperipname The perIP shaper name.
sentpkt The number of sent packets related to the log message.
rcvdpkt The number of received packets related to the log message.
vpn The name of the VPN tunnel used by the traffic.
vpntype The type of VPN tunnel that the traffic is flowing through. This field can be any one of the following: ipsec-static, ipsec-dynamic, ipsec-ddns, sslvpn.
vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstintf The destination interface.
sessionid Session ID.
appid Application ID.
app The name of the application that triggered the action within the control list. For example, SSL.
appcat The application category that the application is associated with.
applist The name of the application control list that was used to detect and take action.
appact Application action.
user User name.
group The group name.
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
crscore Client Reputation score.
craction Client Reputation action.
15
Message ID: 000015
Message Description: start forward message
Type (type): traffic
Subtype (subtype): forward
Level/Severity: notice
Log field Meaning
type traffic
subtype forward
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
status The status of the traffic.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
trandisp Whether the packet is source NAT translated (snat), destination NAT translated (dnat), both (snat+dnat), or neither (noop).
srcip The source IP.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstip The destination IP.
dstname The destination name. This can be a name or an IP address.
dstcountry Destination country.
srccountry Source country.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
tranip The translated IP in NAT mode. For Transparent mode, it is zero.
tranport The translated port number in NAT mode. For Transparent mode, it is zero.
transip The translated source IP in NAT mode. For Transparent mode, it is zero.
transport The translated source port number in NAT mode. For Transparent mode, it is zero.
service The service where the event or activity occurred.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
duration Time value in seconds.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
shaperdropsentbyte Shaper dropped sent bytes.
shaperdroprcvdbyte Shaper dropped received bytes.
shaperperipdropbyte PerIP dropped bytes.
shapersentname The name of the traffic shaper sending the bytes.
shaperrcvdname The name of the traffic shaper receiving the bytes.
shaperperipname The perIP shaper name.
sentpkt The number of sent packets related to the log message.
rcvdpkt The number of received packets related to the log message.
vpn The name of the VPN tunnel used by the traffic.
vpntype The type of VPN tunnel that the traffic is flowing through. This field can be any one of the following: ipsec-static, ipsec-dynamic, ipsec-ddns, sslvpn.
vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstintf The destination interface.
sessionid Session ID.
appid Application ID.
app The name of the application that triggered the action within the control list. For example, SSL.
appcat The application category that the application is associated with.
applist The name of the application control list that was used to detect and take action.
appact Application action.
user User name.
group The group name.
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
crscore Client Reputation score.
craction Client Reputation action.
16
Message ID: 000016
Message Description: start local message
Type (type): traffic
Subtype (subtype): local
Level/Severity: notice
Log field Meaning
type traffic
subtype local
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
status The status of the traffic.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip The source IP.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstip The destination IP.
dstname The destination name. This can be a name or an IP address.
dstcountry Destination country.
srccountry Source country.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
tranip The translated IP in NAT mode. For Transparent mode, it is zero.
tranport The translated port number in NAT mode. For Transparent mode, it is zero.
transip The translated source IP in NAT mode. For Transparent mode, it is zero.
transport The translated source port number in NAT mode. For Transparent mode, it is zero.
service The service where the event or activity occurred.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
duration Time value in seconds.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
shaperdropsentbyte Shaper dropped sent bytes.
shaperdroprcvdbyte Shaper dropped received bytes.
shaperperipdropbyte PerIP dropped bytes.
shapersentname The name of the traffic shaper sending the bytes.
shaperrcvdname The name of the traffic shaper receiving the bytes.
shaperperipname The perIP shaper name.
sentpkt The number of sent packets related to the log message.
rcvdpkt The number of received packets related to the log message.
vpn The name of the VPN tunnel used by the traffic.
vpntype The type of VPN tunnel that the traffic is flowing through. This field can be any one of the following: ipsec-static, ipsec-dynamic, ipsec-ddns, sslvpn.
vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstintf The destination interface.
sessionid Session ID.
appid Application ID.
app The name of the application that triggered the action within the control list. For example, SSL.
appcat The application category that the application is associated with.
applist The name of the application control list that was used to detect and take action.
appact Application action.
user User name.
group The group name.
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
crscore Client Reputation score.
craction Client Reputation action.
Netscan
4096
Message ID: 004096
Message Description: Network scan performed
Type (type): utm
Subtype (subtype): netscan
Event Type (eventtype): vulnerability
Level/Severity: notice
Log field Meaning
type utm
subtype netscan
eventtype vulnerability
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action The nature of the netscan event. Scan, vuln-detection, host-detection, os-scan, port-detection, service-detection, vuln-count.
start GMT epoch time the scan started.
end GMT epoch time the scan ended.
status Scan status: start, stop, pause, resume, complete.
engine Version of the netscan engine.
plugin Version of the netscan plugin.
4097
Message ID: 004097
Message Description: Network scan performed
Type (type): utm
Subtype (subtype): netscan
Event Type (eventtype): discovery
Level/Severity: notice
Log field Meaning
type utm
subtype netscan
eventtype discovery
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action The nature of the netscan event. Scan, vuln-detection, host-detection, os-scan, port-detection, service-detection, vuln-count.
start GMT epoch time the scan started.
end GMT epoch time the scan ended.
status Scan status: start, stop, pause, resume, complete.
engine Version of the netscan engine.
plugin Version of the netscan plugin.
4098
Message ID: 004098
Message Description: Netscan vulnerability detected
Type (type): utm
Subtype (subtype): netscan
Event Type (eventtype): vulnerability
Level/Severity: notice
Log field Meaning
type utm
subtype netscan
eventtype vulnerability
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action The nature of the netscan event. Scan, vuln-detection, host-detection, os-scan, port-detection, service-detection, vuln-count.
dstip The destination IP.
vuln Name of the detected vulnerability.
vulncat Category of the detected vulnerability.
vulnid ID of the detected vulnerability.
vulnref Reference to the detected vulnerability in FortiGuard.
severity The priority level of the attack log. Can be info, low, medium, high, or critical.
vulnscore NIST score of the detected vulnerability.
proto Protocol. Either TCP or UDP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
4099
Message ID: 004099
Message Description: Netscan OS detected
Type (type): utm
Subtype (subtype): netscan
Event Type (eventtype): discovery
Level/Severity: notice
Log field Meaning
type utm
subtype netscan
eventtype discovery
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action The nature of the netscan event. Scan, vuln-detection, host-detection, os-scan, port-detection, service-detection, vuln-count.
dstip The destination IP.
os Operating system name.
osfamily OS family.
osgen OS generation.
osvendor OS vendor.
4100
Message ID: 004100
Message Description: Netscan service detected
Type (type): utm
Subtype (subtype): netscan
Event Type (eventtype): discovery
Level/Severity: notice
Log field Meaning
type utm
subtype netscan
eventtype discovery
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action The nature of the netscan event. Scan, vuln-detection, host-detection, os-scan, port-detection, service-detection, vuln-count.
dstip The destination IP.
service The service where the event or activity occurred.
proto Protocol. Either TCP or UDP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
4101
Message ID: 004101
Message Description: Notification message
Type (type): utm
Subtype (subtype): netscan
Event Type (eventtype): vulnerability
Level/Severity: notice
Log field Meaning
type utm
subtype netscan
eventtype vulnerability
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action The nature of the netscan event. Scan, vuln-detection, host-detection, os-scan, port-detection, service-detection, vuln-count.
4102
Message ID: 004102
Message Description: Notification message
Type (type): utm
Subtype (subtype): netscan
Event Type (eventtype): discovery
Level/Severity: notice
Log field Meaning
type utm
subtype netscan
eventtype discovery
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action The nature of the netscan event. Scan, vuln-detection, host-detection, os-scan, port-detection, service-detection, vuln-count.
4103
Message ID: 004103
Message Description: Netscan number of vulnerabilities detected
Type (type): utm
Subtype (subtype): netscan
Event Type (eventtype): vulnerability
Level/Severity: notice
Log field Meaning
type utm
subtype netscan
eventtype vulnerability
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action The nature of the netscan event. Scan, vuln-detection, host-detection, os-scan, port-detection, service-detection, vuln-count.
dstip The destination IP.
vulncnt Vulnerability count.
4104
Message ID: 004104
Message Description: Netscan host detected
Type (type): utm
Subtype (subtype): netscan
Event Type (eventtype): discovery
Level/Severity: notice
Log field Meaning
type utm
subtype netscan
eventtype discovery
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action The nature of the netscan event. Scan, vuln-detection, host-detection, os-scan, port-detection, service-detection, vuln-count.
dstip The destination IP.
method The method information.
assetid Asset ID for this host.
assetname Asset definition for this host.
4105
Message ID: 004105
Message Description: Netscan port detected
Type (type): utm
Subtype (subtype): netscan
Event Type (eventtype): discovery
Level/Severity: notice
Log field Meaning
type utm
subtype netscan
eventtype discovery
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action The nature of the netscan event. Scan, vuln-detection, host-detection, os-scan, port-detection, service-detection, vuln-count.
dstip The destination IP.
proto Protocol. Either TCP or UDP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
Virus
8192
Message ID: 008192
Message Description: virus infected block
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): infected
Level/Severity: warning
Log field Meaning
type utm
subtype virus
eventtype infected
level warning
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status The status of the virus or packet: blocked, passthrough, monitored, analytics.
service The service where the event or activity occurred.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid Session ID.
direction Message direction. One of: N/A, TX, or RX.
file The name of the file.
checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern block), oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).
virus The name of the virus detected.
dtype Dtype.
ref URL of the FortiGuard IPS database entry for the attack.
url The URL address.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
agent Agent.
from Source identifier.
to Destination identifier.
sha256 SHA256 hash.
analyticssubmit Whether analytics were submitted or not. Can be false or true.
msg "File is infected."
8193
Message ID: 008193
Message Description: virus infected pass
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): infected
Level/Severity: notice
Log field Meaning
type utm
subtype virus
eventtype infected
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status The status of the virus or packet: blocked, passthrough, monitored, analytics.
service The service where the event or activity occurred.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
sessionid Session ID.
direction Message direction. One of: N/A, TX, or RX.
file The name of the file.
checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern block), oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).
virus The name of the virus detected.
dtype Dtype.
ref URL of the FortiGuard IPS database entry for the attack.
url The URL address.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
agent Agent.
from Source identifier.
to Destination identifier.
sha256 SHA256 hash.
analyticssubmit Whether analytics were submitted or not. Can be false or true.
msg "File is infected."
8194
Message ID: 008194
Message Description: virus infected mime block
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): infected
Level/Severity: warning
Log field Meaning
type utm
subtype virus
eventtype infected
level warning
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status The status of the virus or packet: blocked, passthrough, monitored, analytics.
service The service where the event or activity occurred.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
sessionid Session ID.
direction Message direction. One of: N/A, TX, or RX.
file The name of the file.
checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern block), oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).
virus The name of the virus detected.
dtype Dtype.
ref URL of the FortiGuard IPS database entry for the attack.
url The URL address.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
agent Agent.
from Source identifier.
to Destination identifier.
sha256 SHA256 hash.
analyticssubmit Whether analytics were submitted or not. Can be false or true.
msg "File is infected."
8195
Message ID: 008195
Message Description: virus infected mime pass
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): infected
Level/Severity: notice
Log field Meaning
type utm
subtype virus
eventtype infected
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status The status of the virus or packet: blocked, passthrough, monitored, analytics.
service The service where the event or activity occurred.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
sessionid Session ID.
direction Message direction. One of: N/A, TX, or RX.
file The name of the file.
checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern block), oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).
virus The name of the virus detected.
dtype Dtype.
ref URL of the FortiGuard IPS database entry for the attack.
url The URL address.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
agent Agent.
from Source identifier.
to Destination identifier.
sha256 SHA256 hash.
analyticssubmit Whether analytics were submitted or not. Can be false or true.
msg "File submitted to FortiGuard Analytics."
8196
Message ID: 008196
Message Description: virus infected worm block
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): infected
Level/Severity: warning
Log field Meaning
type utm
subtype virus
eventtype infected
level warning
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status The status of the virus or packet: blocked, passthrough, monitored, analytics.
service The service where the event or activity occurred.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
sessionid Session ID.
virus The name of the virus detected.
dtype Dtype.
url The URL address.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
user User name.
group The group name.
msg "Worm detected."
8197
Message ID: 008197
Message Description: virus infected worm monitor
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): infected
Level/Severity: notice
Log field Meaning
type utm
subtype virus
eventtype infected
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status The status of the virus or packet: blocked, passthrough, monitored, analytics.
service The service where the event or activity occurred.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
sessionid Session ID.
virus The name of the virus detected.
dtype Dtype.
url The URL address.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
user User name.
group The group name.
msg "Worm detected."
8198
Message ID: 008198
Message Description: virus infected worm mime block
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): infected
Level/Severity: warning
Log field Meaning
type utm
subtype virus
eventtype infected
level warning
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status The status of the virus or packet: blocked, passthrough, monitored, analytics.
service The service where the event or activity occurred.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
sessionid Session ID.
virus The name of the virus detected.
dtype Dtype.
url The URL address.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
user User name.
group The group name.
from Source identifier.
to Destination identifier.
msg "Worm detected."
8199
Message ID: 008199
Message Description: virus infected worm mime monitor
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): infected
Level/Severity: notice
Log field Meaning
type utm
subtype virus
eventtype infected
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status The status of the virus or packet: blocked, passthrough, monitored, analytics.
service The service where the event or activity occurred.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
sessionid Session ID.
virus The name of the virus detected.
dtype Dtype.
url The URL address.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
user User name.
group The group name.
from Source identifier.
to Destination identifier.
msg "Worm detected."
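The infected-event tables above (008192 to 008199) share the status, quarskip and checksum fields, which is enough for a first-pass triage of antivirus records. The following is an added example, not part of the Fortinet reference: it assumes raw records are space-separated key=value pairs with optional double quotes, and every sample record, address, checksum and virus name in it is constructed.

```python
import re
from collections import defaultdict

# Assumption: raw records are space-separated key=value pairs, values
# optionally wrapped in double quotes. The reference defines the fields,
# not the line layout. All records below are constructed for illustration.
SAMPLE_LOGS = [
    # Infected file, blocked and quarantined: nothing to follow up.
    'date=2015-03-13 time=10:01:02 type=utm subtype=virus eventtype=infected '
    'level=warning vd="root" status=blocked service=http srcip=198.51.100.7 '
    'dstip=192.0.2.10 file="invoice.zip" checksum=0a1b2c3d '
    'quarskip=notskip virus="EXAMPLE/Test.A" msg="File is infected."',
    # Infected file passed through and not quarantined.
    'date=2015-03-13 time=10:05:40 type=utm subtype=virus eventtype=infected '
    'level=notice vd="root" status=passthrough service=http srcip=198.51.100.7 '
    'dstip=192.0.2.10 file="report.doc" checksum=5e6f7a8b '
    'quarskip=oversized virus="EXAMPLE/Test.B" msg="File is infected."',
    # Same checksum under a different file name, sent to a second host.
    'date=2015-03-13 time=10:09:13 type=utm subtype=virus eventtype=infected '
    'level=notice vd="root" status=passthrough service=smtp srcip=198.51.100.7 '
    'dstip=192.0.2.22 file="q3 summary.doc" checksum=5e6f7a8b '
    'quarskip=unknown virus="EXAMPLE/Test.B" msg="File is infected."',
    # Worm record: no file, checksum or quarskip fields in its table.
    'date=2015-03-13 time=10:12:00 type=utm subtype=virus eventtype=infected '
    'level=notice vd="root" status=monitored service=smtp srcip=192.0.2.30 '
    'dstip=198.51.100.9 virus="EXAMPLE/Worm.C" msg="Worm detected."',
    # Unrelated record type: ignored by the triage.
    'date=2015-03-13 time=10:12:01 type=traffic subtype=forward level=notice '
    'vd="root" srcip=192.0.2.30 dstip=198.51.100.9 dstport=443',
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')


def parse_record(line):
    """Split one record into a dict, keeping spaces inside quoted values."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def triage(record):
    """Return follow-up findings for one utm/virus record ([] if none)."""
    if record.get("type") != "utm" or record.get("subtype") != "virus":
        return []
    findings = []
    # status is one of: blocked, passthrough, monitored, analytics.
    if record.get("eventtype") == "infected" and record.get("status") != "blocked":
        findings.append("infected-not-blocked")
    # quarskip other than notskip means the file was not quarantined.
    quarskip = record.get("quarskip")
    if quarskip is not None and quarskip != "notskip":
        findings.append("not-quarantined:" + quarskip)
    return findings


def summarize(lines):
    """Group flagged records by checksum.

    The reference says files with the same checksum are assumed to have the
    same content, so the checksum links renamed copies of one file.
    """
    groups = defaultdict(
        lambda: {"files": set(), "flows": set(), "findings": set()}
    )
    for line in lines:
        record = parse_record(line)
        findings = triage(record)
        if not findings:
            continue
        group = groups[record.get("checksum", "(none)")]
        if "file" in record:
            group["files"].add(record["file"])
        group["flows"].add((record.get("srcip"), record.get("dstip")))
        group["findings"].update(findings)
    return dict(groups)


if __name__ == "__main__":
    for checksum, group in summarize(SAMPLE_LOGS).items():
        print(checksum, sorted(group["files"]), sorted(group["findings"]))
        for src, dst in sorted(group["flows"]):
            print("   ", src, "->", dst)
```

Which end of each flow received the file depends on the direction field and the protocol, so the summary keeps both addresses rather than naming one as the affected host.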
8448
Message ID: 008448
Message Description: virus blocked (warning)
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): filename
Level/Severity: warning
Log field Meaning
type utm
subtype virus
eventtype filename
level warning
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status The status of the virus or packet: blocked, passthrough, monitored, analytics.
service The service where the event or activity occurred.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
sessionid Session ID.
direction Message direction. One of: N/A, TX, or RX.
filefilter The filter used to identify the affected file.
filetype The filetype of the affected file.
file The name of the file.
checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern block), oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).
url The URL address.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
user User name.
group The group name.
agent Agent.
from Source identifier.
to Destination identifier.
msg "File is blocked."
8449
Message ID: 008449
Message Description: virus blocked (notice)
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): filename
Level/Severity: notice
Log field Meaning
type utm
subtype virus
eventtype filename
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status The status of the virus or packet: blocked, passthrough, monitored, analytics.
service The service where the event or activity occurred.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
sessionid Session ID.
direction Message direction. One of: N/A, TX, or RX.
filefilter The filter used to identify the affected file.
filetype The filetype of the affected file.
file The name of the file.
checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern block), oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).
url The URL address.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
user User name.
group The group name.
agent Agent.
from Source identifier.
to Destination identifier.
msg "File is blocked."
8450
Message ID: 008450
Message Description: virus blocked mime (warning)
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): filename
Level/Severity: warning
Log field Meaning
type utm
subtype virus
eventtype filename
level warning
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status The status of the virus or packet: blocked, passthrough, monitored, analytics.
service The service where the event or activity occurred.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
sessionid Session ID.
direction Message direction. One of: N/A, TX, or RX.
filefilter The filter used to identify the affected file.
filetype The filetype of the affected file.
file The name of the file.
checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern block), oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).
url The URL address.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
user User name.
group The group name.
agent Agent.
from Source identifier.
to Destination identifier.
msg "File is blocked."
8451
Message ID: 008451
Message Description: virus blocked mime (notice)
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): filename
Level/Severity: notice
Log field Meaning
type utm
subtype virus
eventtype filename
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status The status of the virus or packet: blocked, passthrough, monitored, analytics.
service The service where the event or activity occurred.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
sessionid Session ID.
direction Message direction. One of: N/A, TX, or RX.
filefilter The filter used to identify the affected file.
filetype The filetype of the affected file.
file The name of the file.
checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern block), oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).
url The URL address.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
user User name.
group The group name.
agent Agent.
from Source identifier.
to Destination identifier.
msg "File is blocked."
8452
Message ID: 008452
Message Description: virus blocked command
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): filename
Level/Severity: warning
Log field Meaning
type utm
subtype virus
eventtype filename
level warning
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status The status of the virus or packet: blocked, passthrough, monitored, analytics.
service The service where the event or activity occurred.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
sessionid Session ID.
url The URL address.
user User name.
group The group name.
command Command information.
agent Agent.
profiletype The type of profile responsible for the UTM action taken.
profile The name of the profile that was used to detect and take action.
msg "Command blocked."
8453
Message ID: 008453
Message Description: virus intercepted
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): filename
Level/Severity: notice
Log field Meaning
type utm
subtype virus
eventtype filename
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status The status of the virus or packet: blocked, passthrough, monitored, analytics.
service The service where the event or activity occurred.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
sessionid Session ID.
direction Message direction. One of: N/A, TX, or RX.
filefilter The filter used to identify the affected file.
filetype The filetype of the affected file.
file The name of the file.
checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern block), oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).
url The URL address.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
user User name.
group The group name.
agent Agent.
from Source identifier.
to Destination identifier.
msg "File is intercepted."
8454
Message ID: 008454
Message Description: virus intercepted mime
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): filename
Level/Severity: notice
Log field Meaning
type utm
subtype virus
eventtype filename
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status The status of the virus or packet: blocked, passthrough, monitored, analytics.
service The service where the event or activity occurred.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
sessionid Session ID.
direction Message direction. One of: N/A, TX, or RX.
filefilter The filter used to identify the affected file.
filetype The filetype of the affected file.
file The name of the file.
checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern block), oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).
virus The name of the virus detected.
dtype Dtype.
url The URL address.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
user User name.
group The group name.
agent Agent.
from Source identifier.
to Destination identifier.
msg "File is intercepted."
8455
Message ID: 008455
Message Description: virus exempted
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): filename
Level/Severity: notice
Log field Meaning
type utm
subtype virus
eventtype filename
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status The status of the virus or packet: blocked, passthrough, monitored, analytics.
service The service where the event or activity occurred.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
sessionid Session ID.
direction Message direction. One of: N/A, TX, or RX.
filefilter The filter used to identify the affected file.
filetype The filetype of the affected file.
file The name of the file.
url The URL address.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
user User name.
group The group name.
agent Agent.
from Source identifier.
to Destination identifier.
msg "File has been exempted."
8456
Message ID: 008456
Message Description: virus exempted mime
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): filename
Level/Severity: notice
Log field Meaning
type utm
subtype virus
eventtype filename
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status The status of the virus or packet: blocked, passthrough, monitored, analytics.
service The service where the event or activity occurred.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
sessionid Session ID.
direction Message direction. One of: N/A, TX, or RX.
filefilter The filter used to identify the affected file.
filetype The filetype of the affected file.
file The name of the file.
url The URL address.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
user User name.
group The group name.
agent Agent.
from Source identifier.
to Destination identifier.
msg "File has been exempted."
8457
Message ID: 008457
Message Description: mms content checksum
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): infected
Level/Severity: warning
Log field Meaning
type utm
subtype virus
eventtype infected
level warning
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status The status of the virus or packet: blocked, passthrough, monitored, analytics.
service The service where the event or activity occurred.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
sessionid Session ID.
direction Message direction. One of: N/A, TX, or RX.
checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
url The URL address.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
user User name.
group The group name.
agent Agent.
from Source identifier.
to Destination identifier.
msg "Blocked by MMS content checksum."
8458
Message ID: 008458
Message Description: mms content checksum
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): infected
Level/Severity: warning
Log field Meaning
type utm
subtype virus
eventtype infected
level warning
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status The status of the virus or packet: blocked, passthrough, monitored, analytics.
service The service where the event or activity occurred.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
sessionid Session ID.
direction Message direction. One of: N/A, TX, or RX.
checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
file The name of the file.
url The URL address.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
user User name.
group The group name.
agent Agent.
from Source identifier.
to Destination identifier.
msg "Matched by MMS content checksum."
8704
Message ID: 008704
Message Description: oversized block
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): oversize
Level/Severity: warning
Log field Meaning
type utm
subtype virus
eventtype oversize
level warning
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status The status of the virus or packet: blocked, passthrough, monitored, analytics.
service The service where the event or activity occurred.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
sessionid Session ID.
file The name of the file.
url The URL address.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
user User name.
group The group name.
agent Agent.
from Source identifier.
to Destination identifier.
msg "Size limit exceeded."
8705
Message ID: 008705
Message Description: oversized pass
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): oversize
Level/Severity: notice
Log field Meaning
type utm
subtype virus
eventtype oversize
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status The status of the virus or packet: blocked, passthrough, monitored, analytics.
service The service where the event or activity occurred.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
sessionid Session ID.
file The name of the file.
url The URL address.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
user User name.
group The group name.
agent Agent.
from Source identifier.
to Destination identifier.
msg "Size limit exceeded."
8706
Message ID: 008706
Message Description: oversized mime block
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): oversize
Level/Severity: warning
Log field Meaning
type utm
subtype virus
eventtype oversize
level warning
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status The status of the virus or packet: blocked, passthrough, monitored, analytics.
service The service where the event or activity occurred.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
sessionid Session ID.
file The name of the file.
url The URL address.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
user User name.
group The group name.
from Source identifier.
to Destination identifier.
msg "Size limit exceeded."
8707
Message ID: 008707
Message Description: oversized mime pass
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): oversize
Level/Severity: notice
Log field Meaning
type utm
subtype virus
eventtype oversize
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status The status of the virus or packet: blocked, passthrough, monitored, analytics.
service The service where the event or activity occurred.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
sessionid Session ID.
file The name of the file.
url The URL address.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
user User name.
group The group name.
from Source identifier.
to Destination identifier.
msg "Size limit exceeded."
8720
Message ID: 008720
Message Description: switching protocols block
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): switchproto
Level/Severity: warning
Log field Meaning
type utm
subtype virus
eventtype switchproto
level warning
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status The status of the virus or packet: blocked, passthrough, monitored, analytics.
service The service where the event or activity occurred.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
sessionid Session ID.
url The URL address.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
user User name.
group The group name.
from Source identifier.
to Destination identifier.
agent Agent.
switchproto Protocol change information.
msg "Switching protocols request."
8721
Message ID: 008721
Message Description: switching protocols bypass
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): switchproto
Level/Severity: notice
Log field Meaning
type utm
subtype virus
eventtype switchproto
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status The status of the virus or packet: blocked, passthrough, monitored, analytics.
service The service where the event or activity occurred.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
sessionid Session ID.
url The URL address.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
user User name.
group The group name.
from Source identifier.
to Destination identifier.
agent Agent.
switchproto Protocol change information.
msg "Switching protocols request."
8960
Message ID: 008960
Message Description: uncompressed nested limit reached
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): scanerror
Level/Severity: notice
Log field Meaning
type utm
subtype virus
eventtype scanerror
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status The status of the virus or packet: blocked, passthrough, monitored, analytics.
service The service where the event or activity occurred.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
sessionid Session ID.
direction Message direction. One of: N/A, TX, or RX.
file The name of the file.
checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern block), oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).
virus The name of the virus detected.
dtype Dtype.
ref URL of the FortiGuard IPS database entry for the attack.
url The URL address.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
agent Agent.
from Source identifier.
to Destination identifier.
sha256 SHA256 hash.
analyticssubmit Whether analytics were submitted or not. Can be false or true.
msg "File reached uncompressed nested limit."
8961
Message ID: 008961
Message Description: uncompressed size limit reached
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): scanerror
Level/Severity: notice
Log field Meaning
type utm
subtype virus
eventtype scanerror
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status The status of the virus or packet: blocked, passthrough, monitored, analytics.
service The service where the event or activity occurred.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
sessionid Session ID.
direction Message direction. One of: N/A, TX, or RX.
file The name of the file.
checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern block), oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).
virus The name of the virus detected.
dtype Dtype.
ref URL of the FortiGuard IPS database entry for the attack.
url The URL address.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
agent Agent.
from Source identifier.
to Destination identifier.
sha256 SHA256 hash.
analyticssubmit Whether analytics were submitted or not. Can be false or true.
msg "File reached uncompressed size limit."
8962
Message ID: 008962
Message Description: archive is encrypted
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): scanerror
Level/Severity: warning
Log field Meaning
type utm
subtype virus
eventtype scanerror
level warning
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status The status of the virus or packet: blocked, passthrough, monitored, analytics.
service The service where the event or activity occurred.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
sessionid Session ID.
direction Message direction. One of: N/A, TX, or RX.
file The name of the file.
checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern block), oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).
virus The name of the virus detected.
dtype Dtype.
ref URL of the FortiGuard IPS database entry for the attack.
url The URL address.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
agent Agent.
from Source identifier.
to Destination identifier.
sha256 SHA256 hash.
analyticssubmit Whether analytics were submitted or not. Can be false or true.
msg "Encrypted archive."
8963
Message ID: 008963
Message Description: archive is encrypted
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): scanerror
Level/Severity: notice
Log field Meaning
type utm
subtype virus
eventtype scanerror
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status The status of the virus or packet: blocked, passthrough, monitored, analytics.
service The service where the event or activity occurred.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
sessionid Session ID.
direction Message direction. One of: N/A, TX, or RX.
file The name of the file.
checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern block), oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).
virus The name of the virus detected.
dtype Dtype.
ref URL of the FortiGuard IPS database entry for the attack.
url The URL address.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
agent Agent.
from Source identifier.
to Destination identifier.
sha256 SHA256 hash.
analyticssubmit Whether analytics were submitted or not. Can be false or true.
msg "Encrypted archive."
8964
Message ID: 008964
Message Description: archive is corrupted
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): scanerror
Level/Severity: warning
Log field Meaning
type utm
subtype virus
eventtype scanerror
level warning
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status The status of the virus or packet: blocked, passthrough, monitored, analytics.
service The service where the event or activity occurred.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
sessionid Session ID.
direction Message direction. One of: N/A, TX, or RX.
file The name of the file.
checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern block), oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).
virus The name of the virus detected.
dtype Dtype.
ref URL of the FortiGuard IPS database entry for the attack.
url The URL address.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
agent Agent.
from Source identifier.
to Destination identifier.
sha256 SHA256 hash.
analyticssubmit Whether analytics were submitted or not. Can be false or true.
msg "Corrupted archive."
8965
Message ID: 008965
Message Description: archive is corrupted
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): scanerror
Level/Severity: notice
Log field Meaning
type utm
subtype virus
eventtype scanerror
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status The status of the virus or packet: blocked, passthrough, monitored, analytics.
service The service where the event or activity occurred.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid Session ID.
direction Message direction. One of: N/A, TX, or RX.
file The name of the file.
checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern block), oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).
virus The name of the virus detected.
dtype Dtype.
ref URL of the FortiGuard IPS database entry for the attack.
url The URL address.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
agent Agent.
from Source identifier.
to Destination identifier.
sha256 SHA256 hash.
analyticssubmit Whether analytics were submitted or not. Can be false or true.
msg "Corrupted archive."
8966
Message ID: 008966
Message Description: multipart archive
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): scanerror
Level/Severity: warning
Log field Meaning
type utm
subtype virus
eventtype scanerror
level warning
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status The status of the virus or packet: blocked, passthrough, monitored, analytics.
service The service where the event or activity occurred.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid Session ID.
direction Message direction. One of: N/A, TX, or RX.
file The name of the file.
checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern block), oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).
virus The name of the virus detected.
dtype Dtype.
ref URL of the FortiGuard IPS database entry for the attack.
url The URL address.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
agent Agent.
from Source identifier.
to Destination identifier.
sha256 SHA256 hash.
analyticssubmit Whether analytics were submitted or not. Can be false or true.
msg "Multipart archive."
8967
Message ID: 008967
Message Description: multipart archive
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): scanerror
Level/Severity: notice
Log field Meaning
type utm
subtype virus
eventtype scanerror
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status The status of the virus or packet: blocked, passthrough, monitored, analytics.
service The service where the event or activity occurred.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid Session ID.
direction Message direction. One of: N/A, TX, or RX.
file The name of the file.
checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern block), oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).
virus The name of the virus detected.
dtype Dtype.
ref URL of the FortiGuard IPS database entry for the attack.
url The URL address.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
agent Agent.
from Source identifier.
to Destination identifier.
sha256 SHA256 hash.
analyticssubmit Whether analytics were submitted or not. Can be false or true.
msg "Multipart archive."
8968
Message ID: 008968
Message Description: nested archive
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): scanerror
Level/Severity: warning
Log field Meaning
type utm
subtype virus
eventtype scanerror
level warning
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status The status of the virus or packet: blocked, passthrough, monitored, analytics.
service The service where the event or activity occurred.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid Session ID.
direction Message direction. One of: N/A, TX, or RX.
file The name of the file.
checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern block), oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).
virus The name of the virus detected.
dtype Dtype.
ref URL of the FortiGuard IPS database entry for the attack.
url The URL address.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
agent Agent.
from Source identifier.
to Destination identifier.
sha256 SHA256 hash.
analyticssubmit Whether analytics were submitted or not. Can be false or true.
msg "Nested archive."
8969
Message ID: 008969
Message Description: nested archive
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): scanerror
Level/Severity: notice
Log field Meaning
type utm
subtype virus
eventtype scanerror
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status The status of the virus or packet: blocked, passthrough, monitored, analytics.
service The service where the event or activity occurred.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid Session ID.
direction Message direction. One of: N/A, TX, or RX.
file The name of the file.
checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern block), oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).
virus The name of the virus detected.
dtype Dtype.
ref URL of the FortiGuard IPS database entry for the attack.
url The URL address.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
agent Agent.
from Source identifier.
to Destination identifier.
sha256 SHA256 hash.
analyticssubmit Whether analytics were submitted or not. Can be false or true.
msg "Nested archive."
8970
Message ID: 008970
Message Description: archive is oversized
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): scanerror
Level/Severity: warning
Log field Meaning
type utm
subtype virus
eventtype scanerror
level warning
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status The status of the virus or packet: blocked, passthrough, monitored, analytics.
service The service where the event or activity occurred.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid Session ID.
direction Message direction. One of: N/A, TX, or RX.
file The name of the file.
checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern block), oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).
virus The name of the virus detected.
dtype Dtype.
ref URL of the FortiGuard IPS database entry for the attack.
url The URL address.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
agent Agent.
from Source identifier.
to Destination identifier.
sha256 SHA256 hash.
analyticssubmit Whether analytics were submitted or not. Can be false or true.
msg "Oversized archive."
8971
Message ID: 008971
Message Description: archive is oversized
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): scanerror
Level/Severity: notice
Log field Meaning
type utm
subtype virus
eventtype scanerror
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status The status of the virus or packet: blocked, passthrough, monitored, analytics.
service The service where the event or activity occurred.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid Session ID.
direction Message direction. One of: N/A, TX, or RX.
file The name of the file.
checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern block), oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).
virus The name of the virus detected.
dtype Dtype.
ref URL of the FortiGuard IPS database entry for the attack.
url The URL address.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
agent Agent.
from Source identifier.
to Destination identifier.
sha256 SHA256 hash.
analyticssubmit Whether analytics were submitted or not. Can be false or true.
msg "Oversized archive."
8972
Message ID: 008972
Message Description: unhandled archive type
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): scanerror
Level/Severity: warning
Log field Meaning
type utm
subtype virus
eventtype scanerror
level warning
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status The status of the virus or packet: blocked, passthrough, monitored, analytics.
service The service where the event or activity occurred.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid Session ID.
direction Message direction. One of: N/A, TX, or RX.
file The name of the file.
checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern block), oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).
virus The name of the virus detected.
dtype Dtype.
ref URL of the FortiGuard IPS database entry for the attack.
url The URL address.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
agent Agent.
from Source identifier.
to Destination identifier.
sha256 SHA256 hash.
analyticssubmit Whether analytics were submitted or not. Can be false or true.
msg "Unhandled archive."
8973
Message ID: 008973
Message Description: unhandled archive type
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): scanerror
Level/Severity: notice
Log field Meaning
type utm
subtype virus
eventtype scanerror
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status The status of the virus or packet: blocked, passthrough, monitored, analytics.
service The service where the event or activity occurred.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid Session ID.
direction Message direction. One of: N/A, TX, or RX.
file The name of the file.
checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern block), oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).
virus The name of the virus detected.
dtype Dtype.
ref URL of the FortiGuard IPS database entry for the attack.
url The URL address.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
agent Agent.
from Source identifier.
to Destination identifier.
sha256 SHA256 hash.
analyticssubmit Whether analytics were submitted or not. Can be false or true.
msg "Unhandled archive."
9233
Message ID: 009233
Message Description: FortiGuard analytics
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): analytics
Level/Severity: notice
Log field Meaning
type utm
subtype virus
eventtype analytics
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
status The status of the virus or packet: blocked, passthrough, monitored, analytics.
service The service where the event or activity occurred.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid Session ID.
direction Message direction. One of: N/A, TX, or RX.
file The name of the file.
checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.
quarskip Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern block), oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).
virus The name of the virus detected.
dtype Dtype.
ref URL of the FortiGuard IPS database entry for the attack.
url The URL address.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
agent Agent.
from Source identifier.
to Destination identifier.
sha256 SHA256 hash.
analyticssubmit Whether analytics were submitted or not. Can be false or true.
msg
Webfilter
12288
Message ID: 012288
Message Description: Web content banned word
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): content
Level/Severity: warning
Log field Meaning
type utm
subtype webfilter
eventtype content
level warning
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid Session ID.
initiator The initiator name.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
service The service where the event or activity occurred.
hostname The hostname information.
profiletype The type of profile responsible for the UTM action taken.
profile The name of the profile that was used to detect and take action.
reqtype The request type, either direct or referral.
url The URL address.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
status The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.
agent Agent.
from Source identifier.
to Destination identifier.
banword Banned word flagged in the message.
msg "URL was blocked because it contained banned word(s)."
12289
Message ID: 012289
Message Description: Web content MMS banned word
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): content
Level/Severity: warning
Log field Meaning
type utm
subtype webfilter
eventtype content
level warning
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid Session ID.
initiator The initiator name.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
service The service where the event or activity occurred.
hostname The hostname information.
profiletype The type of profile responsible for the UTM action taken.
profile The name of the profile that was used to detect and take action.
reqtype The request type, either direct or referral.
url The URL address.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
status The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.
direction Message direction. One of: N/A, TX, or RX.
agent Agent.
from Source identifier.
to Destination identifier.
banword Banned word flagged in the message.
msg "Message was blocked because it contained banned word(s)."
12290
Message ID: 012290
Message Description: Web content exempt word
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): content
Level/Severity: notice
Log field Meaning
type utm
subtype webfilter
eventtype content
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid Session ID.
initiator The initiator name.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
service The service where the event or activity occurred.
hostname The hostname information.
profiletype The type of profile responsible for the UTM action taken.
profile The name of the profile that was used to detect and take action.
reqtype The request type, either direct or referral.
url The URL address.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
status The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.
agent Agent.
from Source identifier.
to Destination identifier.
banword Banned word flagged in the message.
msg "URL was exempted because it contained exempt word(s)."
12291
Message ID: 012291
Message Description: Web content MMS exempt word
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): content
Level/Severity: notice
Log field Meaning
type utm
subtype webfilter
eventtype content
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid Session ID.
initiator The initiator name.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
service The service where the event or activity occurred.
hostname The hostname information.
profiletype The type of profile responsible for the UTM action taken.
profile The name of the profile that was used to detect and take action.
reqtype The request type, either direct or referral.
url The URL address.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
status The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.
direction Message direction. One of: N/A, TX, or RX.
agent Agent.
from Source identifier.
to Destination identifier.
banword Banned word flagged in the message.
msg "Message was exempted because it contained exempt word(s)."
12292
Message ID: 012292
Message Description: Web search key word
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): content
Level/Severity: notice
Log field Meaning
type utm
subtype webfilter
eventtype content
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid Session ID.
initiator The initiator name.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
service The service where the event or activity occurred.
hostname The hostname information.
profiletype The type of profile responsible for the UTM action taken.
profile The name of the profile that was used to detect and take action.
reqtype The request type, either direct or referral.
url The URL address.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
status The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.
agent Agent.
from Source identifier.
to Destination identifier.
keyword Flagged or searched keyword.
msg "Message contained a key word in the profile list."
12293
Message ID: 012293
Message Description: Web search
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): content
Level/Severity: notice
Log field Meaning
type utm
subtype webfilter
eventtype content
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid Session ID.
initiator The initiator name.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
service The service where the event or activity occurred.
hostname The hostname information.
profiletype The type of profile responsible for the UTM action taken.
profile The name of the profile that was used to detect and take action.
reqtype The request type, either direct or referral.
url The URL address.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
status The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.
agent Agent.
from Source identifier.
to Destination identifier.
keyword Flagged or searched keyword.
msg "Search phrase detected."
12305
Message ID: 012305
Message Description: Web content MMS banned word
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): content
Level/Severity: notice
Log field Meaning
type utm
subtype webfilter
eventtype content
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid Session ID.
initiator The initiator name.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
service The service where the event or activity occurred.
hostname The hostname information.
profiletype The type of profile responsible for the UTM action taken.
profile The name of the profile that was used to detect and take action.
reqtype The request type, either direct or referral.
url The URL address.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
status The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.
direction Message direction. One of: N/A, TX, or RX.
agent Agent.
from Source identifier.
to Destination identifier.
banword Banned word flagged in the message.
msg "Message was logged because it contained a banned word."
12544
Message ID: 012544
Message Description: URL filter block
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): urlfilter
Level/Severity: warning
Log field Meaning
type utm
subtype webfilter
eventtype urlfilter
level warning
date The date at which the log was recorded.
time The time at which the log was recorded.
urlfilteridx URL filter index.
urlfilterlist URL filter list name.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid Session ID.
initiator The initiator name.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
service The service where the event or activity occurred.
hostname The hostname information.
profiletype The type of profile responsible for the UTM action taken.
profile The name of the profile that was used to detect and take action.
status The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.
reqtype The request type, either direct or referral.
url The URL address.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
msg "URL was blocked because it is in the URL filter list."
12545
Message ID: 012545
Message Description: URL filter exempt
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): urlfilter
Level/Severity: information
Log field Meaning
type utm
subtype webfilter
eventtype urlfilter
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
urlfilteridx URL filter index.
urlfilterlist URL filter list name.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid Session ID.
initiator The initiator name.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
service The service where the event or activity occurred.
hostname The hostname information.
profiletype The type of profile responsible for the UTM action taken.
profile The name of the profile that was used to detect and take action.
status The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.
reqtype The request type, either direct or referral.
url The URL address.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
msg "URL was exempted because it is in the URL filter list."
12546
Message ID: 012546
Message Description: URL filter allow
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): urlfilter
Level/Severity: information
Log field Meaning
type utm
subtype webfilter
eventtype urlfilter
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
urlfilteridx URL filter index.
urlfilterlist URL filter list name.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid Session ID.
initiator The initiator name.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
service The service where the event or activity occurred.
hostname The hostname information.
profiletype The type of profile responsible for the UTM action taken.
profile The name of the profile that was used to detect and take action.
status The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.
reqtype The request type, either direct or referral.
url The URL address.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
msg "URL was allowed because it is in the URL filter list."
12547
Message ID: 012547
Message Description: URL filter invalid hostname (Block/HTTP)
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): urlfilter
Level/Severity: notice
Log field Meaning
type utm
subtype webfilter
eventtype urlfilter
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid Session ID.
user User name.
group The group name.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
service The service where the event or activity occurred.
profiletype The type of profile responsible for the UTM action taken.
profile The name of the profile that was used to detect and take action.
hostname The hostname information.
status The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.
reqtype The request type, either direct or referral.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
msg "The HTTP request contained an invalid domain name."
12548
Message ID: 012548
Message Description: URL filter invalid hostname (Block/HTTPS)
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): urlfilter
Level/Severity: notice
Log field Meaning
type utm
subtype webfilter
eventtype urlfilter
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid Session ID.
user User name.
group The group name.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
service The service where the event or activity occurred.
profiletype The type of profile responsible for the UTM action taken.
profile The name of the profile that was used to detect and take action.
hostname The hostname information.
status The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.
reqtype The request type, either direct or referral.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
msg "The certificate for the HTTPS session contained an invalid domain name."
12549
Message ID: 012549
Message Description: URL filter invalid hostname (Filter/HTTP)
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): urlfilter
Level/Severity: information
Log field Meaning
type utm
subtype webfilter
eventtype urlfilter
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid Session ID.
user User name.
group The group name.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
service The service where the event or activity occurred.
profiletype The type of profile responsible for the UTM action taken.
profile The name of the profile that was used to detect and take action.
hostname The hostname information.
status The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.
reqtype The request type, either direct or referral.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
msg "The HTTP request contained an invalid domain name. The session has been filtered by IP only."
12550
Message ID: 012550
Message Description: URL filter invalid hostname (Filter/HTTPS)
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): urlfilter
Level/Severity: information
Log field Meaning
type utm
subtype webfilter
eventtype urlfilter
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid Session ID.
user User name.
group The group name.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
service The service where the event or activity occurred.
profiletype The type of profile responsible for the UTM action taken.
profile The name of the profile that was used to detect and take action.
hostname The hostname information.
status The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.
reqtype The request type, either direct or referral.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
msg "The certificate for this HTTPS session contained an invalid domain name. The session has been filtered by IP only."
12553
Message ID: 012553
Message Description: Server certificate validation failed
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): urlfilter
Level/Severity: notice
Log field Meaning
type utm
subtype webfilter
eventtype urlfilter
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid Session ID.
user User name.
group The group name.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
service The service where the event or activity occurred.
profiletype The type of profile responsible for the UTM action taken.
profile The name of the profile that was used to detect and take action.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
msg "The server certificate validation failed."
12554
Message ID: 012554
Message Description: Unknown SSL session ID
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): urlfilter
Level/Severity: notice
Log field Meaning
type utm
subtype webfilter
eventtype urlfilter
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid Session ID.
user User name.
group The group name.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
profiletype The type of profile responsible for the UTM action taken.
profile The name of the profile that was used to detect and take action.
service The service where the event or activity occurred.
status The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
msg "The SSL session was blocked because the session ID was unknown."
12555
Message ID: 012555
Message Description: SSL session blocked due to invalid/missing server certificate
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): urlfilter
Level/Severity: notice
Log field Meaning
type utm
subtype webfilter
eventtype urlfilter
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid Session ID.
user User name.
group The group name.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
profiletype The type of profile responsible for the UTM action taken.
profile The name of the profile that was used to detect and take action.
service The service where the event or activity occurred.
status The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
msg "The SSL session was blocked because the server certificate was missing or invalid."
12556
Message ID: 012556
Message Description: SSL session ignored due to invalid/missing server certificate
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): urlfilter
Level/Severity: notice
Log field Meaning
type utm
subtype webfilter
eventtype urlfilter
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid Session ID.
user User name.
group The group name.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
profiletype The type of profile responsible for the UTM action taken.
profile The name of the profile that was used to detect and take action.
service The service where the event or activity occurred.
status The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
msg "The SSL session was ignored because the server certificate was missing or invalid."
12557
Message ID: 012557
Message Description: FortiGuard service inactive
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): urlfilter
Level/Severity: critical
Log field Meaning
type utm
subtype webfilter
eventtype urlfilter
level critical
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
msg "FortiGuard is enabled in the protection profile but the FortiGuard service is not enabled."
12558
Message ID: 012558
Message Description: Rating error occurs
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): urlfilter
Level/Severity: information
Log field Meaning
type utm
subtype webfilter
eventtype urlfilter
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
user User name.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
urltype URL type. One of: HTTP, HTTPS, FTP, Telnet, mail, phishing.
hostname The hostname information.
status The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.
error Error.
url The URL address.
msg "Policy allows URLs when a rating error occurs."
12559
Message ID: 012559
Message Description: URL filter pass
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): urlfilter
Level/Severity: information
Log field Meaning
type utm
subtype webfilter
eventtype urlfilter
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
urlfilteridx URL filter index.
urlfilterlist URL filter list name.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid Session ID.
initiator The initiator name.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
service The service where the event or activity occurred.
hostname The hostname information.
profiletype The type of profile responsible for the UTM action taken.
profile The name of the profile that was used to detect and take action.
status The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.
reqtype The request type, either direct or referral.
url The URL address.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
msg "URL was passed because it is in the URL filter list."
12800
Message ID: 012800
Message Description: FortiGuard webfilter error
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): ftgd_err
Level/Severity: error
Log field Meaning
type utm
subtype webfilter
eventtype ftgd_err
level error
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid Session ID.
initiator The initiator name.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
service The service where the event or activity occurred.
hostname The hostname information.
profiletype The type of profile responsible for the UTM action taken.
profile The name of the profile that was used to detect and take action.
status The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.
reqtype The request type, either direct or referral.
url The URL address.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
error Error.
msg "A rating error occurred."
12801
Message ID: 012801
Message Description: FortiGuard webfilter error
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): ftgd_err
Level/Severity: warning
Log field Meaning
type utm
subtype webfilter
eventtype ftgd_err
level warning
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid Session ID.
initiator The initiator name.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
service The service where the event or activity occurred.
hostname The hostname information.
profiletype The type of profile responsible for the UTM action taken.
profile The name of the profile that was used to detect and take action.
status The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.
reqtype The request type, either direct or referral.
url The URL address.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
error Error.
msg "A rating error occurred."
12802
Message ID: 012802
Message Description: Daily fortiguard quota status
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): ftgd_quota
Level/Severity: information
Log field Meaning
type utm
subtype webfilter
eventtype ftgd_quota
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
quotaexceeded Quota exceeded: yes or no.
quotatype The quota type, either: time or traffic.
quotaused Quota time used (in seconds).
quotamax Maximum quota time allowed (in seconds).
catdesc The category description.
user User name.
profile The name of the profile that was used to detect and take action.
13056
Message ID: 013056
Message Description: FortiGuard webfilter category block
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): ftgd_blk
Level/Severity: warning
Log field Meaning
type utm
subtype webfilter
eventtype ftgd_blk
level warning
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid Session ID.
initiator The initiator name.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
service The service where the event or activity occurred.
hostname The hostname information.
profiletype The type of profile responsible for the UTM action taken.
profile The name of the profile that was used to detect and take action.
status The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.
reqtype The request type, either direct or referral.
url The URL address.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
method The method information.
class The class.
classdesc The class description.
cat The category.
catdesc The category description.
msg "URL belongs to a denied category in policy."
13057
Message ID: 013057
Message Description: FortiGuard webfilter category block
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): ftgd_blk
Level/Severity: warning
Log field Meaning
type utm
subtype webfilter
eventtype ftgd_blk
level warning
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid Session ID.
initiator The initiator name.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
service The service where the event or activity occurred.
hostname The hostname information.
profiletype The type of profile responsible for the UTM action taken.
profile The name of the profile that was used to detect and take action.
status The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.
reqtype The request type, either direct or referral.
url The URL address.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
method The method information.
class The class.
classdesc The class description.
cat The category.
catdesc The category description.
msg "URL belongs to a category with warnings enabled."
13312
Message ID: 013312
Message Description: FortiGuard webfilter category allow
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): ftgd_allow
Level/Severity: notice
Log field Meaning
type utm
subtype webfilter
eventtype ftgd_allow
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid Session ID.
initiator The initiator name.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
service The service where the event or activity occurred.
hostname The hostname information.
profiletype The type of profile responsible for the UTM action taken.
profile The name of the profile that was used to detect and take action.
status The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.
reqtype The request type, either direct or referral.
url The URL address.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
method The method information.
class The class.
classdesc The class description.
cat The category.
catdesc The category description.
msg "URL belongs to a allowed category in policy."
13313
Message ID: 013313
Message Description: FortiGuard webfilter allow
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): ftgd_allow
Level/Severity: notice
Log field Meaning
type utm
subtype webfilter
eventtype ftgd_allow
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid Session ID.
initiator The initiator name.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
service The service where the event or activity occurred.
hostname The hostname information.
profiletype The type of profile responsible for the UTM action taken.
profile The name of the profile that was used to detect and take action.
status The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.
reqtype The request type, either direct or referral.
url The URL address.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
method The method information.
class The class.
classdesc The class description.
cat The category.
catdesc The category description.
mode Mode.
ruletype Rule type. One of: Directory, domain, rating, unhandled.
ruledata Rule data.
ovrdtbl Override table name.
ovrdid Override ID.
msg "URL belongs to an override rule."
13314
Message ID: 013314
Message Description: FortiGuard webfilter allow
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): ftgd_allow
Level/Severity: information
Log field Meaning
type utm
subtype webfilter
eventtype ftgd_allow
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid Session ID.
initiator The initiator name.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
service The service where the event or activity occurred.
hostname The hostname information.
profiletype The type of profile responsible for the UTM action taken.
profile The name of the profile that was used to detect and take action.
status The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.
reqtype The request type, either direct or referral.
url The URL address.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
method The method information.
class The class.
classdesc The class description.
cat The category.
catdesc The category description.
mode Mode.
ruletype Rule type. One of: Directory, domain, rating, unhandled.
ruledata Rule data.
ovrdtbl Override table name.
ovrdid Override ID.
msg "URL belongs to an override rule."
13315
Message ID: 013315
Message Description: FortiGuard webfilter category quota counting
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): ftgd_quota_counting
Level/Severity: notice
Log field Meaning
type utm
subtype webfilter
eventtype ftgd_quota_counting
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid Session ID.
initiator The initiator name.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
service The service where the event or activity occurred.
hostname The hostname information.
profiletype The type of profile responsible for the UTM action taken.
profile The name of the profile that was used to detect and take action.
status The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.
reqtype The request type, either direct or referral.
url The URL address.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
method The method information.
class The class.
classdesc The class description.
cat The category.
catdesc The category description.
quotatype The quota type, either: time or traffic.
quotaused Quota time used (in seconds).
quotamax Maximum quota time allowed (in seconds).
msg "Webfilter quota has begun counting."
13316
Message ID: 013316
Message Description: FortiGuard webfilter category quota expired
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): urlfilter
Level/Severity: warning
Log field Meaning
type utm
subtype webfilter
eventtype urlfilter
level warning
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid Session ID.
initiator The initiator name.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
service The service where the event or activity occurred.
hostname The hostname information.
profiletype The type of profile responsible for the UTM action taken.
profile The name of the profile that was used to detect and take action.
status The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.
reqtype The request type, either direct or referral.
url The URL address.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
method The method information.
class The class.
classdesc The class description.
cat The category.
catdesc The category description.
quotatype The quota type, either: time or traffic.
quotaused Quota time used (in seconds).
quotamax Maximum quota time allowed (in seconds).
msg "Webfilter quota for category has expired."
13317
Message ID: 013317
Message Description: URL visited
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): urlfilter
Level/Severity: notice
Log field Meaning
type utm
subtype webfilter
eventtype urlfilter
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid Session ID.
initiator The initiator name.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
service The service where the event or activity occurred.
hostname The hostname information.
profiletype The type of profile responsible for the UTM action taken.
profile The name of the profile that was used to detect and take action.
status The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.
reqtype The request type, either direct or referral.
url The URL address.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
method The method information.
class The class.
classdesc The class description.
cat The category.
catdesc The category description.
msg "URL has been visited."
13568
Message ID: 013568
Message Description: Web script filter ActiveX
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): activexfilter
Level/Severity: notice
Log field Meaning
type utm
subtype webfilter
eventtype activexfilter
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid Session ID.
initiator The initiator name.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
service The service where the event or activity occurred.
hostname The hostname information.
profiletype The type of profile responsible for the UTM action taken.
profile The name of the profile that was used to detect and take action.
status The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.
reqtype The request type, either direct or referral.
url The URL address.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
count Number of packets.
msg "ActiveX script was removed."
13573
Message ID: 013573
Message Description: Web script filter cookie
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): cookiefilter
Level/Severity: notice
Log field Meaning
type utm
subtype webfilter
eventtype cookiefilter
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid Session ID.
initiator The initiator name.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
service The service where the event or activity occurred.
hostname The hostname information.
profiletype The type of profile responsible for the UTM action taken.
profile The name of the profile that was used to detect and take action.
status The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.
reqtype The request type, either direct or referral.
url The URL address.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
msg "Cookie was removed."
13584
Message ID: 013584
Message Description: Web script filter applet
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): appletfilter
Level/Severity: notice
Log field Meaning
type utm
subtype webfilter
eventtype appletfilter
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid Session ID.
initiator The initiator name.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
service The service where the event or activity occurred.
hostname The hostname information.
profiletype The type of profile responsible for the UTM action taken.
profile The name of the profile that was used to detect and take action.
status The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.
reqtype The request type, either direct or referral.
url The URL address.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
count Number of packets.
msg "Java applet was removed."
13601
Message ID: 013601
Message Description: Web cookie filter
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): cookiefilter
Level/Severity: notice
Log field Meaning
type utm
subtype webfilter
eventtype cookiefilter
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid Session ID.
initiator The initiator name.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
service The service where the event or activity occurred.
hostname The hostname information.
profiletype The type of profile responsible for the UTM action taken.
profile The name of the profile that was used to detect and take action.
status The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.
reqtype The request type, either direct or referral.
url The URL address.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
count Number of packets.
filtertype The script filter type. Can be: N/A, jscript, javascript, vbscript, or unknown.
msg "Cookie was removed entirely."
13602
Message ID: 013602
Message Description: Web referer filter
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): cookiefilter
Level/Severity: notice
Log field Meaning
type utm
subtype webfilter
eventtype cookiefilter
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid Session ID.
initiator The initiator name.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
service The service where the event or activity occurred.
hostname The hostname information.
profiletype The type of profile responsible for the UTM action taken.
profile The name of the profile that was used to detect and take action.
status The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.
reqtype The request type, either direct or referral.
url The URL address.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
count Number of packets.
filtertype The script filter type. Can be: N/A, jscript, javascript, vbscript, or unknown.
msg "Referer was removed from request."
13603
Message ID: 013603
Message Description: Command blocked
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): webfilter_command_block
Level/Severity: warning
Log field Meaning
type utm
subtype webfilter
eventtype webfilter_command_block
level warning
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid Session ID.
initiator The initiator name.
user User name.
group The group name.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
profiletype The type of profile responsible for the UTM action taken.
profile The name of the profile that was used to detect and take action.
hostname The hostname information.
status The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.
service The service where the event or activity occurred.
reqtype The request type, either direct or referral.
msg "Command blocked."
13616
Message ID: 013616
Message Description: Content type blocked
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): content
Level/Severity: warning
Log field Meaning
type utm
subtype webfilter
eventtype content
level warning
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid Session ID.
initiator The initiator name.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
service The service where the event or activity occurred.
hostname The hostname information.
profiletype The type of profile responsible for the UTM action taken.
profile The name of the profile that was used to detect and take action.
reqtype The request type, either direct or referral.
url The URL address.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
status The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.
agent Agent.
from Source identifier.
to Destination identifier.
contenttype Content type.
msg "Blocked by HTTP Header Content Type."
IPS
16384
Message ID: 016384
Message Description: attack signature (tcp/udp)
Type (type): utm
Subtype (subtype): ips
Event Type (eventtype): signature
Level/Severity: alert
Log field Meaning
type utm
subtype ips
eventtype signature
level alert
date The date at which the log was recorded.
time The time at which the log was recorded.
severity The priority level of the attack log. Can be info, low, medium, high, or critical.
srcip The source IP.
dstip The destination IP.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstintf The destination interface.
policyid The ID number of the firewall policy that applies to the session or packet.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
custom Custom field.
sessionid Session ID.
status The status of the packet that was flagged as part of an attack. Can be detected, dropped, or reset.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
service The service where the event or activity occurred.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
count Number of packets.
attackname Attack name.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
attackid The identification number of the attack log message.
sensor Sensor.
ref URL of the FortiGuard IPS database entry for the attack.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
incidentserialno Incident serial number.
16385
Message ID: 016385
Message Description: attack signature (icmp)
Type (type): utm
Subtype (subtype): ips
Event Type (eventtype): signature
Level/Severity: alert
Log field Meaning
type utm
subtype ips
eventtype signature
level alert
date The date at which the log was recorded.
time The time at which the log was recorded.
severity The priority level of the attack log. Can be info, low, medium, high, or critical.
srcip The source IP.
dstip The destination IP.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstintf The destination interface.
policyid The ID number of the firewall policy that applies to the session or packet.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
custom Custom field.
sessionid Session ID.
status The status of the packet that was flagged as part of an attack. Can be detected, dropped, or reset.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
service The service where the event or activity occurred.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
count Number of packets.
attackname Attack name.
icmpid The source port of the ICMP message.
icmptype The type of ICMP message.
icmpcode The destination port of the ICMP message.
attackid The identification number of the attack log message.
sensor Sensor.
ref URL of the FortiGuard IPS database entry for the attack.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
incidentserialno Incident serial number.
16386
Message ID: 016386
Message Description: attack signature (others)
Type (type): utm
Subtype (subtype): ips
Event Type (eventtype): signature
Level/Severity: alert
Log field Meaning
type utm
subtype ips
eventtype signature
level alert
date The date at which the log was recorded.
time The time at which the log was recorded.
severity The priority level of the attack log. Can be info, low, medium, high, or critical.
srcip The source IP.
dstip The destination IP.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstintf The destination interface.
policyid The ID number of the firewall policy that applies to the session or packet.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
custom Custom field.
sessionid Session ID.
status The status of the packet that was flagged as part of an attack. Can be detected, dropped, or reset.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
service The service where the event or activity occurred.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
count Number of packets.
attackname Attack name.
attackid The identification number of the attack log message.
sensor Sensor.
ref URL of the FortiGuard IPS database entry for the attack.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
incidentserialno Incident serial number.
18432
Message ID: 018432
Message Description: attack anomaly (tcp/udp)
Type (type): utm
Subtype (subtype): ips
Event Type (eventtype): anomaly
Level/Severity: alert
Log field Meaning
type utm
subtype ips
eventtype anomaly
level alert
date The date at which the log was recorded.
time The time at which the log was recorded.
severity The priority level of the attack log. Can be info, low, medium, high, or critical.
srcip The source IP.
dstip The destination IP.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstintf The destination interface.
policyid The ID number of the firewall policy that applies to the session or packet.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
custom Custom field.
sessionid Session ID.
status The status of the packet that was flagged as part of an attack. Can be detected, dropped, or reset.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
service The service where the event or activity occurred.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
count Number of packets.
attackname Attack name.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
attackid The identification number of the attack log message.
sensor Sensor.
ref URL of the FortiGuard IPS database entry for the attack.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
incidentserialno Incident serial number.
18433
Message ID: 018433
Message Description: attack anomaly (icmp)
Type (type): utm
Subtype (subtype): ips
Event Type (eventtype): anomaly
Level/Severity: alert
Log field Meaning
type utm
subtype ips
eventtype anomaly
level alert
date The date at which the log was recorded.
time The time at which the log was recorded.
severity The priority level of the attack log. Can be info, low, medium, high, or critical.
srcip The source IP.
dstip The destination IP.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstintf The destination interface.
policyid The ID number of the firewall policy that applies to the session or packet.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
custom Custom field.
sessionid Session ID.
status The status of the packet that was flagged as part of an attack. Can be detected, dropped, or reset.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
service The service where the event or activity occurred.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
count Number of packets.
attackname Attack name.
icmpid The source port of the ICMP message.
icmptype The type of ICMP message.
icmpcode The destination port of the ICMP message.
attackid The identification number of the attack log message.
sensor Sensor.
ref URL of the FortiGuard IPS database entry for the attack.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
incidentserialno Incident serial number.
18434
Message ID: 018434
Message Description: attack anomaly (others)
Type (type): utm
Subtype (subtype): ips
Event Type (eventtype): anomaly
Level/Severity: alert
Log field Meaning
type utm
subtype ips
eventtype anomaly
level alert
date The date at which the log was recorded.
time The time at which the log was recorded.
severity The priority level of the attack log. Can be info, low, medium, high, or critical.
srcip The source IP.
dstip The destination IP.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstintf The destination interface.
policyid The ID number of the firewall policy that applies to the session or packet.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
custom Custom field.
sessionid Session ID.
status The status of the packet that was flagged as part of an attack. Can be detected, dropped, or reset.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
service The service where the event or activity occurred.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
count Number of packets.
attackname Attack name.
attackid The identification number of the attack log message.
sensor Sensor.
ref URL of the FortiGuard IPS database entry for the attack.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
incidentserialno Incident serial number.
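A triage pass over the IPS records documented above (signature 16384 to 16386, anomaly 18432 to 18434), as an added example that is not part of the Fortinet reference. It assumes records arrive as space-separated key=value pairs with double-quoted values, and it treats status=detected as the outcome to follow up; the sample lines, addresses and attack names are constructed.

```python
import re
from collections import defaultdict

# Assumption: one record per line, space-separated key=value pairs, values
# containing spaces wrapped in double quotes.
PAIR = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S*))')

# Value sets taken from the field tables: severity and IPS status.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
IPS_STATUSES = {"detected", "dropped", "reset"}

# Constructed sample records (documentation address ranges, made-up attack names).
SAMPLE_LINES = [
    'date=2015-03-13 time=10:00:01 type=utm subtype=ips eventtype=signature level=alert '
    'severity=high srcip=192.0.2.10 dstip=198.51.100.5 status=detected proto=6 vd="root" '
    'count=3 attackname="Example.Signature.A" srcport=40000 dstport=80 attackid=1001',
    'date=2015-03-13 time=10:00:09 type=utm subtype=ips eventtype=signature level=alert '
    'severity=high srcip=192.0.2.10 dstip=198.51.100.5 status=detected proto=6 vd="root" '
    'count=2 attackname="Example.Signature.A" srcport=40001 dstport=8080 attackid=1001',
    'date=2015-03-13 time=10:01:00 type=utm subtype=ips eventtype=signature level=alert '
    'severity=critical srcip=192.0.2.11 dstip=198.51.100.5 status=dropped proto=6 '
    'count=1 attackname="Example.Signature.A" srcport=40002 dstport=80 attackid=1001',
    'date=2015-03-13 time=10:02:00 type=utm subtype=ips eventtype=anomaly level=alert '
    'severity=critical srcip=203.0.113.7 dstip=198.51.100.5 status=detected proto=1 '
    'count=1 attackname="Example.Anomaly.B" icmpid=0x0001 icmptype=0x08 icmpcode=0x00',
    'date=2015-03-13 time=10:03:00 type=utm subtype=ips eventtype=signature level=alert '
    'severity=low srcip=192.0.2.12 dstip=198.51.100.5 status=detected proto=6 '
    'count=1 attackname="Example.Signature.C" srcport=40003 dstport=80 attackid=1003',
    'date=2015-03-13 time=10:04:00 type=utm subtype=webfilter eventtype=activexfilter '
    'level=notice srcip=192.0.2.13 status=blocked msg="ActiveX script was removed."',
    'date=2015-03-13 time=10:05:00 type=utm subtype=ips eventtype=signature level=alert '
    'severity=high srcip=192.0.2.14 dstip=198.51.100.5 status=passthrough proto=6 '
    'count=1 attackname="Example.Signature.A" srcport=40004 dstport=80 attackid=1001',
]


def parse_record(line):
    """Split one key=value record into a dict of strings."""
    fields = {}
    for match in PAIR.finditer(line):
        key, quoted, bare = match.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def endpoint_detail(rec):
    """ICMP records carry icmpid/icmptype/icmpcode; TCP/UDP ones carry ports."""
    if "icmptype" in rec:
        return "icmp id=%s type=%s code=%s" % (
            rec.get("icmpid", "?"), rec["icmptype"], rec.get("icmpcode", "?"))
    if "srcport" in rec or "dstport" in rec:
        return "port %s -> %s" % (rec.get("srcport", "0"), rec.get("dstport", "0"))
    return "proto %s" % rec.get("proto", "?")


def triage(lines, min_severity="high"):
    """Group IPS events that were only detected, at or above min_severity.

    Returns (ranked, rejected): ranked is a list of ((srcip, attackname), stats)
    ordered by packet count; rejected holds IPS lines whose status or severity
    is outside the documented value sets, so they are surfaced, not dropped.
    """
    floor = SEVERITY_RANK[min_severity]
    hits = defaultdict(lambda: {"events": 0, "packets": 0, "detail": set()})
    rejected = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("type") != "utm" or rec.get("subtype") != "ips":
            continue  # webfilter, spam and other subtypes are out of scope here
        status, severity = rec.get("status"), rec.get("severity")
        if status not in IPS_STATUSES or severity not in SEVERITY_RANK:
            rejected.append(line)
            continue
        if status != "detected" or SEVERITY_RANK[severity] < floor:
            continue
        count = rec.get("count", "")
        entry = hits[(rec.get("srcip", "?"), rec.get("attackname", "?"))]
        entry["events"] += 1
        entry["packets"] += int(count) if count.isdigit() else 1
        entry["detail"].add(endpoint_detail(rec))
    ranked = sorted(hits.items(), key=lambda kv: (-kv[1]["packets"], kv[0]))
    return ranked, rejected


if __name__ == "__main__":
    ranked, rejected = triage(SAMPLE_LINES)
    for (srcip, attack), stats in ranked:
        print(srcip, attack, stats["events"], stats["packets"], sorted(stats["detail"]))
    print("rejected:", len(rejected))
```

Records with an undocumented status or severity are returned separately so that a parsing or version mismatch shows up in review instead of silently shrinking the result.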
Spam
20480
Message ID: 020480
Message Description: antispam smtp (warning)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): smtp
Level/Severity: notice
Log field Meaning
type utm
subtype spam
eventtype smtp
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid Session ID.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
service The service where the event or activity occurred.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
status The status of the email message. One of: exempted, blocked, or detected.
from Source identifier.
to Destination identifier.
tracker Tracker ID.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
20481
Message ID: 020481
Message Description: antispam smtp (warning)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): smtp
Level/Severity: notice
Log field Meaning
type utm
subtype spam
eventtype smtp
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid Session ID.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
service The service where the event or activity occurred.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
status The status of the email message. One of: exempted, blocked, or detected.
from Source identifier.
to Destination identifier.
tracker Tracker ID.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
banword Banned word flagged in the message.
subject Subject.
20482
Message ID: 020482
Message Description: antispam pop3 (warning)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): pop3
Level/Severity: notice
Log field Meaning
type utm
subtype spam
eventtype pop3
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
sessionid Session ID.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
service The service where the event or activity occurred.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
status The status of the email message. One of: exempted, blocked, or detected.
from Source identifier.
to Destination identifier.
tracker Tracker ID.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
20483
Message ID: 020483
Message Description: antispam pop3 (warning)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): pop3
Level/Severity: notice
Log field Meaning
type utm
subtype spam
eventtype pop3
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
sessionid Session ID.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
service The service where the event or activity occurred.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
status The status of the email message. One of: exempted, blocked, or detected.
from Source identifier.
to Destination identifier.
tracker Tracker ID.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
banword Banned word flagged in the message.
20484
Message ID: 020484
Message Description: antispam imap (notice)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): imap
Level/Severity: notice
Log field Meaning
type utm
subtype spam
eventtype imap
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
sessionid Session ID.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
service The service where the event or activity occurred.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
status The status of the email message. One of: exempted, blocked, or detected.
from Source identifier.
to Destination identifier.
tracker Tracker ID.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
20485
Message ID: 020485
Message Description: antispam endpoint filter (warning)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): endpointfilter
Level/Severity: warning
Log field Meaning
type utm
subtype spam
eventtype endpointfilter
level warning
date The date at which the log was recorded.
time The time at which the log was recorded.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
sessionid Session ID.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
service The service where the event or activity occurred.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
status The status of the email message. One of: exempted, blocked, or detected.
from Source identifier.
to Destination identifier.
tracker Tracker ID.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
20486
Message ID: 020486
Message Description: antispam endpoint filter (notice)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): endpointfilter
Level/Severity: notice
Log field Meaning
type utm
subtype spam
eventtype endpointfilter
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
sessionid Session ID.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
service The service where the event or activity occurred.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
status The status of the email message. One of: exempted, blocked, or detected.
from Source identifier.
to Destination identifier.
tracker Tracker ID.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
20487
Message ID: 020487
Message Description: antispam endpoint filter (mm7 warning)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): endpointfilter
Level/Severity: warning
Log field Meaning
type utm
subtype spam
eventtype endpointfilter
level warning
date The date at which the log was recorded.
time The time at which the log was recorded.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
sessionid Session ID.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
service The service where the event or activity occurred.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
status The status of the email message. One of: exempted, blocked, or detected.
from Source identifier.
to Destination identifier.
tracker Tracker ID.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
agent Agent.
20488
Message ID: 020488
Message Description: antispam endpoint filter (mm7 notice)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): endpointfilter
Level/Severity: notice
Log field Meaning
type utm
subtype spam
eventtype endpointfilter
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
sessionid Session ID.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
service The service where the event or activity occurred.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
status The status of the email message. One of: exempted, blocked, or detected.
from Source identifier.
to Destination identifier.
tracker Tracker ID.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
agent Agent.
20489
Message ID: 020489
Message Description: antispam endpoint filter (mm1 warning)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): endpointfilter
Level/Severity: warning
Log field Meaning
type utm
subtype spam
eventtype endpointfilter
level warning
date The date at which the log was recorded.
time The time at which the log was recorded.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
sessionid Session ID.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
service The service where the event or activity occurred.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
status The status of the email message. One of: exempted, blocked, or detected.
from Source identifier.
to Destination identifier.
tracker Tracker ID.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
direction The direction of the message. Either tx or rx.
agent Agent.
20490
Message ID: 020490
Message Description: antispam endpoint filter (mm1 notice)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): endpointfilter
Level/Severity: notice
Log field Meaning
type utm
subtype spam
eventtype endpointfilter
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
sessionid Session ID.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
service The service where the event or activity occurred.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
status The status of the email message. One of: exempted, blocked, or detected.
from Source identifier.
to Destination identifier.
tracker Tracker ID.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
direction The direction of the message. Either tx or rx.
agent Agent.
20491
Message ID: 020491
Message Description: antispam imap banned-word (notice)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): imap
Level/Severity: notice
Log field Meaning
type utm
subtype spam
eventtype imap
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
sessionid Session ID.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
service The service where the event or activity occurred.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
status The status of the email message. One of: exempted, blocked, or detected.
from Source identifier.
to Destination identifier.
tracker Tracker ID.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
banword Banned word flagged in the message.
subject Subject.
20492
Message ID: 020492
Message Description: antispam MM1 flood detection (warning)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): mms
Level/Severity: warning
Log field Meaning
type utm
subtype spam
eventtype mms
level warning
date The date at which the log was recorded.
time The time at which the log was recorded.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
sessionid Session ID.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
service The service where the event or activity occurred.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
status The status of the email message. One of: exempted, blocked, or detected.
from Source identifier.
to Destination identifier.
tracker Tracker ID.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
direction The direction of the message. Either tx or rx.
agent Agent.
20493
Message ID: 020493
Message Description: antispam MM1 flood detection (notice)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): mms
Level/Severity: notice
Log field Meaning
type utm
subtype spam
eventtype mms
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
sessionid Session ID.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
service The service where the event or activity occurred.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
status The status of the email message. One of: exempted, blocked, or detected.
from Source identifier.
to Destination identifier.
tracker Tracker ID.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
direction The direction of the message. Either tx or rx.
agent Agent.
20494
Message ID: 020494
Message Description: antispam MM4 flood detection (warning)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): mms
Level/Severity: warning
Log field Meaning
type utm
subtype spam
eventtype mms
level warning
date The date at which the log was recorded.
time The time at which the log was recorded.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
sessionid Session ID.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
service The service where the event or activity occurred.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
status The status of the email message. One of: exempted, blocked, or detected.
from Source identifier.
to Destination identifier.
tracker Tracker ID.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
20495
Message ID: 020495
Message Description: antispam MM4 flood detection (notice)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): mms
Level/Severity: notice
Log field Meaning
type utm
subtype spam
eventtype mms
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
sessionid Session ID.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
service The service where the event or activity occurred.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
status The status of the email message. One of: exempted, blocked, or detected.
from Source identifier.
to Destination identifier.
tracker Tracker ID.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
20496
Message ID: 020496
Message Description: antispam MM1 duplicate detection (warning)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): mms
Level/Severity: warning
Log field Meaning
type utm
subtype spam
eventtype mms
level warning
date The date at which the log was recorded.
time The time at which the log was recorded.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
sessionid Session ID.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
service The service where the event or activity occurred.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
status The status of the email message. One of: exempted, blocked, or detected.
from Source identifier.
to Destination identifier.
tracker Tracker ID.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
direction The direction of the traffic: incoming, outgoing, or N/A.
agent Agent.
20497
Message ID: 020497
Message Description: antispam MM1 duplicate detection (notice)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): mms
Level/Severity: notice
Log field Meaning
type utm
subtype spam
eventtype mms
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
sessionid Session ID.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
service The service where the event or activity occurred.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
status The status of the email message. One of: exempted, blocked, or detected.
from Source identifier.
to Destination identifier.
tracker Tracker ID.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
direction The direction of the traffic: incoming, outgoing, or N/A.
agent Agent.
20498
Message ID: 020498
Message Description: antispam MM4 duplicate detection (warning)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): mms
Level/Severity: warning
Log field Meaning
type utm
subtype spam
eventtype mms
level warning
date The date at which the log was recorded.
time The time at which the log was recorded.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
sessionid Session ID.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
service The service where the event or activity occurred.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
status The status of the email message. One of: exempted, blocked, or detected.
from Source identifier.
to Destination identifier.
tracker Tracker ID.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
20499
Message ID: 020499
Message Description: antispam MM4 duplicate detection (notice)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): mms
Level/Severity: notice
Log field Meaning
type utm
subtype spam
eventtype mms
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
sessionid Session ID.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
service The service where the event or activity occurred.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
status The status of the email message. One of: exempted, blocked, or detected.
from Source identifier.
to Destination identifier.
tracker Tracker ID.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
20500
Message ID: 020500
Message Description: antispam msn hotmail (notice)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): msn
Level/Severity: information
Log field Meaning
type utm
subtype spam
eventtype msn
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
sessionid Session ID.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
service The service where the event or activity occurred.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
status The status of the email message. One of: exempted, blocked, or detected.
from Source identifier.
to Destination identifier.
tracker Tracker ID.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
subject Subject.
size The size of the message/attachments.
cc Alternate destination addresses.
attachment Email attachment.
20501
Message ID: 020501
Message Description: antispam yahoo mail (notice)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): yahoo
Level/Severity: information
Log field Meaning
type utm
subtype spam
eventtype yahoo
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
sessionid Session ID.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
service The service where the event or activity occurred.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
status The status of the email message. One of: exempted, blocked, or detected.
from Source identifier.
to Destination identifier.
tracker Tracker ID.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
subject Subject.
size The size of the message/attachments.
cc Alternate destination addresses.
attachment Email attachment.
20502
Message ID: 020502
Message Description: antispam gmail (notice)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): google
Level/Severity: information
Log field Meaning
type utm
subtype spam
eventtype google
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
sessionid Session ID.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
service The service where the event or activity occurred.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
status The status of the email message. One of: exempted, blocked, or detected.
from Source identifier.
to Destination identifier.
tracker Tracker ID.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
subject Subject.
size The size of the message/attachments.
cc Alternate destination addresses.
attachment Email attachment.
20503
Message ID: 020503
Message Description: antispam smtp general (info)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): smtp
Level/Severity: information
Log field Meaning
type utm
subtype spam
eventtype smtp
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
sessionid Session ID.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
service The service where the event or activity occurred.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
status The status of the email message. One of: exempted, blocked, or detected.
from Source identifier.
to Destination identifier.
tracker Tracker ID.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
banword Banned word flagged in the message.
subject Subject.
size The size of the message/attachments.
cc Alternate destination addresses.
attachment Email attachment.
20504
Message ID: 020504
Message Description: antispam pop3 general (info)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): pop3
Level/Severity: information
Log field Meaning
type utm
subtype spam
eventtype pop3
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
sessionid Session ID.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
service The service where the event or activity occurred.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
status The status of the email message. One of: exempted, blocked, or detected.
from Source identifier.
to Destination identifier.
tracker Tracker ID.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
banword Banned word flagged in the message.
subject Subject.
size The size of the message/attachments.
cc Alternate destination addresses.
attachment Email attachment.
20505
Message ID: 020505
Message Description: antispam imap general (info)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): imap
Level/Severity: information
Log field Meaning
type utm
subtype spam
eventtype imap
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
sessionid Session ID.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
service The service where the event or activity occurred.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
status The status of the email message. One of: exempted, blocked, or detected.
from Source identifier.
to Destination identifier.
tracker Tracker ID.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
banword Banned word flagged in the message.
subject Subject.
size The size of the message/attachments.
cc Alternate destination addresses.
attachment Email attachment.
20506
Message ID: 020506
Message Description: antispam mapi (warning)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): mapi
Level/Severity: information
Log field Meaning
type utm
subtype spam
eventtype mapi
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
sessionid Session ID.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
service The service where the event or activity occurred.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
status The status of the email message. One of: exempted, blocked, or detected.
from Source identifier.
to Destination identifier.
tracker Tracker ID.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
subject Subject.
size The size of the message/attachments.
20507
Message ID: 020507
Message Description: antispam mapi (warning)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): mapi
Level/Severity: notice
Log field Meaning
type utm
subtype spam
eventtype mapi
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
sessionid Session ID.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
service The service where the event or activity occurred.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
status The status of the email message. One of: exempted, blocked, or detected.
from Source identifier.
to Destination identifier.
tracker Tracker ID.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
banword Banned word flagged in the message.
20508
Message ID: 020508
Message Description: antispam mapi (warning)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): mapi
Level/Severity: notice
Log field Meaning
type utm
subtype spam
eventtype mapi
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
sessionid Session ID.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
service The service where the event or activity occurred.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
status The status of the email message. One of: exempted, blocked, or detected.
from Source identifier.
to Destination identifier.
tracker Tracker ID.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
subject Subject.
size The size of the message/attachments.
DLP
24576
Message ID: 024576
Message Description: DLP log (Warning)
Type (type): utm
Subtype (subtype): dlp
Event Type (eventtype): dlp
Level/Severity: warning
Log field Meaning
type utm
subtype dlp
eventtype dlp
level warning
date The date at which the log was recorded.
time The time at which the log was recorded.
filteridx The filter index.
dlpextra Extra DLP information.
filtertype DLP filter type. One of the following: credit-card, ssn, regexp, file-size, file-type, watermark, encrypted, none.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid The ID number of the firewall policy that applies to the session or packet.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
sessionid Session ID.
epoch Epoch.
eventid Serial number.
user User name.
group The group name.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
service The service where the event or activity occurred.
filetype The filetype of the affected file.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
hostname The hostname information.
url The URL address.
from Source identifier.
to Destination identifier.
subject Subject.
file The name of the file.
action Action taken by the FortiGate unit. One of the following: log-only, block, exempt, ban, ban sender, quarantine ip, quarantine interface.
profile The name of the profile that was used to detect and take action.
24577
Message ID: 024577
Message Description: DLP log (Notice)
Type (type): utm
Subtype (subtype): dlp
Event Type (eventtype): dlp
Level/Severity: notice
Log field Meaning
type utm
subtype dlp
eventtype dlp
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
filteridx The filter index.
dlpextra Extra DLP information.
filtertype DLP filter type. One of the following: credit-card, ssn, regexp, file-size, file-type, watermark, encrypted, none.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid The ID number of the firewall policy that applies to the session or packet.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
sessionid Session ID.
epoch Epoch.
eventid Serial number.
user User name.
group The group name.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
service The service where the event or activity occurred.
filetype The filetype of the affected file.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
hostname The hostname information.
url The URL address.
from Source identifier.
to Destination identifier.
subject Subject.
file The name of the file.
action Action taken by the FortiGate unit. One of the following: log-only, block, exempt, ban, ban sender, quarantine ip, quarantine interface.
profile The name of the profile that was used to detect and take action.
24578
Message ID: 024578
Message Description: DLP fingerprint document source (Notice)
Type (type): utm
Subtype (subtype): dlp
Event Type (eventtype): dlp-docsource
Level/Severity: notice
Log field Meaning
type utm
subtype dlp
eventtype dlp-docsource
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
sensitivity The sensitivity of the DLP sensor.
docsource The fingerprinted document's source.
dlpextra Extra DLP information.
24579
Message ID: 024579
Message Description: DLP fingerprint document source (Error)
Type (type): utm
Subtype (subtype): dlp
Event Type (eventtype): dlp-docsource
Level/Severity: warning
Log field Meaning
type utm
subtype dlp
eventtype dlp-docsource
level warning
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
sensitivity The sensitivity of the DLP sensor.
docsource The fingerprinted document's source.
dlpextra Extra DLP information.
Application Control
28672
Message ID: 028672
Message Description: application control im-basic log
Type (type): utm
Subtype (subtype): app-ctrl
Event Type (eventtype): app-ctrl-all
Level/Severity: information
Log field Meaning
type utm
subtype app-ctrl
eventtype app-ctrl-all
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
kind The type of application traffic. Can be: login, chat, file, photo, audio, call, chat, regist, unregister, call-block, request, response, video, ssh.
profiletype The type of profile responsible for the UTM action taken.
profile The name of the profile that was used to detect and take action.
direction The direction of the traffic: incoming, outgoing, or N/A.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
srcuser The source user.
dstuser The destination user.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
service The service where the event or activity occurred.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid Session ID.
applist The name of the application control list that was used to detect and take action.
apptype The type of application that triggered the action within the control list.
app The name of the application that triggered the action within the control list. For example, SSL.
action The app control action taken by the FortiGate. One of: pass, block, monitor, kickout, encrypt-kickout, reject, reset.
28673
Message ID: 028673
Message Description: application control im log
Type (type): utm
Subtype (subtype): app-ctrl
Event Type (eventtype): app-ctrl-all
Level/Severity: notice
Log field Meaning
type utm
subtype app-ctrl
eventtype app-ctrl-all
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
kind The type of application traffic. Can be: login, chat, file, photo, audio, call, chat, regist, unregister, call-block, request, response, video, ssh.
profiletype The type of profile responsible for the UTM action taken.
profile The name of the profile that was used to detect and take action.
direction The direction of the traffic: incoming, outgoing, or N/A.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
srcuser The source user.
dstuser The destination user.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
service The service where the event or activity occurred.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid Session ID.
applist The name of the application control list that was used to detect and take action.
apptype The type of application that triggered the action within the control list.
app The name of the application that triggered the action within the control list. For example, SSL.
action The app control action taken by the FortiGate. One of: pass, block, monitor, kickout, encrypt-kickout, reject, reset.
status The status of the traffic. One of: request, cancel, accept, fail, download, stop, start, end, timeout, blocked, succeeded, failed, authentication-required, pass, block.
28674
Message ID: 028674
Message Description: application control im(chat message count) log
Type (type): utm
Subtype (subtype): app-ctrl
Event Type (eventtype): app-ctrl-all
Level/Severity: information
Log field Meaning
type utm
subtype app-ctrl
eventtype app-ctrl-all
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
kind The type of application traffic. Can be: login, chat, file, photo, audio, call, chat, regist, unregister, call-block, request, response, video, ssh.
profiletype The type of profile responsible for the UTM action taken.
profile The name of the profile that was used to detect and take action.
direction The direction of the traffic: incoming, outgoing, or N/A.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
srcuser The source user.
dstuser The destination user.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
service The service where the event or activity occurred.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid Session ID.
applist The name of the application control list that was used to detect and take action.
apptype The type of application that triggered the action within the control list.
app The name of the application that triggered the action within the control list. For example, SSL.
action The app control action taken by the FortiGate. One of: pass, block, monitor, kickout, encrypt-kickout, reject, reset.
count Number of packets.
28675
Message ID: 028675
Message Description: application control im(file) log
Type (type): utm
Subtype (subtype): app-ctrl
Event Type (eventtype): app-ctrl-all
Level/Severity: information
Log field Meaning
type utm
subtype app-ctrl
eventtype app-ctrl-all
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
kind The type of application traffic. Can be: login, chat, file, photo, audio, call, chat, regist, unregister, call-block, request, response, video, ssh.
profiletype The type of profile responsible for the UTM action taken.
profile The name of the profile that was used to detect and take action.
direction The direction of the traffic: incoming, outgoing, or N/A.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
srcuser The source user.
dstuser The destination user.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
service The service where the event or activity occurred.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid Session ID.
applist The name of the application control list that was used to detect and take action.
apptype The type of application that triggered the action within the control list.
app The name of the application that triggered the action within the control list. For example, SSL.
action The app control action taken by the FortiGate. One of: pass, block, monitor, kickout, encrypt-kickout, reject, reset.
status The status of the traffic. One of: request, cancel, accept, fail, download, stop, start, end, timeout, blocked, succeeded, failed, authentication-required, pass, block.
filename The name of the file that was transferred.
filesize File size.
immsg IM message content.
28676
Message ID: 028676
Message Description: application control im(chat) log
Type (type): utm
Subtype (subtype): app-ctrl
Event Type (eventtype): app-ctrl-all
Level/Severity: notice
Log field Meaning
type utm
subtype app-ctrl
eventtype app-ctrl-all
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
kind The type of application traffic. Can be: login, chat, file, photo, audio, call, chat, regist, unregister, call-block, request, response, video, ssh.
profiletype The type of profile responsible for the UTM action taken.
profile The name of the profile that was used to detect and take action.
direction The direction of the traffic: incoming, outgoing, or N/A.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
srcuser The source user.
dstuser The destination user.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
service The service where the event or activity occurred.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid Session ID.
applist The name of the application control list that was used to detect and take action.
apptype The type of application that triggered the action within the control list.
app The name of the application that triggered the action within the control list. For example, SSL.
action The app control action taken by the FortiGate. One of: pass, block, monitor, kickout, encrypt-kickout, reject, reset.
count Number of packets.
content Traffic content.
28677
Message ID: 028677
Message Description: application control im(chat blocked) log
Type (type): utm
Subtype (subtype): app-ctrl
Event Type (eventtype): app-ctrl-all
Level/Severity: notice
Log field Meaning
type utm
subtype app-ctrl
eventtype app-ctrl-all
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
kind The type of application traffic. Can be: login, chat, file, photo, audio, call, chat, regist, unregister, call-block, request, response, video, ssh.
profiletype The type of profile responsible for the UTM action taken.
profile The name of the profile that was used to detect and take action.
direction The direction of the traffic: incoming, outgoing, or N/A.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
srcuser The source user.
dstuser The destination user.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
service The service where the event or activity occurred.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid Session ID.
applist The name of the application control list that was used to detect and take action.
apptype The type of application that triggered the action within the control list.
app The name of the application that triggered the action within the control list. For example, SSL.
action The app control action taken by the FortiGate. One of: pass, block, monitor, kickout, encrypt-kickout, reject, reset.
count Number of packets.
reason The reason for the blocking. One of the following: meter-overload-drop, meter-overload-refuse, rate-limit, dialog-limit, long-header, unrecognized-form, unknown, block-request, invalid-ip, or exceed-rate.
req The request information.
28678
Message ID: 028678
Message Description: application control im-block log
Type (type): utm
Subtype (subtype): app-ctrl
Event Type (eventtype): app-ctrl-all
Level/Severity: notice
Log field Meaning
type utm
subtype app-ctrl
eventtype app-ctrl-all
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
kind The type of application traffic. Can be: login, chat, file, photo, audio, call, chat, regist, unregister, call-block, request, response, video, ssh.
profiletype The type of profile responsible for the UTM action taken.
profile The name of the profile that was used to detect and take action.
direction The direction of the traffic: incoming, outgoing, or N/A.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
srcuser The source user.
dstuser The destination user.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
service The service where the event or activity occurred.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid Session ID.
applist The name of the application control list that was used to detect and take action.
apptype The type of application that triggered the action within the control list.
app The name of the application that triggered the action within the control list. For example, SSL.
action The app control action taken by the FortiGate. One of: pass, block, monitor, kickout, encrypt-kickout, reject, reset.
28688
Message ID: 028688
Message Description: application control (voip basic) log
Type (type): utm
Subtype (subtype): app-ctrl
Event Type (eventtype): app-ctrl-all
Level/Severity: information
Log field Meaning
type utm
subtype app-ctrl
eventtype app-ctrl-all
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
kind The type of application traffic. Can be: login, chat, file, photo, audio, call, chat, regist, unregister, call-block, request, response, video, ssh.
profiletype The type of profile responsible for the UTM action taken.
profile The name of the profile that was used to detect and take action.
direction The direction of the traffic: incoming, outgoing, or N/A.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
srcuser The source user.
dstuser The destination user.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
service The service where the event or activity occurred.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid Session ID.
applist The name of the application control list that was used to detect and take action.
apptype The type of application that triggered the action within the control list.
app The name of the application that triggered the action within the control list. For example, SSL.
action The app control action taken by the FortiGate. One of: pass, block, monitor, kickout, encrypt-kickout, reject, reset.
status The status of the traffic. One of: request, cancel, accept, fail, download, stop, start, end, timeout, blocked, succeeded, failed, authentication-required, pass, block.
28689
Message ID: 028689
Message Description: application control (sccp call blocked) log
Type (type): utm
Subtype (subtype): app-ctrl
Event Type (eventtype): app-ctrl-all
Level/Severity: information
Log field Meaning
type utm
subtype app-ctrl
eventtype app-ctrl-all
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
kind The type of application traffic. Can be: login, chat, file, photo, audio, call, chat, regist, unregister, call-block, request, response, video, ssh.
profiletype The type of profile responsible for the UTM action taken.
profile The name of the profile that was used to detect and take action.
direction The direction of the traffic: incoming, outgoing, or N/A.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
srcuser The source user.
dstuser The destination user.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
service The service where the event or activity occurred.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid Session ID.
applist The name of the application control list that was used to detect and take action.
apptype The type of application that triggered the action within the control list.
app The name of the application that triggered the action within the control list. For example, SSL.
action The app control action taken by the FortiGate. One of: pass, block, monitor, kickout, encrypt-kickout, reject, reset.
status The status of the traffic. One of: request, cancel, accept, fail, download, stop, start, end, timeout, blocked, succeeded, failed, authentication-required, pass, block.
phone The phone information or number.
reason The reason for the blocking. One of the following: meter-overload-drop, meter-overload-refuse, rate-limit, dialog-limit, long-header, unrecognized-form, unknown, block-request, invalid-ip, or exceed-rate.
28690
Message ID: 028690
Message Description: application control (sip block) log
Type (type): utm
Subtype (subtype): app-ctrl
Event Type (eventtype): app-ctrl-all
Level/Severity: notice
Log field Meaning
type utm
subtype app-ctrl
eventtype app-ctrl-all
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
kind The type of application traffic. Can be: login, chat, file, photo, audio, call, chat, regist, unregister, call-block, request, response, video, ssh.
profiletype The type of profile responsible for the UTM action taken.
profile The name of the profile that was used to detect and take action.
direction The direction of the traffic: incoming, outgoing, or N/A.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
srcuser The source user.
dstuser The destination user.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
service The service where the event or activity occurred.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid Session ID.
applist The name of the application control list that was used to detect and take action.
apptype The type of application that triggered the action within the control list.
app The name of the application that triggered the action within the control list. For example, SSL.
action The app control action taken by the FortiGate. One of: pass, block, monitor, kickout, encrypt-kickout, reject, reset.
count Number of packets.
reason The reason for the blocking. One of the following: meter-overload-drop, meter-overload-refuse, rate-limit, dialog-limit, long-header, unrecognized-form, unknown, block-request, invalid-ip, or exceed-rate.
req The request information.
28704
Message ID: 028704
Message Description: application control ips log (pass)
Type (type): utm
Subtype (subtype): app-ctrl
Event Type (eventtype): app-ctrl-all
Level/Severity: information
Log field Meaning
type utm
subtype app-ctrl
eventtype app-ctrl-all
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
attackid The identification number of the attack log message.
user User name.
group The group name.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
dstname The destination name. This can be a name or an IP address.
profiletype The type of profile responsible for the UTM action taken.
profile The name of the profile that was used to detect and take action.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
service The service where the event or activity occurred.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid Session ID.
applist The name of the application control list that was used to detect and take action.
apptype The type of application that triggered the action within the control list.
app The name of the application that triggered the action within the control list. For example, SSL.
action The app control action taken by the FortiGate. One of: pass, block, monitor, kickout, encrypt-kickout, reject, reset.
count Number of packets.
hostname The hostname information.
url The URL address.
message Log message information.
28705
Message ID: 028705
Message Description: application control ips log (block)
Type (type): utm
Subtype (subtype): app-ctrl
Event Type (eventtype): app-ctrl-all
Level/Severity: warning
Log field Meaning
type utm
subtype app-ctrl
eventtype app-ctrl-all
level warning
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
attackid The identification number of the attack log message.
user User name.
group The group name.
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
dstname The destination name. This can be a name or an IP address.
profiletype The type of profile responsible for the UTM action taken.
profile The name of the profile that was used to detect and take action.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
service The service where the event or activity occurred.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid Session ID.
applist The name of the application control list that was used to detect and take action.
apptype The type of application that triggered the action within the control list.
app The name of the application that triggered the action within the control list. For example, SSL.
action The app control action taken by the FortiGate. One of: pass, block, monitor, kickout, encrypt-kickout, reject, reset.
count Number of packets.
hostname The hostname information.
url The URL address.
message Log message information.
28706
Message ID: 028706
Message Description: application control ips log (reset)
Type (type): utm
Subtype (subtype): app-ctrl
Event Type (eventtype): app-ctrl-all
Level/Severity: warning
Log field Meaning
type utm
subtype app-ctrl
eventtype app-ctrl-all
level warning
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
attackid The identification number of the attack log message.
user User name.
group The group name.
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".
dstname The destination name. This can be a name or an IP address.
profiletype The type of profile responsible for the UTM action taken.
profile The name of the profile that was used to detect and take action.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
service The service where the event or activity occurred.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid Session ID.
applist The name of the application control list that was used to detect and take action.
apptype The type of application that triggered the action within the control list.
app The name of the application that triggered the action within the control list. For example, SSL.
action The app control action taken by the FortiGate. One of: pass, block, monitor, kickout, encrypt-kickout, reject, reset.
count Number of packets.
hostname The hostname information.
url The URL address.
message Log message information.
28720
Message ID: 028720
Message Description: application control ssh filter
Type (type): utm
Subtype (subtype): app-ctrl
Event Type (eventtype): app-ctrl-all
Level/Severity: notice
Log field Meaning
type utm
subtype app-ctrl
eventtype app-ctrl-all
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
user User name.
group The group name.
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
kind The type of application traffic. Can be: login, chat, file, photo, audio, call, chat, regist, unregister, call-block, request, response, video, ssh.
profiletype The type of profile responsible for the UTM action taken.
profile The name of the profile that was used to detect and take action.
direction The direction of the traffic: incoming, outgoing, or N/A.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
srcuser The source user.
dstuser The destination user.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
service The service where the event or activity occurred.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid Session ID.
applist The name of the application control list that was used to detect and take action.
apptype The type of application that triggered the action within the control list.
app The name of the application that triggered the action within the control list. For example, SSL.
action The app control action taken by the FortiGate. One of: pass, block, monitor, kickout, encrypt-kickout, reject, reset.
28721
Message ID: 028721
Message Description: application control ssh filter block
Type (type): utm
Subtype (subtype): app-ctrl
Event Type (eventtype): app-ctrl-all
Level/Severity: warning
Log field Meaning
type utm
subtype app-ctrl
eventtype app-ctrl-all
level warning
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
user User name.
group The group name.
osname Name of the device's OS.
osversion Version number (if available) of the device's OS.
unauthuser Unauthenticated user name.
unauthusersource Method used to detect username.
kind The type of application traffic. Can be: login, chat, file, photo, audio, call, chat, regist, unregister, call-block, request, response, video, ssh.
profiletype The type of profile responsible for the UTM action taken.
profile The name of the profile that was used to detect and take action.
direction The direction of the traffic: incoming, outgoing, or N/A.
srcip The source IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstip The destination IP.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
dstintf The destination interface.
srcuser The source user.
dstuser The destination user.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
service The service where the event or activity occurred.
policyid The ID number of the firewall policy that applies to the session or packet.
custom Custom field.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sessionid Session ID.
applist The name of the application control list that was used to detect and take action.
apptype The type of application that triggered the action within the control list.
app The name of the application that triggered the action within the control list. For example, SSL.
action The app control action taken by the FortiGate. One of: pass, block, monitor, kickout, encrypt-kickout, reject, reset.
Event
20099
Message ID: 020099
Message Description: interface statistics change
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field Meaning
type event
subtype system
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action The action that was taken by the system.
status Status. Either UP or DOWN.
msg "Interface (interface name) was turned (up / down)."
32001
Message ID: 032001
Message Description: successful admin login attempt
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field Meaning
type event
subtype system
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
user User name.
ui The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field shows their point of entry as GUI(10.10.20.5).
action The action that was taken by the system.
status Authentication status. One of: success, failure, timed_out, locked_out.
reason The reason for the blocking. One of the following: meter-overload-drop, meter-overload-refuse, rate-limit, dialog-limit, long-header, unrecognized-form, unknown, block-request, invalid-ip, or exceed-rate.
profile The name of the profile that was used to detect and take action.
msg "Administrator (name) logged in successfully from (source)."
32003
Message ID: 032003
Message Description: successful admin logout attempt
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field Meaning
type event
subtype system
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
user User name.
ui The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field shows their point of entry as GUI(10.10.20.5).
action The action that was taken by the system.
status Status. Either success or error.
reason The reason for the blocking. One of the following: meter-overload-drop, meter-overload-refuse, rate-limit, dialog-limit, long-header, unrecognized-form, unknown, block-request, invalid-ip, or exceed-rate.
profile The name of the profile that was used to detect and take action.
msg "Administrator (name) logged out successfully from (source)." "Administrator (name) timed out on (source)."
32142
Message ID: 032142
Message Description: automatic config backup
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field Meaning
type event
subtype system
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
user User name.
ui The point of entry the user used to access the FortiGate unit to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field shows their point of entry as GUI(10.10.20.5).
action The action that was taken by the system.
status Authentication status. One of: success, failure, timed_out, locked_out.
reason The reason for the blocking. One of the following: meter-overload-drop, meter-overload-refuse, rate-limit, dialog-limit, long-header, unrecognized-form, unknown, block-request, invalid-ip, or exceed-rate.
profile The name of the profile that was used to detect and take action.
msg "Automatic configuration backup to Management Station succeeded."
37120
Message ID: 037120
Message Description: negotiate IPsec phase 1 notif
Type (type): event
Subtype (subtype): vpn
Level/Severity: notice
Log field Meaning
type event
subtype vpn
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down, auto-ipsec.
remip The remote IP address.
locip The local IP address.
remport Remote port.
locport Local port.
outintf Outward interface.
cookies Cookies.
user User name.
group The group name.
xauthuser The name of the XAuth user.
xauthgroup The name of the Xauthentication group.
vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
status Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict, preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.
xauthresult XAuth result. Either XAUTH authentication successful, or XAUTH authentication failed.
msg "negotiate IPsec phase 1."
37121
Message ID: 037121
Message Description: negotiate IPsec phase 1 error
Type (type): event
Subtype (subtype): vpn
Level/Severity: error
Log field Meaning
type event
subtype vpn
level error
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down, auto-ipsec.
remip The remote IP address.
locip The local IP address.
remport Remote port.
locport Local port.
outintf Outward interface.
cookies Cookies.
user User name.
group The group name.
xauthuser The name of the XAuth user.
xauthgroup The name of the Xauthentication group.
vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
status Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict, preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.
xauthresult XAuth result. Either XAUTH authentication successful, or XAUTH authentication failed.
msg "negotiate IPsec phase 1."
37122
Message ID: 037122
Message Description: negotiate IPsec phase 2 notif
Type (type): event
Subtype (subtype): vpn
Level/Severity: notice
Log field Meaning
type event
subtype vpn
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down, auto-ipsec.
remip The remote IP address.
locip The local IP address.
remport Remote port.
locport Local port.
outintf Outward interface.
cookies Cookies.
user User name.
group The group name.
xauthuser The name of the XAuth user.
xauthgroup The name of the Xauthentication group.
vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
status Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict, preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.
role Role - either responder or initiator.
esptransform ESP transform information. One of: ESP_NULL, ESP_DES, ESP_3DES, ESP_AES.
espauth ESP authentication information. One of: no authentication, HMAC_SHA1, HMAC_MD5, HMAC_SHA256.
msg "negotiate IPsec phase 2."
37123
Message ID: 037123
Message Description: negotiate IPsec phase 2 error
Type (type): event
Subtype (subtype): vpn
Level/Severity: error
Log field Meaning
type event
subtype vpn
level error
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down, auto-ipsec.
remip The remote IP address.
locip The local IP address.
remport Remote port.
locport Local port.
outintf Outward interface.
cookies Cookies.
user User name.
group The group name.
xauthuser The name of the XAuth user.
xauthgroup The name of the Xauthentication group.
vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
status Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict, preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.
role Role - either responder or initiator.
esptransform ESP transform information. One of: ESP_NULL, ESP_DES, ESP_3DES, ESP_AES.
espauth ESP authentication information. One of: no authentication, HMAC_SHA1, HMAC_MD5, HMAC_SHA256.
msg "negotiate IPsec phase 2."
37124
Message ID: 037124
Message Description: IPsec phase 1 error
Type (type): event
Subtype (subtype): vpn
Level/Severity: error
Log field Meaning
type event
subtype vpn
level error
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down, auto-ipsec.
remip The remote IP address.
locip The local IP address.
remport Remote port.
locport Local port.
outintf Outward interface.
cookies Cookies.
user User name.
group The group name.
xauthuser The name of the XAuth user.
xauthgroup The name of the Xauthentication group.
vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
status Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict, preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.
errorreason Error reason. One of the following: invalid certificate, invalid SA payload, probable preshared key mismatch, peer SA proposal not match local policy, peer notification, not enough key material for tunnel, encapsulation mode mismatch, no matching gateway for new request, aggressive vs main mode mismatch for new request.
peernotif Peer notification information. One of the following: NOT-APPLICABLE, INVALID-PAYLOAD-TYPE, DOI-NOT-SUPPORTED, SITUATION-NOT-SUPPORTED, INVALID-COOKIE, INVALID-MAJOR-VERSION, INVALID-MINOR-VERSION, INVALID-EXCHANGE-TYPE, INVALID-FLAGS, INVALID-MESSAGE-ID, INVALID-PROTOCOL-ID, INVALID-SPI, INVALID-TRANSFORM-ID, ATTRIBUTES-NOT-SUPPORTED, NO-PROPOSAL-CHOSEN, BAD-PROPOSAL-SYNTAX, PAYLOAD-MALFORMED, INVALID-KEY-INFORMATION, INVALID-ID-INFORMATION, INVALID-CERT-ENCODING, INVALID-CERTIFICATE, BAD-CERT-REQUEST-SYNTAX, INVALID-CERT-AUTHORITY, INVALID-HASH-INFORMATION, AUTHENTICATION-FAILED, INVALID-SIGNATURE, ADDRESS-NOTIFICATION, NOTIFY-SA-LIFETIME, CERTIFICATE-UNAVAILABLE, UNSUPPORTED-EXCHANGE-TYPE, UNEQUAL-PAYLOAD-LENGTHS, CONNECTED, RESPONDER-LIFETIME, REPLAY-STATUS, INITIAL-CONTACT, R-U-THERE, R-U-THERE-ACK, HEARTBEAT, RETRY-LIMIT-REACHED.
msg "IPsec phase 1 error."
37125
Message ID: 037125
Message Description: IPsec phase 2 error
Type (type): event
Subtype (subtype): vpn
Level/Severity: error
Log field Meaning
type event
subtype vpn
level error
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down, auto-ipsec.
remip The remote IP address.
locip The local IP address.
remport Remote port.
locport Local port.
outintf Outward interface.
cookies Cookies.
user User name.
group The group name.
xauthuser The name of the XAuth user.
xauthgroup The name of the Xauthentication group.
vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
status Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict, preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.
errorreason Error reason. One of the following: invalid certificate, invalid SA payload, probable preshared key mismatch, peer SA proposal not match local policy, peer notification, not enough key material for tunnel, encapsulation mode mismatch, no matching gateway for new request, aggressive vs main mode mismatch for new request.
msg "IPsec phase 2 error."
37126
Message ID: 037126
Message Description: IPsec no state error
Type (type): event
Subtype (subtype): vpn
Level/Severity: error
Log field Meaning
type event
subtype vpn
level error
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down, auto-ipsec.
remip The remote IP address.
locip The local IP address.
remport Remote port.
locport Local port.
outintf Outward interface.
cookies Cookies.
user User name.
group The group name.
xauthuser The name of the XAuth user.
xauthgroup The name of the Xauthentication group.
vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
status Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict, preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.
errorreason Error reason. One of the following: invalid certificate, invalid SA payload, probable preshared key mismatch, peer SA proposal not match local policy, peer notification, not enough key material for tunnel, encapsulation mode mismatch, no matching gateway for new request, aggressive vs main mode mismatch for new request.
msg "IPsec no state error."
37127
Message ID: 037127
Message Description: progress IPsec phase 1 notif
Type (type): event
Subtype (subtype): vpn
Level/Severity: notice
Log field Meaning
type event
subtype vpn
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down, auto-ipsec.
remip The remote IP address.
locip The local IP address.
remport Remote port.
locport Local port.
outintf Outward interface.
cookies Cookies.
user User name.
group The group name.
xauthuser The name of the XAuth user.
xauthgroup The name of the Xauthentication group.
vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
status Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict, preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.
init Initiator: either local or remote.
mode Mode. One of: aggressive, main, quick, xauth, xauth_client.
direction Direction, either outbound or inbound.
stage Stage number.
role Role - either responder or initiator.
result Result. One of: ERROR, OK, DONE, PENDING.
msg "progress IPsec phase 1."
37128
Message ID: 037128
Message Description: progress IPsec phase 1 error
Type (type): event
Subtype (subtype): vpn
Level/Severity: error
Log field Meaning
type event
subtype vpn
level error
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down, auto-ipsec.
remip The remote IP address.
locip The local IP address.
remport Remote port.
locport Local port.
outintf Outward interface.
cookies Cookies.
user User name.
group The group name.
xauthuser The name of the XAuth user.
xauthgroup The name of the Xauthentication group.
vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
status Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict, preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.
init Initiator: either local or remote.
mode Mode. One of: aggressive, main, quick, xauth, xauth_client.
direction Direction, either outbound or inbound.
stage Stage number.
role Role - either responder or initiator.
result Result. One of: ERROR, OK, DONE, PENDING.
msg "progress IPsec phase 1."
37129
Message ID: 037129
Message Description: progress IPsec phase 2 notif
Type (type): event
Subtype (subtype): vpn
Level/Severity: notice
Log field Meaning
type event
subtype vpn
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down, auto-ipsec.
remip The remote IP address.
locip The local IP address.
remport Remote port.
locport Local port.
outintf Outward interface.
cookies Cookies.
user User name.
group The group name.
xauthuser The name of the XAuth user.
xauthgroup The name of the Xauthentication group.
vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
status Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict, preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.
init Initiator: either local or remote.
mode Mode. One of: aggressive, main, quick, xauth, xauth_client.
direction Direction, either outbound or inbound.
stage Stage number.
role Role - either responder or initiator.
result Result. One of: ERROR, OK, DONE, PENDING.
msg "progress IPsec phase 2."
37130
Message ID: 037130
Message Description: progress IPsec phase 2 error
Type (type): event
Subtype (subtype): vpn
Level/Severity: error
Log field Meaning
type event
subtype vpn
level error
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down, auto-ipsec.
remip The remote IP address.
locip The local IP address.
remport Remote port.
locport Local port.
outintf Outward interface.
cookies Cookies.
user User name.
group The group name.
xauthuser The name of the XAuth user.
xauthgroup The name of the Xauthentication group.
vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
status Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict, preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.
init Initiator: either local or remote.
mode Mode. One of: aggressive, main, quick, xauth, xauth_client.
direction Direction, either outbound or inbound.
stage Stage number.
role Role - either responder or initiator.
result Result. One of: ERROR, OK, DONE, PENDING.
msg "progress IPsec phase 2."
37131
Message ID: 037131
Message Description: IPsec ESP notif
Type (type): event
Subtype (subtype): vpn
Level/Severity: error
Log field Meaning
type event
subtype vpn
level error
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down, auto-ipsec.
remip The remote IP address.
locip The local IP address.
remport Remote port.
locport Local port.
outintf Outward interface.
cookies Cookies.
user User name.
group The group name.
xauthuser The name of the XAuth user.
xauthgroup The name of the Xauthentication group.
vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
status Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict, preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.
errornum ESP error information. One of the following: Invalid ESP packet detected (HMAC validation failed)., Invalid ESP packet detected (invalid padding)., Invalid ESP packet detected (invalid padding length)., Invalid ESP packet detected (replayed packet)., Invalid ESP packet detected (payload not aligned)., Invalid ESP packet detected (wrong cipher key size)., Invalid ESP packet detected (no space)., Invalid ESP packet detected (invalid padding)., Invalid ESP packet detected (ASIC error)., Invalid ESP packet detected (unsupported protocol)., Invalid ESP packet detected (truncated header)., Received ESP packet with unknown SPI.
spi IPsec Security Parameter Index.
seq Sequence number.
msg "IPsec ESP."
37132
Message ID: 037132
Message Description: IPsec ESP error
Type (type): event
Subtype (subtype): vpn
Level/Severity: critical
Log field Meaning
type event
subtype vpn
level critical
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down, auto-ipsec.
remip The remote IP address.
locip The local IP address.
remport Remote port.
locport Local port.
outintf Outward interface.
cookies Cookies.
user User name.
group The group name.
xauthuser The name of the XAuth user.
xauthgroup The name of the Xauthentication group.
vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
status Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict, preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.
errornum ESP error information. One of the following: Invalid ESP packet detected (HMAC validation failed)., Invalid ESP packet detected (invalid padding)., Invalid ESP packet detected (invalid padding length)., Invalid ESP packet detected (replayed packet)., Invalid ESP packet detected (payload not aligned)., Invalid ESP packet detected (wrong cipher key size)., Invalid ESP packet detected (no space)., Invalid ESP packet detected (invalid padding)., Invalid ESP packet detected (ASIC error)., Invalid ESP packet detected (unsupported protocol)., Invalid ESP packet detected (truncated header)., Received ESP packet with unknown SPI.
spi IPsec Security Parameter Index.
seq Sequence number.
msg "IPsec ESP."
37133
Message ID: 037133
Message Description: install IPsec SA
Type (type): event
Subtype (subtype): vpn
Level/Severity: notice
Log field Meaning
type event
subtype vpn
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down, auto-ipsec.
remip The remote IP address.
locip The local IP address.
remport Remote port.
locport Local port.
outintf Outward interface.
cookies Cookies.
user User name.
group The group name.
xauthuser The name of the XAuth user.
xauthgroup The name of the Xauthentication group.
vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
role Role - either responder or initiator.
inspi In SPI.
outspi Out SPI.
msg "install IPsec SA."
37134
Message ID: 037134
Message Description: delete IPsec phase 1 SA
Type (type): event
Subtype (subtype): vpn
Level/Severity: notice
Log field Meaning
type event
subtype vpn
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down, auto-ipsec.
remip The remote IP address.
locip The local IP address.
remport Remote port.
locport Local port.
outintf Outward interface.
cookies Cookies.
user User name.
group The group name.
xauthuser The name of the XAuth user.
xauthgroup The name of the Xauthentication group.
vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
msg "delete IPsec phase 1 SA."
37135
Message ID: 037135
Message Description: delete IPsec phase 2 SA
Type (type): event
Subtype (subtype): vpn
Level/Severity: notice
Log field Meaning
type event
subtype vpn
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down, auto-ipsec.
remip The remote IP address.
locip The local IP address.
remport Remote port.
locport Local port.
outintf Outward interface.
cookies Cookies.
user User name.
group The group name.
xauthuser The name of the XAuth user.
xauthgroup The name of the Xauthentication group.
vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
encspi Enc SPI.
decspi Dec SPI.
msg "delete IPsec phase 2 SA."
37136
Message ID: 037136
Message Description: IPsec DPD failure
Type (type): event
Subtype (subtype): vpn
Level/Severity: error
Log field Meaning
type event
subtype vpn
level error
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down, auto-ipsec.
remip The remote IP address.
locip The local IP address.
remport Remote port.
locport Local port.
outintf Outward interface.
cookies Cookies.
user User name.
group The group name.
xauthuser The name of the XAuth user.
xauthgroup The name of the Xauthentication group.
vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
status Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict, preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.
msg "IPsec DPD failure."
37137
Message ID: 037137
Message Description: IPsec connection failure
Type (type): event
Subtype (subtype): vpn
Level/Severity: error
Log field Meaning
type event
subtype vpn
level error
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down, auto-ipsec.
remip The remote IP address.
locip The local IP address.
remport Remote port.
locport Local port.
outintf Outward interface.
cookies Cookies.
user User name.
group The group name.
xauthuser The name of the XAuth user.
xauthgroup The name of the Xauthentication group.
vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
status Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict, preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.
msg "IPsec connection failure."
37138
Message ID: 037138
Message Description: IPsec connection status change
Type (type): event
Subtype (subtype): vpn
Level/Severity: notice
Log field Meaning
type event
subtype vpn
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down, auto-ipsec.
remip The remote IP address.
locip The local IP address.
remport Remote port.
locport Local port.
outintf Outward interface.
cookies Cookies.
user User name.
group The group name.
xauthuser The name of the XAuth user.
xauthgroup The name of the Xauthentication group.
vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
tunnelip The tunnel IP address.
tunnelid The tunnel ID.
tunneltype "ipsec"
duration Time value in seconds.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
nextstat Next stat number.
tunnel Tunnel name.
msg "IPsec connection status change."
37139
Message ID: 037139
Message Description: IPsec connection status change
Type (type): event
Subtype (subtype): vpn
Level/Severity: notice
Log field Meaning
type event
subtype vpn
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down, auto-ipsec.
remip The remote IP address.
locip The local IP address.
remport Remote port.
locport Local port.
outintf Outward interface.
cookies Cookies.
user User name.
group The group name.
xauthuser The name of the XAuth user.
xauthgroup The name of the Xauthentication group.
vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
phase2name Phase 2 name.
msg "IPsec phase 2 status change."
37140
Message ID: 037140
Message Description: auto-IPsec status
Type (type): event
Subtype (subtype): vpn
Level/Severity: notice
Log field Meaning
type event
subtype vpn
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down, auto-ipsec.
remip The remote IP address.
locip The local IP address.
remport Remote port.
locport Local port.
outintf Outward interface.
cookies Cookies.
user User name.
group The group name.
xauthuser The name of the XAuth user.
xauthgroup The name of the Xauthentication group.
vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
status Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict, preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.
reason The reason for the blocking. One of the following: meter-overload-drop, meter-overload-refuse, rate-limit, dialog-limit, long-header, unrecognized-form, unknown, block-request, invalid-ip, or exceed-rate.
msg "auto-IPsec status."
37141
Message ID: 037141
Message Description: IPsec tunnel statistics
Type (type): event
Subtype (subtype): vpn
Level/Severity: notice
Log field Meaning
type event
subtype vpn
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down, auto-ipsec.
remip The remote IP address.
locip The local IP address.
remport Remote port.
locport Local port.
outintf Outward interface.
cookies Cookies.
user User name.
group The group name.
xauthuser The name of the XAuth user.
xauthgroup The name of the Xauthentication group.
vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
tunnelip The tunnel IP address.
tunnelid The tunnel ID.
tunneltype "ipsec"
duration Time value in seconds.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
nextstat Next stat number.
tunnel Tunnel name.
msg "IPsec tunnel statistics."
37184
Message ID: 037184
Message Description: negotiate IPsec phase 1 notif
Type (type): event
Subtype (subtype): vpn
Level/Severity: notice
Log field Meaning
type event
subtype vpn
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down, auto-ipsec.
remip The remote IP address.
locip The local IP address.
remport Remote port.
locport Local port.
outintf Outward interface.
cookies Cookies.
user User name.
group The group name.
vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
status Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict, preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.
peernotif Peer notification information. One of the following: NOT-APPLICABLE, INVALID-PAYLOAD-TYPE, DOI-NOT-SUPPORTED, SITUATION-NOT-SUPPORTED, INVALID-COOKIE, INVALID-MAJOR-VERSION, INVALID-MINOR-VERSION, INVALID-EXCHANGE-TYPE, INVALID-FLAGS, INVALID-MESSAGE-ID, INVALID-PROTOCOL-ID, INVALID-SPI, INVALID-TRANSFORM-ID, ATTRIBUTES-NOT-SUPPORTED, NO-PROPOSAL-CHOSEN, BAD-PROPOSAL-SYNTAX, PAYLOAD-MALFORMED, INVALID-KEY-INFORMATION, INVALID-ID-INFORMATION, INVALID-CERT-ENCODING, INVALID-CERTIFICATE, BAD-CERT-REQUEST-SYNTAX, INVALID-CERT-AUTHORITY, INVALID-HASH-INFORMATION, AUTHENTICATION-FAILED, INVALID-SIGNATURE, ADDRESS-NOTIFICATION, NOTIFY-SA-LIFETIME, CERTIFICATE-UNAVAILABLE, UNSUPPORTED-EXCHANGE-TYPE, UNEQUAL-PAYLOAD-LENGTHS, CONNECTED, RESPONDER-LIFETIME, REPLAY-STATUS, INITIAL-CONTACT, R-U-THERE, R-U-THERE-ACK, HEARTBEAT, RETRY-LIMIT-REACHED
msg "negotiate IPsec phase 1."
37185
Message ID: 037185
Message Description: negotiate IPsec phase 1 error
Type (type): event
Subtype (subtype): vpn
Level/Severity: error
Log field Meaning
type event
subtype vpn
level error
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down, auto-ipsec.
remip The remote IP address.
locip The local IP address.
remport Remote port.
locport Local port.
outintf Outward interface.
cookies Cookies.
user User name.
group The group name.
vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
status Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict, preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.
peernotif Peer notification information. One of the following: NOT-APPLICABLE, INVALID-PAYLOAD-TYPE, DOI-NOT-SUPPORTED, SITUATION-NOT-SUPPORTED, INVALID-COOKIE, INVALID-MAJOR-VERSION, INVALID-MINOR-VERSION, INVALID-EXCHANGE-TYPE, INVALID-FLAGS, INVALID-MESSAGE-ID, INVALID-PROTOCOL-ID, INVALID-SPI, INVALID-TRANSFORM-ID, ATTRIBUTES-NOT-SUPPORTED, NO-PROPOSAL-CHOSEN, BAD-PROPOSAL-SYNTAX, PAYLOAD-MALFORMED, INVALID-KEY-INFORMATION, INVALID-ID-INFORMATION, INVALID-CERT-ENCODING, INVALID-CERTIFICATE, BAD-CERT-REQUEST-SYNTAX, INVALID-CERT-AUTHORITY, INVALID-HASH-INFORMATION, AUTHENTICATION-FAILED, INVALID-SIGNATURE, ADDRESS-NOTIFICATION, NOTIFY-SA-LIFETIME, CERTIFICATE-UNAVAILABLE, UNSUPPORTED-EXCHANGE-TYPE, UNEQUAL-PAYLOAD-LENGTHS, CONNECTED, RESPONDER-LIFETIME, REPLAY-STATUS, INITIAL-CONTACT, R-U-THERE, R-U-THERE-ACK, HEARTBEAT, RETRY-LIMIT-REACHED
msg "negotiate IPsec phase 1."
37186
Message ID: 037186
Message Description: negotiate IPsec phase 2 notif
Type (type): event
Subtype (subtype): vpn
Level/Severity: notice
Log field Meaning
type event
subtype vpn
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down, auto-ipsec.
remip The remote IP address.
locip The local IP address.
remport Remote port.
locport Local port.
outintf Outward interface.
cookies Cookies.
user User name.
group The group name.
vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
status Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict, preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.
role Role - either responder or initiator.
esptransform ESP transform information. One of: ESP_NULL, ESP_DES, ESP_3DES, ESP_AES.
espauth ESP authentication information. One of: no authentication, HMAC_SHA1, HMAC_MD5, HMAC_SHA256.
msg "negotiate IPsec phase 2."
37187
Message ID: 037187
Message Description: negotiate IPsec phase 2 error
Type (type): event
Subtype (subtype): vpn
Level/Severity: error
Log field Meaning
type event
subtype vpn
level error
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down, auto-ipsec.
remip The remote IP address.
locip The local IP address.
remport Remote port.
locport Local port.
outintf Outward interface.
cookies Cookies.
user User name.
group The group name.
vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
status Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict, preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.
role Role - either responder or initiator.
esptransform ESP transform information. One of: ESP_NULL, ESP_DES, ESP_3DES, ESP_AES.
espauth ESP authentication information. One of: no authentication, HMAC_SHA1, HMAC_MD5, HMAC_SHA256.
msg "negotiate IPsec phase 2."
37188
Message ID: 037188
Message Description: IPsec phase 1 error
Type (type): event
Subtype (subtype): vpn
Level/Severity: error
Log field Meaning
type event
subtype vpn
level error
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down, auto-ipsec.
remip The remote IP address.
locip The local IP address.
remport Remote port.
locport Local port.
outintf Outward interface.
cookies Cookies.
user User name.
group The group name.
vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
status Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict, preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.
errorreason Error reason. One of the following: invalid certificate, invalid SA payload, probable preshared key mismatch, peer SA proposal not match local policy, peer notification, not enough key material for tunnel, encapsulation mode mismatch, no matching gateway for new request, aggressive vs main mode mismatch for new request
msg "IPsec phase 1 error."
37189
Message ID: 037189
Message Description: IPsec phase 2 error
Type (type): event
Subtype (subtype): vpn
Level/Severity: error
Log field Meaning
type event
subtype vpn
level error
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down, auto-ipsec.
remip The remote IP address.
locip The local IP address.
remport Remote port.
locport Local port.
outintf Outward interface.
cookies Cookies.
user User name.
group The group name.
vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
status Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict, preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.
errorreason Error reason. One of the following: invalid certificate, invalid SA payload, probable preshared key mismatch, peer SA proposal not match local policy, peer notification, not enough key material for tunnel, encapsulation mode mismatch, no matching gateway for new request, aggressive vs main mode mismatch for new request
msg "IPsec phase 2 error."
37190
Message ID: 037190
Message Description: IPsec not state error
Type (type): event
Subtype (subtype): vpn
Level/Severity: error
Log field Meaning
type event
subtype vpn
level error
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down, auto-ipsec.
remip The remote IP address.
locip The local IP address.
remport Remote port.
locport Local port.
outintf Outward interface.
cookies Cookies.
user User name.
group The group name.
vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
status Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict, preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.
errorreason Error reason. One of the following: invalid certificate, invalid SA payload, probable preshared key mismatch, peer SA proposal not match local policy, peer notification, not enough key material for tunnel, encapsulation mode mismatch, no matching gateway for new request, aggressive vs main mode mismatch for new request
msg "IPsec no state error."
37191
Message ID: 037191
Message Description: progress IPsec phase 1 notif
Type (type): event
Subtype (subtype): vpn
Level/Severity: notice
Log field Meaning
type event
subtype vpn
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down, auto-ipsec.
remip The remote IP address.
locip The local IP address.
remport Remote port.
locport Local port.
outintf Outward interface.
cookies Cookies.
user User name.
group The group name.
vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
status Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict, preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.
init Initiator: either local or remote.
exch Exchange. One of: SA_INIT, AUTH, CREATE_CHILD.
direction Direction, either outbound or inbound.
role Role - either responder or initiator.
result Result. One of: ERROR, OK, DONE, PENDING.
version "IKEv2"
msg "progress IPsec phase 1."
37192
Message ID: 037192
Message Description: progress IPsec phase 1 error
Type (type): event
Subtype (subtype): vpn
Level/Severity: error
Log field Meaning
type event
subtype vpn
level error
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down, auto-ipsec.
remip The remote IP address.
locip The local IP address.
remport Remote port.
locport Local port.
outintf Outward interface.
cookies Cookies.
user User name.
group The group name.
vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
status Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict, preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.
init Initiator: either local or remote.
exch Exchange. One of: SA_INIT, AUTH, CREATE_CHILD.
direction Direction, either outbound or inbound.
role Role - either responder or initiator.
result Result. One of: ERROR, OK, DONE, PENDING.
version "IKEv2"
msg "progress IPsec phase 1."
37193
Message ID: 037193
Message Description: progress IPsec phase 2 notif
Type (type): event
Subtype (subtype): vpn
Level/Severity: notice
Log field Meaning
type event
subtype vpn
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down, auto-ipsec.
remip The remote IP address.
locip The local IP address.
remport Remote port.
locport Local port.
outintf Outward interface.
cookies Cookies.
user User name.
group The group name.
vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
status Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict, preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.
init Initiator: either local or remote.
exch Exchange. One of: SA_INIT, AUTH, CREATE_CHILD.
direction Direction, either outbound or inbound.
role Role - either responder or initiator.
result Result. One of: ERROR, OK, DONE, PENDING.
version "IKEv2"
msg "progress IPsec phase 2."
37194
Message ID: 037194
Message Description: progress IPsec phase 2 error
Type (type): event
Subtype (subtype): vpn
Level/Severity: error
Log field Meaning
type event
subtype vpn
level error
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down, auto-ipsec.
remip The remote IP address.
locip The local IP address.
remport Remote port.
locport Local port.
outintf Outward interface.
cookies Cookies.
user User name.
group The group name.
vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
status Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict, preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.
init Initiator: either local or remote.
exch Exchange. One of: SA_INIT, AUTH, CREATE_CHILD.
direction Direction, either outbound or inbound.
role Role - either responder or initiator.
result Result. One of: ERROR, OK, DONE, PENDING.
version "IKEv2"
msg "progress IPsec phase 2."
37195
Message ID: 037195
Message Description: IPsec ESP notif
Type (type): event
Subtype (subtype): vpn
Level/Severity: error
Log field Meaning
type event
subtype vpn
level error
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down, auto-ipsec.
remip The remote IP address.
locip The local IP address.
remport Remote port.
locport Local port.
outintf Outward interface.
cookies Cookies.
user User name.
group The group name.
vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
status Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict, preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.
errornum ESP error information. One of the following: Invalid ESP packet detected (HMAC validation failed)., Invalid ESP packet detected (invalid padding)., Invalid ESP packet detected (invalid padding length)., Invalid ESP packet detected (replayed packet)., Invalid ESP packet detected (payload not aligned)., Invalid ESP packet detected (wrong cipher key size)., Invalid ESP packet detected (no space)., Invalid ESP packet detected (invalid padding)., Invalid ESP packet detected (ASIC error)., Invalid ESP packet detected (unsupported protocol)., Invalid ESP packet detected (truncated header)., Received ESP packet with unknown SPI.
spi IPsec Security Parameter Index.
seq Sequence number.
msg "IPsec ESP."
37196
Message ID: 037196
Message Description: IPsec ESP error
Type (type): event
Subtype (subtype): vpn
Level/Severity: critical
Log field Meaning
type event
subtype vpn
level critical
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down, auto-ipsec.
remip The remote IP address.
locip The local IP address.
remport Remote port.
locport Local port.
outintf Outward interface.
cookies Cookies.
user User name.
group The group name.
vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
status Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict, preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.
errornum ESP error information. One of the following: Invalid ESP packet detected (HMAC validation failed)., Invalid ESP packet detected (invalid padding)., Invalid ESP packet detected (invalid padding length)., Invalid ESP packet detected (replayed packet)., Invalid ESP packet detected (payload not aligned)., Invalid ESP packet detected (wrong cipher key size)., Invalid ESP packet detected (no space)., Invalid ESP packet detected (invalid padding)., Invalid ESP packet detected (ASIC error)., Invalid ESP packet detected (unsupported protocol)., Invalid ESP packet detected (truncated header)., Received ESP packet with unknown SPI.
spi IPsec Security Parameter Index.
seq Sequence number.
msg "IPsec ESP."
37197
Message ID: 037197
Message Description: install IPsec SA
Type (type): event
Subtype (subtype): vpn
Level/Severity: notice
Log field Meaning
type event
subtype vpn
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down, auto-ipsec.
remip The remote IP address.
locip The local IP address.
remport Remote port.
locport Local port.
outintf Outward interface.
cookies Cookies.
user User name.
group The group name.
vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
role Role - either responder or initiator.
inspi In SPI.
outspi Out SPI.
msg "install IPsec SA."
37198
Message ID: 037198
Message Description: delete IPsec phase 1 SA
Type (type): event
Subtype (subtype): vpn
Level/Severity: notice
Log field Meaning
type event
subtype vpn
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down, auto-ipsec.
remip The remote IP address.
locip The local IP address.
remport Remote port.
locport Local port.
outintf Outward interface.
cookies Cookies.
user User name.
group The group name.
vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
msg "delete IPsec phase 1 SA."
37199
Message ID: 037199
Message Description: delete IPsec phase 2 SA
Type (type): event
Subtype (subtype): vpn
Level/Severity: notice
Log field Meaning
type event
subtype vpn
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down, auto-ipsec.
remip The remote IP address.
locip The local IP address.
remport Remote port.
locport Local port.
outintf Outward interface.
cookies Cookies.
user User name.
group The group name.
vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
encspi Enc SPI.
decspi Dec SPI.
msg "delete IPsec phase 2 SA."
37200
Message ID: 037200
Message Description: IPsec DPD failure
Type (type): event
Subtype (subtype): vpn
Level/Severity: error
Log field Meaning
type event
subtype vpn
level error
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down, auto-ipsec.
remip The remote IP address.
locip The local IP address.
remport Remote port.
locport Local port.
outintf Outward interface.
cookies Cookies.
user User name.
group The group name.
vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
status Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict, preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.
msg "IPsec DPD failure."
37201
Message ID: 037201
Message Description: IPsec connection failure
Type (type): event
Subtype (subtype): vpn
Level/Severity: error
Log field Meaning
type event
subtype vpn
level error
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down, auto-ipsec.
remip The remote IP address.
locip The local IP address.
remport Remote port.
locport Local port.
outintf Outward interface.
cookies Cookies.
user User name.
group The group name.
vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
status Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict, preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.
msg "IPsec connection failure."
37202
Message ID: 037202
Message Description: IPsec connection status change
Type (type): event
Subtype (subtype): vpn
Level/Severity: notice
Log field Meaning
type event
subtype vpn
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down, auto-ipsec.
remip The remote IP address.
locip The local IP address.
remport Remote port.
locport Local port.
outintf Outward interface.
cookies Cookies.
user User name.
group The group name.
vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
tunnelip The tunnel IP address.
tunnelid The tunnel ID.
tunneltype "ipsec"
duration Time value in seconds.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
nextstat Next stat number.
tunnel Tunnel name.
msg "IPsec connection status change."
37203
Message ID: 037203
Message Description: IPsec connection status change
Type (type): event
Subtype (subtype): vpn
Level/Severity: notice
Log field Meaning
type event
subtype vpn
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down, auto-ipsec.
remip The remote IP address.
locip The local IP address.
remport Remote port.
locport Local port.
outintf Outward interface.
cookies Cookies.
user User name.
group The group name.
vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
phase2name Phase 2 name.
msg "IPsec phase 2 status change."
37204
Message ID: 037204
Message Description: IPsec tunnel statistics
Type (type): event
Subtype (subtype): vpn
Level/Severity: notice
Log field Meaning
type event
subtype vpn
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down, auto-ipsec.
remip The remote IP address.
locip The local IP address.
remport Remote port.
locport Local port.
outintf Outward interface.
cookies Cookies.
user User name.
group The group name.
vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.
tunnelip The tunnel IP address.
tunnelid The tunnel ID.
tunneltype "ipsec"
duration Time value in seconds.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
nextstat Next stat number.
tunnel Tunnel name.
msg "IPsec tunnel statistics."
37888
Message ID: 037888
Message Description: HA group delete
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field Meaning
type event
subtype system
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
hagroup HA group.
msg "HA group is deleted."
37889
Message ID: 037889
Message Description: Virtual cluster delete
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field Meaning
type event
subtype system
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
vcluster Virtual cluster.
msg "Virtual cluster is deleted."
37890
Message ID: 037890
Message Description: Virtual cluster move vdom
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field Meaning
type event
subtype system
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
fromvcluster Source virtual cluster.
tovcluster Destination virtual cluster.
vdname VDOM name.
msg "Virtual cluster's vdom is removed."
37891
Message ID: 037891
Message Description: Virtual cluster add vdom
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field Meaning
type event
subtype system
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
tovcluster Destination virtual cluster.
vdname VDOM name.
msg "Virtual cluster's vdom is added."
37892
Message ID: 037892
Message Description: Virtual cluster move member state
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field Meaning
type event
subtype system
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
harole HA role: either master or slave.
vcluster Virtual cluster.
vclusterstate Virtual cluster state. One of: init, helo, work, standby.
vclustermember Virtual cluster member.
hostname The hostname information.
sn Serial number.
msg "Virtual cluster's member state moved."
37893
Message ID: 037893
Message Description: Virtual cluster detect member dead
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field Meaning
type event
subtype system
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
hagroup HA group.
vcluster Virtual cluster.
msg "Virtual cluster detected member dead."
37894
Message ID: 037894
Message Description: Virtual cluster detect member join
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field Meaning
type event
subtype system
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
hagroup HA group.
vcluster Virtual cluster.
msg "Virtual cluster detected member join."
37895
Message ID: 037895
Message Description: Virtual cluster add HA device (interface)
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field Meaning
type event
subtype system
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
vcluster Virtual cluster.
devintfname The name of the device's interface.
msg "Virtual cluster add HA device."
37896
Message ID: 037896
Message Description: Virtual cluster delete HA device (interface)
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field Meaning
type event
subtype system
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
vcluster Virtual cluster.
devintfname The name of the device's interface.
msg "Virtual cluster delete HA device (interface)."
37897
Message ID: 037897
Message Description: HA device (interface) ready
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field Meaning
type event
subtype system
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
harole HA role: either master or slave.
devintfname The name of the device's interface.
msg "HA device (interface) ready."
37898
Message ID: 037898
Message Description: HA device (interface) fail
Type (type): event
Subtype (subtype): system
Level/Severity: warning
Log field Meaning
type event
subtype system
level warning
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
harole HA role: either master or slave.
devintfname The name of the device's interface.
msg "HA device (interface) fail."
37899
Message ID: 037899
Message Description: HA device (interface) peerinfo
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field Meaning
type event
subtype system
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
harole HA role: either master or slave.
devintfname The name of the device's interface.
msg "HA device (interface) peerinfo."
37900
Message ID: 037900
Message Description: Heartbeat device (interface) delete
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field Meaning
type event
subtype system
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
devintfname The name of the device's interface.
msg "Heartbeat device (interface) delete."
37901
Message ID: 037901
Message Description: Heartbeat device (interface) down
Type (type): event
Subtype (subtype): system
Level/Severity: critical
Log field Meaning
type event
subtype system
level critical
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
harole HA role: either master or slave.
hbdnreason Heartbeat down reason: either linkfail or neighbor-info-lost.
devintfname The name of the device's interface.
msg "Heartbeat device (interface) down."
37902
Message ID: 037902
Message Description: Heartbeat device (interface) up
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field Meaning
type event
subtype system
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
harole HA role: either master or slave.
devintfname The name of the device's interface.
msg "Heartbeat device (interface) up."
37903
Message ID: 037903
Message Description: The sync status with the master
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field Meaning
type event
subtype system
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
synctype Sync type. Either configurations or external-files.
syncstatus Sync status. Either out-of-sync or in-sync.
msg "The sync status with the master."
37904
Message ID: 037904
Message Description: HA activity report
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field Meaning
type event
subtype system
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
ip HA IP.
haprio HA priority.
activity HA activity message.
msg "HA activity report."
38031
Message ID: 038031
Message Description: Authentication message
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field Meaning
type event
subtype user
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
user User name.
src The source IP of the traffic.
server The name or IP address of the server.
action FSSO-polling-logon
status success
reason Reason.
msg "FSSO-polling-logon event from <device>: user <username> logged on <ip address>."
38032
Message ID: 038032
Message Description: Authentication message
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field Meaning
type event
subtype user
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
user User name.
src The source IP of the traffic.
server The name or IP address of the server.
action FSSO-polling-logoff
status success
reason Reason.
msg "FSSO-polling-logoff event from <device>: user <username> logged on <ip address>."
38033
Message ID: 038033
Message Description: Authentication message
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field Meaning
type event
subtype user
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
user User name.
server The name or IP address of the server.
action FSSO-polling-AD-server
msg "FSSO-polling-AD-server status changes: <description>."
38400
Message ID: 038400
Message Description: The system successfully sent a notification message
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field Meaning
type event
subtype system
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
user User name.
from Source identifier.
to Destination identifier.
service The service where the event or activity occurred.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
dst The destination IP of the traffic.
dport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
nftype Notification type. One of: bword, file_block, carrier_ep_bwl, flood, dupe, alert, mms_checksum, virus.
virus The name of the virus detected.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
count Number of packets.
duration Time value in seconds.
msg "Successfully sent a notification message."
38401
Message ID: 038401
Message Description: The system was unable to send a notification message
Type (type): event
Subtype (subtype): system
Level/Severity: warning
Log field Meaning
type event
subtype system
level warning
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
user User name.
from Source identifier.
to Destination identifier.
service The service where the event or activity occurred.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
dst The destination IP of the traffic.
dport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
nftype Notification type. One of: bword, file_block, carrier_ep_bwl, flood, dupe, alert, mms_checksum, virus.
virus The name of the virus detected.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
count Number of packets.
duration Time value in seconds.
msg "Unable to send a notification message."
38402
Message ID: 038402
Message Description: The system was unable to resolve an MMSC hostname
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field Meaning
type event
subtype system
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
hostname The hostname information.
service The service where the event or activity occurred.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
profilevd Profile VDOM.
msg "Unable to resolve hostname."
38656
Message ID: 038656
Message Description: RADIUS protocol error report
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field Meaning
type event
subtype user
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
count Number of packets.
duration Time value in seconds.
msg Message.
38657
Message ID: 038657
Message Description: RADIUS profile error report
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field Meaning
type event
subtype user
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
count Number of packets.
duration Time value in seconds.
msg Message.
38658
Message ID: 038658
Message Description: RADIUS context error report
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field Meaning
type event
subtype user
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
count Number of packets.
duration Time value in seconds.
msg Message.
38659
Message ID: 038659
Message Description: RADIUS missing stop packet report
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field Meaning
type event
subtype user
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
count Number of packets.
duration Time value in seconds.
msg Message.
38660
Message ID: 038660
Message Description: RADIUS accounting event report
Type (type): event
Subtype (subtype): user
Level/Severity: information
Log field Meaning
type event
subtype user
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
count Number of packets.
duration Time value in seconds.
msg Message.
38661
Message ID: 038661
Message Description: RADIUS other dynamic profile report
Type (type): event
Subtype (subtype): user
Level/Severity: information
Log field Meaning
type event
subtype user
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
count Number of packets.
duration Time value in seconds.
msg Message.
38662
Message ID: 038662
Message Description: RADIUS protocol errors occurred
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field Meaning
type event
subtype user
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
carrierep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in the FortiOS interface.
ip IP address.
rssokey RSSO key.
msg Message.
acctstat Accounting state. One of: Start, Stop, Interim-Update, Accounting-On, Accounting-Off.
reason Reason.
38663
Message ID: 038663
Message Description: RADIUS start or interim-update packet received with missing or invalid profile specified
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field Meaning
type event
subtype user
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
carrierep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in the FortiOS interface.
ip IP address.
rssokey RSSO key.
msg Message.
acctstat Accounting state. One of: Start, Stop, Interim-Update, Accounting-On, Accounting-Off.
reason Reason.
38664
Message ID: 038664
Message Description: RADIUS no context found for user
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field Meaning
type event
subtype user
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
carrierep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in the FortiOS interface.
ip IP address.
rssokey RSSO key.
msg Message.
38665
Message ID: 038665
Message Description: RADIUS stop packet was missed
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field Meaning
type event
subtype user
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
carrierep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in the FortiOS interface.
ip IP address.
rssokey RSSO key.
msg Message.
acctstat Accounting state. One of: Start, Stop, Interim-Update, Accounting-On, Accounting-Off.
reason Reason.
38666
Message ID: 038666
Message Description: RADIUS accounting event
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field Meaning
type event
subtype user
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
carrierep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in the FortiOS interface.
ip IP address.
rssokey RSSO key.
msg Message.
acctstat Accounting state. One of: Start, Stop, Interim-Update, Accounting-On, Accounting-Off.
reason Reason.
38667
Message ID: 038667
Message Description: RADIUS other dynamic profile event
Type (type): event
Subtype (subtype): user
Level/Severity: information
Log field Meaning
type event
subtype user
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
carrierep The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in the FortiOS interface.
ip IP address.
rssokey RSSO key.
msg Message.
acctstat Accounting state. One of: Start, Stop, Interim-Update, Accounting-On, Accounting-Off.
reason Reason.
count Number of packets.
39424
Message ID: 039424
Message Description: SSL tunnel established
Type (type): event
Subtype (subtype): vpn
Level/Severity: information
Log field Meaning
type event
subtype vpn
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action "tunnel-up"
tunneltype "ssl-web"
tunnelid The tunnel ID.
remip The remote IP address.
tunnelip The tunnel IP address.
user User name.
group The group name.
dsthost Destination host.
reason The reason for the blocking. One of the following: meter-overload-drop, meter-overload-refuse, rate-limit, dialog-limit, long-header, unrecognized-form, unknown, block-request, invalid-ip, or exceed-rate.
msg "SSL tunnel established."
39425
Message ID: 039425
Message Description: SSL tunnel shutdown
Type (type): event
Subtype (subtype): vpn
Level/Severity: information
Log field Meaning
type event
subtype vpn
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action "tunnel-down"
tunneltype "ssl-web"
tunnelid The tunnel ID.
remip The remote IP address.
tunnelip The tunnel IP address.
user User name.
group The group name.
dsthost Destination host.
reason The reason for the blocking. One of the following: meter-overload-drop, meter-overload-refuse, rate-limit, dialog-limit, long-header, unrecognized-form, unknown, block-request, invalid-ip, or exceed-rate.
duration Time value in seconds.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
msg "SSL tunnel established."
39426
Message ID: 039426
Message Description: SSL user failed to log in
Type (type): event
Subtype (subtype): vpn
Level/Severity: information
Log field Meaning
type event
subtype vpn
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action "ssl-login-fail"
tunneltype "ssl-web"
tunnelid The tunnel ID.
remip The remote IP address.
tunnelip The tunnel IP address.
user User name.
group The group name.
dsthost Destination host.
reason The reason for the blocking. One of the following: meter-overload-drop, meter-overload-refuse, rate-limit, dialog-limit, long-header, unrecognized-form, unknown, block-request, invalid-ip, or exceed-rate.
msg "SSL user failed to log in."
39936
Message ID: 039936
Message Description: SSL web tunnel statistics
Type (type): event
Subtype (subtype): vpn
Level/Severity: information
Log field Meaning
type event
subtype vpn
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action "tunnel-stats"
tunneltype "ssl-web"
tunnelid The tunnel ID.
remip The remote IP address.
tunnelip The tunnel IP address.
user User name.
group The group name.
dsthost Destination host.
nextstats Next statistics.
duration Time value in seconds.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
reason The reason for the blocking. One of the following: meter-overload-drop, meter-overload-refuse, rate-limit, dialog-limit, long-header, unrecognized-form, unknown, block-request, invalid-ip, or exceed-rate.
msg "SSL web tunnel statistics."
39937
Message ID: 039937
Message Description: SSL web application blocked
Type (type): event
Subtype (subtype): vpn
Level/Severity: warning
Log field Meaning
type event
subtype vpn
level warning
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action "ssl-web-deny"
tunneltype "ssl-web"
tunnelid The tunnel ID.
remip The remote IP address.
tunnelip The tunnel IP address.
user User name.
group The group name.
dsthost Destination host.
apptype The type of application that triggered the action within the control list.
msg "SSL web application blocked."
39938
Message ID: 039938
Message Description: SSL web application activated
Type (type): event
Subtype (subtype): vpn
Level/Severity: information
Log field Meaning
type event
subtype vpn
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action "ssl-web-pass"
tunneltype "ssl-web"
tunnelid The tunnel ID.
remip The remote IP address.
tunnelip The tunnel IP address.
user User name.
group The group name.
dsthost Destination host.
apptype The type of application that triggered the action within the control list.
msg "SSL web application activated."
39939
Message ID: 039939
Message Description: SSL web application timeout
Type (type): event
Subtype (subtype): vpn
Level/Severity: information
Log field Meaning
type event
subtype vpn
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action "ssl-web-timeout"
tunneltype "ssl-web"
tunnelid The tunnel ID.
remip The remote IP address.
tunnelip The tunnel IP address.
user User name.
group The group name.
dsthost Destination host.
apptype The type of application that triggered the action within the control list.
msg "SSL web application timeout."
39940
Message ID: 039940
Message Description: SSL web application closed
Type (type): event
Subtype (subtype): vpn
Level/Severity: information
Log field Meaning
type event
subtype vpn
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action "ssl-web-close"
tunneltype "ssl-web"
tunnelid The tunnel ID.
remip The remote IP address.
tunnelip The tunnel IP address.
user User name.
group The group name.
dsthost Destination host.
apptype The type of application that triggered the action within the control list.
msg "SSL web application closed."
39941
Message ID: 039941
Message Description: SSL system busy
Type (type): event
Subtype (subtype): vpn
Level/Severity: information
Log field Meaning
type event
subtype vpn
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action "ssl-sys-busy"
tunneltype "ssl-web"
tunnelid The tunnel ID.
remip The remote IP address.
tunnelip The tunnel IP address.
user User name.
group The group name.
dsthost Destination host.
reason The reason for the blocking. One of the following: meter-overload-drop, meter-overload-refuse, rate-limit, dialog-limit, long-header, unrecognized-form, unknown, block-request, invalid-ip, or exceed-rate.
msg "SSL system busy."
39942
Message ID: 039942
Message Description: SSL new SSL certification verification success
Type (type): event
Subtype (subtype): vpn
Level/Severity: information
Log field Meaning
type event
subtype vpn
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action "ssl-cert"
tunneltype "ssl"
tunnelid The tunnel ID.
remip The remote IP address.
tunnelip The tunnel IP address.
user User name.
group The group name.
dsthost Destination host.
reason The reason for the blocking. One of the following: meter-overload-drop, meter-overload-refuse, rate-limit, dialog-limit, long-header, unrecognized-form, unknown, block-request, invalid-ip, or exceed-rate.
msg "SSL new SSL certification verification success."
39943
Message ID: 039943
Message Description: SSL new connection
Type (type): event
Subtype (subtype): vpn
Level/Severity: debug
Log field Meaning
type event
subtype vpn
level debug
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action "ssl-new-con"
tunneltype "ssl"
tunnelid The tunnel ID.
remip The remote IP address.
tunnelip The tunnel IP address.
user User name.
group The group name.
dsthost Destination host.
reason The reason for the blocking. One of the following: meter-overload-drop, meter-overload-refuse, rate-limit, dialog-limit, long-header, unrecognized-form, unknown, block-request, invalid-ip, or exceed-rate.
msg "SSL new connection."
39944
Message ID: 039944
Message Description: SSL alerts
Type (type): event
Subtype (subtype): vpn
Level/Severity: error
Log field Meaning
type event
subtype vpn
level error
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action "ssl-alert"
tunneltype "ssl"
tunnelid The tunnel ID.
remip The remote IP address.
tunnelip The tunnel IP address.
user User name.
group The group name.
dsthost Destination host.
alert Alert information.
desc Description.
msg "SSL alerts."
39945
Message ID: 039945
Message Description: SSL exit fail
Type (type): event
Subtype (subtype): vpn
Level/Severity: error
Log field Meaning
type event
subtype vpn
level error
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action "ssl-exit-fail"
tunneltype "ssl"
tunnelid The tunnel ID.
remip The remote IP address.
tunnelip The tunnel IP address.
user User name.
group The group name.
dsthost Destination host.
reason The reason for the blocking. One of the following: meter-overload-drop, meter-overload-refuse, rate-limit, dialog-limit, long-header, unrecognized-form, unknown, block-request, invalid-ip, or exceed-rate.
msg "SSL exit fail."
39946
Message ID: 039946
Message Description: SSL exit error
Type (type): event
Subtype (subtype): vpn
Level/Severity: error
Log field Meaning
type event
subtype vpn
level error
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action "ssl-exit-error"
tunneltype "ssl"
tunnelid The tunnel ID.
remip The remote IP address.
tunnelip The tunnel IP address.
user User name.
group The group name.
dsthost Destination host.
reason The reason for the blocking. One of the following: meter-overload-drop, meter-overload-refuse, rate-limit, dialog-limit, long-header, unrecognized-form, unknown, block-request, invalid-ip, or exceed-rate.
msg "SSL exit error."
39947
Message ID: 039947
Message Description: SSL tunnel established
Type (type): event
Subtype (subtype): vpn
Level/Severity: information
Log field Meaning
type event
subtype vpn
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action "tunnel-up"
tunneltype "ssl-tunnel"
tunnelid The tunnel ID.
remip The remote IP address.
tunnelip The tunnel IP address.
user User name.
group The group name.
dsthost Destination host.
reason The reason for the blocking. One of the following: meter-overload-drop, meter-overload-refuse, rate-limit, dialog-limit, long-header, unrecognized-form, unknown, block-request, invalid-ip, or exceed-rate.
msg "SSL tunnel established."
39948
Message ID: 039948
Message Description: SSL tunnel shutdown
Type (type): event
Subtype (subtype): vpn
Level/Severity: information
Log field Meaning
type event
subtype vpn
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action "tunnel-down"
tunneltype "ssl-tunnel"
tunnelid The tunnel ID.
remip The remote IP address.
tunnelip The tunnel IP address.
user User name.
group The group name.
dsthost Destination host.
duration Time value in seconds.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
reason The reason for the blocking. One of the following: meter-overload-drop, meter-overload-refuse, rate-limit, dialog-limit, long-header, unrecognized-form, unknown, block-request, invalid-ip, or exceed-rate.
msg "SSL tunnel established."
39949
Message ID: 039949
Message Description: SSL tunnel statistics
Type (type): event
Subtype (subtype): vpn
Level/Severity: information
Log field Meaning
type event
subtype vpn
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action "tunnel-stats"
tunneltype "ssl-tunnel"
tunnelid The tunnel ID.
remip The remote IP address.
tunnelip The tunnel IP address.
user User name.
group The group name.
dsthost Destination host.
nextstats Next statistics.
duration Time value in seconds.
sentbyte The number of sent bytes related to the log message.
rcvdbyte The number of received bytes related to the log message.
reason The reason for the blocking. One of the following: meter-overload-drop, meter-overload-refuse, rate-limit, dialog-limit, long-header, unrecognized-form, unknown, block-request, invalid-ip, or exceed-rate.
msg "SSL tunnel statistics."
39950
Message ID: 039950
Message Description: SSL tunnel unknown tag
Type (type): event
Subtype (subtype): vpn
Level/Severity: information
Log field Meaning
type event
subtype vpn
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action "ssl-tunnel-unknown-tag"
tunneltype "ssl-tunnel"
tunnelid The tunnel ID.
remip The remote IP address.
tunnelip The tunnel IP address.
user User name.
group The group name.
dsthost Destination host.
reason The reason for the blocking. One of the following: meter-overload-drop, meter-overload-refuse, rate-limit, dialog-limit, long-header, unrecognized-form, unknown, block-request, invalid-ip, or exceed-rate.
msg "SSL tunnel unknown tag."
39951
Message ID: 039951
Message Description: SSL tunnel error
Type (type): event
Subtype (subtype): vpn
Level/Severity: error
Log field Meaning
type event
subtype vpn
level error
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action "ssl-tunnel-error"
tunneltype "ssl-tunnel"
tunnelid The tunnel ID.
remip The remote IP address.
tunnelip The tunnel IP address.
user User name.
group The group name.
dsthost Destination host.
reason The reason for the blocking. One of the following: meter-overload-drop, meter-overload-refuse, rate-limit, dialog-limit, long-header, unrecognized-form, unknown, block-request, invalid-ip, or exceed-rate.
msg "SSL tunnel error."
40704
Message ID: 040704
Message Description: System performance
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field Meaning
type event
subtype system
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action "perf-stats"
cpu CPU usage.
mem Memory usage.
totalsession Total IP sessions.
msg "Performance statistics."
40960
Message ID: 040960
Message Description: web proxy forward server error
Type (type): event
Subtype (subtype): wad
Level/Severity: notice
Log field Meaning
type event
subtype wad
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
fwservername Forward server name.
addrtype Address type, either IP or FQDN.
ip IP address.
fqdn Domain name.
port Port number.
msg Message. Either "Failed to connect to forward server" or "Successfully connected to forward server".
41216
Message ID: 041216
Message Description: GTP forward
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field Meaning
type event
subtype system
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
profile The name of the profile that was used to detect and take action.
status GTP status. One of: forwarded, prohibited, rate-limited, state-invalid, tunnel-limited, traffic-count, user-data, prohibited-monitor, rate-limited-monitor, state-invalid-monitor, tunnel-limited-monitor.
version Version.
msgtype Message type.
from Source identifier.
to Destination identifier.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
seqnum Sequence number.
tunnelidx Tunnel index.
imsi IMSI.
msisdn The MSISDN information.
apn APN.
selection Selection: apns-vrf, ms-apn-no-vrf, net-apn-no-vrf.
cgsn CGSN.
ugsn UGSN.
nsapi NSAPI.
linkednsapi Linked NSAPI.
imeisv IMEISV.
rattype Rat type. One of: utran, geran, wlan, gan, hspa, eutran, virtual.
rai RAI.
uli ULI.
endusraddress End user address.
headerteid Header TEID.
41217
Message ID: 041217
Message Description: GTP Deny
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field Meaning
type event
subtype system
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
profile The name of the profile that was used to detect and take action.
status GTP status. One of: forwarded, prohibited, rate-limited, state-invalid, tunnel-limited, traffic-count, user-data, prohibited-monitor, rate-limited-monitor, state-invalid-monitor, tunnel-limited-monitor.
version Version.
msgtype Message type.
from Source identifier.
to Destination identifier.
denycause Denial cause. One of: packet-sanity, invalid-reserved-field, reserved-msg, out-state-msg, reserved-ie, out-state-ie, invalid-msg-length, invalid-ie-length, miss-mandatory-ie, ip-policy, non-ip-policy, sgsn-not-authorized, sgsn-no-handover, ggsn-not-authorized, invalid-seq-num, msg-filter, apn-filter, imsi-filter, adv-policy-filter, unknown-gtp-version
ietype IE type.
dtlexp Detailed explanation. One of the following: none, ie-is-missing, invalid-ie-length, no-tunnel-exists, hteid-is-zero, response-hteid-doesnt-match-request, payload-teid-is-zero, invalid-tid, header-seq-num-is-missing, expired-echo-response, expired-create-response, expired-update-response, expired-delete-response, invalid-mcc-mnc, neither-hteid-nor-cteid-exists, cant-have-both-hteid-and-cteid, malformed-extension-header, expired-create-session-response, expired-create-bearer-response, expired-create-indirect-tunnel-response, expired-modified-bearer-response, expired-update-bearer-response, expired-delete-session-response, expired-delete-beaerer-response, expired-delete-indirect-tunnel-response, expired-release-access-bearer-response, cause-value-should-be-isr-deactivation, imsi-shouldnt-exist, fteid-shouldnt-exist, cant-have-both-ebi-and-lbi, invalid-eps-bearer-id, malformed-piggybacked-msg, malformed-p-flag, malformed-t-flag
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
seqnum Sequence number.
tunnelidx Tunnel index.
imsi IMSI.
msisdn The MSISDN information.
apn APN.
selection Selection: apns-vrf, ms-apn-no-vrf, net-apn-no-vrf.
cgsn CGSN.
ugsn UGSN.
nsapi NSAPI.
linkednsapi Linked NSAPI.
imeisv IMEISV.
rattype Rat type. One of: utran, geran, wlan, gan, hspa, eutran, virtual.
rai RAI.
uli ULI.
endusraddress End user address.
headerteid Header TEID.
41218
Message ID: 041218
Message Description: GTP Rate Limit
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field Meaning
type event
subtype system
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
profile The name of the profile that was used to detect and take action.
status GTP status. One of: forwarded, prohibited, rate-limited, state-invalid, tunnel-limited, traffic-count, user-data, prohibited-monitor, rate-limited-monitor, state-invalid-monitor, tunnel-limited-monitor.
version Version.
msgtype Message type.
from Source identifier.
to Destination identifier.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
seqnum Sequence number.
tunnelidx Tunnel index.
imsi IMSI.
msisdn The MSISDN information.
apn APN.
selection Selection: apns-vrf, ms-apn-no-vrf, net-apn-no-vrf.
cgsn CGSN.
ugsn UGSN.
nsapi NSAPI.
linkednsapi Linked NSAPI.
imeisv IMEISV.
rattype Rat type. One of: utran, geran, wlan, gan, hspa, eutran, virtual.
rai RAI.
uli ULI.
endusraddress End user address.
headerteid Header TEID.
41219
Message ID: 041219
Message Description: GTP State Invalid
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field Meaning
type event
subtype system
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
profile The name of the profile that was used to detect and take action.
status GTP status. One of: forwarded, prohibited, rate-limited, state-invalid, tunnel-limited, traffic-count, user-data, prohibited-monitor, rate-limited-monitor, state-invalid-monitor, tunnel-limited-monitor.
version Version.
msgtype Message type.
from Source identifier.
to Destination identifier.
dtlexp Detailed explanation. One of the following: none, ie-is-missing, invalid-ie-length, no-tunnel-exists, hteid-is-zero, response-hteid-doesnt-match-request, payload-teid-is-zero, invalid-tid, header-seq-num-is-missing, expired-echo-response, expired-create-response, expired-update-response, expired-delete-response, invalid-mcc-mnc, neither-hteid-nor-cteid-exists, cant-have-both-hteid-and-cteid, malformed-extension-header, expired-create-session-response, expired-create-bearer-response, expired-create-indirect-tunnel-response, expired-modified-bearer-response, expired-update-bearer-response, expired-delete-session-response, expired-delete-beaerer-response, expired-delete-indirect-tunnel-response, expired-release-access-bearer-response, cause-value-should-be-isr-deactivation, imsi-shouldnt-exist, fteid-shouldnt-exist, cant-have-both-ebi-and-lbi, invalid-eps-bearer-id, malformed-piggybacked-msg, malformed-p-flag, malformed-t-flag
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
seqnum Sequence number.
tunnelidx Tunnel index.
imsi IMSI.
msisdn The MSISDN information.
apn APN.
selection Selection: apns-vrf, ms-apn-no-vrf, net-apn-no-vrf.
cgsn CGSN.
ugsn UGSN.
nsapi NSAPI.
linkednsapi Linked NSAPI.
imeisv IMEISV.
rattype Rat type. One of: utran, geran, wlan, gan, hspa, eutran, virtual.
rai RAI.
uli ULI.
endusraddress End user address.
headerteid Header TEID.
41220
Message ID: 041220
Message Description: GTP Tunnel Limit
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field Meaning
type event
subtype system
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
profile The name of the profile that was used to detect and take action.
status GTP status. One of: forwarded, prohibited, rate-limited, state-invalid, tunnel-limited, traffic-count, user-data, prohibited-monitor, rate-limited-monitor, state-invalid-monitor, tunnel-limited-monitor.
version Version.
msgtype Message type.
from Source identifier.
to Destination identifier.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
seqnum Sequence number.
tunnelidx Tunnel index.
imsi IMSI.
msisdn The MSISDN information.
apn APN.
selection Selection: apns-vrf, ms-apn-no-vrf, net-apn-no-vrf.
cgsn CGSN.
ugsn UGSN.
nsapi NSAPI.
linkednsapi Linked NSAPI.
imeisv IMEISV.
rattype Rat type. One of: utran, geran, wlan, gan, hspa, eutran, virtual.
rai RAI.
uli ULI.
endusraddress End user address.
headerteid Header TEID.
41221
Message ID: 041221
Message Description: GTP Traffic Account
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field Meaning
type event
subtype system
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
profile The name of the profile that was used to detect and take action.
status GTP status. One of: forwarded, prohibited, rate-limited, state-invalid, tunnel-limited, traffic-count, user-data, prohibited-monitor, rate-limited-monitor, state-invalid-monitor, tunnel-limited-monitor.
version Version.
csgsn CSGSN.
cggsn CGGSN.
usgsn USGSN.
uggsn UGGSN.
csgsnteid CSGSN TEID.
cggsnteid CSGSN TEID.
usgsnteid USGSN TEID.
uggsnteid UGGSN TEID.
tunnelidx Tunnel index.
duration Time value in seconds.
cpkts C-packets.
cbytes C-bytes.
upkts U-packets.
ubytes U-bytes.
tunnelidx Tunnel index.
imsi IMSI.
msisdn The MSISDN information.
apn APN.
selection Selection: apns-vrf, ms-apn-no-vrf, net-apn-no-vrf.
cgsn CGSN.
ugsn UGSN.
nsapi NSAPI.
linkednsapi Linked NSAPI.
imeisv IMEISV.
rattype Rat type. One of: utran, geran, wlan, gan, hspa, eutran, virtual.
rai RAI.
uli ULI.
endusraddress End user address.
41222
Message ID: 041222
Message Description: GTP User Data
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field Meaning
type event
subtype system
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
profile The name of the profile that was used to detect and take action.
status GTP status. One of: forwarded, prohibited, rate-limited, state-invalid, tunnel-limited, traffic-count, user-data, prohibited-monitor, rate-limited-monitor, state-invalid-monitor, tunnel-limited-monitor.
version Version.
tunnelidx Tunnel index.
from Source identifier.
to Destination identifier.
endusraddress End user address.
imsi IMSI.
msisdn The MSISDN information.
apn APN.
userdata User data.
41223
Message ID: 041223
Message Description: GTPv2 Forward
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field Meaning
type event
subtype system
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
profile The name of the profile that was used to detect and take action.
status GTP status. One of: forwarded, prohibited, rate-limited, state-invalid, tunnel-limited, traffic-count, user-data, prohibited-monitor, rate-limited-monitor, state-invalid-monitor, tunnel-limited-monitor.
version Version.
msgtype Message type.
from Source identifier.
to Destination identifier.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
seqnum Sequence number.
tunnelidx Tunnel index.
imsi IMSI.
msisdn The MSISDN information.
imeisv IMEISV.
snetwork Serving network.
rattype Rat type. One of: utran, geran, wlan, gan, hspa, eutran, virtual.
selection Selection: apns-vrf, ms-apn-no-vrf, net-apn-no-vrf.
apn APN.
endusraddress End user address.
headerteid Header TEID.
cpaddr Sender IP address for control plane.
cpteid Sender TEID for control plane.
41224
Message ID: 041224
Message Description: GTPv2 Deny
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field Meaning
type event
subtype system
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
profile The name of the profile that was used to detect and take action.
status GTP status. One of: forwarded, prohibited, rate-limited, state-invalid, tunnel-limited, traffic-count, user-data, prohibited-monitor, rate-limited-monitor, state-invalid-monitor, tunnel-limited-monitor.
version Version.
msgtype Message type.
from Source identifier.
to Destination identifier.
denycause Denial cause. One of: packet-sanity, invalid-reserved-field, reserved-msg, out-state-msg, reserved-ie, out-state-ie, invalid-msg-length, invalid-ie-length, miss-mandatory-ie, ip-policy, non-ip-policy, sgsn-not-authorized, sgsn-no-handover, ggsn-not-authorized, invalid-seq-num, msg-filter, apn-filter, imsi-filter, adv-policy-filter, unknown-gtp-version
ietype IE type.
dtlexp Detailed explanation. One of the following: none, ie-is-missing, invalid-ie-length, no-tunnel-exists, hteid-is-zero, response-hteid-doesnt-match-request, payload-teid-is-zero, invalid-tid, header-seq-num-is-missing, expired-echo-response, expired-create-response, expired-update-response, expired-delete-response, invalid-mcc-mnc, neither-hteid-nor-cteid-exists, cant-have-both-hteid-and-cteid, malformed-extension-header, expired-create-session-response, expired-create-bearer-response, expired-create-indirect-tunnel-response, expired-modified-bearer-response, expired-update-bearer-response, expired-delete-session-response, expired-delete-beaerer-response, expired-delete-indirect-tunnel-response, expired-release-access-bearer-response, cause-value-should-be-isr-deactivation, imsi-shouldnt-exist, fteid-shouldnt-exist, cant-have-both-ebi-and-lbi, invalid-eps-bearer-id, malformed-piggybacked-msg, malformed-p-flag, malformed-t-flag
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
seqnum Sequence number.
tunnelidx Tunnel index.
imsi IMSI.
msisdn The MSISDN information.
imeisv IMEISV.
snetwork Serving network.
rattype Rat type. One of: utran, geran, wlan, gan, hspa, eutran, virtual.
selection Selection: apns-vrf, ms-apn-no-vrf, net-apn-no-vrf.
apn APN.
endusraddress End user address.
headerteid Header TEID.
cpaddr Sender IP address for control plane.
cpteid Sender TEID for control plane.
41225
Message ID: 041225
Message Description: GTPv2 Rate Limit
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field Meaning
type event
subtype system
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
profile The name of the profile that was used to detect and take action.
status GTP status. One of: forwarded, prohibited, rate-limited, state-invalid, tunnel-limited, traffic-count, user-data, prohibited-monitor, rate-limited-monitor, state-invalid-monitor, tunnel-limited-monitor.
version Version.
msgtype Message type.
from Source identifier.
to Destination identifier.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
seqnum Sequence number.
tunnelidx Tunnel index.
imsi IMSI.
msisdn The MSISDN information.
imeisv IMEISV.
snetwork Serving network.
rattype RAT type. One of: utran, geran, wlan, gan, hspa, eutran, virtual.
selection Selection: apns-vrf, ms-apn-no-vrf, net-apn-no-vrf.
apn APN.
endusraddress End user address.
headerteid Header TEID.
cpaddr Sender IP address for control plane.
cpteid Sender TEID for control plane.
41226
Message ID: 041226
Message Description: GTPv2 State Invalid
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field Meaning
type event
subtype system
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
profile The name of the profile that was used to detect and take action.
status GTP status. One of: forwarded, prohibited, rate-limited, state-invalid, tunnel-limited, traffic-count, user-data, prohibited-monitor, rate-limited-monitor, state-invalid-monitor, tunnel-limited-monitor.
version Version.
msgtype Message type.
from Source identifier.
to Destination identifier.
dtlexp Detailed explanation. One of the following: none, ie-is-missing, invalid-ie-length, no-tunnel-exists, hteid-is-zero, response-hteid-doesnt-match-request, payload-teid-is-zero, invalid-tid, header-seq-num-is-missing, expired-echo-response, expired-create-response, expired-update-response, expired-delete-response, invalid-mcc-mnc, neither-hteid-nor-cteid-exists, cant-have-both-hteid-and-cteid, malformed-extension-header, expired-create-session-response, expired-create-bearer-response, expired-create-indirect-tunnel-response, expired-modified-bearer-response, expired-update-bearer-response, expired-delete-session-response, expired-delete-beaerer-response, expired-delete-indirect-tunnel-response, expired-release-access-bearer-response, cause-value-should-be-isr-deactivation, imsi-shouldnt-exist, fteid-shouldnt-exist, cant-have-both-ebi-and-lbi, invalid-eps-bearer-id, malformed-piggybacked-msg, malformed-p-flag, malformed-t-flag
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
seqnum Sequence number.
tunnelidx Tunnel index.
imsi IMSI.
msisdn The MSISDN information.
imeisv IMEISV.
snetwork Serving network.
rattype RAT type. One of: utran, geran, wlan, gan, hspa, eutran, virtual.
selection Selection: apns-vrf, ms-apn-no-vrf, net-apn-no-vrf.
apn APN.
endusraddress End user address.
headerteid Header TEID.
cpaddr Sender IP address for control plane.
cpteid Sender TEID for control plane.
41227
Message ID: 041227
Message Description: GTPv2 Tunnel Limit
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field Meaning
type event
subtype system
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
profile The name of the profile that was used to detect and take action.
status GTP status. One of: forwarded, prohibited, rate-limited, state-invalid, tunnel-limited, traffic-count, user-data, prohibited-monitor, rate-limited-monitor, state-invalid-monitor, tunnel-limited-monitor.
version Version.
msgtype Message type.
from Source identifier.
to Destination identifier.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
seqnum Sequence number.
tunnelidx Tunnel index.
imsi IMSI.
msisdn The MSISDN information.
imeisv IMEISV.
snetwork Serving network.
rattype RAT type. One of: utran, geran, wlan, gan, hspa, eutran, virtual.
selection Selection: apns-vrf, ms-apn-no-vrf, net-apn-no-vrf.
apn APN.
endusraddress End user address.
headerteid Header TEID.
cpaddr Sender IP address for control plane.
cpteid Sender TEID for control plane.
41228
Message ID: 041228
Message Description: GTP Traffic Account
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field Meaning
type event
subtype system
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
profile The name of the profile that was used to detect and take action.
status GTP status. One of: forwarded, prohibited, rate-limited, state-invalid, tunnel-limited, traffic-count, user-data, prohibited-monitor, rate-limited-monitor, state-invalid-monitor, tunnel-limited-monitor.
version Version.
cpdladdr Down-link IP address for control plane.
cpdlisraddr Secondary down-link IP address for control plane, for ISR cases.
cpuladdr Up-link IP address for control plane.
cpdlteid Down-link TEID for control plane.
cpdlisrteid Secondary down-link TEID for control plane, for ISR cases.
cpulteid Up-link TEID for control plane.
tunnelidx Tunnel index.
duration Time value in seconds.
cpkts C-packets.
cbytes C-bytes.
upkts U-packets.
ubytes U-bytes.
imsi IMSI.
msisdn The MSISDN information.
apn APN.
selection Selection: apns-vrf, ms-apn-no-vrf, net-apn-no-vrf.
imeisv IMEISV.
rattype RAT type. One of: utran, geran, wlan, gan, hspa, eutran, virtual.
endusraddress End user address.
snetwork Serving network.
41984
Message ID: 041984
Message Description: Certificate Load
Type (type): event
Subtype (subtype): vpn
Level/Severity: information
Log field Meaning
type event
subtype vpn
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action "info"
user User name.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
certtype Certificate type. One of: CA, CRL, Local, Remote.
msg "A certificate is loaded."
41985
Message ID: 041985
Message Description: Certificate Removal
Type (type): event
Subtype (subtype): vpn
Level/Severity: information
Log field Meaning
type event
subtype vpn
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action "info"
user User name.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
certtype Certificate type. One of: CA, CRL, Local, Remote.
msg "A certificate is removed."
41986
Message ID: 041986
Message Description: Certificate Regenerated
Type (type): event
Subtype (subtype): vpn
Level/Severity: information
Log field Meaning
type event
subtype vpn
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action "info"
status "success"
user User name.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
certtype Certificate type. One of: CA, CRL, Local, Remote.
msg "A certificate is regenerated."
41987
Message ID: 041987
Message Description: Certificate Updated
Type (type): event
Subtype (subtype): vpn
Level/Severity: information
Log field Meaning
type event
subtype vpn
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action "info"
status "success"
name Certificate name.
method The method information.
certtype Certificate type. One of: CA, CRL, Local, Remote.
msg "A certificate is updated."
41988
Message ID: 041988
Message Description: SSL Setting Updated
Type (type): event
Subtype (subtype): vpn
Level/Severity: information
Log field Meaning
type event
subtype vpn
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action "info"
user User name.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
msg "User changed SSL setting."
41989
Message ID: 041989
Message Description: Certificate Error
Type (type): event
Subtype (subtype): vpn
Level/Severity: information
Log field Meaning
type event
subtype vpn
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action "info"
user User name.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
certtype Certificate type. One of: CA, CRL, Local, Remote.
msg "Certificate is invalid."
43008
Message ID: 043008
Message Description: Authentication succeeded
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field Meaning
type event
subtype user
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip The source IP.
dstip The destination IP.
policyid The ID number of the firewall policy that applies to the session or packet.
user User name.
group The group name.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
action Action. One of the following: authentication, FSSO-auth, FSSO-logon, FSSO-logoff, NTLM-auth.
status Authentication status. One of: success, failure, timed_out, locked_out.
reason Reason.
msg Message.
43009
Message ID: 043009
Message Description: Authentication failed
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field Meaning
type event
subtype user
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip The source IP.
dstip The destination IP.
policyid The ID number of the firewall policy that applies to the session or packet.
user User name.
group The group name.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
action Action. One of the following: authentication, FSSO-auth, FSSO-logon, FSSO-logoff, NTLM-auth.
status Authentication status. One of: success, failure, timed_out, locked_out.
reason Reason.
msg Message.
43010
Message ID: 043010
Message Description: Authentication locked out
Type (type): event
Subtype (subtype): user
Level/Severity: warning
Log field Meaning
type event
subtype user
level warning
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip The source IP.
dstip The destination IP.
policyid The ID number of the firewall policy that applies to the session or packet.
user User name.
group The group name.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
action Action. One of the following: authentication, FSSO-auth, FSSO-logon, FSSO-logoff, NTLM-auth.
status Authentication status. One of: success, failure, timed_out, locked_out.
reason Reason.
msg Message.
43011
Message ID: 043011
Message Description: Authentication timed out
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field Meaning
type event
subtype user
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip The source IP.
dstip The destination IP.
policyid The ID number of the firewall policy that applies to the session or packet.
user User name.
group The group name.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
action Action. One of the following: authentication, FSSO-auth, FSSO-logon, FSSO-logoff, NTLM-auth.
status Authentication status. One of: success, failure, timed_out, locked_out.
reason Reason.
msg Message.
43012
Message ID: 043012
Message Description: FSSO authentication succeeded
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field Meaning
type event
subtype user
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip The source IP.
dstip The destination IP.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
policyid The ID number of the firewall policy that applies to the session or packet.
user User name.
adgroup The name of the AD group.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
action Action. One of the following: authentication, FSSO-auth, FSSO-logon, FSSO-logoff, NTLM-auth.
status Authentication status. One of: success, failure, timed_out, locked_out.
reason Reason.
msg Message.
43013
Message ID: 043013
Message Description: FSSO authentication failed
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field Meaning
type event
subtype user
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip The source IP.
dstip The destination IP.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
policyid The ID number of the firewall policy that applies to the session or packet.
user User name.
adgroup The name of the AD group.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
action Action. One of the following: authentication, FSSO-auth, FSSO-logon, FSSO-logoff, NTLM-auth.
status Authentication status. One of: success, failure, timed_out, locked_out.
reason Reason.
msg Message.
43014
Message ID: 043014
Message Description: FSSO log on
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field Meaning
type event
subtype user
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip The source IP.
user User name.
server The name or IP address of the server.
action Action. One of the following: authentication, FSSO-auth, FSSO-logon, FSSO-logoff, NTLM-auth.
msg Message.
43015
Message ID: 043015
Message Description: FSSO log off
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field Meaning
type event
subtype user
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip The source IP.
user User name.
server The name or IP address of the server.
action Action. One of the following: authentication, FSSO-auth, FSSO-logon, FSSO-logoff, NTLM-auth.
msg Message.
43016
Message ID: 043016
Message Description: NTLM authentication succeeded
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field Meaning
type event
subtype user
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip The source IP.
dstip The destination IP.
policyid The ID number of the firewall policy that applies to the session or packet.
user User name.
adgroup The name of the AD group.
group The group name.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
action Action. One of the following: authentication, FSSO-auth, FSSO-logon, FSSO-logoff, NTLM-auth.
status Authentication status. One of: success, failure, timed_out, locked_out.
reason Reason.
msg Message.
43017
Message ID: 043017
Message Description: NTLM authentication failed
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field Meaning
type event
subtype user
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip The source IP.
dstip The destination IP.
policyid The ID number of the firewall policy that applies to the session or packet.
user User name.
adgroup The name of the AD group.
group The group name.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
action Action. One of the following: authentication, FSSO-auth, FSSO-logon, FSSO-logoff, NTLM-auth.
status Authentication status. One of: success, failure, timed_out, locked_out.
reason Reason.
msg Message.
43018
Message ID: 043018
Message Description: FortiGuard override failed
Type (type): event
Subtype (subtype): user
Level/Severity: warning
Log field Meaning
type event
subtype user
level warning
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip The source IP.
dstip The destination IP.
initiator The initiator name.
status Authentication status. One of: success, failure, timed_out, locked_out.
reason Reason.
msg Message.
43019
Message ID: 043019
Message Description: FortiGuard override failed
Type (type): event
Subtype (subtype): user
Level/Severity: warning
Log field Meaning
type event
subtype user
level warning
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip The source IP.
dstip The destination IP.
initiator The initiator name.
status Authentication status. One of: success, failure, timed_out, locked_out.
reason Reason.
msg Message.
43020
Message ID: 043020
Message Description: FortiGuard override succeeded
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field Meaning
type event
subtype user
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip The source IP.
dstip The destination IP.
initiator The initiator name.
status Authentication status. One of: success, failure, timed_out, locked_out.
reason Reason.
scope Scope information. One of: user, user_group, ip, profile, unhandled.
scopedata Scope data.
ruletype Rule type. One of: Directory, domain, rating, unhandled.
ruledata Rule data.
offsite Offsite allowed, either yes or no.
expiry Expiry information.
oldwprof Old Webfilter profile name.
newwprof New Webfilter profile name.
msg Message.
43021
Message ID: 043021
Message Description: Endpoint checking event
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field Meaning
type event
subtype user
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
dstip The destination IP.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
msg Message.
43022
Message ID: 043022
Message Description: Endpoint license distribution
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field Meaning
type event
subtype user
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
dstip The destination IP.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
msg Message.
43023
Message ID: 043023
Message Description: Endpoint detection
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field Meaning
type event
subtype user
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
dstip The destination IP.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
msg Message.
43024
Message ID: 043024
Message Description: Endpoint detection
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field Meaning
type event
subtype user
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
dstip The destination IP.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
msg Message.
43025
Message ID: 043025
Message Description: Authentication succeeded
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field Meaning
type event
subtype user
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip The source IP.
dstip The destination IP.
policyid The ID number of the firewall policy that applies to the session or packet.
user User name.
group The group name.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
action Action. One of the following: authentication, FSSO-auth, FSSO-logon, FSSO-logoff, NTLM-auth.
status Authentication status. One of: success, failure, timed_out, locked_out.
reason Reason.
msg Message.
43026
Message ID: 043026
Message Description: Authentication failed
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field Meaning
type event
subtype user
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip The source IP.
dstip The destination IP.
policyid The ID number of the firewall policy that applies to the session or packet.
user User name.
group The group name.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
action Action. One of the following: authentication, FSSO-auth, FSSO-logon, FSSO-logoff, NTLM-auth.
status Authentication status. One of: success, failure, timed_out, locked_out.
reason Reason.
msg Message.
43027
Message ID: 043027
Message Description: Authentication timed out
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field Meaning
type event
subtype user
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip The source IP.
dstip The destination IP.
policyid The ID number of the firewall policy that applies to the session or packet.
user User name.
group The group name.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
action Action. One of the following: authentication, FSSO-auth, FSSO-logon, FSSO-logoff, NTLM-auth.
status Authentication status. One of: success, failure, timed_out, locked_out.
reason Reason.
msg Message.
43028
Message ID: 043028
Message Description: Authentication failed
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field Meaning
type event
subtype user
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip The source IP.
dstip The destination IP.
policyid The ID number of the firewall policy that applies to the session or packet.
user User name.
group The group name.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
action Action. One of the following: authentication, FSSO-auth, FSSO-logon, FSSO-logoff, NTLM-auth.
status Authentication status. One of: success, failure, timed_out, locked_out.
reason Reason.
msg Message.
43029
Message ID: 043029
Message Description: FortiGuard override succeeded
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field Meaning
type event
subtype user
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip The source IP.
dstip The destination IP.
initiator The initiator name.
status Authentication status. One of: success, failure, timed_out, locked_out.
reason Reason.
scope Scope information. One of: user, user_group, ip, profile, unhandled.
scopedata Scope data.
ruletype Rule type. One of: Directory, domain, rating, unhandled.
ruledata Rule data.
offsite Offsite allowed, either yes or no.
expiry Expiry information.
oldwprof Old Webfilter profile name.
newwprof New Webfilter profile name.
msg Message.

43030
Message ID: 043030
Message Description: FortiGuard override failed
Type (type): event
Subtype (subtype): user
Level/Severity: warning
Log field Meaning
type event
subtype user
level warning
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip The source IP.
dstip The destination IP.
initiator The initiator name.
status Authentication status. One of: success, failure, timed_out, locked_out.
reason Reason.
msg Message.

43264
Message ID: 043264
Message Description: MMS Statistics
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field Meaning
type event
subtype system
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
proto MMS protocol: MM1, MM3, MM4, or MM7.
infected Number of infected messages.
suspicious Number of suspicious messages.
scanned Number of scanned messages.
intercepted Number of intercepted messages.
blocked Number of blocked messages.
checksum Number of content checksum blocked messages.
duration Time value in seconds.

43520
Message ID: 043520
Message Description: wireless system activity
Type (type): event
Subtype (subtype): wireless
Level/Severity: notice
Log field Meaning
type event
subtype wireless
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action The action that was taken by the system.
msg Message.

43521
Message ID: 043521
Message Description: wireless rogue AP activity
Type (type): event
Subtype (subtype): wireless
Level/Severity: notice
Log field Meaning
type event
subtype wireless
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
onwire Will display NO or 0.
ssid The service set identifier.
bssid The basic service set identifier.
aptype AP type.
rate The data rate number.
radioband Radio band.
channel The channel number.
action The action that was taken by the system.
manuf Manufacturer.
securitymode Security mode.
rssi RSSI.
Noise Noise.
live Live.
age Age.
detectionmethod Method of detection: N/A, sta, mac adjacency, sta and mac adjacency.
stamac Station MAC.
apscan WTP that scanned the station.
sndetected Serial number of physical AP which detected the rogue AP.
radioiddetected ID of the radio on physical AP which detected the rogue AP.
stacount STA count.
snclosest Serial number of physical AP which is closest to the rogue AP.
radioiddetected ID of the radio on physical AP which is closest to the rogue AP.
msg Message.

43522
Message ID: 043522
Message Description: physical AP activity
Type (type): event
Subtype (subtype): wireless
Level/Severity: notice
Log field Meaning
type event
subtype wireless
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
sn Serial number.
ap Physical AP name.
approfile AP profile.
ip IP address.
meshmode Mesh mode: non-mesh, mesh ap, mesh root ap, mesh branch/leaf ap.
snmeshparent Serial number of physical AP which is the mesh parent of this mesh branch/leaf AP.
action The action that was taken by the system.
reason Reason.
msg Message.

43524
Message ID: 043524
Message Description: wireless client activity
Type (type): event
Subtype (subtype): wireless
Level/Severity: notice
Log field Meaning
type event
subtype wireless
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
sn Serial number.
ap Physical AP name.
vap Virtual AP name.
ssid The service set identifier.
user User name.
group The group name.
mac Client MAC address.
ip IP address.
channel The channel number.
radioband Radio band.
security Security type: open, wep64, wep128, wpa-psk, wpa-radius, wpa, wpa2, wpa2-auto.
action The action that was taken by the system.
reason Reason.
msg Message.

43525
Message ID: 043525
Message Description: wireless rogue AP activity (on-wire)
Type (type): event
Subtype (subtype): wireless
Level/Severity: warning
Log field Meaning
type event
subtype wireless
level warning
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
onwire Will display YES or 1.
ssid The service set identifier.
bssid The basic service set identifier.
aptype AP type.
rate The data rate number.
onwire On wire: either yes or no.
radioband Radio band.
channel The channel number.
action The action that was taken by the system.
manuf Manufacturer.
securitymode Security mode.
rssi RSSI.
Noise Noise.
live Live.
age Age.
detectionmethod Method of detection: N/A, sta, mac adjacency, sta and mac adjacency.
stamac Station MAC.
apscan WTP that scanned the station.
sndetected Serial number of physical AP which detected the rogue AP.
radioiddetected ID of the radio on physical AP which detected the rogue AP.
stacount STA count.
snclosest Serial number of physical AP which is closest to the rogue AP.
radioiddetected ID of the radio on physical AP which is closest to the rogue AP.
msg Message.

43526
Message ID: 043526
Message Description: physical AP radio activity
Type (type): event
Subtype (subtype): wireless
Level/Severity: notice
Log field Meaning
type event
subtype wireless
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
sn Serial number.
ap Physical AP name.
ip IP address.
radioid Radio ID.
configcountry Config country.
opercountry Operating country.
cfgtxpower Config TX power.
opertxpower Operating TX power.
radioband Radio band.
action The action that was taken by the system.
msg Message.

43527
Message ID: 043527
Message Description: wireless rogue AP status config
Type (type): event
Subtype (subtype): wireless
Level/Severity: notice
Log field Meaning
type event
subtype wireless
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action The action that was taken by the system.
ssid The service set identifier.
bssid The basic service set identifier.
apstatus AP status.
msg Message.

43528
Message ID: 043528
Message Description: physical AP radio activity
Type (type): event
Subtype (subtype): wireless
Level/Severity: error
Log field Meaning
type event
subtype wireless
level error
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
sn Serial number.
ap Physical AP name.
ip IP address.
radioid Radio ID.
configcountry Config country.
opercountry Operating country.
cfgtxpower Config TX power.
opertxpower Operating TX power.
radioband Radio band.
action The action that was taken by the system.
msg Message.

43529
Message ID: 043529
Message Description: wireless client load balancing
Type (type): event
Subtype (subtype): wireless
Level/Severity: notice
Log field Meaning
type event
subtype wireless
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
sn Serial number.
ap Physical AP name.
vap Virtual AP name.
ssid The service set identifier.
mac Client MAC address.
radioband Radio band.
stacount STA count.
action The action that was taken by the system.
reason Reason.
msg Message.

43530
Message ID: 043530
Message Description: wl-bridge-detect
Type (type): event
Subtype (subtype): wireless
Level/Severity: notice
Log field Meaning
type event
subtype wireless
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action The action that was taken by the system.
threattype WIDS threat type.
live Live.
age Age.
channel The channel number.
rssi RSSI.
frametype Frame type.
ds Distribution system directory.
bssid The basic service set identifier.
seq Sequence number.
encrypt Encryption status of the packet.
tamac Transmitter MAC address. Shows "Receiver" if none.
manuf Manufacturer.
sndetected Serial number of physical AP which detected the rogue AP.
radioiddetected ID of the radio on physical AP which detected the rogue AP.
msg Message.

43531
Message ID: 043531
Message Description: bc-deauth-detect
Type (type): event
Subtype (subtype): wireless
Level/Severity: notice
Log field Meaning
type event
subtype wireless
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action The action that was taken by the system.
threattype WIDS threat type.
live Live.
age Age.
channel The channel number.
rssi RSSI.
frametype Frame type.
ds Distribution system directory.
bssid The basic service set identifier.
seq Sequence number.
encrypt Encryption status of the packet.
tamac Transmitter MAC address. Shows "Receiver" if none.
manuf Manufacturer.
sndetected Serial number of physical AP which detected the rogue AP.
radioiddetected ID of the radio on physical AP which detected the rogue AP.
msg Message.

43532
Message ID: 043532
Message Description: null-pbresp-detect
Type (type): event
Subtype (subtype): wireless
Level/Severity: notice
Log field Meaning
type event
subtype wireless
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action The action that was taken by the system.
threattype WIDS threat type.
live Live.
age Age.
channel The channel number.
rssi RSSI.
frametype Frame type.
ds Distribution system directory.
bssid The basic service set identifier.
seq Sequence number.
encrypt Encryption status of the packet.
tamac Transmitter MAC address. Shows "Receiver" if none.
manuf Manufacturer.
sndetected Serial number of physical AP which detected the rogue AP.
radioiddetected ID of the radio on physical AP which detected the rogue AP.
msg Message.

43533
Message ID: 043533
Message Description: invalid-OUI-detect
Type (type): event
Subtype (subtype): wireless
Level/Severity: notice
Log field Meaning
type event
subtype wireless
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action The action that was taken by the system.
threattype WIDS threat type.
live Live.
age Age.
channel The channel number.
rssi RSSI.
frametype Frame type.
ds Distribution system directory.
bssid The basic service set identifier.
seq Sequence number.
encrypt Encryption status of the packet.
tamac Transmitter MAC address. Shows "Receiver" if none.
manuf Manufacturer.
sndetected Serial number of physical AP which detected the rogue AP.
radioiddetected ID of the radio on physical AP which detected the rogue AP.
invalidmac The MAC address with invalid OUI.
msg Message.

43534
Message ID: 043534
Message Description: long-dur-detect
Type (type): event
Subtype (subtype): wireless
Level/Severity: notice
Log field Meaning
type event
subtype wireless
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action The action that was taken by the system.
threattype WIDS threat type.
live Live.
age Age.
channel The channel number.
rssi RSSI.
frametype Frame type.
ds Distribution system directory.
bssid The basic service set identifier.
seq Sequence number.
encrypt Encryption status of the packet.
tamac Transmitter MAC address. Shows "Receiver" if none.
manuf Manufacturer.
sndetected Serial number of physical AP which detected the rogue AP.
radioiddetected ID of the radio on physical AP which detected the rogue AP.
dur Duration of the last threatening packet captured from TA.
msg Message.

43535
Message ID: 043535
Message Description: weak-wepiv-detect
Type (type): event
Subtype (subtype): wireless
Level/Severity: notice
Log field Meaning
type event
subtype wireless
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action The action that was taken by the system.
threattype WIDS threat type.
live Live.
age Age.
channel The channel number.
rssi RSSI.
frametype Frame type.
ds Distribution system directory.
bssid The basic service set identifier.
seq Sequence number.
encrypt Encryption status of the packet.
tamac Transmitter MAC address. Shows "Receiver" if none.
manuf Manufacturer.
sndetected Serial number of physical AP which detected the rogue AP.
radioiddetected ID of the radio on physical AP which detected the rogue AP.
weakwepiv Weak WEP IV.
msg Message.

43536
Message ID: 043536
Message Description: wl-bridge-detect
Type (type): event
Subtype (subtype): wireless
Level/Severity: error
Log field Meaning
type event
subtype wireless
level error
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action The action that was taken by the system.
threattype WIDS threat type.
live Live.
age Age.
channel The channel number.
rssi RSSI.
frametype Frame type.
ds Distribution system directory.
bssid The basic service set identifier.
seq Sequence number.
encrypt Encryption status of the packet.
tamac Transmitter MAC address. Shows "Receiver" if none.
manuf Manufacturer.
sndetected Serial number of physical AP which detected the rogue AP.
radioiddetected ID of the radio on physical AP which detected the rogue AP.
msg Message.

43537
Message ID: 043537
Message Description: bc-deauth-detect
Type (type): event
Subtype (subtype): wireless
Level/Severity: error
Log field Meaning
type event
subtype wireless
level error
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action The action that was taken by the system.
threattype WIDS threat type.
live Live.
age Age.
channel The channel number.
rssi RSSI.
frametype Frame type.
ds Distribution system directory.
bssid The basic service set identifier.
seq Sequence number.
encrypt Encryption status of the packet.
tamac Transmitter MAC address. Shows "Receiver" if none.
manuf Manufacturer.
sndetected Serial number of physical AP which detected the rogue AP.
radioiddetected ID of the radio on physical AP which detected the rogue AP.
msg Message.

43538
Message ID: 043538
Message Description: null-pbresp-detect
Type (type): event
Subtype (subtype): wireless
Level/Severity: error
Log field Meaning
type event
subtype wireless
level error
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action The action that was taken by the system.
threattype WIDS threat type.
live Live.
age Age.
channel The channel number.
rssi RSSI.
frametype Frame type.
ds Distribution system directory.
bssid The basic service set identifier.
seq Sequence number.
encrypt Encryption status of the packet.
tamac Transmitter MAC address. Shows "Receiver" if none.
manuf Manufacturer.
sndetected Serial number of physical AP which detected the rogue AP.
radioiddetected ID of the radio on physical AP which detected the rogue AP.
msg Message.

43539
Message ID: 043539
Message Description: invalid-OUI-detect
Type (type): event
Subtype (subtype): wireless
Level/Severity: error
Log field Meaning
type event
subtype wireless
level error
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action The action that was taken by the system.
threattype WIDS threat type.
live Live.
age Age.
channel The channel number.
rssi RSSI.
frametype Frame type.
ds Distribution system directory.
bssid The basic service set identifier.
seq Sequence number.
encrypt Encryption status of the packet.
tamac Transmitter MAC address. Shows "Receiver" if none.
manuf Manufacturer.
sndetected Serial number of physical AP which detected the rogue AP.
radioiddetected ID of the radio on physical AP which detected the rogue AP.
invalidmac The MAC address with invalid OUI.
msg Message.

43540
Message ID: 043540
Message Description: long-dur-detect
Type (type): event
Subtype (subtype): wireless
Level/Severity: error
Log field Meaning
type event
subtype wireless
level error
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action The action that was taken by the system.
threattype WIDS threat type.
live Live.
age Age.
channel The channel number.
rssi RSSI.
frametype Frame type.
ds Distribution system directory.
bssid The basic service set identifier.
seq Sequence number.
encrypt Encryption status of the packet.
tamac Transmitter MAC address. Shows "Receiver" if none.
manuf Manufacturer.
sndetected Serial number of physical AP which detected the rogue AP.
radioiddetected ID of the radio on physical AP which detected the rogue AP.
dur Duration of the last threatening packet captured from TA.
msg Message.

43541
Message ID: 043541
Message Description: weak-wepiv-detect
Type (type): event
Subtype (subtype): wireless
Level/Severity: error
Log field Meaning
type event
subtype wireless
level error
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action The action that was taken by the system.
threattype WIDS threat type.
live Live.
age Age.
channel The channel number.
rssi RSSI.
frametype Frame type.
ds Distribution system directory.
bssid The basic service set identifier.
seq Sequence number.
encrypt Encryption status of the packet.
tamac Transmitter MAC address. Shows "Receiver" if none.
manuf Manufacturer.
sndetected Serial number of physical AP which detected the rogue AP.
radioiddetected ID of the radio on physical AP which detected the rogue AP.
weakwepiv Weak WEP IV.
msg Message.

43542
Message ID: 043542
Message Description: eapol-packet-flood
Type (type): event
Subtype (subtype): wireless
Level/Severity: notice
Log field Meaning
type event
subtype wireless
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action The action that was taken by the system.
threattype WIDS threat type.
live Live.
tamac Transmitter MAC address. Shows "Receiver" if none.
manuf Manufacturer.
sndetected Serial number of physical AP which detected the rogue AP.
radioiddetected ID of the radio on physical AP which detected the rogue AP.
eapoltype EAPOL packet type: eapol-start, eapol-logoff, eapol-succ, eapol-fail, eapol-pre-succ, eapol-pre-fail.
eapolcnt EAPOL packet count.
msg Message.

43543
Message ID: 043543
Message Description: eapol-packet-flood
Type (type): event
Subtype (subtype): wireless
Level/Severity: notice
Log field Meaning
type event
subtype wireless
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action The action that was taken by the system.
threattype WIDS threat type.
live Live.
tamac Transmitter MAC address. Shows "Receiver" if none.
manuf Manufacturer.
sndetected Serial number of physical AP which detected the rogue AP.
radioiddetected ID of the radio on physical AP which detected the rogue AP.
eapoltype EAPOL packet type: eapol-start, eapol-logoff, eapol-succ, eapol-fail, eapol-pre-succ, eapol-pre-fail.
eapolcnt EAPOL packet count.
msg Message.

43544
Message ID: 043544
Message Description: mgmt-flood-detect
Type (type): event
Subtype (subtype): wireless
Level/Severity: notice
Log field Meaning
type event
subtype wireless
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action The action that was taken by the system.
threattype WIDS threat type.
live Live.
age Age.
channel The channel number.
rssi RSSI.
frametype Frame type.
ds Distribution system directory.
bssid The basic service set identifier.
tamac Transmitter MAC address. Shows "Receiver" if none.
manuf Manufacturer.
sndetected Serial number of physical AP which detected the rogue AP.
radioiddetected ID of the radio on physical AP which detected the rogue AP.
mgmtcnt The count of unauthorized client flooding mgmt frames.
msg Message.

43545
Message ID: 043545
Message Description: mgmt-flood-detect
Type (type): event
Subtype (subtype): wireless
Level/Severity: error
Log field Meaning
type event
subtype wireless
level error
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action The action that was taken by the system.
threattype WIDS threat type.
live Live.
age Age.
channel The channel number.
rssi RSSI.
frametype Frame type.
ds Distribution system directory.
bssid The basic service set identifier.
tamac Transmitter MAC address. Shows "Receiver" if none.
manuf Manufacturer.
sndetected Serial number of physical AP which detected the rogue AP.
radioiddetected ID of the radio on physical AP which detected the rogue AP.
mgmtcnt The count of unauthorized client flooding mgmt frames.
msg Message.

43546
Message ID: 043546
Message Description: spoofed-deauth-detect
Type (type): event
Subtype (subtype): wireless
Level/Severity: notice
Log field Meaning
type event
subtype wireless
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action The action that was taken by the system.
threattype WIDS threat type.
live Live.
age Age.
channel The channel number.
rssi RSSI.
frametype Frame type.
ds Distribution system directory.
bssid The basic service set identifier.
seq Sequence number.
encrypt Encryption status of the packet.
tamac Transmitter MAC address. Shows "Receiver" if none.
manuf Manufacturer.
sndetected Serial number of physical AP which detected the rogue AP.
radioiddetected ID of the radio on physical AP which detected the rogue AP.
msg Message.

43548
Message ID: 043548
Message Description: asleep-attack-detect
Type (type): event
Subtype (subtype): wireless
Level/Severity: notice
Log field Meaning
type event
subtype wireless
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action The action that was taken by the system.
threattype WIDS threat type.
live Live.
age Age.
channel The channel number.
rssi RSSI.
frametype Frame type.
ds Distribution system directory.
bssid The basic service set identifier.
seq Sequence number.
encrypt Encryption status of the packet.
tamac Transmitter MAC address. Shows "Receiver" if none.
manuf Manufacturer.
sndetected Serial number of physical AP which detected the rogue AP.
radioiddetected ID of the radio on physical AP which detected the rogue AP.
msg Message.

43549
Message ID: 043549
Message Description: asleep-attack-detect
Type (type): event
Subtype (subtype): wireless
Level/Severity: error
Log field Meaning
type event
subtype wireless
level error
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action The action that was taken by the system.
threattype WIDS threat type.
live Live.
age Age.
channel The channel number.
rssi RSSI.
frametype Frame type.
ds Distribution system directory.
bssid The basic service set identifier.
seq Sequence number.
encrypt Encryption status of the packet.
tamac Transmitter MAC address. Shows "Receiver" if none.
manuf Manufacturer.
sndetected Serial number of physical AP which detected the rogue AP.
radioiddetected ID of the radio on physical AP which detected the rogue AP.
msg Message.

43776
Message ID: 043776
Message Description: NAC quarantine event log
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field Meaning
type event
subtype system
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
srcip The source IP.
dstip The destination IP.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstintf The destination interface.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
service The service where the event or activity occurred.
action Action. One of: ban-ip, ban-interface, ban-src-dst-ip.
user User name.
group The group name.
policyid The ID number of the firewall policy that applies to the session or packet.
bannedsrc Banned source: IPS, DOS, SLP, or AV.
bannedrule Banned rule/reason.
sensor Sensor.

44288
Message ID: 044288
Message Description: dns response
Type (type): event
Subtype (subtype): router
Level/Severity: information
Log field Meaning
type event
subtype router
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
policyid The ID number of the firewall policy that applies to the session or packet.
srcip The source IP.
dstip The destination IP.
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstintf The destination interface.
user User name.
group The group name.
dnsname DNS name.
dnsip DNS IP address(es).

44544
Message ID: 044544
Message Description: config path msg
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field Meaning
type event
subtype system
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
user User name.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
action Action. One of: add, edit, delete, clear, move, rename, clone, abort.
cfgtid Config transaction ID.
cfgpath Config path.
msg Config message.

44545
Message ID: 044545
Message Description: config obj msg
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field Meaning
type event
subtype system
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
user User name.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
action Action. One of: add, edit, delete, clear, move, rename, clone, abort.
cfgtid Config transaction ID.
cfgpath Config path.
cfgobj Config object.
msg Config message.

44546
Message ID: 044546
Message Description: config attr msg
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field Meaning
type event
subtype system
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
user User name.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
action Action. One of: add, edit, delete, clear, move, rename, clone, abort.
cfgtid Config transaction ID.
cfgpath Config path.
cfgattr Config attributes.
msg Config message.

44547
Message ID: 044547
Message Description: config obj attr msg
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field Meaning
type event
subtype system
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
user User name.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
action Action. One of: add, edit, delete, clear, move, rename, clone, abort.
cfgtid Config transaction ID.
cfgpath Config path.
cfgobj Config object.
cfgattr Config attributes.
msg Config message.
45056
Message ID: 045056
Message Description: forticlient license exceed msg
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field Meaning
type event
subtype system
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action Action. One of: add, close, upgrade.
status Status. Either success or error.
licenselimit Maximum FortiClient license number.
reason Reason.
repeat Repeat times of the action.
msg "FortiClient license maximum has been reached."
45057
Message ID: 045057
Message Description: add forticlient connection msg
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field Meaning
type event
subtype system
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action Action. One of: add, close, upgrade.
status Status. Either success or error.
licenselimit Maximum FortiClient license number.
licenseused Current FortiClient connection number.
usedfortype Connection for the type.
connectiontype Type of connection. One of: ipsec, sslvpn, nac, wanopt, test.
count Number of connections affected by the action.
user User name.
ip Source IP address.
name Name of connection.
forticlientid Unique FortiClient ID.
msg "Add a FortiClient connection."
45058
Message ID: 045058
Message Description: close forticlient connection msg
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field Meaning
type event
subtype system
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action Action. One of: add, close, upgrade.
status Status. Either success or error.
licenselimit Maximum FortiClient license number.
licenseused Current FortiClient connection number.
usedfortype Connection for the type.
connectiontype Type of connection. One of: ipsec, sslvpn, nac, wanopt, test.
count Number of connections affected by the action.
user User name.
ip Source IP address.
name Name of connection.
forticlientid Unique FortiClient ID.
msg "Close a FortiClient connection."
45059
Message ID: 045059
Message Description: upgrade forticlient license msg
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field Meaning
type event
subtype system
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action Action. One of: add, close, upgrade.
status Status. Either success or error.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
user User name.
licenselimit Maximum FortiClient license number.
msg "FortiClient license has been upgraded."
45060
Message ID: 045060
Message Description: upgrade forticlient license failed msg
Type (type): event
Subtype (subtype): system
Level/Severity: error
Log field Meaning
type event
subtype system
level error
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action Action. One of: add, close, upgrade.
status Status. Either success or error.
ui The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting. For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
user User name.
reason Reason.
msg "Failed to upgrade FortiClient license."
45100
Message ID: 045100
Message Description: FortiClient registration fail msg
Type (type): event
Subtype (subtype): system
Level/Severity: warning
Log field Meaning
type event
subtype system
level warning
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
user User name.
hostname The hostname information.
ip HA IP.
forticlientid Unique FortiClient ID.
interface Interface information.
msg "FortiClient registration failed."
45101
Message ID: 045101
Message Description: FortiClient registration succeed msg
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field Meaning
type event
subtype system
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
user User name.
hostname The hostname information.
ip HA IP.
forticlientid Unique FortiClient ID.
interface Interface information.
msg "FortiClient registration succeeded."
45102
Message ID: 045102
Message Description: FortiClient registration renew msg
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field Meaning
type event
subtype system
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
user User name.
hostname The hostname information.
ip HA IP.
forticlientid Unique FortiClient ID.
interface Interface information.
msg "FortiClient registration renewed."
45103
Message ID: 045103
Message Description: FortiClient registration block msg
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field Meaning
type event
subtype system
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
forticlientid Unique FortiClient ID.
msg "FortiClient registration blocked."
45104
Message ID: 045104
Message Description: FortiClient registration unblock msg
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field Meaning
type event
subtype system
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
forticlientid Unique FortiClient ID.
msg "FortiClient registration unblocked."
45105
Message ID: 045105
Message Description: FortiClient registration de-register msg
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field Meaning
type event
subtype system
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
forticlientid Unique FortiClient ID.
msg "FortiClient registration de-registered."
45106
Message ID: 045106
Message Description: FortiClient registration license upgrade msg
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field Meaning
type event
subtype system
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
msg "FortiClient registration license upgraded."
45107
Message ID: 045107
Message Description: FortiClient configuration distribute msg
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field Meaning
type event
subtype system
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
user User name.
hostname The hostname information.
ip HA IP.
forticlientid Unique FortiClient ID.
interface Interface information.
msg "FortiClient configuration distributed."
45108
Message ID: 045108
Message Description: FortiClient unregister msg
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field Meaning
type event
subtype system
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
user User name.
hostname The hostname information.
ip HA IP.
forticlientid Unique FortiClient ID.
interface Interface information.
msg "FortiClient unregistered."
45109
Message ID: 045109
Message Description: FortiClient logoff msg
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field Meaning
type event
subtype system
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
user User name.
hostname The hostname information.
ip HA IP.
forticlientid Unique FortiClient ID.
interface Interface information.
msg "FortiClient logged off."
45110
Message ID: 045110
Message Description: FortiClient disable SYNC_WITH_FGT msg
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field Meaning
type event
subtype system
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
user User name.
hostname The hostname information.
ip HA IP.
forticlientid Unique FortiClient ID.
interface Interface information.
msg "FortiClient SYNC_WITH_FGT disabled."
48009
Message ID: 048009
Message Description: SSL decryption failure
Type (type): event
Subtype (subtype): wad
Level/Severity: error
Log field Meaning
type event
subtype wad
level error
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action 'close'.
sessionid Session ID.
policyid The ID number of the firewall policy that applies to the session or packet.
src The source IP of the traffic.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dst The destination IP of the traffic.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
reason Reason.
msg 'SSL decryption failure'.
48023
Message ID: 048023
Message Description: SSL Alert received
Type (type): event
Subtype (subtype): wad
Level/Severity: error
Log field Meaning
type event
subtype wad
level error
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
action 'receive'
sessionid Session ID.
policyid The ID number of the firewall policy that applies to the session or packet.
src The source IP of the traffic.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dst The destination IP of the traffic.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
alert Alert information.
desc Description.
msg 'SSL Alert received'.
Content
32768
Message ID: 032768
Message Description: content http log
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): HTTP
Level/Severity: information
Log field Meaning
type utm
subtype contentlog
eventtype HTTP
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
clogver Content log version.
epoch Epoch.
eventid Serial number.
cstatus The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize, carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept, im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel, im_photo_share_stop, im_photo_xfer, voip, error.
infection Infection type. One of the following: Carrier end point filter, mms flood, mms duplicate, virus, virusrm (virus removed), heuristic, html script, script filter, banned word, exempt word, oversize, worm, fragmented, ip blacklist, dnsbl, FortiGuard AntiSpam IP blacklist, helo, emailblacklist, mimeheader, dns, FortiGuard AntiSpam ase block, ipwhitelist, emailwhitelist, fewhitelist, headerwhitelist, wordwhitelist, dlp, pass, mms content checksum.
virus The name of the virus detected.
sessionid Session ID.
user User name.
group The group name.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
client The internal IP address of the FortiGate unit.
server The name or IP address of the server.
rcvdbyte The number of received bytes related to the log message.
sentbyte The number of sent bytes related to the log message.
dlpsensor DLP sensor name.
method The method information.
hostname The hostname information.
url The URL address.
cat The category.
catdesc The category description.
32769
Message ID: 032769
Message Description: content https log
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): HTTPS
Level/Severity: information
Log field Meaning
type utm
subtype contentlog
eventtype HTTPS
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
clogver Content log version.
epoch Epoch.
eventid Serial number.
cstatus The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize, carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept, im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel, im_photo_share_stop, im_photo_xfer, voip, error.
infection Infection type. One of the following: Carrier end point filter, mms flood, mms duplicate, virus, virusrm (virus removed), heuristic, html script, script filter, banned word, exempt word, oversize, worm, fragmented, ip blacklist, dnsbl, FortiGuard AntiSpam IP blacklist, helo, emailblacklist, mimeheader, dns, FortiGuard AntiSpam ase block, ipwhitelist, emailwhitelist, fewhitelist, headerwhitelist, wordwhitelist, dlp, pass, mms content checksum.
virus The name of the virus detected.
sessionid Session ID.
user User name.
group The group name.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
client The internal IP address of the FortiGate unit.
server The name or IP address of the server.
rcvdbyte The number of received bytes related to the log message.
sentbyte The number of sent bytes related to the log message.
dlpsensor DLP sensor name.
method The method information.
hostname The hostname information.
url The URL address.
cat The category.
catdesc The category description.
32770
Message ID: 032770
Message Description: content smtp log
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): SMTP
Level/Severity: information
Log field Meaning
type utm
subtype contentlog
eventtype SMTP
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
clogver Content log version.
epoch Epoch.
eventid Serial number.
cstatus The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize, carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept, im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel, im_photo_share_stop, im_photo_xfer, voip, error.
infection Infection type. One of the following: Carrier end point filter, mms flood, mms duplicate, virus, virusrm (virus removed), heuristic, html script, script filter, banned word, exempt word, oversize, worm, fragmented, ip blacklist, dnsbl, FortiGuard AntiSpam IP blacklist, helo, emailblacklist, mimeheader, dns, FortiGuard AntiSpam ase block, ipwhitelist, emailwhitelist, fewhitelist, headerwhitelist, wordwhitelist, dlp, pass, mms content checksum.
virus The name of the virus detected.
sessionid Session ID.
user User name.
group The group name.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
client The internal IP address of the FortiGate unit.
server The name or IP address of the server.
rcvdbyte The number of received bytes related to the log message.
sentbyte The number of sent bytes related to the log message.
dlpsensor DLP sensor name.
to Destination identifier.
from Source identifier.
subject Subject.
attachment Email attachment.
32771
Message ID: 032771
Message Description: content smtps log
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): SMTPS
Level/Severity: information
Log field Meaning
type utm
subtype contentlog
eventtype SMTPS
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
clogver Content log version.
epoch Epoch.
eventid Serial number.
cstatus The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize, carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept, im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel, im_photo_share_stop, im_photo_xfer, voip, error.
infection Infection type. One of the following: Carrier end point filter, mms flood, mms duplicate, virus, virusrm (virus removed), heuristic, html script, script filter, banned word, exempt word, oversize, worm, fragmented, ip blacklist, dnsbl, FortiGuard AntiSpam IP blacklist, helo, emailblacklist, mimeheader, dns, FortiGuard AntiSpam ase block, ipwhitelist, emailwhitelist, fewhitelist, headerwhitelist, wordwhitelist, dlp, pass, mms content checksum.
virus The name of the virus detected.
sessionid Session ID.
user User name.
group The group name.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
client The internal IP address of the FortiGate unit.
server The name or IP address of the server.
rcvdbyte The number of received bytes related to the log message.
sentbyte The number of sent bytes related to the log message.
dlpsensor DLP sensor name.
to Destination identifier.
from Source identifier.
subject Subject.
attachment Email attachment.
32772
Message ID: 032772
Message Description: content pop3 log
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): POP3
Level/Severity: information
Log field Meaning
type utm
subtype contentlog
eventtype POP3
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
clogver Content log version.
epoch Epoch.
eventid Serial number.
cstatus The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize, carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept, im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel, im_photo_share_stop, im_photo_xfer, voip, error.
infection Infection type. One of the following: Carrier end point filter, mms flood, mms duplicate, virus, virusrm (virus removed), heuristic, html script, script filter, banned word, exempt word, oversize, worm, fragmented, ip blacklist, dnsbl, FortiGuard AntiSpam IP blacklist, helo, emailblacklist, mimeheader, dns, FortiGuard AntiSpam ase block, ipwhitelist, emailwhitelist, fewhitelist, headerwhitelist, wordwhitelist, dlp, pass, mms content checksum.
virus The name of the virus detected.
sessionid Session ID.
user User name.
group The group name.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
client The internal IP address of the FortiGate unit.
server The name or IP address of the server.
rcvdbyte The number of received bytes related to the log message.
sentbyte The number of sent bytes related to the log message.
dlpsensor DLP sensor name.
to Destination identifier.
from Source identifier.
subject Subject.
attachment Email attachment.
32773
Message ID: 032773
Message Description: content pop3s log
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): POP3S
Level/Severity: information
Log field Meaning
type utm
subtype contentlog
eventtype POP3S
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
clogver Content log version.
epoch Epoch.
eventid Serial number.
cstatus The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize, carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept, im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel, im_photo_share_stop, im_photo_xfer, voip, error.
infection Infection type. One of the following: Carrier end point filter, mms flood, mms duplicate, virus, virusrm (virus removed), heuristic, html script, script filter, banned word, exempt word, oversize, worm, fragmented, ip blacklist, dnsbl, FortiGuard AntiSpam IP blacklist, helo, emailblacklist, mimeheader, dns, FortiGuard AntiSpam ase block, ipwhitelist, emailwhitelist, fewhitelist, headerwhitelist, wordwhitelist, dlp, pass, mms content checksum.
virus The name of the virus detected.
sessionid Session ID.
user User name.
group The group name.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
client The internal IP address of the FortiGate unit.
server The name or IP address of the server.
rcvdbyte The number of received bytes related to the log message.
sentbyte The number of sent bytes related to the log message.
dlpsensor DLP sensor name.
to Destination identifier.
from Source identifier.
subject Subject.
attachment Email attachment.
32774
Message ID: 032774
Message Description: content imap log
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): IMAP
Level/Severity: information
Log field Meaning
type utm
subtype contentlog
eventtype IMAP
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
clogver Content log version.
epoch Epoch.
eventid Serial number.
cstatus The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize, carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept, im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel, im_photo_share_stop, im_photo_xfer, voip, error.
infection Infection type. One of the following: Carrier end point filter, mms flood, mms duplicate, virus, virusrm (virus removed), heuristic, html script, script filter, banned word, exempt word, oversize, worm, fragmented, ip blacklist, dnsbl, FortiGuard AntiSpam IP blacklist, helo, emailblacklist, mimeheader, dns, FortiGuard AntiSpam ase block, ipwhitelist, emailwhitelist, fewhitelist, headerwhitelist, wordwhitelist, dlp, pass, mms content checksum.
virus The name of the virus detected.
sessionid Session ID.
user User name.
group The group name.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
client The internal IP address of the FortiGate unit.
server The name or IP address of the server.
rcvdbyte The number of received bytes related to the log message.
sentbyte The number of sent bytes related to the log message.
dlpsensor DLP sensor name.
to Destination identifier.
from Source identifier.
subject Subject.
attachment Email attachment.
32775
Message ID: 032775
Message Description: content imaps log
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): IMAPS
Level/Severity: information
Log field Meaning
type utm
subtype contentlog
eventtype IMAPS
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
clogver Content log version.
epoch Epoch.
eventid Serial number.
cstatus The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize, carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept, im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel, im_photo_share_stop, im_photo_xfer, voip, error.
infection Infection type. One of the following: Carrier end point filter, mms flood, mms duplicate, virus, virusrm (virus removed), heuristic, html script, script filter, banned word, exempt word, oversize, worm, fragmented, ip blacklist, dnsbl, FortiGuard AntiSpam IP blacklist, helo, emailblacklist, mimeheader, dns, FortiGuard AntiSpam ase block, ipwhitelist, emailwhitelist, fewhitelist, headerwhitelist, wordwhitelist, dlp, pass, mms content checksum.
virus The name of the virus detected.
sessionid Session ID.
user User name.
group The group name.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
client The internal IP address of the FortiGate unit.
server The name or IP address of the server.
rcvdbyte The number of received bytes related to the log message.
sentbyte The number of sent bytes related to the log message.
dlpsensor DLP sensor name.
to Destination identifier.
from Source identifier.
subject Subject.
attachment Email attachment.
32776
Message ID: 032776
Message Description: content ftp log
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): FTP
Level/Severity: information
Log field Meaning
type utm
subtype contentlog
eventtype FTP
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
clogver Content log version.
epoch Epoch.
eventid Serial number.
cstatus The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize, carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept, im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel, im_photo_share_stop, im_photo_xfer, voip, error.
infection Infection type. One of the following: Carrier end point filter, mms flood, mms duplicate, virus, virusrm (virus removed), heuristic, html script, script filter, banned word, exempt word, oversize, worm, fragmented, ip blacklist, dnsbl, FortiGuard AntiSpam IP blacklist, helo, emailblacklist, mimeheader, dns, FortiGuard AntiSpam ase block, ipwhitelist, emailwhitelist, fewhitelist, headerwhitelist, wordwhitelist, dlp, pass, mms content checksum.
virus The name of the virus detected.
sessionid Session ID.
user User name.
group The group name.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
client The internal IP address of the FortiGate unit.
server The name or IP address of the server.
rcvdbyte The number of received bytes related to the log message.
sentbyte The number of sent bytes related to the log message.
dlpsensor DLP sensor name.
ftpcmd The related FTP command: NONE, USER, PASS, ACCT, STOR, RETR, QUIT.
file The name of the file.
32777
Message ID: 032777
Message Description: content nntp log
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): NNTP
Level/Severity: information
Log field Meaning
type utm
subtype contentlog
eventtype NNTP
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
dlpsensor DLP sensor name.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
clogver Content log version.
epoch Epoch.
eventid Serial number.
cstatus The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize, carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept, im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel, im_photo_share_stop, im_photo_xfer, voip, error.
infection Infection type. One of the following: Carrier end point filter, mms flood, mms duplicate, virus, virusrm (virus removed), heuristic, html script, script filter, banned word, exempt word, oversize, worm, fragmented, ip blacklist, dnsbl, FortiGuard AntiSpam IP blacklist, helo, emailblacklist, mimeheader, dns, FortiGuard AntiSpam ase block, ipwhitelist, emailwhitelist, fewhitelist, headerwhitelist, wordwhitelist, dlp, pass, mms content checksum.
virus The name of the virus detected.
sessionid Session ID.
user User name.
group The group name.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
client The internal IP address of the FortiGate unit.
server The name or IP address of the server.
rcvdbyte The number of received bytes related to the log message.
sentbyte The number of sent bytes related to the log message.
32778
Message ID: 032778
Message Description: content mm1 log
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): MM1
Level/Severity: information
Log field Meaning
type utm
subtype contentlog
eventtype MM1
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
clogver Content log version.
epoch Epoch.
eventid Serial number.
cstatus The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize, carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept, im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel, im_photo_share_stop, im_photo_xfer, voip, error.
infection Infection type. One of the following: Carrier end point filter, mms flood, mms duplicate, virus, virusrm (virus removed), heuristic, html script, script filter, banned word, exempt word, oversize, worm, fragmented, ip blacklist, dnsbl, FortiGuard AntiSpam IP blacklist, helo, emailblacklist, mimeheader, dns, FortiGuard AntiSpam ase block, ipwhitelist, emailwhitelist, fewhitelist, headerwhitelist, wordwhitelist, dlp, pass, mms content checksum.
virus The name of the virus detected.
sessionid Session ID.
user User name.
group The group name.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
client The internal IP address of the FortiGate unit.
server The name or IP address of the server.
rcvdbyte The number of received bytes related to the log message.
sentbyte The number of sent bytes related to the log message.
to Destination identifier.
from Source identifier.
subject Subject.
direction Message direction. One of: N/A, TX, or RX.
32779
Message ID: 032779
Message Description: content mm3 log
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): MM3
Level/Severity: information
Log field Meaning
type utm
subtype contentlog
eventtype MM3
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
clogver Content log version.
epoch Epoch.
eventid Serial number.
cstatus The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize, carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept, im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel, im_photo_share_stop, im_photo_xfer, voip, error.
infection Infection type. One of the following: Carrier end point filter, mms flood, mms duplicate, virus, virusrm (virus removed), heuristic, html script, script filter, banned word, exempt word, oversize, worm, fragmented, ip blacklist, dnsbl, FortiGuard AntiSpam IP blacklist, helo, emailblacklist, mimeheader, dns, FortiGuard AntiSpam ase block, ipwhitelist, emailwhitelist, fewhitelist, headerwhitelist, wordwhitelist, dlp, pass, mms content checksum.
virus The name of the virus detected.
sessionid Session ID.
user User name.
group The group name.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
client The internal IP address of the FortiGate unit.
server The name or IP address of the server.
rcvdbyte The number of received bytes related to the log message.
sentbyte The number of sent bytes related to the log message.
dlpsensor DLP sensor name.
to Destination identifier.
from Source identifier.
subject Subject.
32780
Message ID: 032780
Message Description: content mm4 log
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): MM4
Level/Severity: information
Log field Meaning
type utm
subtype contentlog
eventtype MM4
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
clogver Content log version.
epoch Epoch.
eventid Serial number.
cstatus The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize, carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept, im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel, im_photo_share_stop, im_photo_xfer, voip, error.
infection Infection type. One of the following: Carrier end point filter, mms flood, mms duplicate, virus, virusrm (virus removed), heuristic, html script, script filter, banned word, exempt word, oversize, worm, fragmented, ip blacklist, dnsbl, FortiGuard AntiSpam IP blacklist, helo, emailblacklist, mimeheader, dns, FortiGuard AntiSpam ase block, ipwhitelist, emailwhitelist, fewhitelist, headerwhitelist, wordwhitelist, dlp, pass, mms content checksum.
virus The name of the virus detected.
sessionid Session ID.
user User name.
group The group name.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
client The internal IP address of the FortiGate unit.
server The name or IP address of the server.
rcvdbyte The number of received bytes related to the log message.
sentbyte The number of sent bytes related to the log message.
dlpsensor DLP sensor name.
to Destination identifier.
from Source identifier.
subject Subject.
32781
Message ID: 032781
Message Description: content mm7 log
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): MM7
Level/Severity: information
Log field Meaning
type utm
subtype contentlog
eventtype MM7
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
clogver Content log version.
epoch Epoch.
eventid Serial number.
cstatus The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize, carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept, im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel, im_photo_share_stop, im_photo_xfer, voip, error.
infection Infection type. One of the following: Carrier end point filter, mms flood, mms duplicate, virus, virusrm (virus removed), heuristic, html script, script filter, banned word, exempt word, oversize, worm, fragmented, ip blacklist, dnsbl, FortiGuard AntiSpam IP blacklist, helo, emailblacklist, mimeheader, dns, FortiGuard AntiSpam ase block, ipwhitelist, emailwhitelist, fewhitelist, headerwhitelist, wordwhitelist, dlp, pass, mms content checksum.
virus The name of the virus detected.
sessionid Session ID.
user User name.
group The group name.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
client The internal IP address of the FortiGate unit.
server The name or IP address of the server.
rcvdbyte The number of received bytes related to the log message.
sentbyte The number of sent bytes related to the log message.
to Destination identifier.
from Source identifier.
subject Subject.
32782
Message ID: 032782
Message Description: IM chat summary
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): im-all
Level/Severity: information
Log field Meaning
type utm
subtype contentlog
eventtype im-all
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
clogver Content log version.
epoch Epoch.
eventid Serial number.
cstatus The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize, carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept, im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel, im_photo_share_stop, im_photo_xfer, voip, error.
sessionid Session ID.
user User name.
group The group name.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
policyid The ID number of the firewall policy that applies to the session or packet.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
kind The kind of content traffic. One of the following: Summary, chat, file, photo, photo-xfer, audio, video, oversize, fileblock, fileexempt, virus, dlp, call-block, call-info, call, register, unregister.
laddr The local IP address.
raddr The remote IP address.
local The local user.
remote The remote user.
messages Message number.
startdate Local start date.
enddate Local end date.
32783
Message ID: 032783
Message Description: IM chat message
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): im-all
Level/Severity: information
Log field Meaning
type utm
subtype contentlog
eventtype im-all
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
clogver Content log version.
epoch Epoch.
eventid Serial number.
cstatus The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize, carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept, im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel, im_photo_share_stop, im_photo_xfer, voip, error.
sessionid Session ID.
user User name.
group The group name.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
policyid The ID number of the firewall policy that applies to the session or packet.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
kind The kind of content traffic. One of the following: Summary, chat, file, photo, photo-xfer, audio, video, oversize, fileblock, fileexempt, virus, dlp, call-block, call-info, call, register, unregister.
laddr The local IP address.
raddr The remote IP address.
local The local user.
remote The remote user.
action Action taken by the system: permit, block, monitor, kickout, encrypt-kickout, cm-reject, ban, ban-user, log-only.
direction Direction, either outbound or inbound.
messages Message number.
content Traffic content.
32784
Message ID: 032784
Message Description: IM file transfer
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): im-all
Level/Severity: information
Log field Meaning
type utm
subtype contentlog
eventtype im-all
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
clogver Content log version.
epoch Epoch.
eventid Serial number.
cstatus The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize, carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept, im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel, im_photo_share_stop, im_photo_xfer, voip, error.
sessionid Session ID.
user User name.
group The group name.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
policyid The ID number of the firewall policy that applies to the session or packet.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
kind The kind of content traffic. One of the following: Summary, chat, file, photo, photo-xfer, audio, video, oversize, fileblock, fileexempt, virus, dlp, call-block, call-info, call, register, unregister.
laddr The local IP address.
raddr The remote IP address.
local The local user.
remote The remote user.
action Action taken by the system: permit, block, monitor, kickout, encrypt-kickout, cm-reject, ban, ban-user, log-only.
direction Direction, either outbound or inbound.
status The status of the traffic.
filename The name of the file that was transferred.
filesize File size.
msg Message.
32785
Message ID: 032785
Message Description: IM photo sharing
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): im-all
Level/Severity: information
Log field Meaning
type utm
subtype contentlog
eventtype im-all
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
clogver Content log version.
epoch Epoch.
eventid Serial number.
cstatus The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize, carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept, im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel, im_photo_share_stop, im_photo_xfer, voip, error.
sessionid Session ID.
user User name.
group The group name.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
policyid The ID number of the firewall policy that applies to the session or packet.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
kind The kind of content traffic. One of the following: Summary, chat, file, photo, photo-xfer, audio, video, oversize, fileblock, fileexempt, virus, dlp, call-block, call-info, call, register, unregister.
laddr The local IP address.
raddr The remote IP address.
local The local user.
remote The remote user.
action Action taken by the system: permit, block, monitor, kickout, encrypt-kickout, cm-reject, ban, ban-user, log-only.
direction Direction, either outbound or inbound.
status The status of the traffic.
32786
Message ID: 032786
Message Description: IM photo transfer
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): im-all
Level/Severity: information
Log field Meaning
type utm
subtype contentlog
eventtype im-all
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
clogver Content log version.
epoch Epoch.
eventid Serial number.
cstatus The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize, carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept, im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel, im_photo_share_stop, im_photo_xfer, voip, error.
sessionid Session ID.
user User name.
group The group name.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
policyid The ID number of the firewall policy that applies to the session or packet.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
kind The kind of content traffic. One of the following: Summary, chat, file, photo, photo-xfer, audio, video, oversize, fileblock, fileexempt, virus, dlp, call-block, call-info, call, register, unregister.
laddr The local IP address.
raddr The remote IP address.
local The local user.
remote The remote user.
direction Direction, either outbound or inbound.
connmode Connection mode.
32787
Message ID: 032787
Message Description: IM voice chat
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): im-all
Level/Severity: information
Log field Meaning
type utm
subtype contentlog
eventtype im-all
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
clogver Content log version.
epoch Epoch.
eventid Serial number.
cstatus The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize, carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept, im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel, im_photo_share_stop, im_photo_xfer, voip, error.
sessionid Session ID.
user User name.
group The group name.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
policyid The ID number of the firewall policy that applies to the session or packet.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
kind The kind of content traffic. One of the following: Summary, chat, file, photo, photo-xfer, audio, video, oversize, fileblock, fileexempt, virus, dlp, call-block, call-info, call, register, unregister.
laddr The local IP address.
raddr The remote IP address.
local The local user.
remote The remote user.
action Action taken by the system: permit, block, monitor, kickout, encrypt-kickout, cm-reject, ban, ban-user, log-only.
direction Direction, either outbound or inbound.
status The status of the traffic.
32788
Message ID: 032788
Message Description: IM virus
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): im-all
Level/Severity: information
Log field Meaning
type utm
subtype contentlog
eventtype im-all
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
clogver Content log version.
epoch Epoch.
eventid Serial number.
cstatus The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize, carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept, im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel, im_photo_share_stop, im_photo_xfer, voip, error.
sessionid Session ID.
user User name.
group The group name.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
policyid The ID number of the firewall policy that applies to the session or packet.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
kind The kind of content traffic. One of the following: Summary, chat, file, photo, photo-xfer, audio, video, oversize, fileblock, fileexempt, virus, dlp, call-block, call-info, call, register, unregister.
laddr The local IP address.
raddr The remote IP address.
local The local user.
remote The remote user.
action Action taken by the system: permit, block, monitor, kickout, encrypt-kickout, cm-reject, ban, ban-user, log-only.
direction Direction, either outbound or inbound.
filename The name of the file that was transferred.
virus The name of the virus detected.
heuristic Heuristic information.
32789
Message ID: 032789
Message Description: IM file oversize
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): im-all
Level/Severity: information
Log field Meaning
type utm
subtype contentlog
eventtype im-all
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
clogver Content log version.
epoch Epoch.
eventid Serial number.
cstatus The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize, carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept, im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel, im_photo_share_stop, im_photo_xfer, voip, error.
sessionid Session ID.
user User name.
group The group name.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
policyid The ID number of the firewall policy that applies to the session or packet.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
kind The kind of content traffic. One of the following: Summary, chat, file, photo, photo-xfer, audio, video, oversize, fileblock, fileexempt, virus, dlp, call-block, call-info, call, register, unregister.
laddr The local IP address.
raddr The remote IP address.
local The local user.
remote The remote user.
action Action taken by the system: permit, block, monitor, kickout, encrypt-kickout, cm-reject, ban, ban-user, log-only.
direction Direction, either outbound or inbound.
filename The name of the file that was transferred.
32790
Message ID: 032790
Message Description: IM file block
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): im-all
Level/Severity: information
Log field Meaning
type utm
subtype contentlog
eventtype im-all
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
clogver Content log version.
epoch Epoch.
eventid Serial number.
cstatus The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize, carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept, im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel, im_photo_share_stop, im_photo_xfer, voip, error.
sessionid Session ID.
user User name.
group The group name.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
policyid The ID number of the firewall policy that applies to the session or packet.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
kind The kind of content traffic. One of the following: Summary, chat, file, photo, photo-xfer, audio, video, oversize, fileblock, fileexempt, virus, dlp, call-block, call-info, call, register, unregister.
laddr The local IP address.
raddr The remote IP address.
local The local user.
remote The remote user.
action Action taken by the system: permit, block, monitor, kickout, encrypt-kickout, cm-reject, ban, ban-user, log-only.
direction Direction, either outbound or inbound.
filename The name of the file that was transferred.
32791
Message ID: 032791
Message Description: IM file exempt
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): im-all
Level/Severity: information
Log field Meaning
type utm
subtype contentlog
eventtype im-all
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
clogver Content log version.
epoch Epoch.
eventid Serial number.
cstatus The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize, carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept, im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel, im_photo_share_stop, im_photo_xfer, voip, error.
sessionid Session ID.
user User name.
group The group name.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
policyid The ID number of the firewall policy that applies to the session or packet.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
kind The kind of content traffic. One of the following: Summary, chat, file, photo, photo-xfer, audio, video, oversize, fileblock, fileexempt, virus, dlp, call-block, call-info, call, register, unregister.
laddr The local IP address.
raddr The remote IP address.
local The local user.
remote The remote user.
action Action taken by the system: permit, block, monitor, kickout, encrypt-kickout, cm-reject, ban, ban-user, log-only.
direction Direction, either outbound or inbound.
filename The name of the file that was transferred.
32792
Message ID: 032792
Message Description: IM DLP (information)
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): im-all
Level/Severity: information
Log field Meaning
type utm
subtype contentlog
eventtype im-all
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
clogver Content log version.
epoch Epoch.
eventid Serial number.
cstatus The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize, carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept, im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel, im_photo_share_stop, im_photo_xfer, voip, error.
sessionid Session ID.
user User name.
group The group name.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
policyid The ID number of the firewall policy that applies to the session or packet.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
kind The kind of content traffic. One of the following: Summary, chat, file, photo, photo-xfer, audio, video, oversize, fileblock, fileexempt, virus, dlp, call-block, call-info, call, register, unregister.
laddr The local IP address.
raddr The remote IP address.
local The local user.
remote The remote user.
action Action taken by the system: permit, block, monitor, kickout, encrypt-kickout, cm-reject, ban, ban-user, log-only.
direction Direction, either outbound or inbound.
filename The name of the file that was transferred.
filesize File size.
32793
Message ID: 032793
Message Description: IM DLP (warning)
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): im-all
Level/Severity: warning
Log field Meaning
type utm
subtype contentlog
eventtype im-all
level warning
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
clogver Content log version.
epoch Epoch.
eventid Serial number.
cstatus The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize, carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept, im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel, im_photo_share_stop, im_photo_xfer, voip, error.
sessionid Session ID.
user User name.
group The group name.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
policyid The ID number of the firewall policy that applies to the session or packet.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
kind The kind of content traffic. One of the following: Summary, chat, file, photo, photo-xfer, audio, video, oversize, fileblock, fileexempt, virus, dlp, call-block, call-info, call, register, unregister.
laddr The local IP address.
raddr The remote IP address.
local The local user.
remote The remote user.
action Action taken by the system: permit, block, monitor, kickout, encrypt-kickout, cm-reject, ban, ban-user, log-only.
direction Direction, either outbound or inbound.
filename The name of the file that was transferred.
filesize File size.
32794
Message ID: 032794
Message Description: VOIP SIP log
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): VOIP
Level/Severity: information
Log field Meaning
type utm
subtype contentlog
eventtype VOIP
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
clogver Content log version.
epoch Epoch.
eventid Serial number.
cstatus The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize, carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept, im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel, im_photo_share_stop, im_photo_xfer, voip, error.
sessionid Session ID.
user User name.
group The group name.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
policyid The ID number of the firewall policy that applies to the session or packet.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
kind The kind of content traffic. One of the following: Summary, chat, file, photo, photo-xfer, audio, video, oversize, fileblock, fileexempt, virus, dlp, call-block, call-info, call, register, unregister.
action Action taken by the system: permit, block, monitor, kickout, encrypt-kickout, cm-reject, ban, ban-user, log-only.
status The status of the traffic.
srcip The source IP.
dstip The destination IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
direction Direction, either outbound or inbound.
duration Time value in seconds.
from Source identifier.
to Destination identifier.
32795
Message ID: 032795
Message Description: SCCP register
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): VOIP
Level/Severity: information
Log field Meaning
type utm
subtype contentlog
eventtype VOIP
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
clogver Content log version.
epoch Epoch.
eventid Serial number.
cstatus The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize, carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept, im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel, im_photo_share_stop, im_photo_xfer, voip, error.
sessionid Session ID.
user User name.
group The group name.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
policyid The ID number of the firewall policy that applies to the session or packet.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
kind The kind of content traffic. One of the following: Summary, chat, file, photo, photo-xfer, audio, video, oversize, fileblock, fileexempt, virus, dlp, call-block, call-info, call, register, unregister.
action Action taken by the system: permit, block, monitor, kickout, encrypt-kickout, cm-reject, ban, ban-user, log-only.
status The status of the traffic.
phone The phone information or number.
srcip The source IP.
from Source identifier.
to Destination identifier.
32796
Message ID: 032796
Message Description: SCCP unregister
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): VOIP
Level/Severity: information
Log field Meaning
type utm
subtype contentlog
eventtype VOIP
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
clogver Content log version.
epoch Epoch.
eventid Serial number.
cstatus The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize, carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept, im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel, im_photo_share_stop, im_photo_xfer, voip, error.
sessionid Session ID.
user User name.
group The group name.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
policyid The ID number of the firewall policy that applies to the session or packet.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
kind The kind of content traffic. One of the following: Summary, chat, file, photo, photo-xfer, audio, video, oversize, fileblock, fileexempt, virus, dlp, call-block, call-info, call, register, unregister.
action Action taken by the system: permit, block, monitor, kickout, encrypt-kickout, cm-reject, ban, ban-user, log-only.
status The status of the traffic.
phone The phone information or number.
srcip The source IP.
reason The reason for the blocking. One of the following: meter-overload-drop, meter-overload-refuse, rate-limit, dialog-limit, long-header, unrecognized-form, unknown, block-request, invalid-ip, or exceed-rate.
32797
Message ID: 032797
Message Description: SCCP call block
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): VOIP
Level/Severity: information
Log field Meaning
type utm
subtype contentlog
eventtype VOIP
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
clogver Content log version.
epoch Epoch.
eventid Serial number.
cstatus The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize, carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept, im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel, im_photo_share_stop, im_photo_xfer, voip, error.
sessionid Session ID.
user User name.
group The group name.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
policyid The ID number of the firewall policy that applies to the session or packet.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
kind The kind of content traffic. One of the following: Summary, chat, file, photo, photo-xfer, audio, video, oversize, fileblock, fileexempt, virus, dlp, call-block, call-info, call, register, unregister.
action Action taken by the system: permit, block, monitor, kickout, encrypt-kickout, cm-reject, ban, ban-user, log-only.
status The status of the traffic.
phone The phone information or number.
srcip The source IP.
reason The reason for the blocking. One of the following: meter-overload-drop, meter-overload-refuse, rate-limit, dialog-limit, long-header, unrecognized-form, unknown, block-request, invalid-ip, or exceed-rate.
from Source identifier.
to Destination identifier.
32798
Message ID: 032798
Message Description: SCCP call information
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): VOIP
Level/Severity: information
Log field Meaning
type utm
subtype contentlog
eventtype VOIP
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
clogver Content log version.
epoch Epoch.
eventid Serial number.
cstatus The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize, carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept, im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel, im_photo_share_stop, im_photo_xfer, voip, error.
sessionid Session ID.
user User name.
group The group name.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
policyid The ID number of the firewall policy that applies to the session or packet.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
kind The kind of content traffic. One of the following: Summary, chat, file, photo, photo-xfer, audio, video, oversize, fileblock, fileexempt, virus, dlp, call-block, call-info, call, register, unregister.
action Action taken by the system: permit, block, monitor, kickout, encrypt-kickout, cm-reject, ban, ban-user, log-only.
status The status of the traffic.
phone The phone information or number.
srcip The source IP.
dstip The destination IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
duration Time value in seconds.
from Source identifier.
to Destination identifier.
32800
Message ID: 032800
Message Description: VOIP SIP fuzzing log
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): VOIP
Level/Severity: information
Log field Meaning
type utm
subtype contentlog
eventtype VOIP
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
clogver Content log version.
epoch Epoch.
eventid Serial number.
cstatus The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize, carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept, im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel, im_photo_share_stop, im_photo_xfer, voip, error.
sessionid Session ID.
user User name.
group The group name.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
policyid The ID number of the firewall policy that applies to the session or packet.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
kind The kind of content traffic. One of the following: Summary, chat, file, photo, photo-xfer, audio, video, oversize, fileblock, fileexempt, virus, dlp, call-block, call-info, call, register, unregister.
action Action taken by the system: permit, block, monitor, kickout, encrypt-kickout, cm-reject, ban, ban-user, log-only.
status The status of the traffic.
srcip The source IP.
dstip The destination IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
direction Direction, either outbound or inbound.
duration Time value in seconds.
messagetype Message type: either request or response.
requestname Request name.
malformdesc Malform description, which explains the issue with the VOIP traffic.
malformdata Malform data.
line Content line.
column Content column.
from Source identifier.
to Destination identifier.
32801
Message ID: 032801
Message Description: IM video chat
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): im-all
Level/Severity: information
Log field Meaning
type utm
subtype contentlog
eventtype im-all
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
clogver Content log version.
epoch Epoch.
eventid Serial number.
cstatus The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize, carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept, im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel, im_photo_share_stop, im_photo_xfer, voip, error.
sessionid Session ID.
user User name.
group The group name.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
policyid The ID number of the firewall policy that applies to the session or packet.
indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
kind The kind of content traffic. One of the following: Summary, chat, file, photo, photo-xfer, audio, video, oversize, fileblock, fileexempt, virus, dlp, call-block, call-info, call, register, unregister.
laddr The local IP address.
raddr The remote IP address.
local The local user.
remote The remote user.
action Action taken by the system: permit, block, monitor, kickout, encrypt-kickout, cm-reject, ban, ban-user, log-only.
direction Direction, either outbound or inbound.
status The status of the traffic.
VoIP
44032
Message ID: 044032
Message Description: SIP log
Type (type): utm
Subtype (subtype): voip
Event Type (eventtype): voip
Level/Severity: information
Log field Meaning
type utm
subtype voip
eventtype voip
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
sessionid Session ID.
epoch Epoch.
eventid Serial number.
srcip The source IP.
dstip The destination IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstintf The destination interface.
policyid The ID number of the firewall policy that applies to the session or packet.
user User name.
group The group name.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
voipproto VOIP application protocol. Can be either sip or sccp.
kind Kind of message: register, unregister, call, call-info, call-block.
action Action taken by the system: permit, block, monitor, kickout, encrypt-kickout, cm-reject, ban, ban-user, log-only.
status Status: start, end, timeout, blocked, succeeded, failed, authentication-required.
duration Time value in seconds.
direction Direction, either outbound or inbound.
callid Call ID.
from Source identifier.
to Destination identifier.
44033
Message ID: 044033
Message Description: SIP block log
Type (type): utm
Subtype (subtype): voip
Event Type (eventtype): voip
Level/Severity: notice
Log field Meaning
type utm
subtype voip
eventtype voip
level notice
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
sessionid Session ID.
epoch Epoch.
eventid Serial number.
srcip The source IP.
dstip The destination IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstintf The destination interface.
policyid The ID number of the firewall policy that applies to the session or packet.
user User name.
group The group name.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
voipproto VOIP application protocol. Can be either sip or sccp.
kind Kind of message: register, unregister, call, call-info, call-block.
action Action taken by the system: permit, block, monitor, kickout, encrypt-kickout, cm-reject, ban, ban-user, log-only.
status Status: start, end, timeout, blocked, succeeded, failed, authentication-required.
reason Reason: rate-limit, dialog-limit, long-header, unrecognized-form, unknown, block-request, phone, session-close, new-register, invalid-ip, exceed-rate.
duration Time value in seconds.
direction Direction, either outbound or inbound.
messagetype Message type: either request or response.
requestname Request name.
callid Call ID.
count Number of packets.
from Source identifier.
to Destination identifier.
44034
Message ID: 044034
Message Description: SIP fuzzing log
Type (type): utm
Subtype (subtype): voip
Event Type (eventtype): voip
Level/Severity: information
Log field Meaning
type utm
subtype voip
eventtype voip
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
sessionid Session ID.
epoch Epoch.
eventid Serial number.
srcip The source IP.
dstip The destination IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstintf The destination interface.
policyid The ID number of the firewall policy that applies to the session or packet.
user User name.
group The group name.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
voipproto VOIP application protocol. Can be either sip or sccp.
kind Kind of message: register, unregister, call, call-info, call-block.
action Action taken by the system: permit, block, monitor, kickout, encrypt-kickout, cm-reject, ban, ban-user, log-only.
reason Reason: rate-limit, dialog-limit, long-header, unrecognized-form, unknown, block-request, phone, session-close, new-register, invalid-ip, exceed-rate.
duration Time value in seconds.
direction Direction, either outbound or inbound.
messagetype Message type: either request or response.
requestname Request name.
malformdesc Malform description, which explains the issue with the VOIP traffic.
malformdata Malform data.
line Content line.
column Content column.
44035
Message ID: 044035
Message Description: SCCP register
Type (type): utm
Subtype (subtype): voip
Event Type (eventtype): voip
Level/Severity: information
Log field Meaning
type utm
subtype voip
eventtype voip
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
sessionid Session ID.
epoch Epoch.
eventid Serial number.
srcip The source IP.
dstip The destination IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstintf The destination interface.
policyid The ID number of the firewall policy that applies to the session or packet.
user User name.
group The group name.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
voipproto VOIP application protocol. Can be either sip or sccp.
kind Kind of message: register, unregister, call, call-info, call-block.
action Action taken by the system: permit, block, monitor, kickout, encrypt-kickout, cm-reject, ban, ban-user, log-only.
status Status: start, end, timeout, blocked, succeeded, failed, authentication-required.
phone The phone information or number.
44036
Message ID: 044036
Message Description: SCCP unregister
Type (type): utm
Subtype (subtype): voip
Event Type (eventtype): voip
Level/Severity: information
Log field Meaning
type utm
subtype voip
eventtype voip
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
sessionid Session ID.
epoch Epoch.
eventid Serial number.
srcip The source IP.
dstip The destination IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstintf The destination interface.
policyid The ID number of the firewall policy that applies to the session or packet.
user User name.
group The group name.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
voipproto VOIP application protocol. Can be either sip or sccp.
kind Kind of message: register, unregister, call, call-info, call-block.
action Action taken by the system: permit, block, monitor, kickout, encrypt-kickout, cm-reject, ban, ban-user, log-only.
status Status: start, end, timeout, blocked, succeeded, failed, authentication-required.
reason Reason: rate-limit, dialog-limit, long-header, unrecognized-form, unknown, block-request, phone, session-close, new-register, invalid-ip, exceed-rate.
phone The phone information or number.
44037
Message ID: 044037
Message Description: SCCP call block
Type (type): utm
Subtype (subtype): voip
Event Type (eventtype): voip
Level/Severity: information
Log field Meaning
type utm
subtype voip
eventtype voip
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
sessionid Session ID.
epoch Epoch.
eventid Serial number.
srcip The source IP.
dstip The destination IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstintf The destination interface.
policyid The ID number of the firewall policy that applies to the session or packet.
user User name.
group The group name.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
voipproto VOIP application protocol. Can be either sip or sccp.
kind Kind of message: register, unregister, call, call-info, call-block.
action Action taken by the system: permit, block, monitor, kickout, encrypt-kickout, cm-reject, ban, ban-user, log-only.
status Status: start, end, timeout, blocked, succeeded, failed, authentication-required.
reason Reason: rate-limit, dialog-limit, long-header, unrecognized-form, unknown, block-request, phone, session-close, new-register, invalid-ip, exceed-rate.
phone The phone information or number.
44038
Message ID: 044038
Message Description: SCCP call info
Type (type): utm
Subtype (subtype): voip
Event Type (eventtype): voip
Level/Severity: information
Log field Meaning
type utm
subtype voip
eventtype voip
level information
date The date at which the log was recorded.
time The time at which the log was recorded.
vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".
sessionid Session ID.
epoch Epoch.
eventid Serial number.
srcip The source IP.
dstip The destination IP.
srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.
proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.
dstintf The destination interface.
policyid The ID number of the firewall policy that applies to the session or packet.
user User name.
group The group name.
profile The name of the profile that was used to detect and take action.
profiletype The type of profile responsible for the UTM action taken.
voipproto VOIP application protocol. Can be either sip or sccp.
kind Kind of message: register, unregister, call, call-info, call-block.
action Action taken by the system: permit, block, monitor, kickout, encrypt-kickout, cm-reject, ban, ban-user, log-only.
status Status: start, end, timeout, blocked, succeeded, failed, authentication-required.
duration Time value in seconds.
phone The phone information or number.
Addendum: Variable Event Logs
All logs below are in the category: Event.
These log messages were not documented in the previous versions of the 5.0 Log Message
Reference due to their variable structure not fitting the format. They will be documented here
instead. This issue is specific to 5.0, and future versions of the LMR will not require an
addendum.
The Format column lists the log fields present in that log message. [s] represents a string of text
or characters. [n] represents a number or value.
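
The [s]/[n] notation can be compiled mechanically into a parser. The following Python sketch is an added example, not Fortinet code: it turns three Format strings copied from the table below (IDs 20003, 32001 and 32021) into regular expressions and extracts the variable values from log lines. The names TEMPLATES, classify and lockout_events are hypothetical, and the sample lines (including their leading date, time and vd fields and every value in them) are constructed.

```python
import re

# Format strings copied from the addendum table (IDs 20003, 32001, 32021).
TEMPLATES = {
    20003: 'user=system ui=system action=alert-email status=failure count=[n] '
           'msg="Failed to send alert email from [s] to ([s])"',
    32001: 'user="[s]" ui=[s] action=login status=success reason=none '
           'profile="[s]" msg="Administrator [s] logged in successfully from [s]"',
    32021: 'ui=[s] action=login status=failed reason=exceed_limit '
           'msg="Login disabled from IP [s] for [n] seconds because of [n] bad attempts"',
}

PLACEHOLDER = re.compile(r"\[([sn])\]")


def _literal(text):
    """Escape fixed template text; each space may match any whitespace run."""
    return r"\s+".join(re.escape(tok) for tok in text.split(" "))


def compile_template(template):
    """Turn one Format string into (compiled regex, list of placeholder kinds)."""
    parts, kinds, pos = [], [], 0
    for m in PLACEHOLDER.finditer(template):
        parts.append(_literal(template[pos:m.start()]))
        kind = m.group(1)
        if kind == "n":
            parts.append(r"(\d+)")        # [n]: digits only
        elif template.count('"', 0, m.start()) % 2:
            # [s] inside a quoted value: may contain spaces, but is never
            # allowed to run past the closing quote into the next field.
            parts.append(r'([^"]*?)')
        else:
            parts.append(r"(\S*?)")       # bare [s]: a single token
        kinds.append(kind)
        pos = m.end()
    parts.append(_literal(template[pos:]))
    # Anchor on field boundaries so header fields before the body are allowed.
    return re.compile(r"(?:^|\s)" + "".join(parts) + r"(?=\s|$)"), kinds


COMPILED = {log_id: compile_template(t) for log_id, t in TEMPLATES.items()}


def classify(line):
    """Return (log_id, values) for the first template the line matches, else None."""
    for log_id, (regex, kinds) in COMPILED.items():
        m = regex.search(line)
        if m:
            values = [int(v) if k == "n" else v
                      for k, v in zip(kinds, m.groups())]
            return log_id, values
    return None


def lockout_events(lines):
    """Collect the variable parts of every ID 32021 (admin login disabled) line."""
    events = []
    for line in lines:
        hit = classify(line)
        if hit and hit[0] == 32021:
            ui, ip, seconds, attempts = hit[1]
            events.append({"ui": ui, "ip": ip,
                           "seconds": seconds, "attempts": attempts})
    return events


# Constructed sample lines; the header fields and all values are made up.
SAMPLE_LINES = [
    'date=2015-03-13 time=09:14:02 vd=root ui=ssh(203.0.113.7) action=login '
    'status=failed reason=exceed_limit msg="Login disabled from IP 203.0.113.7 '
    'for 60 seconds because of 3 bad attempts"',
    'date=2015-03-13 time=09:20:41 vd=root user="admin" ui=https(198.51.100.20) '
    'action=login status=success reason=none profile="super_admin" '
    'msg="Administrator admin logged in successfully from https(198.51.100.20)"',
    'date=2015-03-13 time=09:25:00 vd=root user=system ui=system '
    'action=alert-email status=failure count=2 '
    'msg="Failed to send alert email from fgt@example.com to (soc@example.com)"',
    # [n] must be numeric, so this malformed line matches no template.
    'date=2015-03-13 time=09:30:00 vd=root ui=ssh(203.0.113.7) action=login '
    'status=failed reason=exceed_limit msg="Login disabled from IP 203.0.113.7 '
    'for many seconds because of 3 bad attempts"',
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(classify(sample))
    print(lockout_events(SAMPLE_LINES))
```
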
| ID | Severity | Subtype | Macro | Format | Description |
|---|---|---|---|---|---|
| 20001 | information | system | LOG_ID_CLIENT_DISASSOCIATED | client [s] is disassociated | paed log |
| 20002 | notice | system | LOG_ID_DOMAIN_UNRESOLVABLE | user=system ui=system action=[s] status=failure msg="Can't resolve the IP address of [s]" | The domain name in alert e-mail's sender is not resolvable |
| 20003 | notice | system | LOG_ID_MAIL_SENT_FAIL | user=system ui=system action=alert-email status=failure count=[n] msg="Failed to send alert email from [s] to ([s])" | The alert e-mail send failed |
| 20004 | unknown | system | LOG_ID_POLICY_TOO_BIG | user="[s]" ui=[s] status=failure msg="Policy [n] is too big for system, it's installed partially." | Policy is too big |
| 20005 | information | system | LOG_ID_PPP_LINK_UP | msg="modem: PPP link is up" | modemd log |
| 20006 | information | system | LOG_ID_PPP_LINK_DOWN | msg="modem: PPP link is down" | modemd log |
| 20007 | critical | system | 20007 | service=kernel status=failure proto=[n] src=[n].[n].[n].[n] src_port=[n] nat=[n].[n].[n].[n] dst=[n].[n].[n].[n] dst_port=[n] msg="NAT port is exhausted." | Socket is exhausted |
| 20011 | information | system | LOG_ID_CLIENT_NEW_ASSOCIATION | Accepted association from [s] | paed log |
| 20012 | information | system | LOG_ID_CLIENT_WPA_1X | Client [s] does 1X | paed log |
| 20013 | information | system | LOG_ID_CLIENT_WPA_SSN | Client [s] does WPA | paed log |
| 20014 | warning | system | LOG_ID_TEST | user="admin" action="login" status="success" msg="user admin logged into the fw - [n]" | test |
| 20015 | information | system | LOG_ID_IEEE802_NEW_STATION | action=authentication status=start msg="Client does 801.1x" | wpad log |
| 20016 | information | system | LOG_ID_MODEM_EXCEED_REDIAL_COUNT | msg="modem: Redial limit exceeded... giving up" | modemd log |
| 20017 | information | system | LOG_ID_MODEM_FAIL_TO_OPEN | msg="modem: unable to open modem device - check hardware" | modemd log |
| 20018 | critical | system | LOG_ID_GW_GRP_STATE_CHANGED | interface="[s]" gw_group=[n] status=[s] gw_status=[s] msg="The status of [s] for gateway group [n] is [s]" | Gateway group state is changed |
| 20019 | critical | system | LOG_ID_ROUTE_INFO_CHANGED | interface="[s]" status=[s] msg="[s]" | Routing information is changed because the gateway is up/down |
| 20021 | information | system | LOG_ID_MAIL_RESENT | user=system ui=system action=alert-email status=success count=[n] msg="Resending alert e-mail with [n] pending alert(s) from [s] to ([s])" | The alert e-mail resend |
| 20025 | notice | system | LOG_ID_REPORTD_REPORT_SUCCESS | msg="Report generation succeeded for layout:[s]." file="[s]" filesize=[n] datarange="[s]" reporttype="[s]" processtime=[n] | Reporting Complete |
| 20026 | error | system | LOG_ID_REPORTD_REPORT_FAILURE | msg="[s]" | Reporting Failure |
| 20027 | warning | system | LOG_ID_REPORT_DEL_OLD_REC | msg="Delete old report db records" datarange="[s]" | Delete old report db records |
| 20031 | critical | system | LOG_ID_RAD_OUT_OF_MEM | msg="Interface [s] Out of memory in [s]:[s]:[n]" | ravdv_iface_set_config() finds a pointer pointing to a wrong address |
| 20032 | critical | system | LOG_ID_RAD_NOT_FOUND | msg="Interface [s] not found in [s]:[s]:[n]" | ravdv_iface_same_config() cannot find the corresponding interface by name |
| 20033 | information | system | LOG_ID_RAD_MOBILE_IPV6 | msg="using Mobile IPv6 extensions" | An interface uses Mobile IPv6 extensions |
| 20034 | critical | system | LOG_ID_RAD_IPV6_OUT_OF_RANGE | msg="MinRtrAdvInterval for [s] must be between [n] and [n]" | MinRtrAdvInterval using Mobile Ipv6 extension is out of range |
| 20035 | critical | system | LOG_ID_RAD_MIN_OUT_OF_RANGE | msg="MinRtrAdvInterval must be between [n] and [n] for [s]" | MinRtrAdvInterval is out of range |
| 20036 | critical | system | LOG_ID_RAD_MAX_OUT_OF_RANGE | msg="MaxRtrAdvInterval for [s] must be between [n] and [n]" | MaxRtrAdvInterval using Mobile Ipv6 extension is out of range |
| 20037 | critical | system | LOG_ID_RAD_MAX_ADV_OUT_OF_RANGE | msg="MaxRtrAdvInterval must be between [n] and [n] for [s]" | MaxRtrAdvInterval is out of range |
| 20038 | critical | system | LOG_ID_RAD_MTU_OUT_OF_RANGE | msg="AdvLinkMTU must be zero or between [n] and [n] for [s]" | AdvLinkMTU is out of range |
| 20039 | critical | system | LOG_ID_RAD_MTU_TOO_SMALL | msg="AdvLinkMTU must be zero or greater than [n] for [s]" | AdvLinkMTU is too small |
| 20040 | critical | system | LOG_ID_RAD_TIME_TOO_SMALL | msg="AdvReachableTime must be less than [n] for [s]" | AdvReachableTime is too small |
| 20041 | critical | system | LOG_ID_RAD_HOP_OUT_OF_RANGE | msg="AdvCurHopLimit must not be greater than [n] for [s]" | AdvCurHopLimit in Router Advertisement packet is too big |
| 20042 | critical | system | LOG_ID_RAD_DFT_HOP_OUT_OF_RANGE | msg="AdvDefaultLifetime for [s] must be zero or between [n] and [n]" | AdvCurHopLimit in Router Advertisement packet is out of range |
| 20043 | critical | system | LOG_ID_RAD_AGENT_OUT_OF_RANGE | msg="HomeAgentLifetime must be between [n] and [n] for [s]" | HomeAgentLifetime in Router Advertisement packet is out of range |
| 20044 | critical | system | LOG_ID_RAD_AGENT_FLAG_NOT_SET | msg="AdvHomeAgentFlag must be set with HomeAgentInfo" | AdvHomeAgentFlag HomeAgentLifetime in Router Advertisement packet must be set with HomeAgentInfo |
| 20045 | critical | system | LOG_ID_RAD_PREFIX_TOO_LONG | msg="invalid prefix length for [s]" | prefix length is too long |
| 20046 | critical | system | LOG_ID_RAD_PREF_TIME_TOO_SMALL | msg="AdvValidLifetime must be greater than AdvPreferredLifetime for [s]" | AdvValidLifetime is less than AdvPreferredLifetime |
| 20047 | critical | system | LOG_ID_RAD_FAIL_IPV6_SOCKET | msg="can't create socket(AF_INET6): [s]" | IPv6 router advertisement daemon (radvd) failed to create an IPv6 socket |
| 20048 | critical | system | LOG_ID_RAD_FAIL_OPT_IPV6_PKTINFO | msg="setsockopt(IPV6_PKTINFO): [s]" | Radvd failed to set IPV6_PKTINFO option |
| 20049 | critical | system | LOG_ID_RAD_FAIL_OPT_IPV6_CHECKSUM | msg="setsockopt(IPV6_CHECKSUM): [s]" | Radvd failed to set IPV6_CHECKSUM option |
| 20050 | critical | system | LOG_ID_RAD_FAIL_OPT_IPV6_UNICAST_HOPS | msg="setsockopt(IPV6_UNICAST_HOPS): [s]" | Radvd failed to set IPV6_UNICAST_HOPS option |
| 20051 | critical | system | LOG_ID_RAD_FAIL_OPT_IPV6_MULTICAST_HOPS | msg="setsockopt(IPV6_MULTICAST_HOPS): [s]" | Radvd failed to set IPV6_MULTICAST_HOPS option |
| 20052 | critical | system | LOG_ID_RAD_FAIL_OPT_IPV6_HOPLIMIT | msg="setsockopt(IPV6_HOPLIMIT): [s]" | Radvd failed to set IPV6_HOPLIMIT option |
| 20053 | critical | system | LOG_ID_RAD_FAIL_OPT_IPPROTO_ICMPV6 | msg="setsockopt(ICMPV6_FILTER): [s]" | Radvd failed to set ICMPV6_FILTER option |
| 20054 | information | system | LOG_ID_RAD_EXIT_BY_SIGNAL | msg="radvd receive signal=[n]" | radvd has received a signal, and is going to exit |
| 20055 | critical | system | LOG_ID_RAD_FAIL_CMDB_QUERY | msg="Can not create query to interface at [s]:[s]:[n]!" | Radvd cannot create query to interface by using cmf_query_create() |
| 20056 | critical | system | LOG_ID_RAD_FAIL_CMDB_FOR_EACH | msg="Internal error in cmf_query_for_each()!" | Radvd occurs an internal error when it uses cmf_query_for_each() |
| 20057 | critical | system | LOG_ID_RAD_FAIL_FIND_VIRT_INTF | msg="Interface [s]:[n] not found in the list!" | Radvd failed to find a virtual interface by interface index |
| 20058 | information | system | LOG_ID_RAD_UNLOAD_INTF | msg="Interface [s]:[n] unloaded!" | Radvd reloads a specific interface |
| 20059 | warning | system | LOG_ID_RAD_NO_PKT_INFO | msg="received packet with no pkt_info!" | Radvd received a packet with no pkt_info |
| 20060 | warning | system | LOG_ID_RAD_INV_ICMPV6_LEN | msg="received icmpv6 packet with invalid length: [n]" | Radvd received an icmpv6 packet with invalid length |
| 20061 | critical | system | LOG_ID_RAD_INV_ICMPV6_TYPE | msg="icmpv6 filter failed" | Radvd received an unwanted type of icmpv6 packet |
| 20062 | warning | system | LOG_ID_RAD_INV_ICMPV6_RA_LEN | msg="received icmpv6 RA packet with invalid length: [n]" | Radvd received icmpv6 RA packet with invalid length |
| 20063 | warning | system | LOG_ID_RAD_ICMPV6_NO_SRC_ADDR | msg="received icmpv6 RA packet with non-linklocal source address" | Radvd received icmpv6 RA packet with non-linklocal source address |
| 20064 | warning | system | LOG_ID_RAD_INV_ICMPV6_RS_LEN | msg="received icmpv6 RS packet with invalid length: [n]" | Radvd received icmpv6 RS packet with invalid length |
| 20065 | warning | system | LOG_ID_RAD_INV_ICMPV6_CODE | msg="received icmpv6 RS/RA packet with invalid code: [n]" | Radvd received icmpv6 RS/RA packet with invalid code |
| 20066 | warning | system | LOG_ID_RAD_INV_ICMPV6_HOP | msg="received RS or RA with invalid hoplimit [n] from [s]" | Radvd received icmpv6 RS/RA packet with wrong hoplimit |
| 20067 | warning | system | LOG_ID_RAD_MISMATCH_HOP | msg="our AdvCurHopLimit on [s] doesn't agree with [s]" | AdvCurHopLimit on our interface does not agree with a remote site |
| 20068 | warning | system | LOG_ID_RAD_MISMATCH_MGR_FLAG | msg="our AdvManagedFlag on [s] doesn't agree with [s]" | AdvManagedFlag on our interface does not agree with a remote site |
| 20069 | warning | system | LOG_ID_RAD_MISMATCH_OTH_FLAG | msg="our AdvOtherConfigFlag on [s] doesn't agree with [s]" | AdvOtherConfigFlag on our interface does not agree with a remote site |
| 20070 | warning | system | LOG_ID_RAD_MISMATCH_TIME | msg="our AdvReachableTime on [s] doesn't agree with [s]" | AdvReachableTime on our interface does not agree with a remote site |
| 20071 | warning | system | LOG_ID_RAD_MISMATCH_TIMER | msg="our AdvRetransTimer on [s] doesn't agree with [s]" | AdvRetransTimer on our interface does not agree with a remote site |
| 20072 | critical | system | LOG_ID_RAD_EXTRA_DATA | msg="trailing garbage in RA on [s] from [s]" | Radvd finds extra data in RA packet |
| 20073 | critical | system | LOG_ID_RAD_NO_OPT_DATA | msg="zero length option in RA on [s] from [s]" | Radvd finds a RA packet with no option data |
| 20074 | critical | system | LOG_ID_RAD_INV_OPT_LEN | msg="option length greater than total length in RA on [s] from [s]" | option length is greater than total length in RA packet |
| 20075 | warning | system | LOG_ID_RAD_MISMATCH_MTU | msg="our AdvLinkMTU on [s] doesn't agree with [s]" | AdvLinkMTU on our interface does not agree with a remote site |
| 20077 | warning | system | LOG_ID_RAD_MISMATCH_PREF_TIME | msg="our AdvPreferredLifetime on [s] for [s] doesn't agree with [s]" | AdvPreferredLifetime on our interface does not agree with a remote site |
| 20078 | critical | system | LOG_ID_RAD_INV_OPT | msg="invalid option [n] in RA on [s] from [s]" | Radvd finds an invalid option in RA packet from a remote site |
| 20079 | information | system | LOG_ID_RAD_READY | msg="radvd started" | Radvd daemon is ready to serve |
| 20080 | critical | system | LOG_ID_RAD_FAIL_TO_RCV | msg="recvmsg: [s]" | Recvmsg() in radvd failed |
| 20081 | critical | system | LOG_ID_RAD_INV_HOP | msg="received a bogus IPV6_HOPLIMIT from the kernel! len=[n], data=[n]" | Radvd received a packet with a wrong IPV6_HOPLIMIT |
| 20082 | critical | system | LOG_ID_RAD_INV_PKTINFO | msg="received a bogus IPV6_PKTINFO from the kernel! len=[n], index=[n]" | Radvd received a packet with a wrong IPV6_PKTINFO |
| 20083 | warning | system | LOG_ID_RAD_FAIL_TO_CHECK | msg="problem checking all-routers membership on [s]" | Radvd failed to check whether we've joined the all-routers multicast group |
| 20084 | warning | system | LOG_ID_RAD_FAIL_TO_SEND | msg="sendmsg: [s]" | sendmsg() in radvd failed |
| 20085 | information | system | 20085 | status="clash" proto=[n] msg="session clash"[s] | session clash |
| 20086 | unknown | system | 20086 | msg="==[s] xh0(sp_[n], fmc[n]) crashed, master is fmc[n]==" | xh0 crashed |
| 20090 | notice \| information | system | LOG_ID_INTF_LINK_STA_CHG | intf=[s] status=[s] msg="interface [s] link status is [s]" | Interface link status changed |
| 20101 | warning | system | LOG_ID_WEB_LIC_EXPIRE | msg="FortiGuard web filtering license will expire in [n] day(s)" | FortiGuard web filtering license expiring |
| 20102 | warning | system | LOG_ID_SPAM_LIC_EXPIRE | msg="FortiGuard anti-spam license will expire in [n] day(s)" | FortiGuard anti-spam license expiring |
| 20103 | warning | system | LOG_ID_AV_LIC_EXPIRE | msg="FortiGuard AV update license will expire in [n] day(s)" | FortiGuard AV update license expiring |
| 20104 | warning | system | LOG_ID_IPS_LIC_EXPIRE | msg="FortiGuard IPS update license will expire in [n] day(s)" | FortiGuard IPS update license expiring |
| 20105 | warning | system | LOG_ID_LOG_UPLOAD_SKIP | ui=[s] action=upload error="Daily volume exceeded" msg="Log upload to FortiCloud skipped (Daily volume exceeded)." | Log uploading |
| 20107 | warning | system | LOG_ID_LOG_UPLOAD_ERR | action=upload error="[s]" user="[s]" server=[s] port=[n] msg="Log upload to [s] error on vdom [s]" | uploading error |
| 20108 | notice | system | LOG_ID_LOG_UPLOAD_DONE | action=upload status=completed user="[s]" server=[s] port=[n] msg="Log upload to [s] completed on vdom [s]" | upload status |
| 20110 | notice | system | LOG_ID_HPAPI_ESPD_START | msg="hp_api: Connection to ESPd has been initialized" | hp_api log |
| 20111 | warning | system | LOG_ID_HPAPI_ESPD_RESET | msg="hp_api: Connection to ESPd has been reset, exiting" | hp_api log |
| 20113 | error | system | LOG_ID_IPSA_DOWNLOAD_FAIL | msg="Fail to download IPSA DB!" | IPSA error |
| 20114 | error | system | LOG_ID_IPSA_SELFTEST_FAIL | msg="IPSA self test failed, disable IPSA!" | IPSA error |
| 20115 | error | system | LOG_ID_IPSA_STATUSUPD_FAIL | msg="Fail to update IPSA driver status!" | IPSA error |
| 20200 | notice | system | LOG_ID_FIPS_SELF_TEST | user="[s]" ui=[s] action=self-test msg="Administrator [s] initiates the [s] self-test from [s]" | running self-test |
| 20201 | notice | system | LOG_ID_FIPS_SELF_ALL_TEST | user="[s]" ui=[s] action=self-test msg="Administrator [s] initiates all self-tests from [s]" | running self-test |
| 20202 | warning | system | LOG_ID_DISK_FORMAT_ERROR | msg="Partitioning or formatting error ([s], [s]) partition=[n] format=[n] label=[s]" | Error in partitioning or formatting |
| 20203 | information | system | LOG_ID_DAEMON_SHUTDOWN | action=daemon-shutdown daemon=[s] pid=[n] msg="[s] shut down" | daemon shutdown |
| 20204 | information | system | LOG_ID_DAEMON_START | action=daemon-startup daemon=[s] pid=[n] msg="[s] has started" | daemon started |
| 20205 | critical | system | LOG_ID_DISK_FORMAT_REQ | user="[s]" ui=[s] action=format-disk msg="User [s] requested to format [s] disk from [s]" | format disk |
| 20206 | warning | system | LOG_ID_DISK_SCAN_REQ | user="[s]" ui=[s] action=scan-disk msg="User [s] requested to scan [s] disk from [s]" | scan disk |
| 20300 | unknown | system | LOG_ID_BGP_NB_STAT_CHG | msg="BGP: %%BGP-5-ADJCHANGE: neighbor [s] [s] [s]" | bgp neighbor status change |
| 22000 | warning | system | LOG_ID_INV_PKT_LEN | msg="Packet length does not match that specified in the request header." | Packet length does not match that specified in the request header. |
| 22001 | warning | system | LOG_ID_UNSUPPORTED_PROT_VER | msg="Protocol version-[n] is not supported" | Unsupported protocol version |
| 22002 | warning | system | LOG_ID_INV_REQ_TYPE | msg="Request type [n] is not supported." | Other request than http, https, ftp, mail and av is not supported |
| 22003 | warning | system | LOG_ID_FAIL_SET_SIG_HANDLER | sigaction([n])failed: [s] | failed to set up a signal handler |
| 22004 | warning | system | LOG_ID_FAIL_CREATE_SOCKET | Socket() failed: [s] | failed to create a socket |
| 22005 | warning | system | LOG_ID_FAIL_CREATE_SOCKET_RETRY | failed to create a [s]/udp socket to receive URL request: [s] | failed to create a udp socket to receive URL request |
| 22006 | warning | system | LOG_ID_FAIL_REG_CMDB_EVENT | msg="Failed to register for cmdb events." | Failed to register for cmdb events |
| 22009 | warning | system | LOG_ID_FAIL_FIND_AV_PROFILE | name=[s] status=failure msg="failed to find its AV protection profile" | failed to find av profile by ID |
| 22010 | error | system | LOG_ID_SENDTO_FAIL | process="[s]" reason="[s]" msg="failed to send urlfilter packet" | safe_sendto() failed |
| 22011 | unknown | system | 22011 | service=kernel conserve=on free="[n] pages" red="[n] pages" msg="Kernel enters conserve mode" | Kernel enters conserve mode |
| 22012 | unknown | system | 22012 | service=kernel conserve=exit free="[n] pages" green="[n] pages" msg="Kernel leaves conserve mode" | Kernel leaves conserve mode |
| 22013 | alert | system | 22013 | action=pba-block-exhaust saddr=[n].[n].[n].[n] poolname="[s]" msg="Pba ippool port-block has been exhausted" | Alert ippool pba block exhaust |
| 22014 | alert \| notice | system | 22014 | action=pba-natip-exhaust saddr=[n].[n].[n].[n] poolname="[s]" msg="Pba ippool natip has been exhausted" | Alert ippool pba natip exhaust |
| 22015 | notice | system | LOG_ID_EXCEED_VD_RES_LIMIT | service=kernel msg="[s] vdom([n]) limit. count=[n] limit=[n]" | Exceed vdom resource limit |
| 22016 | notice | system | 22016 | action=pba-close saddr=[n].[n].[n].[n] nat=[n].[n].[n].[n] portbegin=[n] portend=[n] poolname="[s]" duration=[n] msg="Pba ippool close" | Deallocate ippool pba |
| 22020 | warning | system | LOG_ID_FAIL_CREATE_HA_SOCKET | msg="Socket() failed: [s]" | Failed to create a ha_socket |
| 22021 | warning | system | LOG_ID_FAIL_CREATE_HA_SOCKET_RETRY | msg="Failed to create a udp socket to relay URL requests: [s]" | Failed to create a udp socket to relay URL requests |
| 22100 | warning | system | LOG_ID_QUAR_DROP_TRAN_JOB | count=[n] duration=[n] limit=[n] used=[n] fams_pause=[n] action=transfer status=drop reason=[s] msg="In the past [n] seconds, [n] files were dropped by quard." | Quarantine dropped transfer jobs |
| 22101 | warning | system | LOG_ID_QUAR_DROP_TLL_JOB | count=[n] action=transfer status=drop reason=poor-network-condition msg="[n] files were dropped by quard to [s]: [n] reached max retries, [n] reached TTL." | Quarantine dropped transfer jobs |
| 22102 | critical | system | LOG_ID_LOG_DISK_FAILURE | msg="Log disk failure is imminent, logs should be backed up" | Erroneous SMART status |
| 22104 | critical | system | 22104 | action=power-supply-monitor status=restore unit=[s] msg="Power supply [s] restore" | Power supply restore |
| 22105 | critical | system | LOG_ID_POWER_FAILURE | action=power-supply-monitor status=failure unit=[s] msg="Power supply [s] [s]" | Power supply failure |
| 22106 | warning \| information | system | LOG_ID_POWER_OPTIONAL_NOT_DETECTED | action=ipmc-sensor-monitor status=failure msg="[s]" | IPMC sensor failure |
| 22107 | warning | system | LOG_ID_VOLT_ANOM | action=ipmc-sensor-monitor status=failure msg="[s]" | IPMC sensor failure |
| 22108 | warning | system | LOG_ID_FAN_ANOM | action=ipmc-sensor-monitor status=failure msg="[s]" | IPMC sensor failure |
| 22110 | critical | system | LOG_ID_SPARE_BLOCK_LOW | msg="Available spare blocks of boot device are getting low (remaining [n])." | Available spare blocks is low |
| 22200 | warning | system | LOG_ID_AUTO_UPT_CERT | user=system action=certificate-update status=warning cert=[s] msg="CA certificate [s] will auto-update in [n] days." | Certificate will be auto-update |
| 22201 | warning | system | LOG_ID_AUTO_GEN_CERT | user=system action=certificate-regenerate status=warning cert=[s] msg="Local certificate [s] will auto-regenerate in [n] days." | Certificate will be auto-regenerate |
| 22202 | error | system | LOG_ID_AUTO_UPT_CERT_FAIL | user=system action=certificate-update status=failure cert=[s] msg="[s]" | Certificate failed to auto-update |
| 22203 | error | system | LOG_ID_AUTO_GEN_CERT_FAIL | user=system action=certificate-regenerate status=failure cert=[s] msg="[s]" | Certificate failed to auto-regenerate |
| 22700 | critical | system | LOG_ID_IPS_FAIL_OPEN | msg="IPS session scan resumed, exit fail open mode." | IPS fail open |
| 22800 | critical | system | LOG_ID_SCAN_SERV_FAIL | service=[s] mode=[s] msg="The system has [s] session fail mode" | Scan services session fail mode |
| 22801 | critical | system | LOG_ID_SCAN_LEAVE_CONSERVE_MODE | service=[s] conserve=exit total=[n] free=[n] entermargin=[n] exitmargin=[n] msg="The system exited conserve mode" | Scan services exited conserve mode |
| 22802 | critical | system | LOG_ID_SYS_ENTER_CONSERVE_MODE | service=[s] sysconserve=on total=[n] free=[n] entermargin=[n] exitmargin=[n] msg="The system has entered system conserve mode" | System services entered conserve mode |
| 22803 | critical | system | LOG_ID_SYS_LEAVE_CONSERVE_MODE | service=[s] sysconserve=exit total=[n] free=[n] entermargin=[n] exitmargin=[n] msg="The system exited system conserve mode" | System exited conserve mode |
| 22804 | critical | system | LOG_ID_LIC_STATUS_CHG | service=license status=[s] msg="License status changed to [s]" | License Status Change |
| 22805 | warning | system | LOG_ID_FAIL_TO_VALIDATE_LIC | service=license status=warning msg="License could not be validated for over 4 hours" | License Status Warning |
| 22806 | warning | system | LOG_ID_DUP_LIC | service=license status=warning msg="Detected duplicate license in use" | License Status Duplicate Warning |
| 22810 | critical | system | LOG_ID_SCAN_ENTER_CONSERVE_MODE | service=[s] conserve=on total=[n] free=[n] entermargin=[n] exitmargin=[n] msg="The system has entered conserve mode" | Scan services entered conserve mode |
| 22900 | notice | system | LOG_ID_CAPUTP_SESSION | msg="[s]" action=[s] src=[n].[n].[n].[n] | caputp-session |
| 22901 | notice | system | LOG_ID_FAZ_CON | action=connect status=success msg="Connected to FortiAnalyzer [s]" | FortiAnalyzer Connection |
| 22902 | notice | system | LOG_ID_FAZ_DISCON | action=disconnect status=success reason="[s]" msg="Disconnected from FortiAnalyzer [s]" | FortiAnalyzer Disconnection |
| 22903 | critical | system | LOG_ID_FAZ_CON_ERR | action=connect status=failure reason="[s]" msg="Failed to connect FortiAnalyzer [s]" | FortiAnalyzer Connection |
| 22910 | notice | system | LOG_ID_EVENT_SLA_PROBE_PING | [s]="[n]" [s]="[s]" [s]="ping" [s]="[s]" msg="SLA Probe event: change state from [s] to [s]" | SLA Probe information |
| 22911 | notice | system | LOG_ID_EVENT_SLA_PROBE_HTTPGET | [s]="[n]" [s]="[s]" [s]="[s]" [s]="http-get" [s]="[s]" msg="SLA Probe event: change state from [s] to [s]" | SLA Probe information |
| 22916 | notice | system | LOG_ID_FDS_STATUS | status=[s] msg="FortiGuard Message Service server is [s]" | FortiGuard Message Service status |
| 22917 | notice | system | LOG_ID_FDS_SMS_QUOTA | user=system msg="SMS quota is used up." | SMS quota used up |
| 23101 | unknown | vpn | LOG_ID_IPSEC_TUNNEL_UP | action=[s] tunnel_id=[n] [s]tunneltype=[s] remote_ip=[s] tunnel_ip=[s] user="[s]" group="[s]" [s][s][s][s]msg="[s] [s]" | VPN event log message |
| 23102 | unknown | vpn | LOG_ID_IPSEC_TUNNEL_DOWN | action=[s] tunnel_id=[n] [s]tunneltype=[s] remote_ip=[s] tunnel_ip=[s] user="[s]" group="[s]" [s][s][s][s]msg="[s] [s]" | VPN event log message |
| 23103 | unknown | vpn | LOG_ID_IPSEC_TUNNEL_STAT | action=[s] tunnel_id=[n] [s]tunneltype=[s] remote_ip=[s] tunnel_ip=[s] user="[s]" group="[s]" [s][s][s][s]msg="[s] [s]" | VPN event log message |
| 26001 | information \| unknown | router | LOG_ID_DHCP_MSG | interface="[s]" dhcp_msg="[s]" dir=[s] mac=[s]:[s]:[s]:[s]:[s]:[s] ip=[n].[n].[n].[n] lease=[n] hostname="[s]" msg="[s]" | DHCP request and response log |
| 26002 | error | router | LOG_ID_DHCP_NO_SHARE_NET | interface="[s]" No shared network for network [s] ([s]) | No shared network found |
| 26003 | information | router | LOG_ID_DHCP_STAT | interface="[s]" total=[n] used=[n] msg="[s]" | DHCP Statistics |
| 26004 | error | router | LOG_ID_DHCP_MULT_SUB_NET | interface="[s]" Address range [s] to [s], netmask [s] spans [s]! | Address range spans multiple subnets |
| 26005 | error | router | LOG_ID_DHCP_INV_ADDR_RANGE | interface="[s]" Address range [s] to [s] not on net [s]/[s]! | Address range doesn't belong to the net |
| 29001 | unknown | router | LOG_ID_PPPD_MSG | user="[s]" local=[n].[n].[n].[n] remote=[n].[n].[n].[n] assigned=[n].[n].[n].[n] stat="[s]" msg="[s]" | Pppd log message |
| 29002 | notice \| debug | router | LOG_ID_PPPD_AUTH_SUC | user="[s]" local=[n].[n].[n].[n] remote=[n].[n].[n].[n] assigned=[n].[n].[n].[n] action=auth_success msg="User '[s]' using [s] with authentication protocol [s], [s]" | PPPD authentication success log message |
| 29003 | notice | router | LOG_ID_PPPD_AUTH_FAIL | local=[n].[n].[n].[n] remote=[n].[n].[n].[n] assigned=[n].[n].[n].[n] action=auth_failed msg="[s] is trying to connect using [s] with authentication protocol [s], failed" | PPPD authentication failure log message |
| 29009 | notice | router | LOG_ID_PPPOE_STATUS_REPORT | gateway=[n].[n].[n].[n] assigned=[n].[n].[n].[n] msg="PPPoE status report" | PPPoE status report |
| 29011 | error | router | LOG_ID_PPPD_FAIL_TO_EXEC | Can't execute [s]: [s] | pppd cannot execute a program |
| 29012 | unknown | router | LOG_ID_PPP_OPT_ERR | [s] | ppp has received wrong options |
| 29013 | notice | router | LOG_ID_PPPD_START | msg="pppd is started" | pppd is started |
| 29014 | information | router | LOG_ID_PPPD_EXIT | msg="pppd is exiting" | pppd is exiting |
| 29015 | error | router | LOG_ID_PPP_RCV_BAD_PEER_IP | Peer IP is the same as an interface IP[s]. IP([n].[n].[n].[n]) | ppp has received bad options |
| 29016 | error | router | LOG_ID_PPP_RCV_BAD_LOCAL_IP | Local IP is the same as an interface IP[s]. IP([n].[n].[n].[n]) | ppp has received bad options |
| 29017 | unknown | router | LOG_ID_PPP_OPT_NOTIF | [s] | ppp has received wrong options |
| 29020 | notice | router | LOG_ID_WIRELESS_SET_FAIL | wireless set command [s] [s] failed | |
| 32001 | information | system | LOG_ID_ADMIN_LOGIN_SUCC | user="[s]" ui=[s] action=login status=success reason=none profile="[s]" msg="Administrator [s] logged in successfully from [s]" | Admin logged in successfully |
| 32002 | alert | system | LOG_ID_ADMIN_LOGIN_FAIL | user=test ui=cli action=login status=failed reason=test msg="Alarm testing" | Failed admin login attempt |
| 32003 | information | system | LOG_ID_ADMIN_LOGOUT | user="[s]" ui=[s] action=logout status=success duration=[n] [s]reason=[s] msg="Administrator [s] [s] [s]" | Admin logged out |
| 32004 | emergency | system | LOG_ID_ALARM_TEST_FAIL | action=error-mode reason=self-test msg="Alarm testing" | alarm testing |
| 32005 | information | system | 32005 | user="[s]" action=vdom-override status=success reason=none msg="Administrator [s] vdom overridden to [s]" | Admin overrided vdom successfully |
| 32006 | information | system | LOG_ID_ADMIN_ENTER_VDOM | user="[s]" ui=[s] action=vdom-switch reason=none msg="User [s] has entered the virtual domain [s]" | A super admin has entered to this vdom |
| 32007 | information | system | LOG_ID_ADMIN_LEFT_VDOM | user="[s]" ui=[s] action=vdom-switch reason=none msg="User [s] has left the virtual domain [s]" | A super admin has left the current vdom |
| 32008 | warning | system | LOG_ID_VIEW_LOG_FAIL | user="[s]" ui=[s] msg="User [s] failed to access the [s] logs from [s]" | Failed to view log |
| 32009 | information | system | LOG_ID_SYSTEM_START | msg="Fortigate started[s]" | System started |
| 32010 | emergency \| information \| unknown | system | LOG_ID_DISK_LOG_FULL | msg="[s] is [n]% full.System will stop [s] logging." | Log full |
| 32011 | notice | system | LOG_ID_LOG_ROLL | action=roll-log reason=file-size log=[s] msg="Disk log has rolled." | Log rotation |
| 32012 | information | system | LOG_ID_FIPS_LEAVE_ERR_MOD | action=exit-error-mode msg="System exiting out of error mode." | CC exiting error mode |
| 32014 | warning | system | LOG_ID_CS_LIC_EXPIRE | msg="FortiGuard customer support license will expire in [n] day(s)" | FortiGuard customer support license expiring |
| 32015 | warning | system | LOG_ID_DISK_LOG_USAGE | msg="Log disk is [n]% full" | Log full |
| 32018 | emergency | system | LOG_ID_FIPS_ENTER_ERR_MOD | action=error-mode reason=[s] msg="System enters error-mode due to [s]" | FIPS error mode |
| 32020 | warning | system | LOG_ID_SSH_CORRPUT_MAC | ui=https msg="Corrupted MAC packet detected" | Corrupted MAC detected |
| 32021 | alert | system | LOG_ID_ADMIN_LOGIN_DISABLE | ui=[s] action=login status=failed reason=exceed_limit msg="Login disabled from IP [s] for [n] seconds because of [n] bad attempts" | Admin login disabled |
| 32022 | notice | system | LOG_ID_VDOM_ENABLED | user="[s]" ui=[s] msg="User [s] enabled virtual domain [s] from [s]" | vdom enabled |
| 32023 | warning \| information | system | LOG_ID_MEM_LOG_FULL | msg="Memory log is [n]% full" | Log full |
| 32024 | notice | system | LOG_ID_ADMIN_PASSWD_EXPIRE | user="[s]" action=admin-password status=expired msg="Password of administrator [s] has expired." | Admin password expiry |
| 32026 | critical | system | LOG_ID_STORE_CONF_FAIL | Cannot store config due to first line error: require first line in file [s] from process [n] | Cannot store config due to first line error |
| 32027 | notice | system | LOG_ID_VIEW_LOG_SUCC | user="[s]" ui=[s] log=[s] msg="User [s] has viewed the disk logs from [s]" | User displayed disk logs |
| 32028 | information | system | LOG_ID_LOG_DEL_DIR | msg="System deleted directory [s]." | Log full |
| 32029 | information | system | LOG_ID_LOG_DEL_FILE | action=delete msg="System deleted log file [s]" | Log deleted |
32030 notice system LOG_ID_SEND_FDS_STAT user="[s]" ui=[s]
action=send-fds-stats
msg="User [s] requested to
send FDS statistics from
[s]"
send fds stats
32035 notice system LOG_ID_VDOM_DISABLED user="[s]" ui=[s] msg="User
[s] disabled virtual domain
[s] from [s]"
vdom disabled
32045 warning system LOG_ID_MGR_LIC_EXPIRE msg="FortiGuard
management service
license will expire in [n]
day(s)"
FortiGuard management
service license expiring
32048 warning system LOG_ID_SCHEDULE_EXPIRE msg="onetime schedule [s]
will expire in [n] day(s)"
onetime schedule expiring
32051 notice system LOG_ID_LOG_UPLOAD ui=[s] action=upload
status=start msg="Start
uploading disk logs to [s]
from vdom [s]."
Log uploading
32086 warning system LOG_ID_ENTER_
TRANSPARENT
user=[s] ui=lcd action=[s]
status=success
msg="System has been
changed to transparent
mode LCD via LCD"
System has been changed to
transparent mode LCD via LCD
32087 warning system LOG_ID_ENTER_NAT user=[s] ui=lcd action=[s]
status=success
msg="System has been
changed to NAT mode LCD
via LCD"
System has been changed to
NAT mode LCD via LCD
32095 warning system LOG_ID_GUI_CHG_SUB_
MODULE
user="[s]" ui=[s] action=[s]
status=[s] msg="[s] by user
[s] via [s]"
A user has performed an action
to the firewall via GUI. The
action can be one of the
followings: reboot, shutdown,
reload, backup, factory_reset,
restore, upgrade,switch_mode,
download, upload, clear_mlog,
del_log, update, downgrade,
del_session, bootup
32096 warning system LOG_ID_GUI_DOWNLOAD_
LOG
user="[s]" ui=[s] action=[s]
status=[s] hash=[s] file=[s]
msg="[s] by user [s] via [s]"
A user has downloaded a
logging file from the firewall via
GUI
32100 warning system LOG_ID_FORTI_TOKEN_SYNC
user="[s]" action=token_sync
msg="User [s]
synchronized his/her
FortiToken"
FortiToken synchronization
32101 notice system LOG_ID_LCD_CHG_CONF user="[s]" ui=[s] msg="[s]
by [s]"
Administrator has changed
configuration from LCD
32102 unknown system LOG_ID_CHG_CONFIG user="[s]" ui=[s]
module="[s]"
submodule="[s]" msg="[s]
made a change from [s]:[s]"
A user has changed the
configuration
32103 notice system LOG_ID_NEW_FIRMWARE user=system
action=firmware
status=new msg="New
firmware is available from
FortiGuard"
New firmware is available from
FortiGuard
32120 notice system LOG_ID_RPT_ADD_DATASET user="[s]" ui=[s] name="[s]"
msg="User [s] added a
report dataset [s] from [s]"
Report Dataset is added
32122 notice system LOG_ID_RPT_DEL_DATASET user="[s]" ui=[s] name="[s]"
msg="User [s] delete a
report dataset [s] from [s]"
A report dataset is deleted
32123 notice system LOG_ID_RPT_ADD_LAYOUT_ITEM
user="[s]" ui=[s] name="[n]"
msg="User [s] added a
report summary entry [n]
from [s]"
Report summary entry is
added
32124 notice system LOG_ID_RPT_DEL_LAYOUT_ITEM
user="[s]" ui=[s] name="[n]"
msg="User [s] delete a
report summary entry [n]
from [s]"
A report summary entry is
deleted
32125 notice system LOG_ID_RPT_ADD_CHART user="[s]" ui=[s] name="[s]"
msg="User [s] added a
report chart widget [s] from
[s]"
Report Chart widget is added
32126 notice system LOG_ID_RPT_DEL_CHART user="[s]" ui=[s] name="[s]"
msg="User [s] delete a
report chart widget [s] from
[s]"
A report chart widget is deleted
32129 notice system LOG_ID_ADD_GUEST user="[s]" ui=[s] name="[s]"
status=[s] msg="User [s]
added guest user [s] from
[s]"
A new guest user is added
32130 notice system LOG_ID_CHG_USER user="[s]" ui=[s] name="[s]"
old_status=[s] new_status=[s]
passwd=[s]
msg="User [s] changed
local user [s] setting from
[s]"
A local user's setting is
changed
32131 notice system LOG_ID_DEL_GUEST user="[s]" ui=[s] name="[s]"
status=[s] msg="User [s]
deleted guest user [s] from
[s]"
A guest user is deleted
32132 notice system LOG_ID_ADD_USER user="[s]" ui=[s] name="[s]"
status=[s] msg="User [s]
added local user [s] from
[s]"
A new local user is added
32138 critical system LOG_ID_REBOOT device is rebooted
32139 critical | warning | notice system LOG_ID_UPD_SIGN_DB user="[s]" ui=[s]
action=update msg="User
[s] requested a geoip object
update from [s]"
Update src-vis object.
32140 notice system 32140 user="[s]" ui=[s]
field=date-time msg="The
[s] ntp server, [s]([s]), is
determined [s] at [s]"
ntp server status change
32142 alert | error | warning | notice system LOG_ID_BACKUP_CONF action=backup
status=success
msg="Configuration
backed up to flash disk
after system upgrading"
backup configuration
32143 critical system 32143 user="[s]" ui="[s]"
action=update-image
msg="User [s] loaded a
wrong layout image from
[s]."
update image
32148 notice system LOG_ID_GET_CRL user="[s]" ui=[s]
action=crl-update crl=[s]
msg="User [s] requested a
CRL update from [s]"
get CRL
32149 notice system LOG_ID_COMMAND_FAIL user="[s]" ui=[s] ret=[n]
msg="Command failed:'[s]'
Return code [n]: [s]"
command failure
32151 notice system LOG_ID_ADD_IP6_LOCAL_POL
[s] A new ipv6 firewall local in
policy is added
32152 notice system LOG_ID_CHG_IP6_LOCAL_POL
[s] A ipv6 firewall local in policy's
setting is changed
32153 notice system LOG_ID_DEL_IP6_LOCAL_POL
[s] A ipv6 firewall local in policy is
deleted
32155 notice system LOG_ID_ACT_FTOKEN_REQ user="[s]" ui=[s]
action=fortitoken-activate
serialno=[s] msg="User [s]
has requested to activate
FortiToken [s]."
Activate FortiToken
32156 notice system LOG_ID_ACT_FTOKEN_SUCC
action=fortitoken-activate
serialno=[s] status=success
msg="Activation of
FortiToken [s] succeeded."
Activate FortiToken
32157 notice system LOG_ID_SYNC_FTOKEN_SUCC
user="[s]" ui=[s]
action=fortitoken-synchronize
serialno=[s]
status=success
msg="Administrator [s]
resynchronized FortiToken
[s] successfully."
Synchronize FortiToken
32158 notice system LOG_ID_SYNC_FTOKEN_FAIL
user="[s]" ui=[s]
action=fortitoken-synchronize
serialno=[s] status=failed
msg="Administrator [s]
failed to resynchronize
FortiToken [s], because [s]."
Synchronize FortiToken
32159 notice system LOG_ID_ACT_FTOKEN_FAIL action=fortitoken-activate
serialno=[s] status=failed
msg="Activation of
FortiToken [s] failed,
because [s]."
Activate FortiToken
32168 notice system LOG_ID_REACH_VDOM_LIMIT
user="[s]" ui=[s]
msg="Adding new entry
failed: vdom property limit
has been reached when
user [s] adds [s].[s] from [s]"
adding new entry failed
32170 alert system LOG_ID_ALARM_MSG action=alarm alarmid=[n]
groupid=[n] msg="[s]"
alarm
32171 alert system LOG_ID_ALARM_ACK user="[s]" ui=[s]
action=alarm-ack
alarmid=[n] acktime="[s]"
msg="[s]"
alarm ack
32172 notice system LOG_ID_ADD_IP4_LOCAL_POL
[s] A new firewall local in policy is
added
32173 notice system LOG_ID_CHG_IP4_LOCAL_POL
[s] A firewall local in policy's
setting is changed
32174 notice system LOG_ID_DEL_IP4_LOCAL_POL
[s] A firewall local in policy is
deleted
32188 warning system LOG_ID_SSL_PROXY_CA_INIT_FAIL
msg="SSL Proxy CA
initialization failed"
[s]
32200 critical system LOG_ID_SHUTDOWN user="[s]" ui=[s]
action=shutdown
msg="User [s] shutdown
the device from [s].[s]"
shutdown device
32201 critical system LOG_ID_LOAD_IMG_SUCC user="[s]" ui=[s]
action=loaded-image
msg="User [s] loaded the
image from [s], the new
image does not support CC
mode."
loaded an image
32202 critical system LOG_ID_RESTORE_IMG user="[s]" ui=[s]
action=restore-image
msg="User [s] restored the
image from [s] ([s],build[s]
-> [s],build[s])"
restore the image
32203 critical | warning | notice system LOG_ID_RESTORE_CONF user="[s]" ui=[s]
action=restore-configuration
msg="User [s] restored
the configuration from [s]"
restore the configuration
32204 critical | notice system LOG_ID_RESTORE_FGD_SVR
user="[s]" ui=[s] action=[s]
msg="User [s] restored [s]
file from [s]"
restore the fortiguard service
32205 critical | notice system LOG_ID_RESTORE_VDOM_LIC
user="[s]" ui=[s] action=[s]
msg="User [s] restored [s]
file from [s]"
restore VM license
32206 warning system LOG_ID_RESTORE_SCRIPT user="system"
action=restore-script
msg="System restored
script [s] from management
station"
restore script
32207 warning system LOG_ID_RETRIEVE_CONF_LIST
user="[s]" ui=[s]
action=retrieve-[s]
msg="User [s] failed to
retrieve the [s] list from
management station"
retrieve configuration list failure
32208 critical system LOG_ID_IMP_PKCS12_CERT user="[s]" ui=[s]
action=import-certificate
msg="User [s] imported the
certificate from [s]"
import the pkcs12 certificate
32209 critical | notice system LOG_ID_RESTORE_USR_DEF_IPS
user="[s]" ui=[s]
action=restore-ips-signature
status=success
msg="Administrator [s]
restored the user-defined
IPS signatures from [s]"
restore the user-defined IPS
signatures
32210 notice system LOG_ID_BACKUP_IMG user="[s]" ui=[s]
action=backup
status=success
msg="Firmware image
backed up to flash disk for
system [s]"
backup image
32211 notice system LOG_ID_UPLOAD_REVISION user="[s]" ui=[s]
action=upload
status=success msg="User
[s] upload the [s] from [s] to
flash disk"
upload revision
32212 notice system LOG_ID_DEL_REVISION action=delete
status=success
msg="[s]:[n] has been
deleted from revision data
base"
revision DB deletion
32213 warning system LOG_ID_RESTORE_TEMPLATE
user="system"
action=restore-cfg
msg="System restored [s]
file [s] from management
station"
restore template
32214 warning system LOG_ID_RESTORE_FILE user="system"
action=restore-[s]
msg="System failed to
restore [s] file [s] from
management station"
restore failure
32215 critical system LOG_ID_UPT_IMG user="[s]" ui="[s]"
action=update-image
msg="User [s] loaded a
wrong image from [s]."
update image
32217 warning | notice system LOG_ID_UPD_IPS user="[s]" ui="[s]"
action=update msg="User
[s] has updated IPS
package by SCP"
A user has updated the IPS
package by SCP
32218 warning system LOG_ID_UPD_DLP user="[s]"
ui="Fortimanager"
action=update msg="User
[s] failed to update DLP
fingerprint database by
SCP"
A user failed to update the
DLP fingerprint database by
SCP
32219 warning system LOG_ID_BACKUP_OUTPUT user="[s]" ui="[s]"
action=backup msg="User
[s] backed up the result of
batch mode commands by
SCP"
A user has backed up the
result of standardized error
output by SCP
32220 warning system LOG_ID_BACKUP_COMMAND
user="[s]" ui="[s]"
action=backup msg="User
[s] backed up the result of
batch mode commands by
SCP"
A user has backed up the
result of batch mode
commands by SCP
32221 warning system LOG_ID_UPD_VDOM_LIC user="[s]" ui="[s]"
action=update msg="User
[s] has installed VM license
by SCP"
A user has installed the VM
license by SCP
32222 notice system LOG_ID_GLB_SETTING_CHG user="[s]" ui=[s]
field=virtual-domain
action=[s] msg="User [s]
changed global setting from
[s]"
global setting change
32223 error | notice system LOG_ID_BACKUP_USER_DEF_IPS
user="[s]" ui=[s]
action=backup
status=failure
msg="Administrator [s]
failed to back up the
user-defined IPS signatures
from [s]"
backup the user-defined IPS
signatures failure
32224 notice system LOG_ID_BACKUP_LOG user="[s]" ui=[s]
action=backup msg="User
[s] backed up [s] log from
[s]"
backup log
32225 notice system LOG_ID_DEL_ALL_REVISION action=delete
status=success
msg="[s]:revision data base
corruption detected, reset."
revision DB clearance
32226 critical system LOG_ID_LOAD_IMG_FAIL user="[s]" ui=[s]
action=loaded-image
status=failure msg="User
[s] loaded a wrong image
from [s]."
loaded an image
32240 critical system LOG_ID_SYS_USB_MODE action=reboot
status=success
msg="System is rebooted
and operating in USB mode
with configurations loaded
from USB (read-only)"
System is operating in USB
mode
32252 critical system LOG_ID_FACTORY_RESET user="[s]" ui=[s]
action=factory-reset
msg="User [s] reset to the
factory settings from [s]"
factory reset
32253 critical system LOG_ID_FORMAT_RAID user="[s]" ui=[s]
action=format-rebuild-level
msg="User [s] formatted
the RAID disk from [s]"
config raid
32254 critical system LOG_ID_ENABLE_RAID user="[s]" ui=[s]
action=enable-raid
msg="User [s] enabled
RAID from [s]"
config raid
32255 critical system LOG_ID_DISABLE_RAID user="[s]" ui=[s]
action=disable-raid
msg="User [s] disabled
RAID from [s]"
config raid
32300 notice system LOG_ID_UPLOAD_RPT_IMG user="[s]" ui=[s] status=[s]
action=upload-report-image
reason="[s]" msg="User
'[s]' [s] upload the report
image file '[s]' from [s]([s])"
upload the report image file
32301 notice system LOG_ID_ADD_VDOM user="[s]" ui=[s]
action=add-vdom
msg="Virtual domain [s] is
added"
Vdom is added
32302 notice system LOG_ID_DEL_VDOM user="[s]" ui=[s]
action=del-vdom
msg="Virtual domain [s] is
deleted"
Vdom is deleted
32340 critical system LOG_ID_LOG_DISK_UNAVAIL msg="Log disk is
unavailable"
Log disk is unavailable
32341 notice system LOG_ID_LOG_DISK_DEFAULT_DISABLED
msg="Disk log status
changed to disabled in
upgrade process."
disk log status changed
32400 alert system LOG_ID_CONF_CHG user="[s]" ui=[s]
msg="Configuration is
changed in the admin
session"
config changed
32545 critical system LOG_ID_SYS_RESTART user=none ui=none
action=reboot
msg="System will reboot
due to scheduled daily
restart."
System restart
32546 warning system LOG_ID_APPLICATION_CRASH
action=crash msg="Pid: [s],
application: [s], Firmware:
[s], Signal [n] received,
Backtrace:[s]"
Application crash
35001 notice system LOG_ID_HA_SYNC_VIRDB msg="HA slave sync
virdb([s]) [s]"
HA slave sync virdb
35002 notice system LOG_ID_HA_SYNC_ETDB msg="HA slave sync
etdb([s]) [s]"
HA slave sync etdb
35003 notice system LOG_ID_HA_SYNC_EXDB msg="HA slave sync
exdb([s]) [s]"
HA slave sync exdb
35004 notice system LOG_ID_HA_SYNC_FLDB msg="HA slave sync
fldb([s]) [s]"
HA slave sync fldb
35005 notice system LOG_ID_HA_SYNC_IPS msg="HA slave sync ids([s])
package [s]"
HA slave sync ids package
35007 notice system LOG_ID_HA_SYNC_AV msg="HA slave sync AV([s])
package [s]"
HA slave sync AV package
35008 notice system LOG_ID_HA_SYNC_VCM msg="HA slave sync
VCM([s]) package [s]"
HA slave sync VCM package
35009 notice system LOG_ID_HA_SYNC_CID msg="HA slave sync
CID([s]) package [s]"
HA slave sync CID package
35010 error system LOG_ID_HA_SYNC_FAIL msg="HA slave sync failed
in [n] turns"
HA slave sync failed
36880 warning system LOG_ID_EVENT_SYSTEM_MAC_HOST_STORE_LIMIT
msg="Number of detected
user devices exceeds limit
that can be persistently
stored. Detected [n]; can
save [n]."
user device data store limit
37124 error vpn MESGID_NEG_I_P1_ERROR msg="IPsec phase 1 error"
action=[s] remip=[s]
locip=[s] remport=[n]
locport=[n] outintf=[s]
cookies="[s]" user="[s]"
group="[s]" xauthuser="[s]"
xauthgroup="[s]"
vpntunnel="[s]" status=[s]
error_reason="[s]"
peer_notif="[s]"
IPsec phase 1 error log
37125 error vpn MESGID_NEG_I_P2_ERROR msg="IPsec phase 2 error"
action=[s] remip=[s]
locip=[s] remport=[n]
locport=[n] outintf=[s]
cookies="[s]" user="[s]"
group="[s]" xauthuser="[s]"
xauthgroup="[s]"
vpntunnel="[s]" status=[s]
error_reason="[s]"
IPsec phase 2 error log
37126 error vpn MESGID_NEG_NO_STATE_ERROR
msg="IPsec no state error"
action=[s] remip=[s]
locip=[s] remport=[n]
locport=[n] outintf=[s]
cookies="[s]" user="[s]"
group="[s]" xauthuser="[s]"
xauthgroup="[s]"
vpntunnel="[s]" status=[s]
error_reason="[s]"
IPsec no state error log
37133 notice vpn MESGID_INSTALL_SA msg="install IPsec SA"
action=[s] remip=[s]
locip=[s] remport=[n]
locport=[n] outintf=[s]
cookies="[s]" user="[s]"
group="[s]" xauthuser="[s]"
xauthgroup="[s]"
vpntunnel="[s]" role=[s]
in_spi="[s]" out_spi="[s]"
install IPsec SA log
37134 notice vpn MESGID_DELETE_P1_SA msg="delete IPsec phase 1
SA" action=[s] remip=[s]
locip=[s] remport=[n]
locport=[n] outintf=[s]
cookies="[s]" user="[s]"
group="[s]" xauthuser="[s]"
xauthgroup="[s]"
vpntunnel="[s]"
delete IPsec phase 1 SA log
37135 notice vpn MESGID_DELETE_P2_SA msg="delete IPsec phase 2
SA" action=[s] remip=[s]
locip=[s] remport=[n]
locport=[n] outintf=[s]
cookies="[s]" user="[s]"
group="[s]" xauthuser="[s]"
xauthgroup="[s]"
vpntunnel="[s]"
enc_spi="[s]" dec_spi="[s]"
delete IPsec phase 2 SA log
37136 error vpn MESGID_DPD_FAILURE msg="IPsec DPD failure"
action=[s] remip=[s]
locip=[s] remport=[n]
locport=[n] outintf=[s]
cookies="[s]" user="[s]"
group="[s]" xauthuser="[s]"
xauthgroup="[s]"
vpntunnel="[s]" status=[s]
IPsec DPD failure log
37137 error vpn MESGID_CONN_FAILURE msg="IPsec connection
failure" action=[s] remip=[s]
locip=[s] remport=[n]
locport=[n] outintf=[s]
cookies="[s]" user="[s]"
group="[s]" xauthuser="[s]"
xauthgroup="[s]"
vpntunnel="[s]" status=[s]
IPsec connection failure log
37138 notice vpn MESGID_CONN_UPDOWN msg="IPsec connection
status change" action=[s]
remip=[s] locip=[s]
remport=[n] locport=[n]
outintf=[s] cookies="[s]"
user="[s]" group="[s]"
xauthuser="[s]"
xauthgroup="[s]"
vpntunnel="[s]" tunnelip=[s]
tunnelid=[n]
tunneltype="ipsec"
duration=[n] sent=[n]
rcvd=[n] nextstat=[n]
tunnel="[s]"
IPsec connection status
change log
37139 notice vpn MESGID_P2_UPDOWN msg="IPsec phase 2 status
change" action=[s]
remip=[s] locip=[s]
remport=[n] locport=[n]
outintf=[s] cookies="[s]"
user="[s]" group="[s]"
xauthuser="[s]"
xauthgroup="[s]"
vpntunnel="[s]"
phase2_name=[s]
IPsec phase 2 status change
log
37140 notice vpn MESGID_AUTO_IPSEC msg="auto-ipsec status
change" action=[s]
remip=[s] locip=[s]
remport=[n] locport=[n]
outintf=[s] cookies="[s]"
user="[s]" group="[s]"
xauthuser="[s]"
xauthgroup="[s]"
vpntunnel="[s]" status=[s]
reason="[s]"
auto-ipsec status log
37141 notice vpn MESGID_CONN_STATS msg="IPsec tunnel
statistics" action=[s]
remip=[s] locip=[s]
remport=[n] locport=[n]
outintf=[s] cookies="[s]"
user="[s]" group="[s]"
xauthuser="[s]"
xauthgroup="[s]"
vpntunnel="[s]" tunnelip=[s]
tunnelid=[n]
tunneltype="[s]"
duration=[n] sent=[n]
rcvd=[n] nextstat=[n]
tunnel="[s]"
IPsec tunnel statistics log
37188 error vpn MESGID_NEG_I_P1_ERROR_IKEV2
msg="IPsec phase 1 error"
action=[s] remip=[s]
locip=[s] remport=[n]
locport=[n] outintf=[s]
cookies="[s]" user="[s]"
group="[s]" vpntunnel="[s]"
status=[s]
error_reason="[s]"
IPsec phase 1 error log
37189 error vpn MESGID_NEG_I_P2_ERROR_IKEV2
msg="IPsec phase 2 error"
action=[s] remip=[s]
locip=[s] remport=[n]
locport=[n] outintf=[s]
cookies="[s]" user="[s]"
group="[s]" vpntunnel="[s]"
status=[s]
error_reason="[s]"
IPsec phase 2 error log
37190 error vpn MESGID_NEG_NO_STATE_ERROR_IKEV2
msg="IPsec no state error"
action=[s] remip=[s]
locip=[s] remport=[n]
locport=[n] outintf=[s]
cookies="[s]" user="[s]"
group="[s]" vpntunnel="[s]"
status=[s]
error_reason="[s]"
IPsec no state error log
37197 notice vpn MESGID_INSTALL_SA_IKEV2 msg="install IPsec SA"
action=[s] remip=[s]
locip=[s] remport=[n]
locport=[n] outintf=[s]
cookies="[s]" user="[s]"
group="[s]" vpntunnel="[s]"
role=[s] in_spi="[s]"
out_spi="[s]"
install IPsec SA log
37198 notice vpn MESGID_DELETE_P1_SA_IKEV2
msg="delete IPsec phase 1
SA" action=[s] remip=[s]
locip=[s] remport=[n]
locport=[n] outintf=[s]
cookies="[s]" user="[s]"
group="[s]" vpntunnel="[s]"
delete IPsec phase 1 SA log
37199 notice vpn MESGID_DELETE_P2_SA_IKEV2
msg="delete IPsec phase 2
SA" action=[s] remip=[s]
locip=[s] remport=[n]
locport=[n] outintf=[s]
cookies="[s]" user="[s]"
group="[s]" vpntunnel="[s]"
enc_spi="[s]" dec_spi="[s]"
delete IPsec phase 2 SA log
37200 error vpn MESGID_DPD_FAILURE_IKEV2
msg="IPsec DPD failure"
action=[s] remip=[s]
locip=[s] remport=[n]
locport=[n] outintf=[s]
cookies="[s]" user="[s]"
group="[s]" vpntunnel="[s]"
status=[s]
IPsec DPD failure log
37201 error vpn MESGID_CONN_FAILURE_IKEV2
msg="IPsec connection
failure" action=[s] remip=[s]
locip=[s] remport=[n]
locport=[n] outintf=[s]
cookies="[s]" user="[s]"
group="[s]" vpntunnel="[s]"
status=[s]
IPsec connection failure log
37202 notice vpn MESGID_CONN_UPDOWN_IKEV2
msg="IPsec connection
status change" action=[s]
remip=[s] locip=[s]
remport=[n] locport=[n]
outintf=[s] cookies="[s]"
user="[s]" group="[s]"
vpntunnel="[s]" tunnelip=[s]
tunnelid=[n]
tunneltype="ipsec"
duration=[n] sent=[n]
rcvd=[n] nextstat=[n]
tunnel="[s]"
IPsec connection status
change log
37203 notice vpn MESGID_P2_UPDOWN_IKEV2
msg="IPsec phase 2 status
change" action=[s]
remip=[s] locip=[s]
remport=[n] locport=[n]
outintf=[s] cookies="[s]"
user="[s]" group="[s]"
vpntunnel="[s]"
phase2_name="[s]"
IPsec phase 2 status change
log
37204 notice vpn MESGID_CONN_STATS_IKEV2
msg="IPsec tunnel
statistics" action=[s]
remip=[s] locip=[s]
remport=[n] locport=[n]
outintf=[s] cookies="[s]"
user="[s]" group="[s]"
vpntunnel="[s]" tunnelip=[s]
tunnelid=[n]
tunneltype="[s]"
duration=[n] sent=[n]
rcvd=[n] nextstat=[n]
tunnel="[s]"
IPsec tunnel statistics log
37888 notice system MESGID_HA_GROUP_DELETE
msg="HA group is deleted"
ha_group=[n]
HA group delete log
37889 notice system MESGID_VC_DELETE msg="Virtual cluster is
deleted" vcluster=[n]
Virtual cluster delete log
37890 notice system MESGID_VC_MOVE_VDOM msg="Virtual cluster's
vdom is moved"
from_vcluster=[n] to_vcluster=[n]
vdname="[s]"
Virtual cluster move vdom log
37891 notice system MESGID_VC_ADD_VDOM msg="Virtual cluster's
vdom is added"
to_vcluster=[n] vdname="[s]"
Virtual cluster add vdom log
37892 notice system MESGID_VC_MOVE_MEMB_STATE
Virtual cluster move member
state log
37893 notice system MESGID_VC_DETECT_MEMB_DEAD
msg="Virtual cluster
detected member dead"
vcluster=[n] ha_group=[n]
sn="[s]"
Virtual cluster detect member
dead log
37894 notice system MESGID_VC_DETECT_MEMB_JOIN
msg="Virtual cluster
detected member join"
vcluster=[n] ha_group=[n]
sn="[s]"
Virtual cluster detect member
join log
37895 notice system MESGID_VC_ADD_HADEV msg="Virtual cluster add
HA device" vcluster=[n]
devintfname="[s]"
Virtual cluster add HA
device(interface) log
37896 notice system MESGID_VC_DEL_HADEV msg="Virtual cluster delete
HA device(interface)"
vcluster=[n]
devintfname="[s]"
Virtual cluster delete HA
device(interface) log
37897 notice system MESGID_HADEV_READY msg="HA device(interface)
ready" ha_role=[s]
devintfname="[s]"
HA device(interface) ready log
37898 warning system MESGID_HADEV_FAIL msg="HA device(interface)
fail" ha_role=[s]
devintfname="[s]"
HA device(interface) fail log
37899 notice system MESGID_HADEV_PEERINFO msg="HA device(interface)
peerinfo" ha_role=[s]
devintfname="[s]"
HA device(interface) peerinfo
log
37900 notice system MESGID_HBDEV_DELETE msg="Heartbeat
device(interface) delete"
devintfname="[s]"
Heartbeat device(interface)
delete log
37901 critical system MESGID_HBDEV_DOWN msg="Heartbeat
device(interface) down"
ha_role=[s] hbdn_reason="[s]"
devintfname="[s]"
Heartbeat device(interface)
down log
37902 information system MESGID_HBDEV_UP msg="Heartbeat
device(interface) up"
ha_role=[s] devintfname="[s]"
Heartbeat device(interface) up
log
37903 information system MESGID_SYNC_STATUS msg="The sync status with
the master" sync_type=[s]
sync_status="[s]"
The sync status with the
master log
37904 information system MESGID_HA_ACTIVITY msg="HA activity report"
ip=[s] ha-prio=[n]
activity="[s]"
HA activity report log
38010 alert user LOG_ID_FIPS_ENCRY_FAIL user="[s]" ui=[s]
action=encryption
cipher=aes-128-cbc
status=failed msg="EVP
encryption failed"
Encryption failed
38011 alert user LOG_ID_FIPS_DECRY_FAIL user="[s]" ui=[s]
action=decryption
cipher=aes-128-cbc
status=failed msg="EVP
decryption failed"
Decryption failed
38012 notice user LOG_ID_ENTROPY_TOKEN user=system
action=seeding
msg="Seeding PRNG from
entropy token"
Seeding from entropy token
38031 notice user LOG_ID_FSSO_LOGON user="[s]" src=[n].[n].[n].[n]
server="[s]"
action=FSSO-polling-logon
status=success
reason="[s]"
msg="FSSO-polling-logon
event from [s]: user [s]
logged on [n].[n].[n].[n]"
authentication information
38032 notice user LOG_ID_FSSO_LOGOFF user="[s]" src=[n].[n].[n].[n]
server="[s]"
action=FSSO-polling-logoff
status=success
reason="[s]"
msg="FSSO-polling-logoff
event from [s]: user [s]
logged off [n].[n].[n].[n]"
authentication information
38033 notice user LOG_ID_FSSO_SVR_STATUS user="[s]" server="[s]"
action=FSSO-polling-AD-server
msg="FSSO-polling-AD-server
status changes: [s] ->
[s]"
authentication information
38400 notice system LOGID_EVENT_NOTIF_SEND_SUCC
user="[s]" from="[s]"
to="[s]" service="[s]"
proto=[s] dst=[s] dport=[n]
nf_type=[s] virus="[s]"
profile="[s]"
profiletype="[s]"
profilegroup="[s]" count=[n]
duration=[n]
msg="Successfuly sent a
notification message."
The system successfully sent a
notification message log
38401 warning system LOGID_EVENT_NOTIF_SEND_FAIL
user="[s]" from="[s]"
to="[s]" service="[s]"
proto=[s] dst=[s] dport=[n]
nf_type=[s] virus="[s]"
profile="[s]"
profiletype="[s]"
profilegroup="[s]" count=[n]
duration=[n] msg="Unable
to send notification
message."
sess_duration=[n]
The system was unable to
send a notification message
log
38402 notice system LOGID_EVENT_NOTIF_DNS_FAIL
hostname="[s]"
service="[s]" profile="[s]"
profiletype="[s]"
profile_vd="[s]" msg="Unable to
resolve hostname."
The system was unable to
resolve an MMSC hostname
log
38403 notice system LOGID_EVENT_NOTIF_INSUFFICIENT_RESOURCE
msg="[s] ([s])" Insufficient resource
38404 notice system LOGID_EVENT_NOTIF_HOSTNAME_ERROR
hostname="[s]" msg="[s]" Unable to resolve FortiGuard
hostname
38405 notice system LOGID_NOTIF_CODE_SENDTO_SMS_PHONE
user="[s]"
action=send-activation-code
msg="Send token [s]
activation code [s] to [s]"
send activation code
38406 notice system LOGID_NOTIF_CODE_SENDTO_SMS_TO
user="[s]"
action=send-activation-code
msg="Send token [s]
activation code [s] to [s]"
send activation code
38407 notice system LOGID_NOTIF_CODE_SENDTO_EMAIL
user="[s]"
action=send-activation-code
msg="Send token [s]
activation code [s] to [s]"
send activation code
38408 information system LOGID_EVENT_OFTP_SSL_CONNECTED
dst=[n].[n].[n].[n] dstport=[n]
action=connect
status=success msg="SSL
connection to [n].[n].[n].[n]
is successfully
established."
SSL connection established.
38409 information system LOGID_EVENT_OFTP_SSL_DISCONNECTED
dst=[n].[n].[n].[n] dstport=[n]
action=disconnect
status=success msg="SSL
connection to [n].[n].[n].[n]
is successfully closed."
SSL connection closed.
38410 information system LOGID_EVENT_OFTP_SSL_FAILED
dst=[n].[n].[n].[n] dstport=[n]
reason="[s]([n])"
action=connect
status=failure msg="SSL
read to [n].[n].[n].[n] has
failed."
SSL connection failure.
38656 notice user LOGID_EVENT_RAD_RPT_PROTO_ERROR
count=[n] duration=[n]
msg="[s]"
RADIUS
protocol/profile/context error,
missing stop
packet, accounting or other
report log
38657 notice user LOGID_EVENT_RAD_RPT_PROF_NOT_FOUND
count=[n] duration=[n]
msg="[s]"
RADIUS
protocol/profile/context error,
missing stop
packet, accounting or other
report log
38658 notice user LOGID_EVENT_RAD_RPT_CTX_NOT_FOUND
count=[n] duration=[n]
msg="[s]"
RADIUS
protocol/profile/context error,
missing stop
packet, accounting or other
report log
38659 notice user LOGID_EVENT_RAD_RPT_ACCT_STOP_MISSED
count=[n] duration=[n]
msg="[s]"
RADIUS
protocol/profile/context error,
missing stop
packet, accounting or other
report log
38660 notice user LOGID_EVENT_RAD_RPT_ACCT_EVENT
count=[n] duration=[n]
msg="[s]"
RADIUS
protocol/profile/context error,
missing stop
packet, accounting or other
report log
38661 notice user LOGID_EVENT_RAD_RPT_OTHER
count=[n] duration=[n]
msg="[s]"
RADIUS
protocol/profile/context error,
missing stop
packet, accounting or other
report log
38662 notice user LOGID_EVENT_RAD_STAT_PROTO_ERROR
carrier_ep="[s]" ip=[s]
rsso_key="[s]" msg="[s]"
acct_stat=[s] reason="[s]"
RADIUS protocol errors
occurred log
38663 notice user LOGID_EVENT_RAD_STAT_PROF_NOT_FOUND
carrier_ep="[s]" ip=[s]
rsso_key="[s]" msg="[s]"
acct_stat=[s] reason="[s]"
RADIUS start or interim-update
packet received with missing or
invalid profile specified
38664 notice user LOGID_EVENT_RAD_STAT_CTX_NOT_FOUND
carrier_ep="[s]" ip=[s]
rsso_key="[s]" msg="[s]"
RADIUS no context found for
user
38665 notice user LOGID_EVENT_RAD_STAT_ACCT_STOP_MISSED
carrier_ep="[s]" ip=[s]
rsso_key="[s]" msg="[s]"
acct_stat=[s] reason="[s]"
RADIUS stop packet was
missed
38666 notice user LOGID_EVENT_RAD_STAT_ACCT_EVENT
carrier_ep="[s]" ip=[s]
rsso_key="[s]" msg="[s]"
acct_stat=[s] reason="[s]"
RADIUS accounting event
38667 notice user LOGID_EVENT_RAD_STAT_OTHER
carrier_ep="[s]" ip=[s]
rsso_key="[s]" msg="[s]"
acct_stat=[s] reason="[s]"
count=[n]
RADIUS other dynamic profile
event
39424 unknown vpn LOG_ID_EVENT_SSL_VPN_USER_TUNNEL_UP
action="[s]"
tunneltype="[s]" tunnel_id=[n]
remote_ip=[s] tunnel_ip=[s]
user="[s]" group="[s]"
[s][s][s] reason="[s]"
msg="[s]"
SSL user event log
39425 unknown vpn LOG_ID_EVENT_SSL_VPN_USER_TUNNEL_DOWN
action="[s]"
tunneltype="[s]" tunnel_id=[n]
remote_ip=[s] tunnel_ip=[s]
user="[s]" group="[s]"
[s][s][s] reason="[s]"
duration=[n] sent=[n]
rcvd=[n] msg="[s]"
SSL user event log
39426 unknown vpn LOG_ID_EVENT_SSL_VPN_USER_SSL_LOGIN_FAIL
action="[s]"
tunneltype="[s]" tunnel_id=[n]
remote_ip=[s] tunnel_ip=[s]
user="[s]" group="[s]"
[s][s][s] reason="[s]"
msg="[s]"
SSL user event log
39936 unknown vpn LOG_ID_EVENT_SSL_VPN_SESSION_WEB_TUNNEL_STATS
action="[s]"
tunneltype="[s]" tunnel_id=[n]
remote_ip=[s] tunnel_ip=[s]
user="[s]" group="[s]"
[s][s][s] next_stats=[n]
duration=[n] sent=[n]
rcvd=[n] msg="[s]"
SSL user event log
39937 unknown vpn LOG_ID_EVENT_SSL_VPN_SESSION_WEBAPP_DENY
action="[s]"
tunneltype="[s]" tunnel_id=[n]
remote_ip=[s] tunnel_ip=[s]
user="[s]" group="[s]"
[s][s][s] app-type="[s]"
msg="[s]"
SSL user event log
39938 unknown vpn LOG_ID_EVENT_SSL_VPN_SESSION_WEBAPP_PASS
action="[s]"
tunneltype="[s]" tunnel_id=[n]
remote_ip=[s] tunnel_ip=[s]
user="[s]" group="[s]"
[s][s][s] app-type="[s]"
msg="[s]"
SSL user event log
39939 unknown vpn LOG_ID_EVENT_SSL_VPN_SESSION_WEBAPP_TIMEOUT
action="[s]"
tunneltype="[s]" tunnel_id=[n]
remote_ip=[s] tunnel_ip=[s]
user="[s]" group="[s]"
[s][s][s] app-type="[s]"
msg="[s]"
SSL user event log
39940 unknown vpn LOG_ID_EVENT_SSL_VPN_SESSION_WEBAPP_CLOSE
action="[s]"
tunneltype="[s]" tunnel_id=[n]
remote_ip=[s] tunnel_ip=[s]
user="[s]" group="[s]"
[s][s][s] app-type="[s]"
msg="[s]"
SSL user event log
39941 unknown vpn LOG_ID_EVENT_SSL_VPN_SESSION_SYS_BUSY
action="[s]"
tunneltype="[s]" tunnel_id=[n]
remote_ip=[s] tunnel_ip=[s]
user="[s]" group="[s]"
[s][s][s] reason="[s]"
msg="[s]"
SSL user event log
39942 unknown vpn LOG_ID_EVENT_SSL_VPN_SESSION_CERT_OK
action="[s]"
tunneltype="[s]" tunnel_id=[n]
remote_ip=[s] tunnel_ip=[s]
user="[s]" group="[s]"
[s][s][s] reason="[s]"
msg="[s]"
SSL user event log
39943 unknown vpn LOG_ID_EVENT_SSL_VPN_SESSION_NEW_CON
action="[s]"
tunneltype="[s]" tunnel_id=[n]
remote_ip=[s] tunnel_ip=[s]
user="[s]" group="[s]"
[s][s][s] reason="[s]"
msg="[s]"
SSL user event log
39944 unknown vpn LOG_ID_EVENT_SSL_VPN_SESSION_ALERT
action="[s]"
tunneltype="[s]" tunnel_id=[n]
remote_ip=[s] tunnel_ip=[s]
user="[s]" group="[s]"
[s][s][s] alert="[s]"
desc="[s]" msg="[s]"
SSL user event log
39945 unknown vpn LOG_ID_EVENT_SSL_VPN_SESSION_EXIT_FAIL
action="[s]"
tunneltype="[s]" tunnel_id=[n]
remote_ip=[s] tunnel_ip=[s]
user="[s]" group="[s]"
[s][s][s] reason="[s]"
msg="[s]"
SSL user event log
39946 unknown vpn LOG_ID_EVENT_SSL_VPN_SESSION_EXIT_ERR
action="[s]"
tunneltype="[s]" tunnel_id=[n]
remote_ip=[s] tunnel_ip=[s]
user="[s]" group="[s]"
[s][s][s] reason="[s]"
msg="[s]"
SSL user event log
39947 unknown vpn LOG_ID_EVENT_SSL_VPN_SESSION_TUNNEL_UP
action="[s]"
tunneltype="[s]" tunnel_id=[n]
remote_ip=[s] tunnel_ip=[s]
user="[s]" group="[s]"
[s][s][s] reason="[s]"
msg="[s]"
SSL user event log
39948 unknown vpn LOG_ID_EVENT_SSL_VPN_SESSION_TUNNEL_DOWN
action="[s]"
tunneltype="[s]" tunnel_id=[n]
remote_ip=[s] tunnel_ip=[s]
user="[s]" group="[s]"
[s][s][s] reason="[s]"
duration=[n] sent=[n]
rcvd=[n] msg="[s]"
SSL user event log
39949 unknown vpn LOG_ID_EVENT_SSL_VPN_SESSION_TUNNEL_STATS
action="[s]"
tunneltype="[s]" tunnel_id=[n]
remote_ip=[s] tunnel_ip=[s]
user="[s]" group="[s]"
[s][s][s] next_stats=[n]
duration=[n] sent=[n]
rcvd=[n] msg="[s]"
SSL user event log
39950 unknown vpn LOG_ID_EVENT_SSL_VPN_SESSION_TUNNEL_UNKNOWNTAG
action="[s]"
tunneltype="[s]" tunnel_id=[n]
remote_ip=[s] tunnel_ip=[s]
user="[s]" group="[s]"
[s][s][s] reason="[s]"
msg="[s]"
SSL user event log
39951 unknown vpn LOG_ID_EVENT_SSL_VPN_SESSION_TUNNEL_ERROR
action="[s]"
tunneltype="[s]" tunnel_id=[n]
remote_ip=[s] tunnel_ip=[s]
user="[s]" group="[s]"
[s][s][s] reason="[s]"
msg="[s]"
SSL user event log
39952 unknown vpn LOG_ID_EVENT_SSL_VPN_SESSION_ENTER_CONSERVE_MODE
action="[s]"
tunneltype="[s]" tunnel_id=[n]
remote_ip=[s] tunnel_ip=[s]
user="[s]" group="[s]"
[s][s][s] reason="[s]"
msg="[s]"
SSL user event log
39953 unknown vpn LOG_ID_EVENT_SSL_VPN_SESSION_LEAVE_CONSERVE_MODE
action="[s]"
tunneltype="[s]" tunnel_id=[n]
remote_ip=[s] tunnel_ip=[s]
user="[s]" group="[s]"
[s][s][s] reason="[s]"
msg="[s]"
SSL user event log
40001 unknown vpn LOG_ID_PPTP_TUNNEL_UP action=[s] tunnel_id=[n]
[s]tunneltype=[s] remote_
ip=[s] tunnel_ip=[s]
user="[s]" group="[s]"
[s][s][s][s]msg="[s] [s]"
VPN event log message
40002 unknown vpn LOG_ID_PPTP_TUNNEL_DOWN
action=[s] tunnel_id=[n] [s]tunneltype=[s] remote_ip=[s] tunnel_ip=[s] user="[s]" group="[s]" [s][s][s][s]msg="[s] [s]"
VPN event log message
40003 unknown vpn LOG_ID_PPTP_TUNNEL_STAT
action=[s] tunnel_id=[n] [s]tunneltype=[s] remote_ip=[s] tunnel_ip=[s] user="[s]" group="[s]" [s][s][s][s]msg="[s] [s]"
VPN event log message
40014 warning vpn LOG_ID_PPTP_REACH_MAX_CON
status=failure action=connect msg="PPTP: the maximum number of connections has been reached. No more clients can connect."
The maximum number of PPTP connections has been reached
40016 warning vpn LOG_ID_L2TPD_SVR_DISCON
action=disconnect status=success reason="interface not found" msg="L2TPD closed all client connections in vdom '[s]' because failed to find interface by device index"
L2TPD disconnection
40017 warning vpn LOG_ID_L2TPD_CLIENT_CON_FAIL
action=connect status=failure reason="no ip available" msg="No IP addresses left to assign in virtual domain: [s]"
L2TP client connection
40019 information vpn LOG_ID_L2TPD_CLIENT_DISCON
action=disconnect status=success msg="Client [n].[n].[n].[n] control connection (id [n]) finished"
L2TP client disconnection
40021 debug vpn LOG_ID_PPTP_NOT_CONIG
status=failure action=connect msg="PPTP: connection request in unconfigured virtual domain: [s]"
pptp is not configured (in this virtual domain)
40022 warning vpn LOG_ID_PPTP_NO_IP_AVAIL
status=failure action=connect msg="PPTP: No IP addresses left to assign in virtual domain: [s]"
No ip available
40024 warning vpn LOG_ID_PPTP_OUT_MEM
status=failure action=start msg="failed to expand pptp config list due to not enough memory"
Not enough memory
40034 notice vpn LOG_ID_PPTP_START
action=start status=success msg="PPTPD started successfully"
PPTPD start
40035 error vpn LOG_ID_PPTP_START_FAIL
action=start status=failure reason="failed to create socket" msg="PPTPD failed to start because failed to create socket"
PPTPD start
40036 notice vpn LOG_ID_PPTP_EXIT
action=exit status=success msg="PPTPD exited successfully"
PPTPD exit
40037 information vpn LOG_ID_PPTPD_SVR_DISCON
action=disconnect status=success reason="PPTP setting is changed" msg="PPTPD closed all client connections in vdom '[s]' because PPTP setting was changed"
PPTPD disconnect
40038 information vpn LOG_ID_PPTPD_CLIENT_CON
action=connect status=success msg="Client [n].[n].[n].[n] control connection started"
PPTPD client connection
40039 information vpn LOG_ID_PPTPD_CLIENT_DISCON
action=disconnect status=success msg="Client [n].[n].[n].[n] control connection finished"
PPTPD client disconnection
40101 unknown vpn LOG_ID_L2TP_TUNNEL_UP
action=[s] tunnel_id=[n] [s]tunneltype=[s] remote_ip=[s] tunnel_ip=[s] user="[s]" group="[s]" [s][s][s][s]msg="[s] [s]"
VPN event log message
40102 unknown vpn LOG_ID_L2TP_TUNNEL_DOWN
action=[s] tunnel_id=[n] [s]tunneltype=[s] remote_ip=[s] tunnel_ip=[s] user="[s]" group="[s]" [s][s][s][s]msg="[s] [s]"
VPN event log message
40103 unknown vpn LOG_ID_L2TP_TUNNEL_STAT
action=[s] tunnel_id=[n] [s]tunneltype=[s] remote_ip=[s] tunnel_ip=[s] user="[s]" group="[s]" [s][s][s][s]msg="[s] [s]"
VPN event log message
40114 notice vpn LOG_ID_L2TPD_START
action=start status=success msg="L2TPD started successfully"
L2TPD starting
40115 notice vpn LOG_ID_L2TPD_EXIT
action=exit status=success msg="L2TPD exited successfully"
L2TPD exiting
40118 information vpn LOG_ID_L2TPD_CLIENT_CON
action=connect status=success msg="Client [s] control connection started (id [n]), assigned ip [n].[n].[n].[n]"
L2TP client connection
40704 notice system LOG_ID_EVENT_SYS_PERF
action="perf-stats" cpu=[n] mem=[n] totalsession=[n] msg="Performance statistics"
system performance log
40960 notice wad LOGID_EVENT_WAD_WEBPROXY_FWD_SRV_ERROR
fwserver_name="[s]" addr_type=[s] ip=[s] fqdn="[s]" port=[n] msg="[s]"
Web proxy forward server error
41000 notice system LOG_ID_UPD_FGT_SUCC
[s] msg="Fortigate [s] [s][s][s] [s][s][s] [s][s][s] [s][s][s] [s][s][s] [s][s][s] [s][s][s] [s][s][s] from [s]"
Administrator has updated fortigate successfully
41001 critical system LOG_ID_UPD_FGT_FAIL
[s] msg="Fortigate [s] failed"
Administrator has failed to update fortigate
41002 notice system LOG_ID_UPD_SRC_VIS
status=update src-vis=yes msg="FortiGate updated src-vis ([s])"
Administrator has updated src-vis plugin successfully
41003 critical system LOG_ID_INVALID_UPD_LIC
action=update status=failure msg="HA member [s] does not have valid license"
Invalid update license
41005 notice system LOG_ID_UPD_VCM
status=update vcm=yes msg="FortiGate updated VCM ([s])"
Administrator has updated VCM plugin successfully
41984 information vpn LOG_ID_EVENT_SSL_VPN_CERT_LOAD
action="[s]" user="[s]" ui="[s]" name="[s]" msg="[s]" cert-type=[s]
Certificate log
41985 information vpn LOG_ID_EVENT_SSL_VPN_CERT_REMOVAL
action="[s]" user="[s]" ui="[s]" name="[s]" msg="[s]" cert-type=[s]
Certificate log
41987 information vpn LOG_ID_EVENT_SSL_VPN_CERT_UPDATE
action="[s]" cert-type=[s] status="[s]" name="[s]" method="[s]" msg="[s]"
Certificate log
41988 information vpn LOG_ID_EVENT_SSL_VPN_SETTING_UPDATE
action="info" user="[s]" ui="[s]" msg="User changed SSL setting"
SSL Setting Updated
41989 information vpn LOG_ID_EVENT_SSL_VPN_CERT_ERR
action="[s]" cert-type=[s] status="[s]" name="[s]" method="[s]" msg="[s]"
Certificate log
41990 information vpn LOG_ID_EVENT_SSL_VPN_CERT_UPDATE_FAILED
action="[s]" cert-type=[s] status="[s]" name="[s]" method="[s]" msg="[s]"
Certificate log
43008 notice user LOG_ID_EVENT_AUTH_SUCCESS
src=[s] dst=[s] policyid=3 user="user" group="usergroup" ui="HTTP([s])" action=authentication status=success reason="reason" msg="User user succeeded in authentication"
Authentication log
43009 notice user LOG_ID_EVENT_AUTH_FAILED
src=[s] dst=[s] policyid=3 user="user" group="usergroup" ui="HTTP([s])" action=authentication status=failure reason="reason" msg="User user failed in authentication"
Authentication log
43010 warning user LOG_ID_EVENT_AUTH_LOCKOUT
src=[s] dst=[s] policyid=3 user="user" group="usergroup" ui="HTTP([s])" action=authentication status=locked_out reason="reason" msg="User from [s] was locked out"
Authentication log
43011 notice user LOG_ID_EVENT_AUTH_TIME_OUT
src=[s] dst=[s] policyid=[n] user="[s]" group="[s]" ui="[s]" action=[s] status=[s] reason="Authentication timed out" msg="[s]"
Authentication log
43012 notice user LOG_ID_EVENT_AUTH_FSAE_AUTH_SUCCESS
src=[s] dst=[s] proto=[n] policyid=[n] user="[s]" adgroup="[s]" ui="[s]" action=[s] status=[s] reason="[s]" msg="[s]"
FSSO Authentication log
43013 notice user LOG_ID_EVENT_AUTH_FSAE_AUTH_FAIL
src=[s] dst=[s] proto=[n] policyid=[n] user="[s]" adgroup="[s]" ui="[s]" action=[s] status=[s] reason="[s]" msg="[s]"
FSSO Authentication log
43014 notice user LOG_ID_EVENT_AUTH_FSAE_LOGON
src=[s] user="[s]" server="[s]" action=[s] msg="[s]"
FSSO log on/off
43015 notice user LOG_ID_EVENT_AUTH_FSAE_LOGOFF
src=[s] user="[s]" server="[s]" action=[s] msg="[s]"
FSSO log on/off
43016 notice user LOG_ID_EVENT_AUTH_NTLM_AUTH_SUCCESS
src=[s] dst=[s] policyid=[n] user="[s]" adgroup="[s]" group="[s]" ui="[s]" action=[s] status=[s] reason="[s]" msg="[s]"
NTLM authentication log
43017 notice user LOG_ID_EVENT_AUTH_NTLM_AUTH_FAIL
src=[s] dst=[s] policyid=[n] user="[s]" adgroup="[s]" group="[s]" ui="[s]" action=[s] status=[s] reason="[s]" msg="[s]"
NTLM authentication log
43018 warning user LOG_ID_EVENT_AUTH_FGOVRD_FAIL
src=[s] dst=[s] initiator=[s] status=[s] reason="[s]" msg="[s]"
Fortiguard override failed log
43019 warning user LOG_ID_EVENT_AUTH_FGOVRD_TBL_FULL
src=[s] dst=[s] initiator=N/A status=failure reason="reason" msg="FortiGuard Web Filtering override table is full"
Fortiguard override log
43020 notice user LOG_ID_EVENT_AUTH_FGOVRD_SUCCESS
src=[s] dst=[s] initiator=[s] status=[s] reason="[s]" scope=[s] scope_data="[s]" rule_type=[s] rule_data="[s]" offsite=[s] expiry="[s]" oldwprof="[s]" newwprof="[s]" msg="[s]"
Fortiguard override succeeded log
43021 notice user LOG_ID_EVENT_AUTH_ENDPOINT_CHECK
dst=[s] ui="HTTP(0.0.0.0)" msg="forticlient msg"
Endpoint log
43022 notice user LOG_ID_EVENT_AUTH_ENDPOINT_LICENSE
dst=[s] ui="HTTP(0.0.0.0)" msg="forticlient msg"
Endpoint log
43023 notice user LOG_ID_EVENT_AUTH_ENDPOINT_DET_RECORD
dst=[s] ui="N/A(0.0.0.0)" msg="forticlient msg"
Endpoint log
43024 notice user LOG_ID_EVENT_AUTH_ENDPOINT_DET_SESSION
dst=[s] ui="HTTP(0.0.0.0)" msg="forticlient msg"
Endpoint log
43025 notice user LOG_ID_EVENT_AUTH_PROXY_SUCCESS
src=[s] dst=[s] policyid=[n] user="[s]" group="[s]" ui="[s]" action=[s] status=[s] reason="[s]" msg="[s]"
Wad-auth HTTP log
43026 notice user LOG_ID_EVENT_AUTH_PROXY_FAILED
src=[s] dst=[s] policyid=[n] user="[s]" group="[s]" ui="[s]" action=[s] status=[s] reason="[s]" msg="[s]"
Wad-auth FTP log
43027 notice user LOG_ID_EVENT_AUTH_PROXY_TIME_OUT
src=[s] dst=[s] policyid=[n] user="[s]" group="[s]" ui="[s]" action=[s] status=[s] reason="user timed out" msg="[s]"
Wad-auth time out log
43028 notice user LOG_ID_EVENT_AUTH_PROXY_AUTHORIZATION_FAILED
src=[s] dst=[s] policyid=[n] user="[s]" group="[s]" ui="[s]" action=[s] status=[s] reason="[s]" msg="[s]"
Wad-auth HTTP log
43029 notice user LOG_ID_EVENT_AUTH_WARNING_SUCCESS
src=[s] dst=[s] initiator=[s] status=[s] reason="[s]" scope=[s] scope_data="[s]" rule_type=[s] rule_data="[s]" offsite=[s] expiry="[s]" oldwprof="[s]" newwprof="[s]" msg="[s]"
Fortiguard override succeeded log
43030 warning user LOG_ID_EVENT_AUTH_WARNING_TBL_FULL
src=[s] dst=[s] initiator=[s] status=[s] reason="[s]" msg="[s]"
Fortiguard override failed log
43264 information system LOGID_MMS_STATS
proto=[s] infected=[n] suspicious=[n] scanned=[n] intercepted=[n] blocked=[n] checksum=[n] duration=[n]
MMS Statistics log
43520 notice wireless LOG_ID_EVENT_WIRELESS_SYS
action="[s]" msg="[s]"
wireless system activity log
43522 notice wireless LOG_ID_EVENT_WIRELESS_WTP
sn="[s]" ap="[s]" approfile="[s]" ip=[s] meshmode="[s]" snmeshparent="[s]" action="[s]" reason="[s]" msg="[s]"
physical AP activity log
43524 notice wireless LOG_ID_EVENT_WIRELESS_STA
sn="[s]" ap="[s]" vap="[s]" ssid="[s]" user="[s]" group="[s]" mac=[s] ip=[s] channel=[n] radioband="[s]" security="[s]" action="[s]" reason="[s]" msg="[s]"
wireless client activity log
43526 notice wireless LOG_ID_EVENT_WIRELESS_WTPR
sn="[s]" ap="[s]" ip="[s]" radioid=[n] configcountry="[s]" opercountry="[s]" cfgtxpower=[n] opertxpower=[n] action="[s]" msg="[s]"
physical AP radio activity log
43527 notice wireless LOG_ID_EVENT_WIRELESS_ROGUE_CFG
action="[s]" ssid="[s]" bssid=[s] apstatus=[n] msg="[s]"
wireless rogue AP status config log
43529 notice wireless LOG_ID_EVENT_WIRELESS_CLB
sn="[s]" ap="[s]" vap="[s]" ssid="[s]" mac="[s]" radioband="[s]" stacount=[n] action="[s]" reason="[s]" msg="[s]"
wireless client load balancing log
43530 notice wireless LOG_ID_EVENT_WIRELESS_WIDS_WL_BRIDGE
action="[s]" Threattype="[s]" live=[n] age=[n] channel=[n] rssi=[n] Frametype="[s]" DS="[s]" bssid="[s]" seq=[n] Encrypt=[n] TAMAC="[s]" manuf="[s]" sndetected="[s]" radioiddetected=[n] msg="[s]"
wireless wids detected log
43532 notice wireless LOG_ID_EVENT_WIRELESS_WIDS_NL_PBRESP
action="[s]" Threattype="[s]" live=[n] age=[n] channel=[n] rssi=[n] Frametype="[s]" DS="[s]" bssid="[s]" seq=[n] Encrypt=[n] TAMAC="[s]" manuf="[s]" sndetected="[s]" radioiddetected=[n] msg="[s]"
wireless wids detected log
43533 notice wireless LOG_ID_EVENT_WIRELESS_WIDS_MAC_OUI
action="[s]" Threattype="[s]" live=[n] age=[n] channel=[n] rssi=[n] Frametype="[s]" DS="[s]" bssid="[s]" seq=[n] Encrypt=[n] TAMAC=[s] manuf="[s]" sndetected="[s]" radioiddetected=[n] msg="[s]" Invalidmac=[s]
wireless wids invalid-OUI-detect log
43534 notice wireless LOG_ID_EVENT_WIRELESS_WIDS_LONG_DUR
action="[s]" Threattype="[s]" live=[n] age=[n] channel=[n] rssi=[n] Frametype="[s]" DS="[s]" bssid="[s]" seq=[n] Encrypt=[n] TAMAC=[s] manuf="[s]" sndetected="[s]" radioiddetected=[n] msg="[s]" Dur=[n]
wireless wids long-dur-detect log
43535 notice wireless LOG_ID_EVENT_WIRELESS_WIDS_WEP_IV
action="[s]" Threattype="[s]" live=[n] age=[n] channel=[n] rssi=[n] Frametype="[s]" DS="[s]" bssid="[s]" seq=[n] Encrypt=[n] TAMAC=[s] manuf="[s]" sndetected="[s]" radioiddetected=[n] msg="[s]" Weakwepiv=[s]
wireless wids weak-wepiv-detect log
43542 notice wireless LOG_ID_EVENT_WIRELESS_WIDS_EAPOL_FLOOD
action="[s]" Threattype="[s]" live=[n] TAMAC=[s] manuf="[s]" sndetected="[s]" radioiddetected=[n] msg="[s]" eapoltype=[s] eapolcnt=[n]
wireless wids eapol-packet-flood log
43544 notice wireless LOG_ID_EVENT_WIRELESS_WIDS_MGMT_FLOOD
action="[s]" Threattype="[s]" live=[n] age=[n] channel=[n] rssi=[n] Frametype="[s]" DS="[s]" bssid="[s]" TAMAC=[s] manuf="[s]" sndetected="[s]" radioiddetected=[n] msg="[s]" mgmtcnt=[n]
wireless wids mgmt-flood-detect log
43546 notice wireless LOG_ID_EVENT_WIRELESS_WIDS_SPOOF_DEAUTH
action="[s]" Threattype="[s]" live=[n] age=[n] channel=[n] rssi=[n] Frametype="[s]" DS="[s]" bssid="[s]" seq=[n] Encrypt=[n] TAMAC="[s]" manuf="[s]" sndetected="[s]" radioiddetected=[n] msg="[s]"
wireless wids detected log
43548 notice wireless LOG_ID_EVENT_WIRELESS_WIDS_ASLEAP
action="[s]" Threattype="[s]" live=[n] age=[n] channel=[n] rssi=[n] Frametype="[s]" DS="[s]" bssid="[s]" seq=[n] Encrypt=[n] TAMAC="[s]" manuf="[s]" sndetected="[s]" radioiddetected=[n] msg="[s]"
wireless wids detected log
43550 notice wireless LOG_ID_EVENT_WIRELESS_STA_LOCATE
sn="[s]" ap="[s]" radioid=[n] radioband="[s]" stamac="[s]" signal=[n] noise=[n] action="[s]" msg="[s]"
wireless station presence detection log
43776 notice system LOGID_EVENT_NAC_QUARANTINE
src=[s] dst=[s] src_int=[s] proto=[n] service="[s]" action=[s] user="[s]" group="[s]" policyid=[n] banned_src=[s] banned_rule="[s]" sensor="[s][n]"
NAC quarantine event log
43800 critical system LOG_ID_EVENT_ELBC_BLADE_JOIN
[s]="blade-join" [s]="[n]" [s]="[n]" [s]="[s]" [s]="blade in slot [n] of chassis [n] is ready to process traffic"
blade joins cluster
43801 critical system LOG_ID_EVENT_ELBC_BLADE_LEAVE
[s]="blade-leave" [s]="[n]" [s]="[n]" [s]="[s]" [s]="blade in slot [n] of chassis [n] is no longer ready to process traffic"
blade leaves cluster
43802 critical system LOG_ID_EVENT_ELBC_MASTER_BLADE_FOUND
[s]="master-found" [s]="[n]" [s]="[n]" [s]="[s]" [s]="blade in slot [n] of chassis [n] became master. there was no previous master."
master blade found
43803 critical system LOG_ID_EVENT_ELBC_MASTER_BLADE_LOST
[s]="master-lost" [s]="[n]" [s]="[n]" [s]="[s]" [s]="blade in slot [n] of chassis [n] is no longer master. there is no new master."
master blade lost
43804 critical system LOG_ID_EVENT_ELBC_MASTER_BLADE_CHANGE
[s]="master-changed" [s]="[n]" [s]="[n]" [s]="[n]" [s]="[n]" [s]="[s]" [s]="blade in slot [n] of chassis [n] is no longer master. blade in slot [n] of chassis [n] is the new master"
master blade changed
43805 critical system LOG_ID_EVENT_ELBC_ACTIVE_CHANNEL_FOUND
[s]="channel-activate" [s]="[n]" [s]="[n]" [s]="[s]" [s]="[n]" [s]="Channel [n] (FortiSwitch in slot [n]) of chassis [n] became active. there was no previous active channel"
ELBC channel becomes active
43806 critical system LOG_ID_EVENT_ELBC_ACTIVE_CHANNEL_LOST
[s]="channel-deactivate" [s]="[n]" [s]="[n]" [s]="[s]" [s]="[n]" [s]="Channel [n] (FortiSwitch in slot [n]) of chassis [n] became inactive. there is currently no active channel."
ELBC channel becomes inactive
43807 critical system LOG_ID_EVENT_ELBC_ACTIVE_CHANNEL_CHANGE
[s]="channel-failover" [s]="[n]" [s]="[n]" [s]="[s]" [s]="[n]" [s]="[n]" [s]="Channel [n] (FortiSwitch in slot [n]) of chassis [n] failed over to channel [n] (FortiSwitch in slot [n])."
ELBC channel failover
43808 critical system LOG_ID_EVENT_ELBC_CHASSIS_ACTIVE
[s]="chassis-activated" [s]="[n]" [s]="[s]" [s]="chassis [n] became active and will process traffic"
chassis becomes active
43809 critical system LOG_ID_EVENT_ELBC_CHASSIS_INACTIVE
[s]="chassis-deactivated" [s]="[n]" [s]="[s]" [s]="chassis [n] became passive and will not process traffic"
chassis becomes inactive
44288 information router LOG_ID_DNS_RESPONSE
policyid=22 src=[s] dst=[s] src_int="eth0" dst_int="switch0" user="user" group="group" dns_name="fotinet dns" dns_ip="1.1.1.1"
test dns event log
44544 information system LOGID_EVENT_CONFIG_PATH
user="[s]" ui="[s]" action=[s] cfgtid=[n] cfgpath="[s]" msg="[s]"
config path log
44545 information system LOGID_EVENT_CONFIG_OBJ
user="[s]" ui="[s]" action=[s] cfgtid=[n] cfgpath="[s]" cfgobj="[s]" msg="[s]"
config obj log
44546 information system LOGID_EVENT_CONFIG_ATTR
user="[s]" ui="[s]" action=[s] cfgtid=[n] cfgpath="[s]" cfgattr=[s] msg="[s]"
config attr log
44547 information system LOGID_EVENT_CONFIG_OBJATTR
user="[s]" ui="[s]" action=[s] cfgtid=[n] cfgpath="[s]" cfgobj="[s]" cfgattr=[s] msg="[s]"
config obj attr log
44801 notice system 44801
limit=[n] msg=”[Inbound/Outbound] bandwidth rate exceeded the shaper limit.”
[Inbound/Outbound] bandwidth rate exceeded
45000 debug router LOG_ID_VSD_SSL_RCV_HS
serial=[s] policy=[n] identidx=[n] vip="[s]" src=[s] src-port=[n] dst=[s] dst-port=[n] action=receive handshake=[s] msg=[s]
SSL handshake received
45001 error router LOG_ID_VSD_SSL_RCV_WRG_HS
serial=[s] policy=[n] identidx=[n] vip="[s]" src=[s] src-port=[n] dst=[s] dst-port=[n] action=receive expected=[s] received=[s] msg="Incorrect SSL handshake message"
SSL received incorrect handshake message
45002 debug router LOG_ID_VSD_SSL_SENT_HS
serial=[s] policy_id=[n] identidx=[n] vip="[s]" src=[s] src-port=[n] dst=[s] dst-port=[n] action=send handshake=[s] msg=[s]
SSL handshake sent
45003 error router LOG_ID_VSD_SSL_WRG_HS_LEN
serial=[s] policy=[n] identidx=[n] vip="[s]" src=[s] src-port=[n] dst=[s] dst-port=[n] action=receive len=[n] msg="Incorrect SSL handshake length"
SSL handshake has invalid length
45004 debug router LOG_ID_VSD_SSL_RCV_CCS
serial=[s] policy=[n] identidx=[n] vip="[s]" src=[s] src-port=[n] dst=[s] dst-port=[n] action=receive msg=ChangeCipherSpec
SSL ChangeCipherSpec received
45005 error router LOG_ID_VSD_SSL_RSA_DH_FAIL
serial=[s] policy=[n] identidx=[n] vip="[s]" src=[s] src-port=[n] dst=[s] dst-port=[n] action=close msg="RSA verification of Diffie-Hellman parameters failed"
RSA verification of Diffie-Hellman parameters failed
45006 debug router LOG_ID_VSD_SSL_SENT_CCS
serial=[s] policy=[n] identidx=[n] vip="[s]" src=[s] src-port=[n] dst=[s] dst-port=[n] action=send msg=ChangeCipherSpec
SSL ChangeCipherSpec sent
45007 error router LOG_ID_VSD_SSL_BAD_HASH
serial=[s] policy=[n] identidx=[n] vip="[s]" src=[s] src-port=[n] dst=[s] dst-port=[n] local=[s] remote=[s] action=close msg="Hash in SSL Finished does not match calculated hash"
Hash in SSL Finished does not match calculated hash
45009 error router LOG_ID_VSD_SSL_DECRY_FAIL
serial=[s] policy=[n] identidx=[n] vip="[s]" src=[s] src-port=[n] dst=[s] dst-port=[n] action=close reason=[n] msg="SSL decryption failure"
SSL decryption failure
45010 debug router LOG_ID_VSD_SSL_SESSION_CLOSED
serial=[s] policy=[n] identidx=[n] vip="[s]" src=[s] src-port=[n] dst=[s] dst-port=[n] action=close msg="SSL session closed"
SSL session closed
45011 error router LOG_ID_VSD_SSL_LESS_MINOR
serial=[s] policy=[n] identidx=[n] vip="[s]" src=[s] src-port=[n] dst=[s] dst-port=[n] action=close min-minor=[n] recv-minor=[n] msg="SSL minor below mininum configured value"
SSL minor version less than configured minimum value
45012 warning router LOG_ID_VSD_SSL_REACH_MAX_CON
serial=[s] policy=[n] identidx=[n] vip="[s]" src=[s] src-port=[n] dst=[s] dst-port=[n] action=close msg="SSL maximum connections reached"
SSL maximum connection limit reached
45013 error router LOG_ID_VSD_SSL_NOT_SUPPORT_CS
serial=[s] policy=[n] identidx=[n] vip="[s]" src=[s] src-port=[n] dst=[s] dst-port=[n] action=close msg="None of the offered CipherSuites are supported"
None of the offered SSL CipherSuites are supported
45016 debug router LOG_ID_VSD_SSL_HS_FIN
serial=[s] policy=[n] identidx=[n] vip="[s]" src=[s] src-port=[n] dst=[s] dst-port=[n] action=complete msg="SSL Handshake complete"
SSL handshake complete
45017 error router LOG_ID_VSD_SSL_HS_TOO_LONG
serial=[s] policy=[n] identidx=[n] vip="[s]" src=[s] src-port=[n] dst=[s] dst-port=[n] action=receive handshake=[s] len=[n] max=[n] msg="SSL Handshake too long"
SSL handshake too long
45018 debug router LOG_ID_VSD_SSL_MORE_MINOR
serial=[s] policy=[n] identidx=[n] vip="[s]" src=[s] src-port=[n] dst=[s] dst-port=[n] action=recv max-minor=[n] recv-minor=[n] msg="SSL capping minor version at maximum configured value"
SSL minor version larger than configured maximum value
45019 error router LOG_ID_VSD_SSL_SENT_ALERT_ERR
serial=[s] policy=[n] identidx=[n] vip="[s]" src=[s] src-port=[n] dst=[s] dst-port=[n] action=send level=[n] desc=[n] msg="SSL Alert sent"
SSL Alert sent
45020 debug router LOG_ID_VSD_SSL_SESSION_EXPIRE
vip="[s]" addr=[s] port=[n] created="[s]" id=[s] action=expire msg="SSL session state expired"
SSL session state expiry
45021 debug router LOG_ID_VSD_SSL_SENT_ALERT
serial=[s] policy=[n] identidx=[n] vip="[s]" src=[s] src-port=[n] dst=[s] dst-port=[n] action=send level=[n] desc=[n] msg="SSL Alert sent"
SSL Alert sent
45022 debug router LOG_ID_VSD_SSL_RCV_CH
serial=[s] policy=[n] identidx=[n] vip="[s]" src=[s] src-port=[n] dst=[s] dst-port=[n] action=receive handshake=ClientHello msg=ClientHello ssl2=[n] major=[n] minor=[n] session_id="[s]"[s][s][s][s][s][s]
SSL ClientHello received
45023 debug router LOG_ID_VSD_SSL_RCV_SH
serial=[s] policy=[n] identidx=[n] vip="[s]" src=[s] src-port=[n] dst=[s] dst-port=[n] action=receive handshake=ServerHello msg=ServerHello major=[n] minor=[n] cipher=[s] session_id="[s]"[s][s][s]
SSL ServerHello received
45024 debug router LOG_ID_VSD_SSL_SENT_SH
serial=[s] policy=[n] identidx=[n] vip="[s]" src=[s] src-port=[n] dst=[s] dst-port=[n] action=send handshake=ServerHello msg=ServerHello major=[n] minor=[n] cipher=[s] session_id="[s]"[s][s][s]
SSL ServerHello sent
45025 error | debug router LOG_ID_VSD_SSL_RCV_ALERT
serial=[s] policy=[n] identidx=[n] vip="[s]" src=[s] src-port=[n] dst=[s] dst-port=[n] action=receive level=[n] desc=[n] msg="SSL Alert received"
SSL Alert received
45027 error router LOG_ID_VSD_SSL_INVALID_CONT_TYPE
serial=[s] policy=[n] identidx=[n] vip="[s]" src=[s] src-port=[n] dst=[s] dst-port=[n] action=receive type=[n] msg="Invalid SSL ContentType"
Invalid SSL ContentType
45029 error router LOG_ID_VSD_SSL_BAD_CCS_LEN
serial=[s] policy=[n] identidx=[n] vip="[s]" src=[s] src-port=[n] dst=[s] dst-port=[n] action=close msg="Bad length in SSL ChangeCipherSpec"
SSL ChangeCipherSpec has bad length
45031 error router LOG_ID_VSD_SSL_BAD_DH
serial=[s] policy=[n] identidx=[n] vip="[s]" src=[s] src-port=[n] dst=[s] dst-port=[n]min=[n] max=[n] received=[n] action=close msg="[s]"
SSL Diffie-Hellman has bad value
45032 error router LOG_ID_VSD_SSL_PUB_KEY_TOO_BIG
serial=[s] policy=[n] identidx=[n] vip="[s]" src=[s] src-port=[n] dst=[s] dst-port=[n]len=[n] max=[n] action=close msg="[s]"
Certificate's public key is too big for SSL offloading
45033 error router LOG_ID_VSD_SSL_NOT_SUPPORT_CM
serial=[s] policy=[n] identidx=[n] vip="[s]" src=[s] src-port=[n] dst=[s] dst-port=[n] action=close msg="None of the offered CompressionMethods are supported"
None of the offered SSL CompressionMethods are supported
45056 notice system LOG_ID_FCC_EXCEED
action=[s] status=[s] license_limit=[n] reason="[s]" repeat=[n] msg="FortiClient license maximum has been reached."
forticlient license exceed msg
45057 information system LOG_ID_FCC_ADD
action=[s] status=[s] license_limit=[s] license_used=[n] used_for_type=[n] connection_type=[s] count=[n] user="[s]" ip=[s] name="[s]" forticlient_id="[s]" msg="Add a FortiClient Connection."
add forticlient connection msg
45058 information system LOG_ID_FCC_CLOSE
close forticlient connection msg
45059 notice system LOG_ID_FCC_UPGRADE_SUCC
action=[s] status=[s] ui="[s]" user="[s]" license_limit=[s] msg="FortiClient license has been upgraded."
upgrade forticlient license msg
45060 error system LOG_ID_FCC_UPGRADE_FAIL
action=[s] status=[s] ui="[s]" user="[s]" reason="[s]" msg="Failed to upgrade FortiClient license."
upgrade forticlient license failed msg
45100 warning system LOG_ID_EC_REG_FAIL
user="[s]" hostname="[s]" ip=[n].[n].[n].[n] forticlient_id=[s] interface=[s] msg="FortiClient registration failed due to blocked UID."
FortiClient registration fail msg
45101 notice system LOG_ID_EC_REG_SUCCEED
user="[s]" hostname="[s]" ip=[n].[n].[n].[n] forticlient_id=[s] interface=[s] msg="FortiClient registration succeeded."
FortiClient registration succeed msg
45102 notice system LOG_ID_EC_REG_RENEWED
user="[s]" hostname="[s]" ip=[n].[n].[n].[n] forticlient_id=[s] interface=[s] msg="FortiClient registration renewed."
FortiClient registration renew msg
45103 notice system LOG_ID_EC_REG_BLOCK
forticlient_id=[s] msg="FortiClient is blocked for registration."
FortiClient registration block msg
45104 notice system LOG_ID_EC_REG_UNBLOCK
forticlient_id=[s] msg="FortiClient is unblocked for registration."
FortiClient registration unblock msg
45105 notice system LOG_ID_EC_REG_DEREG
forticlient_id=[s] msg="FortiClient is de-registered."
FortiClient registration de-register msg
45106 notice system LOG_ID_EC_REG_LIC_UPGRADED
msg="FortiClient registration license upgraded."
FortiClient registration license upgrade msg
45107 notice system LOG_ID_EC_CONF_DISTRIBUTED
user="[s]" hostname="[s]" ip=[n].[n].[n].[n] forticlient_id=[s] interface=[s] msg="FortiClient configuration distributed."
FortiClient configuration distribute msg
45108 notice system LOG_ID_EC_FTCL_UNREG
user="[s]" hostname="[s]" ip=[n].[n].[n].[n] forticlient_id=[s] interface=[s] msg="FortiClient unregistered."
FortiClient unregister msg
45109 notice system LOG_ID_EC_FTCL_LOGOFF
user="[s]" hostname="[s]" ip=[n].[n].[n].[n] forticlient_id=[s] interface=[s] msg="FortiClient logged off."
FortiClient logoff msg
45110 notice system LOG_ID_EC_FTCL_ENABLE_NOTSYNC
user="[s]" hostname="[s]" ip=[n].[n].[n].[n] forticlient_id=[s] interface=[s] msg="FortiClient SYNC_WITH_FGT disabled."
FortiClient disable SYNC_WITH_FGT msg
46000 notice system LOG_ID_VIP_REAL_SVR_ENA
vip="[s]" server=[n].[n].[n].[n] port=[n] status=[s] action=enable msg="ldb server enabled"
VIP realserver has been enabled.
46001 alert system LOG_ID_VIP_REAL_SVR_DISA
vip="[s]" server=[n].[n].[n].[n] port=[n] status=[s] action=disable msg="ldb server disabled"
VIP realserver has been disabled.
46002 notice system LOG_ID_VIP_REAL_SVR_UP
vip="[s]" server=[n].[n].[n].[n] port=[n] status=[s] action=up msg="ldb server up"
VIP realserver has become up.
46003 alert system LOG_ID_VIP_REAL_SVR_DOWN
vip="[s]" server=[n].[n].[n].[n] port=[n] status=[s] action=down msg="ldb server down"
VIP realserver has been down.
46004 notice system LOG_ID_VIP_REAL_SVR_ENT_HOLDDOWN
vip="[s]" server=[n].[n].[n].[n] port=[n] status=[s] action=holddown msg="ldb server entered holddown period" interval=[n](sec)
VIP realserver has started holddown period.
46005 alert system LOG_ID_VIP_REAL_SVR_FAIL_HOLDDOWN
vip="[s]" server=[n].[n].[n].[n] port=[n] status=[s] action=holddown msg="ldb server health checking failed during holddown period"
VIP realserver has failed holddown.
46006 debug system LOG_ID_VIP_REAL_SVR_FAIL
vip="[s]" server=[n].[n].[n].[n] port=[n] status=[s] monitor-name=[s] monitor-type=[s] action=check msg="ldb server health checking failed"
Health monitor has detected VIP realserver health problem.
46084 error system LOG_EVENT_REPUTATION_VDOM_PURGE_ERROR
action=reputation_purge status=failure reason="[s]" msg="Failed to complete reputation db maintenance for vdom [s]"
reputation tracking data maintenance
46085 information system LOG_EVENT_REPUTATION_VDOM_PURGE_SUCCESS
action=reputation_purge status=success msg="Completed reputation db maintenance"
reputation tracking data maintenance
46092 information system LOG_EVENT_REPUTATION_ERASE_DATA_ERROR
action=reputation_clear status=failure reason="[s]" msg="Failed to erase reputation db for vdom [s]"
reputation report
46093 information system LOG_EVENT_REPUTATION_ERASE_DATA_SUCCESS
action=reputation_clear status=success msg="Erased reputation db for vdom [s]"
reputation report
47201 emergency system LOG_ID_AMC_ENTER_BYPASS
msg="The AMC card in slot [s] has entered bypass mode due to [s]."
AMC card entered bypass mode
47202 emergency system LOG_ID_AMC_EXIT_BYPASS
msg="The AMC card in slot [s] has exited bypass mode due to [s]."
AMC card exited bypass mode
47203 emergency system LOG_ID_ENTER_BYPASS
msg="The bypass ports pair have entered bypass mode."
Bypass ports pair entered bypass mode
47204 emergency system LOG_ID_EXIT_BYPASS
msg="The bypass ports pair have exited bypass mode."
Bypass ports pair exited bypass mode
48000 debug wad LOG_ID_WAD_SSL_RCV_HS
session_id=[s] policyid=[n] src=[n].[n].[n].[n] srcport=[n] dst=[n].[n].[n].[n] dstport=[n] action=receive handshake="[s]"
SSL handshake received
48001 error wad LOG_ID_WAD_SSL_RCV_WRG_HS
session_id=[s] policyid=[n] src=[n].[n].[n].[n] srcport=[n] dst=[n].[n].[n].[n] dstport=[n] action=receive msg="Incorrect SSL handshake length. len:[n]"
SSL handshake has invalid length