FortiGate Log Message Reference

FortiGate ® Log Message Reference
FortiOS 4.0 MR3
The FortiGate Log Message Reference is published every maintenance release, and contains only information
that was gathered at the date of publication.
FortiGate Log Message Reference
Version 4.0 MR3
21 November 2011
01-430-112804-20111121
© Copyright 2011 Fortinet, Inc. All rights reserved. No part of this publication including text, examples,
diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means,
electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of
Fortinet, Inc.
Trademarks
ABACAS, APSecure, Dynamic Threat Prevention System (DTPS), FortiAnalyzer®, FortiASIC, FortiBIOS,
FortiBridge, FortiClient®, FortiDB™, FortiGate®, FortiGate Unified Threat Management System,
FortiGuard®, FortiGuard-Antispam, FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog,
FortiMail®, FortiManager®, Fortinet®, FortiOS®, FortiPartner, FortiProtect, FortiReporter, FortiResponse,
FortiScan, FortiShield, FortiVoIP, FortiWeb, and FortiWiFi are trademarks of Fortinet, Inc. in the United
States and/or other countries. The names of actual companies and products mentioned herein may be the
trademarks of their respective owners.
Contents
Introduction
Before you begin
How this reference is organized
Document conventions and other information
Traffic
2
3
4
5
6
7
8
9
10
11
Event-Administration
32001
32002
32003
32004
32006
32007
32008
32010
32011
32012
32013
32014
32015
32016
32017
32020
32021
32022
32086
32087
FortiGate Log Message Reference
01-430-112804-20111121
http://docs.fortinet.com/ • Feedback
32140
32141
32095
32101
32102
32103
32104
32105
32120
32121
32122
32123
32124
32125
32126
32127
32128
32129
32130
32131
32132
32133
32134
32135
32136
32137
32138
32139
32140
32141
32142
32143
32144
32145
32148
32149
32150
32151
32152
32153
32154
32155
32156
32157
32158
32161
32162
32168
32170
32171
32172
32180
32200
32301
32302
32400
32401
32545
32546
32547
32548
32549
Event-System
20001
20002
20003
20004
20007
20010
20031
20032
20033
20034
20035
20036
20037
20038
20039
20040
20041
20042
20043
20044
20045
20046
20047
20048
20049
20050
20051
20052
20053
20054
20055
20056
20057
20058
20059
20060
20061
20062
20063
20064
20065
20066
20067
20068
20069
20070
20071
20072
20073
20074
20075
20076
20077
20078
20079
20080
20081
20082
20083
20084
20090
20099
20100
20101
20110
20111
20200
20201
20202
20203
22000
22001
22002
22003
22004
22005
22006
22009
22010
22011
22012
22013
22100
22101
22102
22103
22200
22201
22202
22203
22800
22801
22802
22803
22804
22805
22806
22901
22902
22903
22911
22912
22913
22914
Event-DHCP service
26001
26002
Event-Firewall authentication
38001
38002
38003
38004
38005
38010
38011
38012
38020
38021
38022
38026
38027
Event-Wireless
43520
43521
43522
43524
43525
43526
Event-IPsec negotiation
37120
37121
37122
37123
37124
37125
37126
37127
37128
37129
37130
37131
37132
37133
37134
37135
37136
37137
37138
37139
37184
37185
37186
37187
37188
37189
37190
37191
37192
37193
37194
37195
37196
37197
37198
37199
37200
37201
37202
37203
Event-L2TP/PPP/PPPoE
29001
29002
29003
29004
29009
29015
29016
29022
29024
30004
30005
30006
30007
30008
30009
31004
31005
31006
31007
31008
31009
Event-SSL VPN
39424
39425
39426
41984
41985
41986
41987
41988
39936
39937
39938
39939
39940
39941
39942
39943
39944
39945
39946
39947
39948
39949
39950
39951
Event-VIP SSL
45001
45003
45005
45007
45009
45011
45012
45013
45015
45017
45019
45023
45027
45029
45031
45032
Event-DNS
44288
Event-config
44544
44545
44546
44547
Event-auth
43008
43009
43010
43011
43012
43013
43014
43015
43016
43017
43018
43019
43020
43021
43022
43023
43024
43025
43026
43027
43028
43029
43030
Event-wad
40960
48001
48003
48005
48007
48009
48011
48012
48013
48015
48017
48019
48023
48027
48029
48031
11
274
275
276
277
278
279
280
280
281
282
283
283
284
285
285
285
286
286
287
288
289
290
291
293
294
295
295
296
296
297
297
298
298
299
299
300
300
301
301
302
FortiGate Log Message Reference
01-430-112804-20111121
http://docs.fortinet.com/ • Feedback
Contents
48032
48100
48101
48102
48123
48124
48127
48129
48131
48132
48200
48201
48205
48300
48301
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Event-LDB-monitor
46000
46001
46002
46003
46004
46005
46100
46101
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
303
304
304
305
305
306
307
307
308
308
309
309
310
310
311
313
Event-nac-quarantine
314
314
315
315
316
316
317
317
319
43776 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
Event-his-performance
321
40704 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
Event-HA
37888
37889
37890
37891
37892
37893
37894
37895
37896
37897
12
323
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
324
324
324
325
325
326
326
326
327
327
FortiGate Log Message Reference
01-430-112804-20111121
http://docs.fortinet.com/ • Feedback
Contents
37898
37899
37900
37901
37902
37903
37904
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Event-pattern
328
328
329
329
330
330
331
333
41000 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
41001 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
Event-RADIUS
38656
38657
38658
38659
38660
38661
38662
38663
38664
38665
38666
38667
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
337
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Event-notification
338
338
338
339
339
339
340
340
341
341
342
342
343
38400 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344
38401 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345
38402 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346
Event-amc-intf-bypass
347
47201 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
47202 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
Event-GTP
41216
41217
41218
41219
41220
41221
FortiGate Log Message Reference
01-430-112804-20111121
http://docs.fortinet.com/ • Feedback
349
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
350
351
353
354
355
356
13
Contents
41222 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
Event-MMS-Stats
359
43264 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Event-VoIP
361
44032
44033
44034
44035
44036
44037
44038
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Data Leak Prevention
24576
24577
24578
24579
. . . .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
377
Application Control
28672
28673
28674
28675
28676
28677
28678
28688
28689
28690
28704
28705
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
14
378
380
382
382
383
385
Antivirus
8192
8193
8194
8195
8196
8197
362
364
366
370
371
373
375
386
388
390
392
394
396
398
400
402
404
406
408
411
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
412
414
416
418
420
422
FortiGate Log Message Reference
01-430-112804-20111121
http://docs.fortinet.com/ • Feedback
Contents
8198
8199
8457
8458
8448
8449
8450
8451
8452
8453
8454
8455
8456
8704
8705
8706
8707
8960
8961
8962
8963
8964
8965
8966
8967
8968
8969
8970
8971
8972
8973
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
16384
16385
16386
18432
18433
18434
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Attack
424
426
428
430
432
435
438
440
442
444
447
449
451
453
455
457
459
461
463
465
467
469
471
473
475
477
479
481
483
485
487
489
Email filter
490
492
494
496
498
500
503
20480 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 504
20481 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 506
20482 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 508
FortiGate Log Message Reference
01-430-112804-20111121
http://docs.fortinet.com/ • Feedback
15
Contents
20483
20484
20491
20485
20486
20487
20488
20489
20490
20492
20493
20494
20495
20496
20497
20498
20499
20500
20501
20503
20504
20505
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Webfilter
12288
12289
12290
12291
12305
12544
12545
12546
12547
12548
12549
12550
12551
12552
12553
12554
12555
12556
12557
12558
12559
16
510
512
514
516
518
520
522
524
526
528
530
532
534
536
538
540
542
544
546
548
550
552
555
556
558
560
562
564
566
568
570
572
574
576
578
580
580
581
582
583
584
585
585
586
FortiGate Log Message Reference
01-430-112804-20111121
http://docs.fortinet.com/ • Feedback
Contents
13056
13312
13313
13314
12800
12801
13601
13602
13568
13573
13584
13315
13316
12802
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Netscan logs
4096
4097
4098
4099
4100
4101
4102
4103
4104
4105
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
615
DLP archives
32768
32776
32770
32772
32774
32769
32782
32783
32784
32785
32786
32787
32788
32789
32790
32791
FortiGate Log Message Reference
01-430-112804-20111121
http://docs.fortinet.com/ • Feedback
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
588
590
592
594
596
598
600
602
604
606
608
610
612
614
616
616
617
618
619
619
620
620
621
622
623
624
626
628
630
632
634
636
638
641
644
647
649
652
655
658
661
17
Contents
32792 .
32793 .
32777 .
32794 .
32795 .
32796 .
32797 .
32798 .
32800 .
328001 .
32778 .
32779 .
32780 .
32781 .
32771 .
32773 .
32775 .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Appendix
663
665
667
669
671
673
675
677
679
683
685
687
689
691
693
695
697
700
Document conventions . . . . . . . .
IP addresses . . . . . . . . . . .
Example Network configuration .
Cautions, Notes and Tips . . . .
Typographical conventions . . . .
CLI command syntax conventions
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
700
700
702
703
703
703
Entering FortiOS configuration data
Entering text strings (names). .
Entering numeric values . . . .
Selecting options from a list . .
Enabling or disabling options. .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
705
705
706
706
706
.
.
.
.
.
Registering your Fortinet product. . . . . . . . . . . . . . . . . . . . . . . . . . . . 706
Fortinet products End User License Agreement . . . . . . . . . . . . . . . . . . . . 706
Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 707
Documentation . . . . . . . . . . . . . . . . . . . .
Fortinet Tools and Documentation CD . . . . . .
Fortinet Knowledge Base . . . . . . . . . . . .
Comments on Fortinet technical documentation
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
707
707
707
707
Customer service and technical support . . . . . . . . . . . . . . . . . . . . . . . . 707
18
FortiGate Log Message Reference
01-430-112804-20111121
http://docs.fortinet.com/ • Feedback
Introduction
This reference provides detailed information about all log messages that are recorded by
the FortiGate unit. It is intended for administrators who are already logging FortiGate
features and require information about a specific log message that was recorded, such as
an event-administration log message with the log ID 41990.
This chapter includes the following topics:
• Before you begin
• Document conventions and other information
Before you begin
Before you begin using this guide, take a moment to note the following:
• The information in this reference applies to all FortiGate units and models currently
running FortiOS 4.0 and higher.
• You have enabled logging of FortiGate features. If you have not chosen a log device, or
have not enabled logging of FortiGate features, see the Logging and Reporting chapter
in the FortiOS Handbook.
• Each log message is written similarly to how it appears in the log viewer table, but based
on the Raw format. For more information, see the Logging and Reporting chapter in
the FortiOS Handbook.
• FortiOS Carrier log messages are included and are indicated within the table, in the
Firmware version row.
• This reference contains detailed information for each log message field; however, this
reference contains only information gathered at publication and, as a result, not every
log message field contains detailed information. More detailed information will be
available in future releases of this reference.
• The UTM-related logs, such as antivirus and IPS, are located in the new log file called
UTM log. This is reflected in the web-based manager, where you can view these log
messages in Log&Report > Log & Archive Access > UTM Log.
How this reference is organized
This document describes what log messages are recorded by the FortiGate unit.
The following chapters are grouped by log type with the exception of the event log, and
include only log messages for that log type. The event log type chapters are grouped by
subtype, for example event-system, due to the large number of subtypes associated with
the event log.
• Traffic
• Event-Administration
• Event-System
• Event-DHCP service
• Event-Firewall authentication
• Event-Wireless
• Event-IPsec negotiation
• Event-L2TP/PPP/PPPoE
• Event-SSL VPN
• Event-VIP SSL
• Event-DNS
• Event-config
• Event-auth
• Event-wad
• Event-LDB-monitor
• Event-nac-quarantine
• Event-his-performance
• Event-HA
• Event-pattern
• Event-RADIUS
• Event-notification
• Event-amc-intf-bypass
• Event-GTP
• Event-MMS-Stats
• Event-VoIP
• Data Leak Prevention
• Application Control
• Antivirus
• Attack
• Email filter
• Webfilter
• Netscan logs
• DLP archives
Document conventions and other information
The document conventions, as well as additional information, are located in the appendix
section of this reference. See “Appendix” on page 700.
Traffic
Traffic log messages record the network traffic going through the FortiGate unit.
In the policyid field of traffic log messages, the number may be zero because any policy that is
automatically added by the FortiGate unit is indexed as zero. For more information, see the Fortinet
Knowledge Base article, Firewall policy=0.
2
3
4
5
6
7
8
9
10
11
2
Message ID: 2
Log SubType: Allowed
Severity: Notification
Firmware version: FortiOS 4.0 MR3
Meaning: Allowed traffic log message
Fields
Field: Description
status: The session status. This field displays accept, which indicates that the session has been allowed by the unit.
vd: The name of the virtual domain in which the action occurred. If no virtual domains exist, this field always contains root.
dir_disp: The direction of the sessions. Org displays if a session is not a child session or the child session originated in the same direction as the master session. Reply displays if a different direction is taken from the master session.
tran_disp: The packet is source NAT translated (snat) or destination NAT translated (dnat). This field can also contain noop.
src: The source IP address.
srcname: The name of the source or the source IP address.
src_port: The source port of the TCP or UDP traffic. The source protocol is zero for other types of traffic.
dst: The destination IP address.
dstname: The destination name or destination IP address.
dst_country: The country name for the destination IP address. This name is used when geography-based filtering is configured for the firewall address used in the firewall policy.
dst_port: The destination port number of the TCP or UDP traffic. The destination port is zero for other types of traffic.
tran_ip: The translated IP in NAT mode. For Transparent mode, it is zero.
tran_port: The translated port number in NAT mode. For Transparent mode, it is zero.
tran_sip: The translated source IP address.
tran_sport: The translated source port.
service: The IP network service that applies to the session or packet. The services displayed correspond to the services configured in the firewall policy.
proto: The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
app_type: The application or program used. If there was no program used to create the traffic, then it is empty and displays N/A. The following are the application types that can appear in this field:
• N/A (is unknown type)
• Skype
• WinNY
• AIM
• BitTorrent
• ICQ
• eDonKey
• MSN
• Gnutella
• Yahoo
• KaZaa
duration: This represents the value in seconds.
rule: The rule number.
policyid: The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
custom: The log field that a user has created. This is referred to as a custom log field because the name can be anything, for example, hq.
identidx: The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique; it is only locally unique within a given firewall policy.
sent: The total number of bytes sent.
rcvd: The total number of bytes received.
shaper_drop_sent: The number of sent traffic shaper bytes that were dropped.
shaper_drop_rcvd: The number of received traffic shaper bytes that were dropped.
perip_drop: The number of per-IP traffic shaper bytes that were dropped.
shaper_sent_name: The name of the traffic shaper sending the bytes.
shaper_rcvd_name: The name of the traffic shaper receiving the bytes.
perip_name: The name of the per-IP traffic shaper.
sent_pkt: The total number of packets sent during the session.
rcvd_pkt: The total number of packets received during the session.
vpn: The name of the VPN tunnel used by the traffic.
vpn_type: The type of VPN tunnel that the traffic is flowing through. This field can be any one of the following:
• ipsec-static
• ipsec-dynamic
• ipsec-ddns
• sslvpn
vpn_tunnel: The VPN tunnel.
src_int: The interface where the through traffic comes in. For outgoing traffic originating from the firewall, it is unknown.
dst_int: The interface where the through traffic goes to the public or Internet.
SN: The session number of the log message.
app: The name of the application that triggered the action within the control list. For example, SSL.
app_cat: The application category that the application is associated with.
user: The name of the user creating the traffic.
group: The name of the group creating the traffic.
carrier_ep: The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
3
Message ID
3
Log Subtype
Violation
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
Traffic violation log message
Fields
Field Description
status
The status of the session. This field always displays deny, which indicates
that the session has been blocked by the unit.
vd
The virtual domain where the traffic was logged. If no virtual domains are enabled
and configured, this field contains the virtual domain, root.
src
The source IP address.
srcname
The name of the source or the source IP address.
src_port
The source port of the TCP or UDP traffic. The source protocol is zero for other
types of traffic.
dst
The destination IP address.
dstname
The destination name or destination IP address.
dst_country
The country name for the destination IP address. This name is used when
geography-based filtering is configured for the firewall address used in the firewall
policy.
dst_port
The destination port number of the TCP or UDP traffic. The destination port is zero
for other types of traffic.
service
The IP network service that applies to the session or packet. The services displayed
correspond to the services configured in the firewall policy.
proto
The protocol number that applies to the session or packet. This is the protocol number
in the packet header that identifies the next-level protocol. Protocol numbers are
assigned by the Internet Assigned Numbers Authority (IANA).
app_type
The application or program used. If there was no program used to create the traffic,
then it is empty and displays N/A. The following are the application types that can
appear in this field:
• N/A (is unknown type)
• Skype
• WinNY
• AIM
• BitTorrent
• ICQ
• eDonKey
• MSN
• Gnutella
• Yahoo
• KaZaa
duration
This represents the value in seconds.
rule
The rule number.
policyid
The ID number of the firewall policy that applies to the session or packet. Any policy
that is automatically added by the FortiGate will have an index number of zero.
custom
The log field that a user has created. This is referred to as a custom log field
because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero if the firewall
policy does not use an identity-based policy; otherwise, it displays the number of the
identity-based policy entry that the traffic matched. This number is not globally
unique, it is only locally unique within a given firewall policy.
sent
The total number of bytes sent.
rcvd
The total number of bytes received.
shaper_drop_sent
The number of sent traffic shaper bytes that were dropped.
shaper_drop_rcvd
The number of received traffic shaper bytes that were dropped.
perip_drop
The number of per-IP traffic shaper bytes that were dropped.
shaper_sent_name
The name of the traffic shaper sending the bytes.
shaper_rcvd_name
The name of the traffic shaper receiving the bytes.
perip_name
The name of the per-IP traffic shaper.
vpn
The name of the VPN tunnel used by the traffic.
vpn_type
The type of VPN tunnel that the traffic is flowing through. This field can be any one
of the following:
• ipsec-static
• ipsec-dynamic
• ipsec-ddns
• sslvpn
vpn_tunnel
The VPN tunnel.
src_int
The interface where the through traffic comes in. For outgoing traffic originating from
the firewall, it is unknown.
dst_int
The interface where the through traffic goes to the public or Internet.
SN
The session number of the log message.
app
The name of the application that triggered the action within the control list. For
example, SSL.
app_cat
The application category that the application is associated with.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
msg
The log message information. This is usually a sentence and explains the activity
and/or action taken.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would display MSISDN
of the phone that sent the MMS message. This field will always display N/A in
FortiOS.
4
Message ID
4
Log Subtype
Traffic - Other
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
Traffic other log message
Fields
Field Description
status
The status of the session. This field always displays start, which indicates
that the session has started.
vd
The virtual domain where the traffic was logged. If no virtual domains are enabled
and configured, this field contains the virtual domain, root.
src
The source IP address.
srcname
The name of the source or the source IP address.
src_port
The source port of the TCP or UDP traffic. The source protocol is zero for other
types of traffic.
dst
The destination IP address.
dstname
The destination name or destination IP address.
dst_country
The country name for the destination IP address. This name is used when
geography-based filtering is configured for the firewall address used in the firewall
policy.
dst_port
The destination port number of the TCP or UDP traffic. The destination port is zero
for other types of traffic.
tran_ip
The translated IP in NAT mode. For Transparent mode, it is zero.
tran_port
The translated port number in NAT mode. For Transparent mode, it is zero.
tran_sip
The translated source IP address.
tran_sport
The translated source port.
service
The IP network service that applies to the session or packet. The services
displayed correspond to the services configured in the firewall policy.
proto
The protocol number that applies to the session or packet. This is the protocol number
in the packet header that identifies the next-level protocol. Protocol numbers are
assigned by the Internet Assigned Numbers Authority (IANA).
app_type
The application or program used. If there was no program used to create the traffic,
then it is empty and displays N/A. The following are the application types that can
appear in this field:
• NA
• Skype
• WinNY
• AIM
• BitTorrent
• ICQ
• eDonKey
• MSN
• Gnutella
• Yahoo
• KaZaa
duration
This represents the value in seconds.
rule
The rule number.
policyid
The ID number of the firewall policy that applies to the session or packet. Any
policy that is automatically added by the FortiGate will have an index number of
zero.
custom
The log field that a user has created. This is referred to as a custom log field
because the name can be anything, for example, hq.
sent
The total number of bytes sent.
rcvd
The total number of bytes received.
shaper_drop_sent
The number of sent traffic shaper bytes that were dropped.
shaper_drop_rcvd
The number of received traffic shaper bytes that were dropped.
perip_drop
The number of per-IP traffic shaper bytes that were dropped.
shaper_sent_name
The name of the traffic shaper sending the bytes.
shaper_rcvd_name
The name of the traffic shaper receiving the bytes.
perip_name
The name of the per-IP traffic shaper.
vpn
The name of the VPN tunnel used by the traffic.
vpn_type
The type of VPN tunnel that the traffic is flowing through. This field can be any one
of the following:
• ipsec-static
• ipsec-dynamic
• ipsec-ddns
• sslvpn
vpn_tunnel
The VPN tunnel.
src_int
The interface where the through traffic comes in. For outgoing traffic originating
from the firewall, it is unknown.
dst_int
The interface where the through traffic goes to the public or Internet.
SN
The session number of the log message.
app
The name of the application that triggered the action within the control list. For
example, SSL.
app_cat
The application category that the application is associated with.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would display
MSISDN of the phone that sent the MMS message. This field will always display
N/A in FortiOS.
5
Message ID
5
Log Subtype
Other
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
Traffic allowed ICMP log message
Fields
Field Description
status
The session status. This field displays accept, which indicates that
the session has been allowed by the unit.
vd
The virtual domain where the traffic was logged. If no virtual domains are
enabled and configured, this field contains the virtual domain, root.
dir_disp
The direction of the sessions. Org displays if a session is not a child session or
the child session originated in the same direction as the master session. Reply
displays if a different direction is taken from the master session.
tran_disp
The packet is source NAT translated (snat) or destination NAT translated (dnat).
This field can also contain noop.
src
The source IP address.
srcname
The name of the source or the source IP address.
src_port
The source port of the TCP or UDP traffic. The source protocol is zero for other
types of traffic.
dst
The destination IP address.
dstname
The destination name or destination IP address.
dst_country
The country name for the destination IP address. This name is used when
geography-based filtering is configured for the firewall address used in the
firewall policy.
dst_port
The destination port number of the TCP or UDP traffic. The destination port is
zero for other types of traffic.
tran_ip
The translated IP in NAT mode. For Transparent mode, it is zero.
tran_port
The translated port number in NAT mode. For Transparent mode, it is zero.
tran_sip
The translated source IP address.
tran_sport
The translated source port.
service
The IP network service that applies to the session or packet. The services
displayed correspond to the services configured in the firewall policy.
proto
The protocol number that applies to the session or packet. This is the protocol
number in the packet header that identifies the next-level protocol. Protocol numbers are
assigned by the Internet Assigned Numbers Authority (IANA).
app_type
The application or program used. If there was no program used to create the
traffic, then it is empty and displays N/A. The following are the application types
that can appear in this field:
• NA
• Skype
• WinNY
• AIM
• BitTorrent
• ICQ
• eDonKey
• MSN
• Gnutella
• Yahoo
• KaZaa
duration
This represents the value in seconds.
rule
The rule number.
policyid
The ID number of the firewall policy that applies to the session or packet. Any
policy that is automatically added by the FortiGate will have an index number of
zero.
custom
The log field that a user has created. This is referred to as a custom log field
because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero if the
firewall policy does not use an identity-based policy; otherwise, it displays the
number of the identity-based policy entry that the traffic matched. This number is
not globally unique, it is only locally unique within a given firewall policy.
sent
The total number of bytes sent.
rcvd
The total number of bytes received.
shaper_drop_sent
The number of sent traffic shaper bytes that were dropped.
shaper_drop_rcvd
The number of received traffic shaper bytes that were dropped.
perip_drop
The number of per-IP traffic shaper bytes that were dropped.
shaper_sent_name
The name of the traffic shaper sending the bytes.
shaper_rcvd_name
The name of the traffic shaper receiving the bytes.
perip_name
The name of the per-IP traffic shaper.
sent_pkt
The number of sent packets.
rcvd_pkt
The number of received packets.
vpn
The name of the VPN tunnel used by the traffic.
vpn_type
The type of VPN tunnel that the traffic is flowing through. This field can be any
one of the following:
• ipsec-static
• ipsec-dynamic
• ipsec-ddns
• sslvpn
vpn_tunnel
The VPN tunnel.
src_int
The interface where the through traffic comes in. For outgoing traffic originating
from the firewall, it is unknown.
dst_int
The interface where the through traffic goes to the public or Internet.
SN
The session number of the log message.
app
The name of the application that triggered the action within the control list. For
example, SSL.
app_cat
The application category that the application is associated with.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would display
MSISDN of the phone that sent the MMS message. This field will always display
N/A in FortiOS.
6
Message ID
6
Log Subtype
Other
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
Deny internal ICMP log message
Fields
Field Description
status
The status of the session. This field always displays deny, which indicates
that the session has been blocked by the unit.
vd
The virtual domain where the traffic was logged. If no virtual domains are enabled
and configured, this field contains the virtual domain, root.
src
The source IP address.
srcname
The name of the source or the source IP address.
src_port
The source port of the TCP or UDP traffic. The source protocol is zero for other
types of traffic.
dst
The destination IP address.
dstname
The destination name or destination IP address.
dst_country
The country name for the destination IP address. This name is used when
geography-based filtering is configured for the firewall address used in the firewall
policy.
dst_port
The destination port number of the TCP or UDP traffic. The destination port is zero
for other types of traffic.
service
The IP network service that applies to the session or packet. The services
displayed correspond to the services configured in the firewall policy.
proto
The protocol number that applies to the session or packet. This is the protocol number
in the packet header that identifies the next-level protocol. Protocol numbers are
assigned by the Internet Assigned Numbers Authority (IANA).
app_type
The application or program used. If there was no program used to create the traffic,
then it is empty and displays N/A. The following are the application types that can
appear in this field:
• NA
• Skype
• WinNY
• AIM
• BitTorrent
• ICQ
• eDonKey
• MSN
• Gnutella
• Yahoo
• KaZaa
duration
This represents the value in seconds.
rule
The rule number.
policyid
The ID number of the firewall policy that applies to the session or packet. Any
policy that is automatically added by the FortiGate will have an index number of
zero.
custom
The log field that a user has created. This is referred to as a custom log field
because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero if the
firewall policy does not use an identity-based policy; otherwise, it displays the
number of the identity-based policy entry that the traffic matched. This number is
not globally unique, it is only locally unique within a given firewall policy.
sent
The total number of bytes sent.
rcvd
The total number of bytes received.
shaper_drop_sent
The number of sent traffic shaper bytes that were dropped.
shaper_drop_rcvd
The number of received traffic shaper bytes that were dropped.
perip_drop
The number of per-IP traffic shaper bytes that were dropped.
shaper_sent_name
The name of the traffic shaper sending the bytes.
shaper_rcvd_name
The name of the traffic shaper receiving the bytes.
perip_name
The name of the per-IP traffic shaper.
vpn
The name of the VPN tunnel used by the traffic.
vpn_type
The type of VPN tunnel that the traffic is flowing through. This field can be any one
of the following:
• ipsec-static
• ipsec-dynamic
• ipsec-ddns
• sslvpn
vpn_tunnel
The VPN tunnel.
src_int
The interface where the through traffic comes in. For outgoing traffic originating
from the firewall, it is unknown.
dst_int
The interface where the through traffic goes to the public or Internet.
SN
The session number of the log message.
app
The name of the application that triggered the action within the control list. For
example, SSL.
app_cat
The application category that the application is associated with.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
msg
The log message information. This is usually a sentence and explains the activity
and/or action taken.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would display MSISDN
of the phone that sent the MMS message. This field will always display N/A in
FortiOS.
7
Message ID
7
Log Subtype
Other
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
Deny external ICMP log message
Fields
Field Description
status
The status of the session. This field always displays deny, which
indicates that the session has been blocked by the unit.
vd
The virtual domain where the traffic was logged. If no virtual domains are
enabled and configured, this field contains the virtual domain, root.
src
The source IP address.
srcname
The name of the source or the source IP address.
src_port
The source port of the TCP or UDP traffic. The source protocol is zero for other
types of traffic.
dst
The destination IP address.
dstname
The destination name or destination IP address.
dst_country
The country name for the destination IP address. This name is used when
geography-based filtering is configured for the firewall address used in the
firewall policy.
dst_port
The destination port number of the TCP or UDP traffic. The destination port is
zero for other types of traffic.
tran_ip
The translated IP in NAT mode. For Transparent mode, it is zero.
tran_port
The translated port number in NAT mode. For Transparent mode, it is zero.
service
The IP network service that applies to the session or packet. The services
displayed correspond to the services configured in the firewall policy.
proto
The protocol number that applies to the session or packet. This is the protocol
number in the packet header that identifies the next-level protocol. Protocol numbers
are assigned by the Internet Assigned Numbers Authority (IANA).
app_type
The application or program used. If there was no program used to create the
traffic, then it is empty and displays N/A. The following are the application types
that can appear in this field:
• NA
• Skype
• WinNY
• AIM
• BitTorrent
• ICQ
• eDonKey
• MSN
• Gnutella
• Yahoo
• KaZaa
duration
This represents the value in seconds.
rule
The rule number.
policyid
The ID number of the firewall policy that applies to the session or packet. Any
policy that is automatically added by the FortiGate will have an index number of
zero.
custom
The log field that a user has created. This is referred to as a custom log field
because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero if the
firewall policy does not use an identity-based policy; otherwise, it displays the
number of the identity-based policy entry that the traffic matched. This number
is not globally unique, it is only locally unique within a given firewall policy.
sent
The total number of bytes sent.
rcvd
The total number of bytes received.
shaper_drop_sent
The number of sent traffic shaper bytes that were dropped.
shaper_drop_rcvd
The number of received traffic shaper bytes that were dropped.
perip_drop
The number of per-IP traffic shaper bytes that were dropped.
shaper_sent_name
The name of the traffic shaper sending the bytes.
shaper_rcvd_name
The name of the traffic shaper receiving the bytes.
perip_name
The name of the per-IP traffic shaper.
vpn
The name of the VPN tunnel used by the traffic.
vpn_type
The type of VPN tunnel that the traffic is flowing through. This field can be any
one of the following:
• ipsec-static
• ipsec-dynamic
• ipsec-ddns
• sslvpn
vpn_tunnel
The VPN tunnel.
src_int
The interface where the through traffic comes in. For outgoing traffic originating
from the firewall, it is unknown.
dst_int
The interface where the through traffic goes to the public or Internet.
SN
The session number of the log message.
app
The name of the application that triggered the action within the control list. For
example, SSL.
app_cat
The application category that the application is associated with.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
msg
The log message information. This is usually a sentence and explains the
activity and/or action taken.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would display
MSISDN of the phone that sent the MMS message. This field will always display
N/A in FortiOS.
8
Message ID
8
Log Subtype
Traffic - WAN opt
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
WAN optimization traffic log message
Fields
Field Description
vd
The virtual domain where the traffic was logged. If no virtual domains are
enabled and configured, this field contains the virtual domain, root.
src
The source IP address.
srcname
The name of the source or the IP address.
src_port
The source port of the TCP or UDP traffic. The source protocol is zero for other
types of traffic.
dst
The destination IP address.
dstname
The destination name or destination IP address.
dst_country
The country name for the destination IP address. This name is used when
geography-based filtering is configured for the firewall address used in the
firewall policy.
dst_port
The destination port number of the TCP or UDP traffic. The destination port is
zero for other types of traffic.
wanopt_app_type
The type of WAN optimization that was used. This field can contain any one of
the following:
• web-cache
• ftp
• cifs
• mapi
• tcp
• http
• web-proxy
• ftp-proxy
duration
This represents the value in seconds.
rule
The rule number.
policyid
The ID number of the firewall policy that applies to the session or packet. Any
policy that is automatically added by the FortiGate will have an index number of
zero.
identidx
The identity-based policy identification number. This field displays zero if the
firewall policy does not use an identity-based policy; otherwise, it displays the
number of the identity-based policy entry that the traffic matched. This number
is not globally unique, it is only locally unique within a given firewall policy.
wan_in
This field always displays WAN in.
wan_out
This field always displays WAN out.
lan_in
This field always displays LAN in.
lan_out
This field always displays LAN out.
src_int
The name of the interface used by the source.
dst_int
The name of the interface used by the destination.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
9
Message ID
9
Log Subtype
Web cache
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
Web cache traffic log message
Fields
Field Description
vd
The virtual domain where the traffic was logged. If no virtual domains are
enabled and configured, this field contains the virtual domain, root.
src
The source IP address.
srcname
The name of the source or the source IP address.
src_port
The source port of the TCP or UDP traffic. The source protocol is zero for
other types of traffic.
dst
The destination IP address.
dstname
The destination name or destination IP address.
dst_country
The country name for the destination IP address. This name is used when
geography-based filtering is configured for the firewall address used in the
firewall policy.
dst_port
The destination port number of the TCP or UDP traffic. The destination port is
zero for other types of traffic.
wanopt_app_type
The WAN Opt application type.
• web-cache
• cifs
• tcp
• ftp
• mapi
• http
• web-proxy
• ftp-proxy
duration
This represents the value in seconds.
rule
The rule number.
policyid
The ID number of the firewall policy that applies to the session or packet. Any
policy that is automatically added by the FortiGate will have an index number
of zero.
identidx
The identity-based policy identification number. This field displays zero if the
firewall policy does not use an identity-based policy; otherwise, it displays the
number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall
policy.
wan_in
This field always displays WAN in.
wan_out
This field always displays WAN out.
lan_in
This field always displays LAN in.
lan_out
This field always displays LAN out.
src_int
The name of the interface used by the source.
dst_int
The name of the interface used by the destination.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
10
Message ID
10
Log Subtype
explicit-proxy-traffic
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
Explicit proxy traffic log message
Fields
Field Description
vd
The virtual domain where the traffic was logged. If no virtual domains are
enabled and configured, this field contains the virtual domain, root.
src
The source IP address.
srcname
The name of the source or the source IP address.
src_port
The source port of the TCP or UDP traffic. The source protocol is zero for
other types of traffic.
dst
The destination IP address.
dstname
The destination name or destination IP address.
dst_port
The destination port number of the TCP or UDP traffic. The destination port is
zero for other types of traffic.
wanopt_app_type
The type of WAN Opt application. This can be any one of the following:
• web-cache
• cifs
• tfp
• ftp
• mapi
• http
• web-proxy
duration
This represents the value in seconds.
rule
The rule number.
policyid
The ID number of the firewall policy that applies to the session or packet. Any
policy that is automatically added by the FortiGate will have an index number
of zero.
identidx
The identity-based policy identification number. This field displays zero if the
firewall policy does not use an identity-based policy; otherwise, it displays the
number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall
policy.
wan_in
This field always displays WAN in.
wan_out
This field always displays WAN out.
lan_in
This field always displays LAN in.
lan_out
This field always displays LAN out.
src_int
The name of the interface used by the source.
dst_int
The name of the interface used by the destination.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
11
Message ID
11
Log Subtype
failed-conn
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
Failed connection attempts
Fields
Field Description
vd
The virtual domain where the traffic was logged. If no virtual domains are
enabled and configured, this field contains the virtual domain, root.
src
The source IP address.
srcname
The name of the source or the source IP address.
src_port
The source port of the TCP or UDP traffic. The source protocol is zero for
other types of traffic.
src_int
The source interface name.
dst
The destination IP address.
dstname
The destination name or destination IP address.
dst_port
The destination port number of the TCP or UDP traffic. The destination port is
zero for other types of traffic.
dst_int
The destination interface name.
policyid
The ID number of the firewall policy that applies to the session or packet. Any
policy that is automatically added by the FortiGate will have an index number
of zero.
custom
The log field that a user has created. This is referred to as a custom log field
because the name can be anything, for example, hq.
action
The action that was taken by the unit. This can be any one of the following:
• dns – a DNS lookup
• ip – an IP connection
• url – a URL connection
SN
The session number of the log message.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
Event-Administration
Event-Administration log messages record what administration users are configuring on the FortiGate unit,
and what is occurring on the FortiGate unit. For example, memory storage is becoming full.
32001
Message ID
32001
Log Subtype
Admin
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
An administrator successfully logged into the FortiGate unit.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit
so that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on
the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
action
This field always contains login.
status
This field always contains success.
reason
The reason for the event. This field is either timeout or exit, depending on
the action taken.
profile
The administrator’s access profile.
msg
Administrator <admin_name> logged in successfully from
<ui(<ip_address>)>.
32002
Message ID
32002
Log Subtype
Admin
Severity
Alert
Firmware version
FortiOS 4.0 MR3
Meaning
Depending on what is in the msg field, the meaning can be any one of the
following:
• There is alarm testing occurring.
• The administrator failed to log in.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit
so that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on
the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
Note: If this is an alarm test, this field will contain cli.
action
This field always contains login.
status
This field always contains failed.
reason
The reason for the event. This field always contains test.
profile
The administrator’s access profile.
msg
This field contains any one of the following:
• Alarm testing
• Administrator <admin_name> login failed from <ui>
32003
Message ID
32003
Log Subtype
Admin
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
Depending on what the msg field contains, the meaning can be any one of
the following:
• An administrator was successfully logged out because of inactivity. The
FortiGate unit automatically logged them out.
• An administrator successfully logged out of the user interface.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit
so that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on
the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
action
This field always contains logout.
status
This field always contains success.
reason
The reason for the event. This field is either timeout or exit, depending on
the action taken.
msg
This field contains any one of the following:
• Administrator <admin_name> timed out from <ui(<ip_address>)>
• Administrator <admin_name> logged out from <ui<ip_address>)>
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
pri
The priority level. This field always contains information.
32004
Message ID
32004
Log Subtype
Admin
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
The meaning can be one of the following, depending on the msg field:
• Alarm testing is occurring on the FortiGate unit.
• System has entered error-mode.
Fields
Field Description
action
This field always contains error-mode.
reason
The reason for the trigger. This field can contain self-test if the log message
is about alarm testing.
msg
This field contains any one of the following:
• Alarm testing is occurring on the FortiGate unit
• System enters error mode due to <string>
32006
Message ID
32006
Log Subtype
Admin
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
Depending on what is in the msg field, the meaning can be any one of the
following:
• The user has entered the specified virtual domain.
• The FortiGate unit's system has started.
Fields
Field Description
user
The name of the user creating the traffic. In this log message, it is an
administrator, or an administrator that has the super_admin profile.
ui
The location of the point-of-entry the user used to access the FortiGate unit
so that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on
the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
action
This field always contains vdom-switch.
reason
This field always contains none.
msg
This field contains any one of the following:
• User <user_name> has entered the virtual domain
<virtual_domain_name>.
• FortiGate started
Message ID
32006
Log Subtype
Admin
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
The FortiGate unit has started.
Fields
Field Description
msg
Fortigate started.
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
pri
The priority level. This field always contains information.
32007
Message ID
32007
Log Subtype
Admin
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
The super admin has left the specified virtual domain.
Fields
Field Description
user
The name of the user creating the traffic. In this log message, it is an
administrator, or an administrator that has the super_admin profile.
ui
The location of the point-of-entry the user used to access the FortiGate unit
so that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on
the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
action
This field always contains vdom-switch.
reason
This field always contains none.
msg
User <user_name> has left the virtual domain <virtual_domain_name>
Message ID
32007
Log Subtype
Admin
Severity
Critical
Firmware version
FortiOS 4.0 MR3
Meaning
The FortiGate unit cannot store the configuration file because the local
drive does not have enough space left.
Fields
Field Description
msg
Cannot store config due to short of flash space: require <number_blocks>
blocks, only <number_blocks> free blocks left on flash disk.
32008
Message ID
32008
Log Subtype
Admin
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
The specified user has viewed the specified log files in memory or on the
disk.
Fields
Field Description
user
The name of the user creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit
so that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on
the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
log
The name of the log file.
msg
This field can be any of the following:
• User <user_name> has viewed the memory logs from <ui>.
• User <user_name> has viewed disk logs from <ui>
32010
Message ID
32010
Log Subtype
Admin
Severity
Emergency
Firmware version
FortiOS 4.0 MR3
Meaning
Depending on the content in the msg field, the meaning can be any one of
the following:
• The log roll has reached the maximum number.
• The amount of logs exceeds the disk size and the rolled log file was
deleted.
• The log disk has reached a specific percentage point that, once passed,
the system will either overwrite the logs or stop logging.
• The log is full.
• The space in memory for logs is full.
Fields
Field Description
msg
This field contains any of the following:
• Disk has rolled the max number of times, it will not roll logs again until
deleting of the old rolled logs
• Disk log exceeds <percentage> of disk size. Deleted rolled log file name
<log_name>
• DLP archive is <percentage> full.System will overwrite old DLP archive.
• Log disk is <percentage> full. System will stop logging.
• Log is <percentage> full.
• Memory <percentage> log is <percentage> full.
• Disk logs exceeed full final warning threshold. Deleted rolled log file <file
name>
• Disk logs exceed full final warning threshold. Deleted rolled packet
directory <directory>
• Disk logs eceeed full final warning threshold. Deleted rolled dlp-archive
directory <directory>
Message ID
32010
Log Subtype
Admin
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
Depending on the content in the msg field, the meaning can be any one of
the following:
• The system uploads the oldest log files because the storage is at
capacity.
• The system deletes the oldest log files, then uploads another group of log
files.
• The system deletes the uploaded log files.
Fields
Field Description
action
This field always contains delete. This only appears when the system has
deleted uploaded logs.
msg
This field contains any of the following:
• <string> is <string> full.System will upload oldest <number> logs.
• <string> is <string> full.System will delete oldest <number> uploaded
logs, and upload another oldest <number> un-uploaded logs.
• System deleted logs that are uploaded
32011
Message ID
32011
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The disk log has rolled.
Fields
Field Description
action
The action the FortiGate unit took. This field always contains roll-log.
reason
The reason for rolling the log file. This field contains schedule because the
log was rolled at a specified date and time that was previously configured.
log
The type of log that was rolled. This field contains all.
msg
Disk log has rolled.
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
pri
The level of priority. This field always contains notice.
log
This field always contains all.
Message ID
32011
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The disk log has rolled.
Fields
Field Description
action
The action the FortiGate unit took. This field always contains roll-log.
reason
The reason for rolling the log file. This field contains file-size.
log
The type of log that was rolled.
msg
Disk log has rolled.
Message ID
32011
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The disk log has rolled.
Fields
Field Description
action
The action the FortiGate unit took. This field always contains roll-log.
reason
The reason for rolling the log file. This field contains log-format-change.
log
The type of log that was rolled.
msg
Disk log has rolled.
Message ID
32011
Log Subtype
Admin
Severity
Emergency
Firmware version
FortiOS 4.0 MR3
Meaning
Depending on the content in the msg field, the meaning can be any one of the
following:
• The system’s memory is full and that is why the system entered error
mode.
• The disk is filled to capacity with log files, and that is why the system
entered error mode.
• The system entered error mode but it is unclear as to why.
Fields
Field Description
action
The action the FortiGate unit took. This field always contains error-mode.
reason
The reason for rolling the log file. This field contains memory-log-full, disk-log full or unknown.
msg
This field contains any one of the following:
• CC error: Memory logs are full. System entered error mode.
• CC error: Disk logs are full. System entered error mode.
• CC error: Unknown. System entered error mode.
32012
Message ID
32012
Log Subtype
Admin
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
The FortiGate system is exiting out of error mode.
Fields
Field Description
action
The action the FortiGate unit took. This field always contains exit-error-mode.
msg
System existing out of error mode.
Message ID
32012
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The log disk is almost full, and will resume archiving log data.
Fields
Field Description
msg
Log disk is under <string> full. System will resume logging content archive
data.
32013
Message ID
32013
Log Subtype
Admin
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
A user has cleared the disk log from either the web-based manager or CLI.
Fields
Field Description
user
The name of the user creating the traffic.
log
The log identification number.
msg
User <user_name> has cleared disk log from <ui>
Message ID
32013
Log Subtype
Admin
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
Depending on what appears in the msg field, the meaning can be any one
of the following:
• A user has deleted rolled log files.
• A user cleared all current logs.
• A user has cleared FortiGuard Analysis Service logs from the specified
location.
• A user has removed filtered data from memory logs.
• A user cleared logs associated with the FortiGuard Analysis Service.
• A user has removed filtered data from disk logs.
• A user has deleted one rolled log file from either the web-based manager
or CLI.
• A user has cleared current logs from the disk.
Fields
Field Description
user
The name of the user creating the traffic. For this log message, it can be
user or administrator.
ui
The location of the point-of-entry the user used to access the FortiGate unit
so that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on
the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
period
The period’s information. This field does not always show in all 32013 log
messages.
log
The log identification number.
msg
This field contains any one of the following:
• User <user_name> has deleted rolled <integer> log files from <ui>
• User <user_name> has cleared all current logs <percentage_memory>
from <ui>
• User <user_name> has cleared logs (FortiGuard Log) from <ui>
• A user has cleared FortiGuard logs from the specified location.
• User <administrator_name> has cleared logs (FortiGuard Analysis
Service) from <ui>
• User <user_name> has removed filtered data from memory logs from
<ui>
• User <user_name> has cleared logs (FortiGuard Analysis Service) from
<ui>
• User <user_name> has removed filtered data from disk logs from <ui>
• User <user_name> has deleted 1 rolled <rolled_interger> log file
(<log_file_name>) from <ui>
• User has deleted 1 rolled <string> log (disk) from <ui>
• User <user_name> has cleared current <string> log (disk) from <ui>
32014
Message ID
32014
Log Subtype
Admin
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
Depending on what appears in the msg field, the meaning can be any one
of the following:
• The FDS support license is expiring.
• The FDS AV license is expiring.
• The FDS IPS license is expiring.
• The FortiGuard customer support license expires in the specified number
of days.
• The FortiGuard Antivirus update license will expire in the specified
number of days.
• The FortiGuard IPS update license will expire in the specified number of
days.
• The FortiGuard web filtering license will expire in the specified number of
days.
• The FortiGuard anti-spam license will expire in the specified number of
days.
• The FortiGuard Analysis Service license will expire in the specified
number of days.
• The FortiGuard Management Service license will expire in the specified
number of days.
Fields
Field Description
msg
This field contains any one of the following:
• FDS support license will expire in <integer> day(s)
• FDS AV license will expire in <integer> day(s)
• FDS IPS license will expire in <integer> day(s)
• FortiGuard customer support license will expire in <value> day(s)
• FortiGuard AV update license will expire in <value> day(s)
• FortiGuard IPS update license will expire in <value> day(s)
• FortiGuard web filtering license will expire in <value> day(s)
• FortiGuard anti-spam license will expire in <value> day(s)
• FortiGuard analysis service license will expire in <value> day(s)
• FortiGuard management service license will expire in <value> day(s)
32015
Message ID
32015
Log Subtype
Admin
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
Log disk is full.
Fields
Field Description
msg
Log disk is <percentage> full
32016
Message ID
32016
Log Subtype
Admin
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
The FortiGuard disk quota is full and the system will either overwrite or stop
logging when the quota is used.
Fields
Field Description
msg
FortiGuard disk quota is <value> use. System will {overwrite | no log} once
passed all quota is used.
Message ID
32016
Log Subtype
Admin
Severity
Emergency
Firmware version
FortiOS 4.0 MR3
Meaning
The FortiGuard Analysis Service disk quota is full and the system will either
overwrite or stop logging when the quota is used.
Fields
Field Description
msg
FortiGuard Analysis Service disk quota is <value> used. System will
{overwrite | no log} once passed all quota is used.
Message ID
32016
Log Subtype
Admin
Severity
Emergency
Firmware version
FortiOS 4.0 MR3
Meaning
The FortiGuard Analysis Service disk quota is full.
Fields
Field Description
msg
FortiGuard Analysis Service disk quota is <value> used.
Message ID
32016
Log Subtype
Admin
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
The FortiGuard Analysis Service disk quota is full.
Fields
Field Description
msg
FortiGuard Analysis Service disk quota is <value> used. System will
{overwrite | no log} once the full quota is used.
Message ID
32016
Log Subtype
Admin
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
The FortiGate unit has stopped logging to the FortiGuard Analysis server
because of the amount of disk quota that has been used. Logging will
resume after an amount of time has passed, in seconds.
Fields
Field Description
msg
FortiGuard Analysis Service disk quota is <value> used. System stops
logging until <seconds> later.
Message ID
32016
Log Subtype
Admin
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
The user failed to view logs from a specified location.
Fields
Field Description
user
The name of the user creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit
so that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on
the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
msg
This field contains any one of the following:
• User <user_name> failed to access the <log_file_name> logs from <ui>
• User <user_name> failed to access the <log_file_name> logs from <ui>
32017
Message ID
32017
Log Subtype
Admin
Severity
Alert
Firmware version
FortiOS 4.0 MR3
Meaning
Depending on what appears in the msg field, the meaning can be any one
of the following:
• The FortiGuard daily quota is reached.
• The FortiGuard Analysis Service daily quota is full.
Fields
Field Description
msg
This field contains any one of the following:
• FortiGuard daily quota is reached. System stops logging until <value>
sec later.
• FortiGuard Analysis Service daily quota is reached. System stops logging
until <seconds> sec later.
32020
Log Subtype
Admin
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
A corrupted MAC packet was detected.
Fields
Field Description
user
The name of the user creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit
so that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on
the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
action
The action information.
status
The status information.
reason
The reason information.
profile
The name of the profile that was used to detect and take action.
msg
Corrupted MAC packet detected.
32021
Message ID
32021
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The user disabled the virtual domain root from the web-based manager,
CLI or console.
Fields
Field Description
ui
The location of the point-of-entry the user used to access the FortiGate unit
so that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on
the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
msg
User <user_name> disabled virtual domain root from <ui ip_address>>
32022
Message ID
32022
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The administrator enabled a virtual domain.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit
so that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on
the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
msg
User <admin_name> enabled virtual domain <vd_name> from
<ui(<ip_address>)>
32086
Message ID
32086
Log Subtype
Admin
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
The system has been changed to Transparent mode (LCD) from the LCD
interface.
Fields
Field Description
user
The administrator who is creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit
so that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on
the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
Note: In this log message, this field always contains lcd.
action
The action that was taken.
status
This field always contains success.
msg
System has been changed to transparent mode LCD via LCD.
32087
Message ID
32087
Log Subtype
Admin
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
The system has been changed to NAT/Route mode (LCD) from the LCD
interface.
Fields
Field Description
user
The administrator who is creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit
so that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on
the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
Note: In this log message, this field always contains lcd.
action
The action that was taken.
status
This field always contains success.
msg
System has been changed to NAT mode LCD via LCD.
32140
Message ID
32140
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The administrator changed the operation mode to Transparent.
Fields
Field Description
user
The name of the user creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit
so that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on
the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
field
This field contains mode.
old_value
The mode that the FortiGate unit was previously in. This field contains
either NAT or TP, depending on what mode the FortiGate unit was
previously in.
new_value
The mode that the FortiGate unit is now in. This field contains either NAT or
TP, depending on what mode the FortiGate unit was changed to.
msg
User <administrator_name> changed to TP opmode from
<ui>(<ip_address>
Message ID
32140
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The administrator changed the global settings on the FortiGate unit,
allowing virtual domain configuration.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit
so that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password
on the FortiGate-51B (IP address is 10.10.20.5). This field shows their
point-of-entry in this field, GUI(10.10.20.5).
action
The status of the virtual domain feature. This field always contains enable.
field
This field always contains virtual-domain.
msg
User <admin_name> changed global settings from <ui(<ip_address>)>
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
pri
The priority level. This field always contains notice.
32141
Message ID
32141
Log Subtype
Admin
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
The specified interface received a new DHCP lease address.
Fields
Field Description
msg
interface <interface_name> gets a DHCP lease, ip:<ip_address>,
mask:<netmask>, gateway:<gateway_ip>, lease expires:<day_of_week>
<month> <date> <hh:mm:ss:> <yyyy>
vd
The name of the virtual domain in which the action occurred. If no virtual domains
exist, this field always contains root.
pri
The priority level. This field is always information.
id
The identification number.
32095
Message ID
32095
Log Subtype
Admin
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
The specified administrator has performed a specified action on the FortiGate
unit.
Fields
Field Description
user
The name of the user creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit so
that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on the
FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in
this field, GUI(10.10.20.5).
action
The type of action that the FortiGate unit took. This field contains any one of the
following:
• reboot
• shutdown
• reload
• backup
• factory_reset
• restore (all types of configuration files)
• upgrade (upgrade the firmware)
• switch_mode
• download (all types of configuration files)
• upload
• clear_mlog (clear all log in memory buffer)
• del_log (delete log)
• update (virus or IPS signatures)
• downgrade (downgrade the firmware)
• del_session (delete session)
• bootup
status
This field contains either success or failure.
msg
<action_type OR file_name> by user <administrator_name> via <ui>
Note: The beginning of the sentence depends on what type of action was taken,
and if a file was downloaded or not.
Message ID
32095
Log Subtype
Admin
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
A user has downloaded a log file from the firewall from within the web-based
manager.
Fields
Field Description
user
The name of the user creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit so
that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on the
FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in
this field, GUI(10.10.20.5).
Note: In this log message, the location is the web-based manager.
action
The type of action that the FortiGate unit took. This field contains any one of the
following:
• reboot
• shutdown
• reload
• backup
• factory_reset
• restore (all types of configuration files)
• upgrade (upgrade the firmware)
• switch_mode
• download (all types of configuration files)
• upload
• clear_mlog (clear all log in memory buffer)
• del_log (delete log)
• update (virus or IPS signatures)
• downgrade (downgrade the firmware)
• del_session (delete session)
• bootup
status
This field contains either success or failure.
hash
The hash information.
file
The name of the log file.
msg
<action_type OR file_name> by user <administrator_name> via <ui>
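A triage sketch for the Event-Administration messages above that matter most for detection, added here as an example and not taken from Fortinet's documentation: it separates 32002 alarm tests from real failed logins using msg, counts failures per source, and flags log removal (32013, and 32095 with clear_mlog or del_log) and the 32010 stop-logging warning. The sample lines are constructed; the key=value layout and the log_id key whose last five digits carry the Message ID are assumptions about the raw format, which this section does not show.

```python
import re
from collections import Counter

# Constructed sample lines. Assumptions: key=value layout, and a log_id key
# whose last five digits are the Message ID. Field names (user, ui, action,
# status, msg) and msg wording follow the entries in this reference.
SAMPLE_LOGS = [
    'log_id=0104032001 user="admin_123" ui=GUI(10.10.20.5) action=login status=success '
    'msg="Administrator admin_123 logged in successfully from GUI(10.10.20.5)"',
    'log_id=0104032002 user="admin" ui=cli action=login status=failed msg="Alarm testing"',
    'log_id=0104032002 user="admin" ui=GUI(192.0.2.44) action=login status=failed '
    'msg="Administrator admin login failed from GUI(192.0.2.44)"',
    'log_id=0104032002 user="admin" ui=GUI(192.0.2.44) action=login status=failed '
    'msg="Administrator admin login failed from GUI(192.0.2.44)"',
    'log_id=0104032002 user="admin" ui=GUI(192.0.2.44) action=login status=failed '
    'msg="Administrator admin login failed from GUI(192.0.2.44)"',
    'log_id=0104032013 user="admin_123" '
    'msg="User admin_123 has cleared disk log from GUI(10.10.20.5)"',
    'log_id=0104032095 user="admin_123" ui=GUI(10.10.20.5) action=del_log status=success '
    'msg="del_log by user admin_123 via GUI(10.10.20.5)"',
    'log_id=0104032010 msg="Log disk is 95% full. System will stop logging."',
    'log_id=0104032095 user="admin_123" ui=GUI(10.10.20.5) action=backup status=success '
    'msg="backup by user admin_123 via GUI(10.10.20.5)"',
]

PAIR_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')   # key=value or key="quoted value"
SOURCE_RE = re.compile(r'\(([^)]+)\)')           # address inside GUI(10.10.20.5)
LOG_REMOVAL_ACTIONS = {"clear_mlog", "del_log"}  # 32095 action values listed above


def parse_line(line):
    """Split one key=value log line into a dict, unquoting quoted values."""
    fields = {}
    for key, raw, quoted in PAIR_RE.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


def message_id(fields):
    """Return the five-digit Message ID, or None if log_id is missing or malformed."""
    tail = fields.get("log_id", "")[-5:]
    return int(tail) if len(tail) == 5 and tail.isdigit() else None


def source_of(fields):
    """Prefer the address in ui; fall back to the one embedded in msg."""
    ui = fields.get("ui", "")
    match = SOURCE_RE.search(ui) or SOURCE_RE.search(fields.get("msg", ""))
    return match.group(1) if match else (ui or "unknown")


def classify(fields):
    """Map a parsed line to a triage category, or None if it is not of interest."""
    mid = message_id(fields)
    msg = fields.get("msg", "")
    if mid == 32002:
        # One ID covers alarm tests and real failures; only msg tells them apart.
        # Anything that is not an alarm test is counted as a failed login.
        return "alarm-test" if msg.startswith("Alarm testing") else "failed-admin-login"
    if mid == 32013:
        return "log-removal"
    if mid == 32095 and fields.get("action") in LOG_REMOVAL_ACTIONS:
        return "log-removal"
    if mid == 32010 and "stop logging" in msg:
        return "logging-gap"
    return None


def triage(lines, threshold=3):
    """Return (findings, sources with at least `threshold` failed admin logins)."""
    findings, failures = [], Counter()
    for line in lines:
        fields = parse_line(line)
        category = classify(fields)
        if category is None or category == "alarm-test":
            continue
        source = source_of(fields)
        findings.append((message_id(fields), category, fields.get("user"), source))
        if category == "failed-admin-login":
            failures[source] += 1
    return findings, sorted(src for src, n in failures.items() if n >= threshold)


if __name__ == "__main__":
    found, repeated = triage(SAMPLE_LOGS)
    for item in found:
        print(item)
    print("repeated failed logins from:", repeated)
```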
32101
Message ID
32101
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The administrator added a new access profile.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit so
that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on the
FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in
this field, GUI(10.10.20.5).
profile
The name of the administration access profile that was created.
msg
User <administrator_name> added new access profile <string> from {GUI | CLI |
console}
vd
The name of the virtual domain in which the action occurred. If no virtual domains
exist, this field always contains root.
pri
The priority level. This field always contains notice.
Message ID
32101
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The administrator changed the configuration from the LCD interface.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit so
that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on the
FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in
this field, GUI(10.10.20.5).
msg
<administrator_name> by <ui>
32102
Message ID
32102
Log Subtype
Admin
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
The administrator added a local certificate, and it is being generated.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit so
that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on the
FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in
this field, GUI(10.10.20.5).
msg
User <admin_name> made a change via <ui(<ip_address>)>: VPN local
certificate <cert_name> has been generated.
vd
The name of the virtual domain in which the action occurred. If no virtual domains
exist, this field always contains root.
pri
The priority level. This field always contains information.
module
This field always contains VPN.
submodule
This field always contains cert-local.
Message ID
32102
Log Subtype
Admin
Severity
(Variable): can be any severity level
Firmware version
FortiOS 4.0 MR3
Meaning
A user has changed the configuration.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit so
that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on the
FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in
this field, GUI(10.10.20.5).
module
The module information.
submodule
The submodule information.
msg
User <admin_name> made a change from <ui>
Message ID
32102
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
A new firmware image is available from FortiGuard.
Fields
Field Description
user
This field always contains system.
action
The action that was taken. This field always contains firmware.
status
The status of the firmware. This field always contains new.
msg
New firmware is available from FortiGuard.
Message ID
32102
Log Subtype
Admin
Severity
(Variable): can be any severity level
Firmware version
FortiOS 4.0 MR3
Meaning
A user has changed the configuration for a specific submodule from a specific
location.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit so
that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on the
FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in
this field, GUI(10.10.20.5).
module
The module information.
submodule
The submodule information.
msg
User <admin_name> made a change via <ui>: <ip_address>
32103
Message ID
32103
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
A user deleted an access profile.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit so
that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on the
FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in
this field, GUI(10.10.20.5).
profile
The name of the access profile.
msg
User <administrator_name> deleted an access profile <profile_name> from
<string>
32104
Message ID
32104
Log Subtype
Admin
Severity
Critical
Firmware version
FortiOS 4.0 MR3
Meaning
An administrator has failed to update the FortiGate unit.
Fields
Field Description
admin
The name of the administrator creating the traffic.
msg
FortiGate <string> failed
32105
Message ID
32105
Log Subtype
Admin
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
Depending on what appears in the msg field, the meaning can be any one of the
following:
• An administrator has updated the databases and engines successfully.
• An administrator has updated AV database successfully.
• An administrator has updated the IDS database successfully.
Fields
Field Description
admin
The name of the administrator creating the traffic.
status
This field always contains update.
virdb
This field always contains yes.
msg
This field contains any one of the following:
• Fortigate <string> virdb(<value>) idsdb(<value>) aven(<value>) idsen(<value>)
from <string>
• Fortigate updated virdb (<value>)
• Fortigate updated idsdb (<value>)
32120
Message ID
32120
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The administrator added a UTM profile.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit so
that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on the
FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in
this field, GUI(10.10.20.5).
action
The type of action that occurred. In this log message, this field can contain add.
msg
Administrator <admin_name> added an <utm_profile_type> <utm_profile_name>
from <ui(<ip_address>)>.
Note: The UTM profile type can be a sensor, such as DLP or IPS.
vd
The name of the virtual domain where the action occurred. If no virtual domains
exist, this field always contains root.
pri
The priority level. This field always contains notice.
cmdb_obj
The type of profile that was used. For example, antivirus.profile.
name
The name of the profile that was used. For example, av_1.
Message ID
32120
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The administrator edited the settings of another administrator.
Fields
Field Description
user
The name of the administrator who is creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit so
that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on the
FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in
this field, GUI(10.10.20.5).
msg
Administrator <admin_name> edited the settings of administrator <admin_name>
from <ui(<ip_address>)>
vd
The name of the virtual domain where the action occurred. If no virtual domains
exist, this field always contains root.
pri
The priority level. This field always contains notice.
name
The name of the administrator whose settings were modified within their account.
Message ID
32120
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The administrator added an admin user.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit so
that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on the
FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in
this field, GUI(10.10.20.5).
msg
User <admin_name> added an admin user <admin_name> from
<ui(<ip_address>)>
vd
The name of the virtual domain where the action occurred. If no virtual domains
exist, this field always contains root.
pri
The priority level. This field always contains notice.
name
The name of the administrator who was added.
Message ID
32120
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The administrator added a new interface.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit so
that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on the
FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in
this field, GUI(10.10.20.5).
msg
User <admin_name> added a new interface <interface_name> from
<ui(<ip_address>)>
vd
The name of the virtual domain where the action occurred. If no virtual domains
exist, this field always contains root.
pri
The priority level. This field always contains notice.
intf
The name of the new interface. For example, interface_1.
Message ID
32120
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The administrator modified the settings within another administrator’s account.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit so
that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on the
FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in
this field, GUI(10.10.20.5).
msg
Administrator <admin_name> edited the settings of administrator <admin_name>
from <ui(<ip_address>)>
vd
The name of the virtual domain where the action occurred. If no virtual domains
exist, this field always contains root.
pri
The priority level. This field always contains notice.
name
The name of the administrator who had their settings modified by another
administrator.
Message ID
32120
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The administrator modified the settings within another administrator’s account.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit so
that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on the
FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in
this field, GUI(10.10.20.5).
msg
User <admin_name> added a user group <user_group_name> from
<ui(<ip_address>)>
vd
The name of the virtual domain where the action occurred. If no virtual domains
exist, this field always contains root.
pri
The priority level. This field always contains notice.
name
The name of the new user group.
Message ID
32120
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The administrator added a new Directory Server (FSAE) entry.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit so
that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on the
FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in
this field, GUI(10.10.20.5).
msg
User <admin_name> added a Directory Server (FSAE) entry <fsae_entry_name>
from <ui(<ip_address>)>
vd
The name of the virtual domain where the action occurred. If no virtual domains
exist, this field always contains root.
pri
The priority level. This field always contains notice.
name
The name of the new FSAE entry.
server
The FSAE’s IP address.
Message ID
32120
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The administrator added a new report dataset.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit so
that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on the
FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in
this field, GUI(10.10.20.5).
name
The name of the report dataset.
msg
User <admin_name> added a report dataset <dataset_name> from <ui>
Message ID
32120
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The administrator added a new report chart widget.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit so
that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on the
FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in
this field, GUI(10.10.20.5).
name
The name of the report chart.
msg
User <admin_user> added a report chart widget <chart_name> from <ui>
Message ID
32120
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The administrator added a report summary entry.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit so
that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on the
FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in
this field, GUI(10.10.20.5).
name
The name of the report summary entry that was added.
msg
User <admin_name> added a report summary entry <summary_entry> from <ui>
32121
Message ID
32121
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The administrator modified settings within a UTM profile.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit so
that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on the
FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in
this field, GUI(10.10.20.5).
action
The type of action that occurred. This field always contains modify.
msg
Administrator <admin_name> changed a <utm_profile_type>
<utm_profile_name> from <ui(<ip_address>)>
Note: The UTM profile can be a sensor, such as DLP or IPS.
vd
The name of the virtual domain where the action occurred. If no virtual domains
exist, this field always contains root.
pri
The priority level. This field is always notice.
cmdb_obj
The type of profile that was used. For example, antivirus.profile.
name
The name of the profile that was used. For example, av_1.
Message ID
32121
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The administrator changed the interface setting.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit so
that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on the
FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in
this field, GUI(10.10.20.5).
intf
The name of the interface of the originating traffic.
field
This field contains either status or mtu.
old
This field contains either up or down.
new
This field contains either up or down.
msg
This field contains any one of the following:
• User <administrator_name> changed the status of interface {internal | external |
dmz | <other>...} from <ui>
• User <administrator_name> changed the mtu setting of interface
<interface_name> from <ui>
• User <administrator_name> changed the ip setting of the interface
<interface_name> from <ui>
32122
Message ID
32122
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The administrator deleted the specified interface.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit so
that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on the
FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in
this field, GUI(10.10.20.5).
msg
User <administrator_name> deleted interface <interface_name> from
<ui(<ip_address>)>
vd
The name of the virtual domain where the action occurred. If no virtual domains
exist, this field always contains root.
pri
The priority level. This field always contains notice.
intf
The name of the interface that was removed.
Message ID
32122
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The administrator deleted the specified interface.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit so
that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on the
FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in
this field, GUI(10.10.20.5).
name
The name of the administrator who was deleted.
msg
User <administrator_name> deleted an admin user <user_name> from <ui>
Message ID
32122
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
An administrator deleted another administrator’s account.
Fields
Field Description
user
The administrator who is creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit so
that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on the
FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in
this field, GUI(10.10.20.5).
msg
User <admin_name> deleted user <admin_user> from <ui(<ip_address>)>
vd
The name of the virtual domain where the action occurred. If no virtual domains
exist, this field always contains root.
pri
The priority level. This field always contains notice.
name
The name of the administrator who was deleted by another administrator.
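The following Python sketch is an added example, not part of the Fortinet reference. It reads administrator-account changes (the "added an admin user", "deleted user" / "deleted an admin user" and "edited the settings of administrator" msg templates listed under 32120 and 32122), splits the ui field into access method and source address, and checks that address against a management subnet. The key=value record framing, the sample records, the 10.10.20.0/24 subnet and the address-less ui value LOCAL are assumptions constructed for the example.

```python
import ipaddress
import re

# Constructed sample records. The key=value framing is an assumption; the field
# names (pri, vd, user, ui, name, intf, msg) and msg wording follow this reference.
SAMPLE_LOGS = [
    'pri=notice vd=root user="admin_123" ui=GUI(10.10.20.5) name="ops_2" '
    'msg="User admin_123 added an admin user ops_2 from GUI(10.10.20.5)"',
    'pri=notice vd=root user="admin_123" ui=GUI(192.0.2.44) name="ops_2" '
    'msg="User admin_123 deleted user ops_2 from GUI(192.0.2.44)"',
    'pri=notice vd=root user="admin_123" ui=GUI(10.10.20.5) intf="interface_1" '
    'msg="User admin_123 added a new interface interface_1 from GUI(10.10.20.5)"',
    # "LOCAL" is a hypothetical ui value, used only to exercise the no-address branch.
    'pri=notice vd=root user="admin_9" ui=LOCAL name="admin_123" '
    'msg="Administrator admin_9 edited the settings of administrator admin_123 from LOCAL"',
]

# Assumed management subnet from which administrative access is expected.
MGMT_NETS = [ipaddress.ip_network("10.10.20.0/24")]

KV_RE = re.compile(r'([\w-]+)=(?:"([^"]*)"|(\S+))')
UI_RE = re.compile(r'^(.+?)\((.+)\)$')

# msg templates for administrator-account changes, taken from the 32120 and
# 32122 entries. Groups: acting administrator, affected administrator.
ACCOUNT_CHANGES = [
    ("admin_added", re.compile(r'^User (\S+) added an admin user (\S+) from ')),
    ("admin_deleted", re.compile(r'^User (\S+) deleted (?:an admin )?user (\S+) from ')),
    ("admin_edited",
     re.compile(r'^Administrator (\S+) edited the settings of administrator (\S+) from ')),
]


def parse_record(line):
    """Split one key=value record into a dict; quoted values may contain spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def parse_ui(ui):
    """Return (method, address) from a ui value such as GUI(10.10.20.5).

    address is None when the value carries no parseable IP address.
    """
    m = UI_RE.match(ui)
    if not m:
        return ui, None
    try:
        return m.group(1), ipaddress.ip_address(m.group(2))
    except ValueError:
        return m.group(1), None


def classify(msg):
    """Return (change, actor, target) for account-change messages, else None."""
    for change, pattern in ACCOUNT_CHANGES:
        m = pattern.match(msg)
        if m:
            return change, m.group(1), m.group(2)
    return None


def review_admin_changes(lines, mgmt_nets=MGMT_NETS):
    """List every administrator-account change with a verdict on its source."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        hit = classify(rec.get("msg", ""))
        if hit is None:
            continue  # some other configuration change
        change, actor, target = hit
        method, source = parse_ui(rec.get("ui", ""))
        if source is None:
            verdict = "no-source-address"
        elif any(source in net for net in mgmt_nets):
            verdict = "ok"
        else:
            verdict = "outside-mgmt-net"
        findings.append({"change": change, "actor": actor, "target": target,
                         "vd": rec.get("vd"), "method": method,
                         "source": source, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for finding in review_admin_changes(SAMPLE_LOGS):
        print(finding)
```

Records whose verdict is not ok are the ones to review first, since an account was added, edited or deleted from an address outside the expected management range or with no address recorded.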
Message ID
32122
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The administrator deleted an IPsec manual key.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit so
that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on the
FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in
this field, GUI(10.10.20.5).
name
The name of the manual key that was deleted by the administrator.
remote-gw
The IP address of the remote gateway.
msg
User <administrator_name> deleted an ipsec manualkey <manualkey_name>
from <ui>
Message ID
32122
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The administrator deleted an FSAE entry.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit so
that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on the
FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in
this field, GUI(10.10.20.5).
msg
User <administrator_name> deleted a Directory Service (FSAE) entry
<fsae_entry_name> from <ui(<ip_address>)>
vd
The name of the virtual domain where the action occurred. If no virtual domains
exist, this field always contains root.
pri
The priority level. This field always contains notice.
name
The name of the entry that was removed from the list.
server
The removed FSAE’s IP address.
Message ID
32122
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
Depending on what appears in the msg field, the meaning can be any one of the
following:
• An administrator deleted a CA certificate.
• An administrator has removed all CA certificates.
• An administrator deleted a local certificate.
• An administrator deleted all local certificates.
• An administrator deleted a CRL certificate.
• An administrator deleted all CRLs.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit so
that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on the
FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in
this field, GUI(10.10.20.5).
name
The name of the administrator who deleted or removed the certificate.
msg
This field contains any one of the following:
• User <administrator_name> removed a CA certificate <certificate_name> from
<ui>
• User <administrator_name> removed all CA certificates from <ui>
• User <administrator_name> deleted a local certificate <certificate_name> from
<ui>
• User <administrator_name> removed all local certificates from <ui>
• User <administrator_name> removed a CRL certificate <certificate_name> from
<ui>
• User <administrator_name> removed all CRL certificates from <ui>
Message ID
32122
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The administrator deleted a dataset.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit so
that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on the
FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in
this field, GUI(10.10.20.5).
name
The name of the report dataset.
msg
User <admin_name> delete a report dataset <dataset_name> from <ui>
Message ID
32122
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The administrator deleted a chart widget.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit so
that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on the
FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in
this field, GUI(10.10.20.5).
name
The name of the report chart widget.
msg
User <admin_name> delete a report chart widget <chart_name> from <ui>
Message ID
32122
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The administrator deleted a chart widget.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit so
that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on the
FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in
this field, GUI(10.10.20.5).
name
The name of the report summary entry.
msg
User <admin_name> delete a report summary entry <summary_entry> from <ui>
32123
Message ID
32123
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The administrator added the specified static route entry.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit so
that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on the
FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in
this field, GUI(10.10.20.5).
status
The status of the route entry. This field contains up.
msg
User <administrator_name> added new static routing entry <seq_number> from
<ui(<ip_address>)>
dst
The destination IP address.
seq
The number that describes where the entry is in the static route entry table.
vd
The name of the virtual domain where the action occurred. If no virtual domains
exist, this field always contains root.
pri
The priority level. This field always contains notice.
device
The interface that will be using the static route.
distance
The distance number.
priority
The priority number.
flags
The flags information.
32124
Message ID
32124
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The administrator made the specified changes to the static route entry.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit so
that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on the
FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in
this field, GUI(10.10.20.5).
seq
The sequence number or the number of the order of that entry within the list.
old_device
The previous interface.
old_distance
The previous hops’ number.
old_priority
The previous administrative priority.
old_dst
The previous destination IP address.
old_status
The previous status. This field contains either up or down.
old_flags
The previous flag string.
new_device
The new interface.
new_distance
The new hops’ number.
new_priority
The new administrative priority.
new_dst
The new destination IP address.
new_status
The new status. This field contains either up or down.
new_flags
The new flag information.
msg
User <administrator_name> changed the setting of a new static routing entry from
<ui>
32125
Message ID
32125
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The administrator deleted the specified static route entry.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit so
that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on the
FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in
this field, GUI(10.10.20.5).
seq
The NAT identification number. For example, the first entry in the table is 1, so this
field displays 1.
device
The interface.
distance
The hops’ number information.
priority
The administrative priority.
dst
The destination IP address.
status
The status. This field contains either up or down.
flags
The flag information.
msg
User <administrator_name> deleted a static routing entry from <ui>
32126
Message ID
32126
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
An administrator added a firewall policy.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit so
that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on the
FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in
this field, GUI(10.10.20.5).
msg
User <administrator_name> added <iptype> firewall central-nat policy
<nat_id_number> from <ui(<ip_address>)>.
seq
The NAT identification number. For example, the first entry in the table is 1, so
this field displays 1.
vd
The name of the virtual domain where the action occurred. If no virtual
domains exist, this field always contains root.
pri
The priority level. This field always contains notice.
orig-addr
The original source IP address.
nat-ippool
The name of the translated IP pool that was applied to the entry.
orig-port
The original source port number.
nat-port
The translated port number range.
32127
Message ID
32127
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
An administrator modified a firewall policy.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit
so that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on
the FortiGate-51B (IP address is 10.10.20.5). This field shows their
point-of-entry in this field, GUI(10.10.20.5).
msg
User <admin_name> changed IPv4 firewall policy <policy_id_number>
from <ui(<ip_address>)>.
seq
The firewall policy identification number.
vd
The name of the virtual domain where the action occurred. If no virtual
domains exist, this field always contains root.
pri
The priority level. This field is always notice.
sintf
The name of the source interface or zone applied to the firewall policy.
dstintf
The name of the destination interface or zone applied to the firewall policy.
saddr
The firewall policy’s selected source address. For example, if you selected all,
then all appears in this field.
daddr
The firewall policy’s selected destination address. For example, if you
selected all, then all appears in this field.
act
The type of action applied to the firewall policy. For example, ACCEPT.
nat
This field contains either no or yes.
iptype
The type of IP address. This can be ipv4 or ipv6, depending on whether you have
configured IPv4 addresses or IPv6 addresses.
schd
The type of firewall schedule that was selected for that firewall policy.
srv
The type of firewall service applied to the firewall policy. For example, ANY.
32128
Message ID
32128
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The administrator deleted a firewall policy.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit
so that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on
the FortiGate-51B (IP address is 10.10.20.5). This field shows their
point-of-entry in this field, GUI(10.10.20.5).
seq
The firewall policy identification number.
sintf
The name of the source interface.
dintf
The name of the destination interface.
saddr
The source IP address.
daddr
The destination IP address.
schd
The name of the schedule.
srv
The network service.
act
The type of action applied to the firewall policy. For example, ACCEPT.
nat
This field contains either no or yes.
log
The log identification number.
iptype
The type of IP address, such as IPv6. This field always contains ipv6.
msg
User <administrator_name> deleted a firewall policy from <ui>
32129
Message ID
32129
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The administrator added a local user.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit
so that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on
the FortiGate-51B (IP address is 10.10.20.5). This field shows their
point-of-entry in this field, GUI(10.10.20.5).
status
The status of the local user. This field always contains enable.
msg
User <admin_name> added local user <user_name> from
<ui(<ip_address>)>
vd
The name of the virtual domain where the action occurred. If no virtual
domains exist, this field always contains root.
pri
The priority level. This field always contains notice.
name
The name of the new local user.
32130
Message ID
32130
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The administrator added a new local administrator. The administrator
changed the specified settings for a local administrator.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit
so that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on
the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
name
The name of the new local administrator.
old_status
The old_status information.
new_status
The new_status information.
passwd
The password information.
msg
User <administrator_name> changed a local user’s setting from <ui>
32131
Message ID
32131
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The administrator added a new local administrator. The administrator
changed the specified settings for a local administrator.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit
so that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on
the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
name
The name of the new administrator.
status
This field contains either enable or disable.
msg
User <administrator_name> deleted a local user <administrator_name>
deleted a local user from <ui>
32132
Message ID
32132
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The administrator added a RADIUS server.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit
so that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on
the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
msg
User <admin_name> added radius server <radius_name> from
<ui(<ip_address>)>
vd
The name of the virtual domain where the action occurred. If no virtual
domains exist, this field always contains root.
pri
The priority level. This field always contains notice.
name
The name of the new RADIUS server.
server
The RADIUS server’s IP address.
Message ID
32132
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The administrator added a TACACS+ server.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit
so that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on
the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
msg
User <admin_name> added TACACS+ server <tacacs+_name> from
<ui(<ip_address>)>
vd
The name of the virtual domain where the action occurred. If no virtual
domains exist, this field always contains root.
pri
The priority level. This field always contains notice.
name
The name of the new TACACS+ server.
server
The TACACS+ server’s IP address.
32133
Message ID
32133
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The administrator made the specified changes to the RADIUS server entry.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit
so that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on
the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
name
The name of the administrator.
old_server
The previous server’s IP address.
new_server
The new server’s IP address.
secret
The server’s encrypted password.
msg
User <administrator_name> changed a radius server
<radius_server_name> setting from <ui>
32134
Message ID
32134
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The administrator deleted the RADIUS server from the server list.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit
so that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on
the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
name
The name of the administrator.
server
The server’s IP address.
msg
User <administrator_name> deleted a radius server
<radius_server_name> from <ui>
32135
Message ID
32135
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The administrator added a new LDAP server to the list.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit
so that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on
the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
msg
User <admin_name> added ldap server <ldap_name> from
<ui(<ip_address>)>
vd
The name of the virtual domain where the action occurred. If no virtual
domains exist, this field always contains root.
pri
The priority level. This field always contains notice.
name
The name of the new LDAP server.
server
The LDAP server’s IP address.
32136
Message ID
32136
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The administrator made the specified changes to an LDAP server entry.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit
so that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on
the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
name
The name of the administrator.
old_server
The previous server’s IP address.
old_port
The previous server’s port number.
old_cn
The previous CN value.
old_dn
The previous DN value.
new_server
The new server’s IP address.
new_port
The new server’s port number.
new_cn
The new CN value.
new_dn
The new DN value.
msg
User <administrator_name> changed an ldap server <ldap_server_name>
setting from <ui>
32137
Message ID
32137
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The administrator deleted the LDAP server from the list.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit
so that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on
the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
name
The name of the administrator.
server
The server’s IP address.
msg
User <administrator_name> deleted an ldap user from <ui>
Message ID
32137
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
An IM/P2P user was deleted.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit
so that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on
the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
name
The name of the administrator.
policy
The firewall policy identification number.
msg
User <user_name> deleted im/p2p <im/p2puser_name> user
<user_name> from <ui>
32138
Message ID
32138
Log Subtype
Admin
Severity
Critical
Firmware version
FortiOS 4.0 MR3
Meaning
The administrator either rebooted or shut down the FortiGate unit.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit
so that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on
the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
action
This field is either reboot or shutdown.
msg
User <administrator_name> rebooted the device from <ui>. The reason is
“<reason>”
vd
The name of the virtual domain where the action occurred. If no virtual
domains exist, this field always contains root.
pri
The priority level. This field always contains critical.
32139
Message ID
32139
Log Subtype
Admin
Severity
Critical
Firmware version
FortiOS 4.0 MR3
Meaning
The administrator reset the FortiGate unit to its default settings.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit
so that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on
the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
action
This field contains factory-reset.
msg
User <administrator_name> reset to the factory settings from <ui>
vd
The name of the virtual domain where the action occurred. If no virtual
domains exist, this field always contains root.
pri
The priority level. This field always contains critical.
Message ID
32139
Log Subtype
Admin
Severity
Critical
Firmware version
FortiOS 4.0 MR3
Meaning
The administrator or user formatted the log disk on the FortiGate unit.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit
so that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on
the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
action
This field always contains format-disk.
msg
User <administrator_name> formatted the log disk from <ui>
vd
The name of the virtual domain where the action occurred. If no virtual
domains exist, this field always contains root.
pri
The priority level. This field always contains critical.
Message ID
32139
Log Subtype
Admin
Severity
Critical
Firmware version
FortiOS 4.0 MR3
Meaning
The administrator restored a firmware image.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit
so that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on
the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
action
This field contains any one of the following:
• restore-image
• restore-configuration
• restore-all-configuration
msg
User <administrator_name> restored the image from <ui(<ip_address> ->
<ip_address>)
vd
The name of the virtual domain where the action occurred. If no virtual
domains exist, this field always contains root.
pri
The priority level. This field always contains critical.
Message ID
32139
Log Subtype
Admin
Severity
Critical
Firmware version
FortiOS 4.0 MR3
Meaning
Depending on what appears in the msg field, the meaning can be any one of
the following:
• The auto-install restored the configuration using the USB key.
• The auto-install restored the firmware image using the USB key.
Fields
Field Description
user
The name of the administrator creating the traffic. In this log message, this
field always contains auto-install. This means that the FortiGate unit
automatically installed the image itself.
ui
The location of the point-of-entry the user used to access the FortiGate unit
so that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on
the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
In this log message, this field always contains usb.
action
This field always contains restore-image.
msg
This field contains any one of the following:
• User auto-install restored the configuration from usb (<ip_address>)
• User auto-install restored the image from usb (<ip_address> ->
<ip_address>)
vd
The name of the virtual domain where the action occurred. If no virtual
domains exist, this field always contains root.
pri
The priority level. This field always contains critical.
Message ID
32139
Log Subtype
Admin
Severity
Critical
Firmware version
FortiOS 4.0 MR3
Meaning
An administrator has updated the virus engine and/or the IDS
database.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit
so that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on
the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
action
This field contains update.
msg
This field contains any one of the following:
• User <administrator_name> requested a virus and IDS engine/definitions
update from <ui>
• User <administrator_name> requested an IDS engine/definitions update
from <ui>
vd
The name of the virtual domain where the action occurred. If no virtual
domains exist, this field always contains root.
pri
The priority level. This field always contains critical.
Message ID
32139
Log Subtype
Admin
Severity
Critical
Firmware version
FortiOS 4.0 MR3
Meaning
Depending on what appears in the msg field, the meaning can be any one of
the following:
• The system encountered an error when trying to restore an image from the
FortiGuard Analysis and Management Service.
• The system restored an image from the FortiGuard Analysis and
Management Service.
• The system restored a template from the management station.
• The system failed to load a configuration file from the management
station.
Fields
Field Description
user
The name of the administrator creating the traffic. In this log message, this
field contains system.
ui
The location of the point-of-entry the user used to access the FortiGate unit
so that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on
the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
action
This field contains any one of the following:
• restore-image
• restore-template
• restore-configuration
msg
This field contains any one of the following:
• System loaded an image from FortiGate Management, the new image has
an invalid CC signature.
• System restored the image from FortiGuard Management (<ip_address>
-> <ip_address>)
• System restored configuration template <template_name> from
management station.
• System failed to restore configuration from management station.
vd
The name of the virtual domain where the action occurred. If no virtual
domains exist, this field always contains root.
pri
The priority level. This field always contains critical.
Message ID
32139
Log Subtype
Admin
Severity
Critical
Firmware version
FortiOS 4.0 MR3
Meaning
Depending on what appears in the msg field, the meaning can be any one of
the following:
• The administrator loaded an image with a valid RSA signature from a
FortiManager unit, which includes a new public key.
• The administrator loaded a firmware image from a FortiManager unit and
that image has an invalid or no RSA signature.
• The administrator loaded an image with a valid RSA signature from a
FortiManager unit.
• The administrator updated the firmware image from a FortiManager unit.
Fields
Field Description
user
The name of the administrator creating the traffic. In this log message, this
field contains system.
ui
The location of the point-of-entry the user used to access the FortiGate unit
so that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on
the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
action
This field always contains update-image.
msg
This field contains any one of the following:
• User <user_name> loaded an image from FortiManager, the new image
does have a valid RSA signature with new public key.
• User <user_name> loaded an image from FortiManager, the new image
has an invalid RSA signature.
• User <user_name> loaded an image from FortiManager, the new image
does have a valid signature.
• User <user_name> loaded an image from FortiManager, the new image
does not have a valid RSA signature.
• User <user_name> updated the image from FortiManager (<ip_address>
-> <ip_address>)
vd
The name of the virtual domain where the action occurred. If no virtual
domains exist, this field always contains root.
pri
The priority level. This field always contains critical.
Message ID
32139
Log Subtype
Admin
Severity
Critical
Firmware version
FortiOS 4.0 MR3
Meaning
The administrator loaded a diagnostic application.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit
so that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on
the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
action
This field contains loaded-diag-app.
msg
User <administrator_name> loaded a diagnostic application from <ui> with
serial number <serial_number>. The executable result= <string>
vd
The name of the virtual domain where the action occurred. If no virtual
domains exist, this field always contains root.
pri
The priority level. This field always contains critical.
Message ID
32139
Log Subtype
Admin
Severity
Critical
Firmware version
FortiOS 4.0 MR3
Meaning
Depending on what appears in the msg field, the meaning can be any one of
the following:
• The system loaded an image that contains an invalid RSA signature.
• The administrator uploaded an image with an invalid RSA signature.
• The administrator uploaded an image with a valid RSA signature and new
public key.
• The administrator uploaded an image with a valid RSA signature.
• The administrator uploaded an image that does not have a valid RSA
signature.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit
so that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on
the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
action
This field contains loaded-image.
msg
This field contains any one of the following:
• System loaded an image from FortiGuard Management, the new image
has an invalid RSA signature
• User <administrator_name> loaded an image from <ui>, the new image
has an invalid signature.
• User <administrator_name> loaded an image from <ui>, the new image
does have a valid RSA signature with a new public key.
• User <administrator_name> loaded an image from <ui>, the new image
does have a valid RSA signature.
• User <administrator_name> loaded an image from <ui>, the new image
does not have a valid RSA signature.
vd
The name of the virtual domain where the action occurred. If no virtual
domains exist, this field always contains root.
pri
The priority level. This field always contains critical.
Message ID
32139
Log Subtype
Admin
Severity
Critical
Firmware version
FortiOS 4.0 MR3
Meaning
Depending on what is in the msg field, the meaning can be any one of the
following:
• The administrator restored a FortiClient firmware image.
• The administrator updated the firmware.
• The administrator restored a firmware image.
• The administrator successfully restored the configuration file.
• The administrator failed to restore the configuration file.
• The administrator restored a complete configuration.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit
so that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on
the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
action
This field contains any one of the following:
• restore-forticlient
• update
• restore-image
• restore-configuration
• restore-all-configuration
msg
This field contains any one of the following:
• User <administrator_name> restored the image <image_name> from <ui>
• User <administrator_name> updated the firmware from <ui>
• User <administrator_name> restored image from <ui>(<ip_address> ->
<ip_address>)>
• User <administrator_name> restored the configuration from <ui>
• User <administrator_name> failed to restored the configuration from <ui>
• User <administrator_name> restored all the configuration from <ui>
vd
The name of the virtual domain where the action occurred. If no virtual
domains exist, this field always contains root.
pri
The priority level. This field always contains critical.
Message ID
32139
Log Subtype
Admin
Severity
Critical
Firmware version
FortiOS 4.0 MR3
Meaning
The administrator either loaded a firmware image that does not support CC
mode or the image has an invalid CC signature.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit
so that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on
the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
action
This field contains either loaded-image or update-image.
msg
This field contains any one of the following:
• User <administrator_name> loaded the image from <ui> the new image
does not support CC mode.
• User <administrator_name> loaded an image from <ui>, the new image
has an invalid CC signature.
vd
The name of the virtual domain where the action occurred. If no virtual
domains exist, this field always contains root.
pri
The priority level. This field always contains critical.
Message ID
32139
Log Subtype
Admin
Severity
Critical
Firmware version
FortiOS 4.0 MR3
Meaning
The administrator imported a certificate.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit
so that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on
the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
action
This field contains import-certificate.
msg
User <administrator_name> imported the certificate from <ui>
vd
The name of the virtual domain where the action occurred. If no virtual
domains exist, this field always contains root.
pri
The priority level. This field always contains critical.
Message ID
32139
Log Subtype
Admin
Severity
Critical
Firmware version
FortiOS 4.0 MR3
Meaning
The administrator loaded a firmware image from a FortiManager unit and
that image has an invalid RSA signature.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit
so that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on
the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
Note: For this log message, the location is FortiManager.
action
This field always contains update-image.
msg
User <user_name> loaded an image from FortiManager, the new image has
an invalid RSA signature.
Message ID
32139
Log Subtype
Admin
Severity
Critical
Firmware version
FortiOS 4.0 MR3
Meaning
Depending on what is in the msg field, the meaning can be any one of the
following:
• The system uploaded a firmware image from the FortiGuard Analysis and
Management Service, however, the image has an invalid CC signature.
• The system uploaded a firmware image from the FortiGuard Analysis and
Management Service, however, the image has an invalid RSA signature.
• The system uploaded a firmware image from the FortiGuard Analysis and
Management Service, and the image has a valid RSA signature with new
public key.
• The system uploaded a firmware image from the FortiGuard Analysis and
Management Service, and the image has a valid RSA signature.
• The system uploaded a firmware image from the FortiGuard Analysis and
Management Service, and the image does not have a valid RSA signature.
• The system restored a firmware image from FortiGuard Analysis and
Management Service.
Fields
Field Description
user
The name of the administrator creating the traffic. For this log message, the
user is the FortiGate system, or system.
ui
The location of the point-of-entry the user used to access the FortiGate unit
so that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on
the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
action
This field contains any one of the following:
• restore-image
• restore-image
• loaded-image
msg
This field contains any one of the following:
• System loaded an image from FortiGuard Management, the new image
has an invalid CC signature.
• System loaded an image from FortiGuard Management, the new image
has an invalid RSA signature.
• System loaded an image from FortiGuard Management, the new image
does have a valid RSA signature with new public key.
• System loaded an image from FortiGuard Management, the new image
does have a valid RSA signature.
• System loaded an image from FortiGuard Management, the new image
does not have a valid RSA signature.
• System restored the image from FortiGuard Management
(<firmware_build> -> <firmware_build>)
Message ID
32139
Log Subtype
Admin
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
Depending on what is in the msg field, the meaning can be any one of the
following:
• The system restored the specified script.
• The system restored a configuration file from the management station.
• The system failed to restore a configuration file from the management
station.
• The system failed to upgrade a firmware image.
• The system failed to restore a firmware image from the management
station.
Fields
Field Description
user
The name of the administrator creating the traffic. For this log message, the
user is the FortiGate system, or system.
ui
The location of the point-of-entry the user used to access the FortiGate unit
so that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on
the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
action
This field contains any one of the following:
• restore-script
• restore-cfg
• restore-<string>
• update-image
msg
This field contains any one of the following:
• System restored script <script_name> from management station.
• System restored <string> file <string> from management station.
• System failed to restore <string> file <string> from management station.
• User <user_name> loaded an image from <ui>, System upgrade failed
due to failed operation file.
• System failed to restore <string> file <string> from management station.
Message ID
32139
Log Subtype
Admin
Severity
Critical
Firmware version
FortiOS 4.0 MR3
Meaning
Depending on what is in the msg field, the meaning can be any one of the
following:
• The administrator formatted the RAID disk.
• The administrator enabled the RAID disk.
• The administrator disabled the RAID disk.
Fields
Field Description
user
The name of the administrator creating the traffic. For this log message, the
user is the FortiGate system, or system.
ui
The location of the point-of-entry the user used to access the FortiGate unit
so that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on
the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
action
This field contains any one of the following:
• format-rebuild-level
• enable-raid
• disable-raid
msg
This field contains any one of the following:
• User <user_name> formatted the RAID disk from <ui>
• User <user_name> enabled RAID from <ui>
• User <user_name> disabled RAID from <ui>
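Message ID 32139 covers many unrelated events (image loads with and without a valid signature, factory reset, log disk format, configuration restore), so an alert rule has to key on the action and msg fields rather than on the ID alone. The following triage code is an added example, not Fortinet code; the key=value line layout, the log_id key name and the category labels are assumptions, and the sample lines are constructed from the msg templates above.

```python
import re

# Assumption: one event per line, space-separated key=value pairs, values with
# spaces double-quoted. Only the field names (user, ui, action, msg, vd, pri)
# come from the reference tables; log_id is a hypothetical key for Message ID.
PAIR_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

IMAGE_ACTIONS = {"loaded-image", "update-image", "restore-image",
                 "restore-forticlient"}
DESTRUCTIVE_ACTIONS = {"factory-reset", "format-disk", "format-rebuild-level",
                       "disable-raid"}
# Hypothetical category labels that should reach an analyst.
REVIEW = {"image-unverified", "image-verified-new-key", "destructive",
          "config-restore-failed", "diag-app-loaded"}


def parse_line(line):
    """Split a key=value log line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, raw in PAIR_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def classify(fields):
    """Map one parsed event to a category using action first, then msg."""
    if fields.get("log_id") != "32139":
        return "not-32139"
    action = fields.get("action", "")
    msg = fields.get("msg", "").lower()
    if action in IMAGE_ACTIONS:
        # The auto-install entry logs restore-image even for a config restore,
        # so the msg text decides.
        if "restored the configuration" in msg:
            return "config-restored"
        # Negative phrases are tested first: "invalid signature" and
        # "does not have a valid" both contain the substring "valid".
        if ("invalid" in msg or "does not have a valid" in msg
                or "does not support cc mode" in msg):
            return "image-unverified"
        if "new public key" in msg:
            return "image-verified-new-key"
        if "does have a valid" in msg:
            return "image-verified"
        return "image-changed"
    if action in DESTRUCTIVE_ACTIONS:
        return "destructive"
    if action.startswith("restore-"):
        # Also matches the template "failed to restored the configuration".
        if "failed to restore" in msg:
            return "config-restore-failed"
        return "config-restored"
    if action == "loaded-diag-app":
        return "diag-app-loaded"
    if action == "import-certificate":
        return "certificate-imported"
    return "other"


def alerts(lines):
    """Return (category, user, ui) for every event that needs review."""
    out = []
    for line in lines:
        fields = parse_line(line)
        category = classify(fields)
        if category in REVIEW:
            out.append((category, fields.get("user"), fields.get("ui")))
    return out


# Constructed sample events (not captured from a device).
SAMPLE_LINES = [
    'log_id=32139 pri=critical vd=root user="admin_123" ui=GUI(10.10.20.5) '
    'action=loaded-image msg="User admin_123 loaded an image from '
    'GUI(10.10.20.5), the new image does not have a valid RSA signature."',
    'log_id=32139 pri=critical vd=root user="admin_123" ui=GUI(10.10.20.5) '
    'action=loaded-image msg="User admin_123 loaded an image from '
    'GUI(10.10.20.5), the new image does have a valid RSA signature with a '
    'new public key."',
    'log_id=32139 pri=critical vd=root user="auto-install" ui=usb '
    'action=restore-image msg="User auto-install restored the configuration '
    'from usb (10.10.20.5)"',
    'log_id=32139 pri=critical vd=root user="admin_123" ui=GUI(10.10.20.5) '
    'action=format-disk msg="User admin_123 formatted the log disk from '
    'GUI(10.10.20.5)"',
    'log_id=32134 pri=notice vd=root user="admin_123" ui=GUI(10.10.20.5) '
    'msg="User admin_123 deleted a radius server rad1 from GUI(10.10.20.5)"',
]

if __name__ == "__main__":
    for alert in alerts(SAMPLE_LINES):
        print(alert)
```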
32140
Message ID
32140
Log Subtype
Admin
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
The administrator changed a global setting.
Fields
Field Description
ui
The location of the point-of-entry the user used to access the FortiGate
unit so that they could change, add, or remove a setting. For example,
the user admin_123 accesses the web-based manager to change their
password on the FortiGate-51B (IP address is 10.10.20.5). This field
shows their point-of-entry in this field, GUI(10.10.20.5).
field
The type of field within the Administration Settings page that was
changed. For example, if you changed the idle timeout, located in
Timeout Settings, this field would contain timeout.
This field contains any one of the following:
• mode
• virtual-domain
• hostname
• ip-overlap
• timeout
• detection-interval
old_value
The previous setting for the type of field before it was changed. For
example, if you changed the idle timeout from the default time, 5m
would appear in this field.
new_value
The new setting for the type of field that was changed.
msg
User <administrator_name> changed <field_type> global setting to
<new_value> from <ui>.
Message ID
32140
Log Subtype
Admin
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
The administrator changed the user authentication settings.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate
unit so that they could change, add, or remove a setting. For example,
the user admin_123 accesses the web-based manager to change their
password on the FortiGate-51B (IP address is 10.10.20.5). This field
shows their point-of-entry in this field, GUI(10.10.20.5).
field
The type of action that was taken. This field always contains auth-timeout.
old_value
The previous timeout period within the authentication settings.
new_value
The new timeout period within the authentication settings.
msg
User <admin_name> changed auth-timeout user setting to
<new_value> from <ui(<ip_address>)>
vd
The name of the virtual domain in which the action occurred. If no
virtual domains exist, this field always contains root.
pri
The priority level. This field always contains notice.
32141
Message ID
32141
Log Subtype
Admin
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
The specified interface has received a new DHCP address. The
address expires at the specified time.
Fields
Field Description
id
The identification number.
msg
interface <interface_name> gets a DHCP lease, ip:<ip_address>,
mask:<netmask>, gateway:<gateway_address>, lease
expires:<name_day><name_month> <date> <hh:mm:ss> <yyyy>
32142
Message ID
32142
Log Subtype
Admin
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
Depending on what appears in the msg field, the meaning can be any
one of the following:
• The administrator backed up the current configuration to a file.
• The administrator backed up the specified file.
• The administrator failed to back up the specified file.
• The administrator backed up all the logs.
• A configuration file was automatically backed up to the management
station successfully.
• The administrator failed to back up all log files.
• The system backed up the configuration file to the FortiGuard
Analysis and Management Service, per a request from the FortiGuard
Analysis and Management Service portal.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate
unit so that they could change, add, or remove a setting. For example,
the user admin_123 accesses the web-based manager to change their
password on the FortiGate-51B (IP address is 10.10.20.5). This field
shows their point-of-entry in this field, GUI(10.10.20.5).
action
The type of action that was taken by the administrator. This field always
contains backup.
reason
The reason for the trigger. For this log message, the service portal of the
FortiGuard Analysis and Management Services was used.
msg
This field contains any one of the following.
• User <administrator_name> backed up the configuration from <ui>
• User <administrator_name> backed up <file_name> log from <ui>
• User <administrator_name> failed to backup <file_name> log from
<ui>
• User <administrator_name> backed up all the logs from <ui>
• Automatic configuration backup to Management Station succeeded
• User <administrator_name> failed to back up all the logs from <ui>
• System backed up configuration to Management Station per service
portal request.
Message ID
32142
Log Subtype
Admin
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
Depending on what appears in the msg field, the meaning can be any
one of the following:
• The administrator backed up a standardized error output by SCP.
• The administrator backed up a batch of mode commands by SCP.
• The administrator failed to update the antivirus package by SCP.
• The administrator successfully updated the antivirus package by SCP.
• The administrator successfully updated the IPS package by SCP.
• The administrator failed to update the IPS package by SCP.
• The administrator failed to update the DLP fingerprint database by
SCP.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate
unit so that they could change, add, or remove a setting. For example,
the user admin_123 accesses the web-based manager to change their
password on the FortiGate-51B (IP address is 10.10.20.5). This field
shows their point-of-entry in this field, GUI(10.10.20.5).
Note: For this log message, location is FortiManager or the
FortiManager unit.
action
The type of action that was taken by the administrator. This field
contains either update or backup.
msg
This field contains any one of the following.
• User <user_name> backed up the result of batch mode commands by
SCP.
• User <user_name> backed up the result of batch mode commands by
SCP.
• User <user_name> failed to update AV package by SCP.
• User <user_name> updated AV package by SCP.
• User <user_name> failed to update IPS package by SCP.
• User <user_name> updated IPS package by SCP.
• User <user_name> failed to update DLP fingerprint database by SCP.
Message ID
32142
Log Subtype
Admin
Severity
Alert
Firmware version
FortiOS 4.0 MR3
Meaning
The administrator deleted a configuration revision from the database.
Fields
Field Description
action
The type of action that was taken by the administrator. This field always
contains delete.
status
This field always contains success.
msg
<configuration_revision_name> has been deleted from revision
database.
Message ID
32142
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
Depending on what is in the msg field, the meaning can be any one of
the following:
• The administrator backed up a configuration file to the management
station.
• The administrator deleted a configuration file from the local hard disk.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate
unit so that they could change, add, or remove a setting. For example,
the user admin_123 accesses the web-based manager to change their
password on the FortiGate-51B (IP address is 10.10.20.5). This field
shows their point-of-entry in this field, GUI(10.10.20.5).
action
The type of action that was taken by the administrator. This field is either
backup or delete.
status
This field always contains success.
msg
This field contains any one of the following:
• User <user_name> backed up the configuration from <ui> to
management station.
• User <user_name> delete the <string> from <string> from flash disk.
32143
Message ID
32143
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The administrator loaded the wrong image type.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate
unit so that they could change, add, or remove a setting. For example,
the user admin_123 accesses the web-based manager to change their
password on the FortiGate-51B (IP address is 10.10.20.5). This field
shows their point-of-entry in this field, GUI(10.10.20.5).
action
The type of action that was taken by the administrator. This field always
contains loaded-image.
msg
User <administrator_name> loaded a wrong image from <ui>
Message ID
32143
Log Subtype
Admin
Severity
Critical
Firmware version
FortiOS 4.0 MR3
Meaning
The administrator changed the policy routing entry.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate
unit so that they could change, add, or remove a setting. For example,
the user admin_123 accesses the web-based manager to change their
password on the FortiGate-51B (IP address is 10.10.20.5). This field
shows their point-of-entry in this field, GUI(10.10.20.5).
msg
User <administrator_name> changed policy routing entry
<incoming_interface> from <ui(<ip_address>)>
vd
The name of the virtual domain in which the action occurred. If no
virtual domains exist, this field always contains root.
pri
The priority level. This field always contains notice.
old_iff
The previous incoming interface.
new_iff
The new incoming interface.
32144
Message ID
32144
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
An administrator added a policy routing entry.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate
unit so that they could change, add, or remove a setting. For example,
the user admin_123 accesses the web-based manager to change their
password on the FortiGate-51B (IP address is 10.10.20.5). This field
shows their point-of-entry in this field, GUI(10.10.20.5).
msg
User <admin_name> added policy routing entry
<outgoing_interface_name> from <ui(<ip_address>)>
src
The source IP address.
dst
The destination IP address.
vd
The name of the virtual domain in which the action occurred. If no
virtual domains exist, this field always contains root.
pri
The priority level. This field always contains notice.
iff
The “if” interface. In the policy routing entry, you must specify the
interface “if”.
ipproto
The IP protocol number.
ports
The destination port range. For example ports 1-65535.
off
The outgoing interface. This is the interface that was chosen in the
section Force traffic to: on the New Routing Policy page.
gw
The gateway IP address.
32145
Message ID
32145
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
An administrator deleted a policy routing entry.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate
unit so that they could change, add, or remove a setting. For example,
the user admin_123 accesses the web-based manager to change their
password on the FortiGate-51B (IP address is 10.10.20.5). This field
shows their point-of-entry in this field, GUI(10.10.20.5).
iff
The name of the incoming interface.
src
The source IP address.
dst
The destination IP address.
proto
The name of the protocol.
ports
The range of port numbers.
off
The outgoing interface.
gw
The gateway IP address.
msg
User <administrator_name> deleted a policy routing entry
Message ID
32145
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
Found a new neighbor.
Fields
Field Description
msg
Found a new connection to <connection_name> (<connection_ip>)
Message ID
32145
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
Lost a neighbor.
Fields
Field Description
msg
Found a new connection to <connection_name> (<connection_ip>)
32148
Message ID
32148
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
An administrator requested a CRL update.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate
unit so that they could change, add, or remove a setting. For example,
the user admin_123 accesses the web-based manager to change their
password on the FortiGate-51B (IP address is 10.10.20.5). This field
shows their point-of-entry in this field, GUI(10.10.20.5).
action
The type of action that was taken. This field is always crl-update.
crl
The name of the CRL.
msg
User <administrator_name> requested a CRL update from <ui>
Message ID
32148
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The specified administrator changed a configuration.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate
unit so that they could change, add, or remove a setting. For example,
the user admin_123 accesses the web-based manager to change their
password on the FortiGate-51B (IP address is 10.10.20.5). This field
shows their point-of-entry in this field, GUI(10.10.20.5).
action
The type of action the administrator took.
obj
The object information.
entry
The entry information.
msg
Administrator <administrator_name> of <location> from {GUI CLI}
32149
Message ID
32149
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
A command failure occurred.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate
unit so that they could change, add, or remove a setting. For example,
the user admin_123 accesses the web-based manager to change their
password on the FortiGate-51B (IP address is 10.10.20.5). This field
shows their point-of-entry in this field, GUI(10.10.20.5).
ret
The ret value information.
msg
Command failed: <value>. Return code <value>
32150
Message ID
32150
Log Subtype
Admin
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
An administrator changed the password of another administrator.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate
unit so that they could change, add, or remove a setting. For example,
the user admin_123 accesses the web-based manager to change their
password on the FortiGate-51B (IP address is 10.10.20.5). This field
shows their point-of-entry in this field, GUI(10.10.20.5).
action
The action that was taken by the user. This field always contains
password-changed.
field
This field always contains password.
msg
Admin user <admin_name> changed password of admin user
<admin_user>
vd
The name of the virtual domain in which the action occurred. If no
virtual domains exist, this field always contains root.
pri
The priority level. This field always contains warning.
admin-user
The name of the administrator who had their password changed.
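The following is an added example, not part of the Fortinet reference: a small triage pass over Admin-subtype event lines that uses the ui, action, field, old_value, new_value and admin-user fields documented above for message IDs 32140, 32142 and 32150. It assumes the logs arrive as space-separated key=value pairs with a log_id key holding the message ID; the sample lines and the management subnet are constructed for illustration.

```python
import ipaddress
import re

# Assumption: administrators are expected to connect from this subnet (constructed value).
MGMT_NET = ipaddress.ip_network("10.10.20.0/24")

# key=value pairs; a value is either "quoted text" or a run of non-space characters.
KV_RE = re.compile(r'([\w-]+)=(?:"([^"]*)"|(\S*))')
# The ui field has the form GUI(10.10.20.5); some entry points carry no address.
UI_RE = re.compile(r"^(?P<iface>[^()]+)(?:\((?P<ip>[^()]+)\))?$")


def parse_line(line):
    """Return the fields of one log line as a dict."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def parse_ui(ui):
    """Split a ui value into (entry point, ip address or None)."""
    m = UI_RE.match(ui or "")
    if not m:
        return (ui, None)
    ip = m.group("ip")
    try:
        ip = ipaddress.ip_address(ip) if ip else None
    except ValueError:
        ip = None  # the parentheses held something other than an IP address
    return (m.group("iface"), ip)


def triage(lines, mgmt_net=MGMT_NET):
    """Return (message id, reason) pairs for admin events worth a second look."""
    findings = []
    for line in lines:
        f = parse_line(line)
        log_id = f.get("log_id", "")
        iface, ip = parse_ui(f.get("ui"))
        # Any administrative change whose point-of-entry is outside the management subnet.
        if ip is not None and ip not in mgmt_net:
            findings.append((log_id, f"admin action via {iface} from {ip}, outside {mgmt_net}"))
        # 32150: one administrator changed the password of another administrator.
        if log_id == "32150" and f.get("user") != f.get("admin-user"):
            findings.append((log_id, f"{f.get('user')} changed password of {f.get('admin-user')}"))
        # 32142 with action=delete: a configuration revision or file was deleted.
        elif log_id == "32142" and f.get("action") == "delete":
            findings.append((log_id, "configuration revision or file deleted"))
        # 32140 timeout changes: report old and new value for review.
        elif log_id == "32140" and f.get("field") in ("timeout", "auth-timeout"):
            findings.append(
                (log_id, f"{f.get('field')} changed {f.get('old_value')} -> {f.get('new_value')}")
            )
    return findings


# Constructed sample lines (not captured from a real device).
SAMPLE = [
    'log_id=32150 type=event subtype=admin pri=warning vd=root user=admin_123 '
    'ui=GUI(10.10.20.5) action=password-changed field=password admin-user=backup_admin '
    'msg="Admin user admin_123 changed password of admin user backup_admin"',
    'log_id=32142 type=event subtype=admin pri=alert action=delete status=success '
    'msg="rev_12 has been deleted from revision database."',
    'log_id=32140 type=event subtype=admin pri=information user=admin_123 '
    'ui=GUI(192.0.2.44) field=timeout old_value=5m new_value=480m '
    'msg="User admin_123 changed timeout global setting to 480m from GUI(192.0.2.44)."',
    'log_id=32144 type=event subtype=admin pri=notice vd=root user=admin_123 '
    'ui=CLI(10.10.20.5) msg="User admin_123 added policy routing entry port2 from CLI(10.10.20.5)"',
]

if __name__ == "__main__":
    for log_id, reason in triage(SAMPLE):
        print(log_id, reason)
```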
32151
Message ID
32151
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
Depending on what is in the msg field, the meaning can be any one of
the following:
• A new firewall local-in policy was added.
• A new IPv6 firewall local-in policy was added.
Fields
Field Description
msg
The log message information. This is usually a sentence and explains
the activity and/or action taken.
32152
Message ID
32152
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
Depending on what is in the msg field, the meaning can be any one of
the following:
• A firewall local-in policy’s setting was changed.
• An IPv6 firewall local-in policy’s setting was changed.
Fields
Field Description
msg
The log message information. This is usually a sentence and explains
the activity and/or action taken.
32153
Message ID
32153
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
Depending on what is in the msg field, the meaning can be any one of
the following:
• A firewall local-in policy was deleted.
• An IPv6 firewall local-in policy was deleted.
Fields
Field Description
msg
The log message information. This is usually a sentence and explains
the activity and/or action taken.
32154
Message ID
32154
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The administrator uploaded a FortiToken.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate
unit so that they could change, add, or remove a setting. For example,
the user admin_123 accesses the web-based manager to change their
password on the FortiGate-51B (IP address is 10.10.20.5). This field
shows their point-of-entry in this field, GUI(10.10.20.5).
msg
User <user_name> has uploaded a FortiToken file.
32155
Message ID
32155
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The administrator has requested to activate the specified FortiToken.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate
unit so that they could change, add, or remove a setting. For example,
the user admin_123 accesses the web-based manager to change their
password on the FortiGate-51B (IP address is 10.10.20.5). This field
shows their point-of-entry in this field, GUI(10.10.20.5).
action
This field always contains fortitoken-activate.
serialno
The serial number of the FortiToken device.
msg
User <user_name> has requested to activate FortiToken <serialno>
32156
Message ID
32156
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The FortiToken has been activated by FortiGuard.
Fields
Field Description
action
This field always contains fortitoken-activate.
serialno
The serial number of the FortiToken device.
status
The status of the activation process.
msg
Activation of FortiToken <serialno> <status>.
32157
Message ID
32157
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The administrator added an email filter IP black/white list entry.
Fields
Fields Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit
so that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on
the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
status
The status of the UTM profile. This field always contains enabled.
ip
The IP address.
msg
User <admin_name> added antispam IP black/white entry <ip_address>
from <ui(<ip_address>)>
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
pri
The priority level. This field always contains notice.
Message ID
32157
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The administrator added an email address black/white list entry.
Fields
Fields Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit
so that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on
the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
status
The status of the UTM profile. This field always contains enabled.
ip
The IP address.
msg
User <admin_name> added email black/white entry <email_address> from
<ui(<ip_address>)>
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
pri
The priority level. This field always contains notice.
email-pattern
The email address entry. For example, [email protected].
Message ID
32157
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The administrator added a banned word to the email filtering banned word
list.
Fields
Fields Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit
so that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on
the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
status
The status of the UTM profile. This field always contains enabled.
msg
User <admin_name> added antispam banned word entry <banned_word>
from <ui(<ip_address>)>
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
pri
The priority level. This field always contains notice.
pattern
The banned word entry.
Message ID
32157
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The administrator added a URL address to the URL filter.
Fields
Fields Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit
so that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on
the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
status
The status of the UTM profile. This field always contains enabled.
ip
The IP address.
msg
User <admin_name> added URL filter entry <url_address> from
<ui(<ip_address>)>
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
pri
The priority level. This field always contains notice.
url
The URL address that was entered.
Message ID
32157
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The administrator added a banned word entry to the web content filter list.
Fields
Fields Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit
so that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on
the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
status
The status of the UTM profile. This field always contains enabled.
msg
User <admin_name> added webfilter banned word entry <banned_word>
from <ui(<ip_address>)>
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
pri
The priority level. This field always contains notice.
word
The word or words that were added to the webfilter content filter list.
lang
The type of language applied to the entry. For example, Western.
pattern_type
The type of pattern applied to the word. For example, wildcard.
Message ID
32157
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The administrator added an email address to the email address black/white
list.
Fields
Fields Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit
so that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on
the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
email-pattern
The email address of the new entry in the list.
status
The status of the UTM profile. This field always contains enabled.
msg
User <admin_name> added antispam email black/white entry
<email_address> from <ui(<ip_address>)>
Message ID
32157
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The administrator added an email address to the email address black/white
list.
Fields
Fields Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit
so that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on
the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
action
This field always contains fortitoken-synchronize.
serialno
The serial number of the FortiToken device.
status
The status of the synchronization process.
msg
User <admin_name> resynchronized FortiToken <serialno> with result:
<status>
32158
Message ID
32158
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The administrator deleted a word from within a web content filter list.
Fields
Fields Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit
so that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on
the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
word
The web filter word that was deleted from within the list.
lang
The type of language that was chosen. For example, Western.
pattern_type
The type of pattern that was chosen, for example, Regular Expression.
status
The status of the word within the list before it was deleted. This field always
contains enabled.
msg
User <admin_name> deleted webfilter banned word entry <word> from
<ui(<ip_address>)>
32161
Message ID
32161
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The administrator changed the specified sensor.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit
so that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on
the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
msg
User <admin_name> changed sensor <ips_sensor_name>
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
pri
The priority level.
32162
Message ID
32162
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The administrator changed the specified sensor.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit
so that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on
the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
msg
User <admin_name> changed sensor <dos_sensor_name>
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
pri
The priority level.
32168
Message ID
32168
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The administrator failed to add a new entry because the VDOM property
limit has been reached.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit
so that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on
the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
msg
Adding new entry failed: vdom property limit has been reached when user
<user_name> adds <vdom> from <ui>
32170
Message ID
32170
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
An administrator added a new multicast firewall policy.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate
unit so that they could change, add, or remove a setting. For example, the
user admin_123 accesses the web-based manager to change their
password on the FortiGate-51B (IP address is 10.10.20.5). This field
shows their point-of-entry in this field, GUI(10.10.20.5).
action
The type of action that occurred. This field can contain config-add.
status
The status of the action. This field contains success.
reason
The reason for taking the action. This field contains none.
msg
User <admin_name> added multicast firewall policy <policy_number>
from <ui(<ip_address>)>
new_id
The new firewall policy identification number for the new multicast firewall
policy.
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
pri
The priority level. This field always contains notice.
new_srcintf
The new source interface that was applied to the new multicast firewall
policy.
new_dintf
The new destination interface that was applied to the new multicast firewall
policy.
new_saddr
The new source address that was applied to the policy.
new_daddr
The new destination IP address that was applied to the policy.
new_nat_addr
The new NAT IP address that was applied to the policy.
new_dnat_addr
The new DNAT IP address that was applied to the policy.
new_action
The type of action that was applied.
new_proto
The type of protocol that was applied.
new_start_port
The new start port number. For example, port 1.
new_end_port
The new end port number. For example, port 65535.
Message ID
32170
Log Subtype
Admin
Severity
Alert
Firmware version
FortiOS 4.0 MR3
Meaning
An alarm was triggered.
Fields
Field Description
action
The type of action that occurred. This field always contains alarm.
alarmid
The alarm’s identification number.
groupid
The group identification number.
msg
The log message information. This is usually a sentence and explains the
activity and/or action taken.
32171
Message ID
32171
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
An administrator modified a multicast firewall policy.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate
unit so that they could change, add, or remove a setting. For example, the
user admin_123 accesses the web-based manager to change their
password on the FortiGate-51B (IP address is 10.10.20.5). This field
shows their point-of-entry in this field, GUI(10.10.20.5).
action
The type of action that occurred. This field can contain config-edit.
status
The status of the action. This field contains success.
reason
The reason for taking the action. This field contains none.
msg
User <admin_name> changed multicast firewall policy <policy_number>
from <ui(<ip_address>)>
pol_id
The multicast firewall policy identification number.
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
pri
The priority level. This field always contains notice.
old_srcintf
The previous source interface.
old_dintf
The previous destination interface.
old_saddr
The previous source IP address.
old_daddr
The previous destination IP address.
old_action
The previous type of action that was applied.
old_start_port
The previous start port number.
old_end_port
The previous end port number.
new_srcintf
The new source interface that was applied to the new multicast firewall
policy.
new_dintf
The new destination interface that was applied to the new multicast firewall
policy.
new_saddr
The new source address that was applied to the policy.
new_daddr
The new destination IP address that was applied to the policy.
new_nat_addr
The new NAT IP address that was applied to the policy.
new_dnat_addr
The new DNAT IP address that was applied to the policy.
new_action
The type of action that was applied.
new_proto
The type of protocol that was applied.
new_start_port
The new start port number. For example, port 1.
new_end_port
The new end port number. For example, port 65535.
Message ID
32171
Log Subtype
Admin
Severity
Alert
Firmware version
FortiOS 4.0 MR3
Meaning
An alarm was triggered.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate
unit so that they could change, add, or remove a setting. For example, the
user admin_123 accesses the web-based manager to change their
password on the FortiGate-51B (IP address is 10.10.20.5). This field
shows their point-of-entry in this field, GUI(10.10.20.5).
action
The type of action that occurred. This field always contains alarm-ack.
alarmid
The alarm’s identification number.
groupid
The group identification number.
msg
The log message information. This is usually a sentence and explains the
activity and/or action taken.
32172
Message ID
32172
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
An administrator deleted a multicast firewall policy.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate
unit so that they could change, add, or remove a setting. For example, the
user admin_123 accesses the web-based manager to change their
password on the FortiGate-51B (IP address is 10.10.20.5). This field
shows their point-of-entry in this field, GUI(10.10.20.5).
action
This field can contain config-delete.
status
The status of the action. This field contains success.
reason
The reason for taking the action. This field contains none.
msg
User <admin_name> removed multicast firewall policy <policy_number>
from <ui(<ip_address>)>
old_id
The multicast firewall policy identification number.
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
pri
The priority level. This field always contains notice.
old_srcintf
The previous source interface.
old_dintf
The previous destination interface.
old_saddr
The previous source IP address.
old_daddr
The previous destination IP address.
old_action
The previous type of action that was applied.
old_start_port
The previous start port number.
old_end_port
The previous end port number.
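The following Python is an added example, not code from the Fortinet reference: it turns the multicast policy audit records 32170, 32171 and 32172 into normalized change events and diffs their old_*/new_* fields. The key=value line layout, the sample lines and all function names are assumptions made for the example; the field names, action values and msg wording are the ones listed above.

```python
import re

# Assumed raw layout: space-separated key=value pairs, values optionally
# double-quoted. The reference lists field names only, not the encoding.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')
UI = re.compile(r'^([^()]+)\(([^()]+)\)$')  # e.g. GUI(10.10.20.5)

# action value -> (message ID, field carrying the policy number), as documented
ACTIONS = {
    "config-add": (32170, "new_id"),
    "config-edit": (32171, "pol_id"),
    "config-delete": (32172, "old_id"),
}

# Constructed sample lines (not captured from a device).
SAMPLE_LINES = [
    'user="admin_123" ui="GUI(10.10.20.5)" action=config-edit status=success '
    'reason=none pol_id=4 vd="root" pri=notice old_srcintf="internal" '
    'old_dintf="dmz" old_saddr="10.10.30.0" old_daddr="239.1.1.1" '
    'old_action=accept old_start_port=5000 old_end_port=5010 '
    'new_srcintf="internal" new_dintf="dmz" new_saddr="0.0.0.0" '
    'new_daddr="239.1.1.1" new_action=accept new_start_port=1 '
    'new_end_port=65535 '
    'msg="User admin_123 changed multicast firewall policy 4 from GUI(10.10.20.5)"',
    'user="admin_123" ui="GUI(10.10.20.5)" action=config-delete status=success '
    'reason=none old_id=7 vd="root" pri=notice old_srcintf="internal" '
    'old_dintf="external" old_saddr="10.10.40.0" old_daddr="239.2.2.2" '
    'old_action=accept old_start_port=1 old_end_port=65535 '
    'msg="User admin_123 removed multicast firewall policy 7 from GUI(10.10.20.5)"',
    # Unrelated admin event (application control list); must be ignored.
    'user="admin_123" ui="GUI(10.10.20.5)" action=add vd="root" pri=notice '
    'name="default" msg="Administrator admin_123 added an application control '
    'list default from GUI(10.10.20.5)"',
]


def parse_kv(line):
    """Split one log line into a {field: value} dict."""
    return {m.group(1): (m.group(2) if m.group(2) is not None else m.group(3))
            for m in KV.finditer(line)}


def parse_ui(ui):
    """Split 'GUI(10.10.20.5)' into (method, ip); ip is None if absent."""
    m = UI.match(ui or "")
    return (m.group(1), m.group(2)) if m else (ui, None)


def port_range(record, prefix):
    """Return (start, end) for old_ or new_ ports, or None if missing."""
    try:
        return (int(record[prefix + "start_port"]),
                int(record[prefix + "end_port"]))
    except (KeyError, ValueError):
        return None


def summarize(record):
    """Normalize a multicast policy add/edit/delete record, else None."""
    action = record.get("action")
    if action not in ACTIONS:
        return None
    if "multicast firewall policy" not in record.get("msg", ""):
        return None
    msg_id, id_field = ACTIONS[action]
    method, ip = parse_ui(record.get("ui"))
    # Strip the 4-character old_/new_ prefix; the *_id fields are the policy
    # number, not a setting, so they are left out of the diff.
    old = {k[4:]: v for k, v in record.items()
           if k.startswith("old_") and k != "old_id"}
    new = {k[4:]: v for k, v in record.items()
           if k.startswith("new_") and k != "new_id"}
    changes = {k: (old.get(k), new.get(k))
               for k in sorted(set(old) | set(new))
               if old.get(k) != new.get(k)}
    before, after = port_range(record, "old_"), port_range(record, "new_")
    widened = bool(before and after and after != before
                   and after[0] <= before[0] and after[1] >= before[1])
    return {
        "message_id": msg_id,
        "admin": record.get("user"),
        "via": method,
        "source_ip": ip,
        "vdom": record.get("vd"),
        "policy": record.get(id_field),
        "changes": changes,
        "port_range_widened": widened,
    }


def audit(lines):
    """Return the change events found in an iterable of raw log lines."""
    events = (summarize(parse_kv(line)) for line in lines)
    return [e for e in events if e is not None]


if __name__ == "__main__":
    for event in audit(SAMPLE_LINES):
        print(event)
```

For an edit, `changes` holds only the settings whose old and new values differ; for an add or delete, every setting appears with `None` on the missing side.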
32180
Message ID
32180
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The administrator failed to back up the configuration from the management
station, or the FortiGate unit’s automatic backup to the management
station failed.
The meaning can also be that there was a failed backup of the
configuration file after the system upgraded.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate
unit so that they could change, add, or remove a setting. For example, the
user admin_123 accesses the web-based manager to change their
password on the FortiGate-51B (IP address is 10.10.20.5). This field
shows their point-of-entry in this field, GUI(10.10.20.5).
action
This field contains backup.
status
The status of the action. This field contains failure.
msg
This field contains any one of the following:
• User <admin_name> failed to backup the configuration from <ui> to
management station.
• Automatic configuration backup to Management Station failed.
• Failed to backup configuration after system upgrading: <string>
32200
Message ID
32200
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The administrator uploaded the new web filter list specified in the “upload”
field.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate
unit so that they could change, add, or remove a setting. For example, the
user admin_123 accesses the web-based manager to change their
password on the FortiGate-51B (IP address is 10.10.20.5). This field
shows their point-of-entry in this field, GUI(10.10.20.5).
upload
This field contains any one of the following:
• url-exempt-list
• url-block-list
• word-block-list
num
The num value information.
msg
User <administrator_name> uploaded <upload_type> from <ui>
32301
Message ID
32301
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The administrator added a virtual domain.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit
so that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on
the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
action
This field contains add-vdom.
msg
Virtual domain <vd_name> is added.
32302
Message ID
32302
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The administrator deleted a virtual domain.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit
so that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on
the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
action
This field always contains del-vdom.
msg
Virtual domain <vd_name> is deleted.
32400
Message ID
32400
Log Subtype
Admin
Severity
Alert
Firmware version
FortiOS 4.0 MR3
Meaning
The configuration changed.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit
so that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on
the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
msg
Configuraiton is changed in the admin session.
32401
Message ID
32401
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The administrator added an application control list.
Fields
Field Description
user
The administrator who is creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit
so that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on
the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
action
This field contains add.
msg
Administrator <admin_name> added an application control list
<app_crtl_list_name> from <ui(<ip_address>)>
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
pri
The priority level. This field always contains notice.
name
The name of the application control list.
Message ID
32401
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The administrator modified settings within an application control list.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit
so that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on
the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
action
This field always contains edit.
msg
Administrator <admin_name> edited an application control list
<default_app_name> from <ui(<ip_address>)>
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
pri
The priority level. This field always contains notice.
name
The name of the application control list.
32545
Message ID
32545
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The system was restarted because a restart was scheduled.
Fields
Field Description
user
The name of the administrator creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit
so that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on
the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
action
This field always contains reboot.
msg
System will reboot due to scheduled daily restart.
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
32546
Message ID
32546
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The archive log files are being uploaded to the FortiAnalyzer unit.
Fields
Field Description
action
This field always contains upload_request
msg
Content Archive data has been uploaded to FortiAnalyzer.
32547
Message ID
32547
Log Subtype
Admin
Severity
Error
Firmware version
FortiOS 4.0 MR3
Meaning
The content archive file failed to upload.
Fields
Field Description
action
This field always contains upload_request
msg
Content Archive data failed to upload to <string>.
32548
Message ID
32548
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The upload of memory logs to a remote server failed because it reached the
maximum capacity.
Fields
Field Description
action
This field always contains upload_request
msg
Uploading memory logs to remote logging server(s) because it reached
<percentage> percent full
32549
Message ID
32549
Log Subtype
Admin
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The upload of memory logs to a remote server occurred as scheduled.
Fields
Field Description
action
This field always contains upload_request
msg
Uploading memory logs to remote logging server(s) as scheduled
Event-System
Event-System log messages record events that occur in the FortiGate system, such as administrators
logging in and out, or events occurring on the interfaces.
20001  20058  20201
20002  20059  20202
20003  20060  20203
20004  20061  22000
20007  20062  22001
20010  20063  22002
20031  20064  22003
20032  20065  22004
20033  20066  22005
20034  20067  22006
20035  20068  22009
20036  20069  22010
20037  20070  22011
20038  20071  22012
20039  20072  22013
20040  20073  22100
20041  20074  22101
20042  20075  22102
20043  20076  22103
20044  20077  22800
20045  20078  22801
20046  20079  22802
20047  20080  22803
20048  20081  22804
20049  20082  22805
20050  20083  22806
20051  20084  22901
20052  20099  22902
20053  20100  22903
20054  20101  22911
20055  20110  22912
20056  20111  22913
20057  20200  22914
20001
Message ID
20001
Log Subtype
System
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
The routing information has changed because of the gateway’s status, up or
down.
Fields
Field Description
interface
This field contains any one of the following:
• internal
• external
• dmz
• other
status
This field contains either up or down.
msg
Ping server is {up | down}
Message ID
20001
Log Subtype
System
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
Depending on what appears in the msg field, the meaning can be any one of
the following:
• There is a problem contacting the modem. Verify the modem connection
and settings.
• The FortiGate unit has attempted to redial the ISP from the modem and
could not connect after the set number of redial attempts. You must reset the
modem to attempt the connection.
• The wireless user has been disconnected.
• A client was accepted.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
msg
This field contains any one of the following:
• Problem contacting the modem
• modem: Redial limit exceeded… giving up
• Client <wireless_user> is disassociated.
• Accepted associated from <client_name>
Message ID
20001
Log Subtype
System
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
Depending on what appears in the msg field, the meaning can be any one of
the following:
• Client <client_name> does 1X – The client does 1X
• Client <client_name> does WPA – The client does WPA.
Fields
Field Description
msg
This field contains any one of the following:
• Client <client_name> does 1X
• Client <client_name> does WPA
Message ID
20001
Log Subtype
System
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
Routing information is changed because the gateway is up/down.
Fields
Field Description
interface
The name of the interface.
status
The status information.
msg
The log message information. This is usually a sentence and explains the
activity and/or action taken.
Message ID
20001
Log Subtype
System
Severity
Critical
Firmware version
FortiOS 4.0 MR3
Meaning
A gateway’s status.
Fields
Field Description
interface
The name of the interface.
gw_group
The gateway group information.
status
The status information.
gw_status
The gateway status.
msg
The status of <gateway> for gateway group <gw_group> is <information>
20002
Message ID
20002
Log Subtype
System
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The domain name configured for an alert email recipient cannot be resolved.
Verify the email address to ensure that it is correct.
Fields
Field Description
user
This field always contains system
ui
The location of the point-of-entry the user used to access the FortiGate unit
so that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on
the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
action
The type of action taken by the FortiGate unit.
status
This field always contains failure.
msg
Can’t resolve the IP address of <email_address>
20003
Message ID
20003
Log Subtype
System
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
Failed to send an alert email.
You can verify the email addresses configured for alert emails and see if that
solves the problem.
Fields
Field Description
user
This field always contains system
ui
The location of the point-of-entry the user used to access the FortiGate unit
so that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on
the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
action
The type of action taken by the FortiGate unit. This field always contains
alert-email.
status
This field always contains failure.
count
The number of times the same event was detected within a short period of
time.
msg
Failed to send alert email from <ip_address> to <ip_address>.
20004
Message ID
20004
Log Subtype
System
Severity
Critical
Firmware version
FortiOS 4.0 MR3
Meaning
The policy is too big for the system to handle.
Fields
Field Description
user
This field always contains system
ui
The location of the point-of-entry the user used to access the FortiGate unit
so that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on
the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
status
This field always contains failure.
msg
Policy <policy_id> is too big for system, it’s installed partially.
20007
Message ID
20007
Log Subtype
System
Severity
Critical
Firmware version
FortiOS 4.0 MR3
Meaning
The socket is exhausted.
Fields
Field Description
service
The type of service. This field always contains kernel.
status
This field always contains failure.
proto
The protocol information.
src
The source IP address.
src_port
The source port number.
nat
The NAT information.
dst
The destination IP address.
dst_port
The destination port number.
msg
NAT port is exhausted.
20010
Message ID
20010
Log Subtype
System
Severity
Error
Firmware version
FortiOS 4.0 MR3
Meaning
A RADIUS IPC error.
Fields
Field Description
msg
Unable to initialize RADIUS IPS (<value>)
20031
Message ID
20031
Log Subtype
System
Severity
Critical
Firmware version
FortiOS 4.0 MR3
Meaning
The FortiGate unit’s flash memory is full in the specified sector.
You can delete logs stored to the local disk, and perform other maintenance
to free memory space.
Fields
Field Description
msg
Interface <interface_name> Out of memory in <memory_sector>.
20032
Message ID
20032
Log Subtype
System
Severity
Critical
Firmware version
FortiOS 4.0 MR3
Meaning
The FortiGate unit cannot find the specified interface by name.
You can check the configuration of the interface and check any physical
connections to solve the problem.
Fields
Field Description
msg
Interface <interface_name> not found in <memory_sector>.
20033
Message ID
20033
Log Subtype
System
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
An interface uses Mobile IPv6 extensions.
Fields
Field Description
msg
Using Mobile IPv6 extensions.
20034
Message ID
20034
Log Subtype
System
Severity
Critical
Firmware version
FortiOS 4.0 MR3
Meaning
The minimum time allowed between sending unsolicited multicast router
advertisements from the specified interface (using Mobile IPv6 extensions)
must be configured within the specified range because it is not currently in the
specified range.
The range is specified in seconds.
Fields
Field Description
msg
MinRtrAdvInterval for <interface> must be between <start_range_seconds>
and <end_range_seconds>
Message ID
20034
Log Subtype
System
Severity
Critical
Firmware version
FortiOS 4.0 MR3
Meaning
The minimum time allowed between sending unsolicited multicast router
advertisements from the specified interface (using Mobile IPv6 extensions)
must be configured within the specified range because it is not currently in the
specified range.
The range is specified in seconds.
Fields
Field Description
msg
MinRtrAdvInterval for <interface_name> must be between
<start_range_seconds> and <end_range_seconds>
20035
Message ID
20035
Log Subtype
System
Severity
Critical
Firmware version
FortiOS 4.0 MR3
Meaning
The minimum time allowed between sending unsolicited multicast router
advertisements from the specified interface must be configured within the
specified range. Range is specified in seconds.
You can reconfigure the router according to MinRtrAdvInterval to solve this
problem.
Fields
Field Description
msg
MinRtrAdvInterval must be between <start_range_seconds> and
<end_range_seconds> for <interface_name>
20036
Message ID
20036
Log Subtype
System
Severity
Critical
Firmware version
FortiOS 4.0 MR3
Meaning
The maximum time allowed between sending unsolicited multicast router
advertisements from the specified interface, using Mobile IPv6 extensions,
must be configured within the specified range.
The range is specified in seconds.
Fields
Field Description
msg
MaxRtrAdvInterval for <interface_name> must be between
<start_range_seconds> and <end_range_seconds>
20037
Message ID
20037
Log Subtype
System
Severity
Critical
Firmware version
FortiOS 4.0 MR3
Meaning
The maximum time allowed between sending unsolicited multicast router
advertisements from the specified interface must be configured within the
specified range. Range is specified in seconds.
You can reconfigure the router according to MaxRtrAdvInterval to solve this
problem.
Fields
Field Description
msg
MaxRtrAdvInterval must be between <start_range_seconds> and
<end_range_seconds> for <interface_name>
20038
Message ID
20038
Log Subtype
System
Severity
Critical
Firmware version
FortiOS 4.0 MR3
Meaning
The value placed in MTU options sent by the router must be either zero or
between the specified range for the specified interface. A value of zero
indicates that no MTU options are sent.
You can reconfigure the router according to the range to solve this problem.
Fields
Field Description
msg
AdvLinkMTU must be zero or between <start_range_bytes> and
<end_range_bytes> for <interface_name>
20039
Message ID
20039
Log Subtype
System
Severity
Critical
Firmware version
FortiOS 4.0 MR3
Meaning
The value placed in MTU options sent by the router must be either zero or
greater than the specified value for the specified interface. A value of zero
indicates that no MTU options are sent.
You can reconfigure the router according to the range to solve this problem.
Fields
Field Description
msg
AdvLinkMTU must be zero or greater than <value_bytes> for
<interface_name>
20040
Message ID
20040
Log Subtype
System
Severity
Critical
Firmware version
FortiOS 4.0 MR3
Meaning
The value to be placed in the Reachable Time field in the Router
Advertisement message sent by the router must be less than the specified
value for the specified interface. A value of zero means unspecified by this
router.
You can reconfigure the router according to the specified value to solve this
problem.
Fields
Field Description
msg
AdvReachableTime must be less than <value> for <interface_name>
20041
Message ID
20041
Log Subtype
System
Severity
Critical
Firmware version
FortiOS 4.0 MR3
Meaning
The default value to be placed in the CurHopLimit field in the Router
Advertisements message sent by the router must not be greater than the
specified value for the specified interface.
You can reconfigure the router according to the specified value to solve this
problem.
Fields
Field Description
msg
AdvCurHopLimit must not be greater than <value_hop_limit> for
<interface_name>
20042
Message ID
20042
Log Subtype
System
Severity
Critical
Firmware version
FortiOS 4.0 MR3
Meaning
The value to be placed in the Router Lifetime field of Router Advertisements
sent from the interface in seconds, must be either zero or between the
specified range. A value of zero indicates that the router is not to be used as
a default router.
You can reconfigure the router according to the specified range to solve this
problem.
Fields
Field Description
msg
AdvDefaultLifetime for <interface_name> must be zero or between
<start_range_seconds> and <end_range_seconds>
20043
Message ID
20043
Log Subtype
System
Severity
Critical
Firmware version
FortiOS 4.0 MR3
Meaning
HomeAgentLifetime in Router Advertisement packet is out of range.
You can reconfigure the router according to the specified range to solve this
problem.
Fields
Field Description
msg
HomeAgentLifetime must be between <value> and <value> for
<interface_name>
20044
Message ID
20044
Log Subtype
System
Severity
Critical
Firmware version
FortiOS 4.0 MR3
Meaning
AdvHomeAgentFlag and HomeAgentLifetime in Router Advertisement packet
must be set with HomeAgentInfo.
You can reconfigure the router according to the specified range to solve this
problem.
Fields
Field Description
msg
AdvHomeAgentFlag must be set with HomeAgentInfo
20045
Message ID
20045
Log Subtype
System
Severity
Critical
Firmware version
FortiOS 4.0 MR3
Meaning
Prefix length is too long.
You can adjust packet prefix length to solve this problem.
Fields
Field Description
msg
Invalid prefix length for <string>
20046
Message ID
20046
Log Subtype
System
Severity
Critical
Firmware version
FortiOS 4.0 MR3
Meaning
The value to be placed in the Valid Lifetime in the Prefix Information option, in
seconds, must be greater than the AdvPreferredLifetime.
You can adjust packet prefix length to solve this problem.
Fields
Field Description
msg
AdvValidLifetime must be greater than AdvPreferredLifetime for <string>
20047
Message ID
20047
Log Subtype
System
Severity
Critical
Firmware version
FortiOS 4.0 MR3
Meaning
The IPv6 router advertisement daemon failed to create an IPv6 socket.
Fields
Field Description
msg
Can’t create socket (AF_INET6): <string>
20048
Message ID
20048
Log Subtype
System
Severity
Critical
Firmware version
FortiOS 4.0 MR3
Meaning
The IPv6 router advertisement daemon failed to set IPV6_PKTINFO option.
Fields
Field Description
msg
Setsockopt(IPv6_PKTINFO): <string>
20049
Message ID
20049
Log Subtype
System
Severity
Critical
Firmware version
FortiOS 4.0 MR3
Meaning
The IPv6 router advertisement daemon failed to set IPV6_CHECKSUM
option.
Fields
Field Description
msg
Setsockopt(IPV6_CHECKSUM): <string>
20050
Message ID
20050
Log Subtype
System
Severity
Critical
Firmware version
FortiOS 4.0 MR3
Meaning
The IPv6 router advertisement daemon failed to set IPV6_UNICAST_HOPS
option.
Fields
Field Description
msg
Setsockopt(IPV6_UNICAST_HOPS): <string>
20051
Message ID
20051
Log Subtype
System
Severity
Critical
Firmware version
FortiOS 4.0 MR3
Meaning
The IPv6 router advertisement daemon failed to set
IPV6_MULTICAST_HOPS option.
Fields
Field Description
msg
Setsockopt(IPV6_MULTICAST_HOPS): <string>
20052
Message ID
20052
Log Subtype
System
Severity
Critical
Firmware version
FortiOS 4.0 MR3
Meaning
The IPv6 router advertisement daemon failed to set IPV6_HOPLIMIT option.
Fields
Field Description
msg
Setsockopt (IPV6_HOPLIMIT): <string>
20053
Message ID
20053
Log Subtype
System
Severity
Critical
Firmware version
FortiOS 4.0 MR3
Meaning
The IPv6 router advertisement daemon failed to set ICMPV6_FILTER option.
Fields
Field Description
msg
Setsockopt(ICMPV6_FILTER): <string>
20054
Message ID
20054
Log Subtype
System
Severity
Critical
Firmware version
FortiOS 4.0 MR3
Meaning
The IPv6 router advertisement daemon received the specified signal and is
going to exit.
Fields
Field Description
msg
radvd receive signal=<value_signal>\n
20055
Message ID
20055
Log Subtype
System
Severity
Critical
Firmware version
FortiOS 4.0 MR3
Meaning
The IPv6 router advertisement daemon cannot create query to interface by
using cmf_query_create().
Fields
Field Description
msg
Can not create query to interface at <string>:<string>:<value>!
20056
Message ID
20056
Log Subtype
System
Severity
Critical
Firmware version
FortiOS 4.0 MR3
Meaning
The IPv6 router advertisement daemon encounters an internal error when it
uses cmf_query_for_each().
Fields
Field Description
msg
Interfal error in cmf_query_for_each()!
20057
Message ID
20057
Log Subtype
System
Severity
Critical
Firmware version
FortiOS 4.0 MR3
Meaning
The IPv6 router advertisement daemon failed to find a virtual interface by
interface index.
Fields
Field Description
msg
Interface <string>:<value> not found in the list!
20058
Message ID
20058
Log Subtype
System
Severity
Critical
Firmware version
FortiOS 4.0 MR3
Meaning
The IPv6 router advertisement daemon reloaded or unloaded the specified
interface.
Fields
Field Description
msg
This field contains any one of the following:
• Interface <string>: <value> reloaded!
• Interface <string>:<value> unloaded!
20059
Message ID
20059
Log Subtype
System
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
The IPv6 router advertisement daemon received a packet with no pkt_info.
Fields
Field Description
msg
Received packet with no pkt_info!
20060
Message ID
20060
Log Subtype
System
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
The IPv6 router advertisement daemon received an ICMPv6 packet with
invalid length.
Fields
Field Description
msg
Received icmpv6 packet with invalid length: <value_bytes>
20061
Message ID
20061
Log Subtype
System
Severity
Critical
Firmware version
FortiOS 4.0 MR3
Meaning
The IPv6 router advertisement daemon received an unwanted type of
ICMPv6 packet.
Fields
Field Description
msg
icmpv6 filter failed
20062
Message ID
20062
Log Subtype
System
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
The IPv6 router advertisement daemon received an ICMPv6 RA packet with
invalid length.
Fields
Field Description
msg
Received icmpv6 RA packet with invalid length. <value_bytes>
20063
Message ID
20063
Log Subtype
System
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
The IPv6 router advertisement daemon received an ICMPv6 RA packet with a
non-linklocal source address.
Fields
Field Description
msg
Received icmpv6 RA packet with non-linklocal source address
20064
Message ID
20064
Log Subtype
System
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
The IPv6 router advertisement daemon received ICMPv6 RS packet with
invalid length.
Fields
Field Description
msg
Received icmpv6 RS packet with invalid length: <value_bytes>
20065
Message ID
20065
Log Subtype
System
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
The IPv6 router advertisement daemon received ICMPv6 RS/RA packet with
invalid code.
Fields
Field Description
msg
Received icmpv6 RS/RA packet with invalid code: <value_code>
20066
Message ID
20066
Log Subtype
System
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
The IPv6 router advertisement daemon received ICMPv6 RS/RA packet with
wrong hoplimit.
Fields
Field Description
msg
Received RS or RA with invalid hoplimit <value_hops> from
<interface_name>
20067
Message ID
20067
Log Subtype
System
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
The AdvCurHopLimit on the specified FortiGate interface does not agree with
the value on the specified remote interface. A value of zero means
unspecified by this router.
You should configure the interfaces with the same AdvCurHopLimit value to
correct the problem.
Fields
Field Description
msg
Our AdvCurHopLimit on <interface_name> doesn’t agree with
<interface_name>
20068
Message ID
20068
Log Subtype
System
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
The AdvManagerFlag value (True/False) on the specified FortiGate interface
does not agree with the value on the specified remote interface.
You should configure the interface with the same AdvManagerFlag value.
Fields
Field Description
msg
Our AdvManagerFlag on <interface_name> doesn’t agree with
<interface_name>
20069
Message ID
20069
Log Subtype
System
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
The AdvOtherConfigFlag value (True/False) on the specified FortiGate
interface does not agree with the value on the specified remote interface.
You should configure the interfaces with the same AdvOtherConfigFlag
value.
Fields
Field Description
msg
Our AdvOtherConfigFlag on <interface_name> doesn’t agree with
<interface_name>
20070
Message ID
20070
Log Subtype
System
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
The AdvReachableTime configured on the specified FortiGate interface does
not agree with the value on the specified remote interface. A value of zero
means unspecified by this router. The value must be no greater than
3,600,000 seconds or 1 hour.
You should configure the interfaces with the same AdvReachableTime value.
Fields
Field Description
msg
Our AdvReachableTime on <interface_name> doesn’t agree with
<interface_name>
20071
Message ID
20071
Log Subtype
System
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
The AdvRetransTimer value on the specified FortiGate interface does not
agree with the value on the specified remote interface. A value of zero means
unspecified (by this router).
You should configure the interfaces with the same AdvRetransTimer value.
Fields
Field Description
msg
our AdvRetransTimer on <interface_name> doesn’t agree with
<interface_name>
20072
Message ID
20072
Log Subtype
System
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
The IPv6 router advertisement daemon found extra data in an RA packet
from the specified source.
Fields
Field Description
msg
trailing garbage in RA on <interface_name> from <interface_name>
20073
Message ID
20073
Log Subtype
System
Severity
Critical
Firmware version
FortiOS 4.0 MR3
Meaning
The IPv6 router advertisement daemon found an RA packet with no option
data from the specified source.
Fields
Field Description
msg
zero length option in RA on <interface_name> from <interface_name>
20074
Message ID
20074
Log Subtype
System
Severity
Critical
Firmware version
FortiOS 4.0 MR3
Meaning
The option length is greater than the total length in an RA packet from the
specified source.
Fields
Field Description
msg
option length greater than total length in RA on <interface_name> from
<interface_name>
20075
Message ID
20075
Log Subtype
System
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
The AdvLinkMTU value on the specified FortiGate interface does not agree
with the specified remote interface. A value of zero indicates that no MTU
options are sent.
You should configure the interfaces with the same AdvLinkMTU value.
Fields
Field Description
msg
our AdvLinkMTU on <interface_name> doesn’t agree with <interface_name>
20076
Message ID
20076
Log Subtype
System
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
The AdvValidLifetime value on the specified FortiGate interface does not
agree with the value on the specified remote interface.
You should configure the interfaces with the same AdvValidLifetime value.
Fields
Field Description
msg
our AdvValidLifetime on <interface_name> for <value> doesn’t agree with
<interface_name>
20077
Message ID
20077
Log Subtype
System
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
The AdvPreferredLifetime value on the specified FortiGate interface does not
agree with the value on the specified remote interface.
You should configure the interfaces with the same AdvPreferredLifetime
value.
Fields
Field Description
msg
our AdvPreferredLifetime on <interface_name> for <value> doesn’t agree
with <interface_name>
20078
Message ID
20078
Log Subtype
System
Severity
Critical
Firmware version
FortiOS 4.0 MR3
Meaning
The IPv6 router advertisement daemon found the specified invalid option in
an RA packet from the specified source from a remote site.
Fields
Field Description
msg
Invalid option <value_option> in RA on <interface_name> from <location>
20079
Message ID
20079
Log Subtype
System
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
The IPv6 router advertisement daemon is ready to serve.
Fields
Field Description
msg
radvd started\n
20080
Message ID
20080
Log Subtype
System
Severity
Critical
Firmware version
FortiOS 4.0 MR3
Meaning
Recvmsg() in the IPv6 router advertisement daemon failed.
Fields
Field Description
msg
recvmsg: <string>
20081
Message ID
20081
Log Subtype
System
Severity
Critical
Firmware version
FortiOS 4.0 MR3
Meaning
The IPv6 router advertisement daemon received a packet with a wrong
IPV6_HOPLIMIT.
Fields
Field Description
msg
received a bogus IPV6_HOPLIMIT from the kernel! len=<value_bytes>,
data=<value>
20082
Message ID
20082
Log Subtype
System
Severity
Critical
Firmware version
FortiOS 4.0 MR3
Meaning
Depending on what appears in the msg field, the meaning can be any one of
the following:
• The IPv6 router advertisement daemon received a packet with a
wrong IPV6_PKINFO.
• The IPv6 router advertisement daemon failed to check whether we’ve
joined the all-routers multicast group.
Fields
Field Description
msg
This field contains any one of the following:
• received a bogus IPV6_PKINFO from the kernel! len=<value_bytes>,
index=<value_index>
• Problem checking all-routers membership on <interface_name>
20083
Message ID
20083
Log Subtype
System
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
The routing advertisement daemon failed to check whether it joined the
all-routers membership group.
Fields
Field Description
msg
problem checking all-routers membership on <interface_name>
20084
Message ID
20084
Log Subtype
System
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
Depending on what appears in the msg field, the meaning can be any one of
the following:
• Sendmsg () in the IPv6 router advertisement daemon failed.
• Sendmsg () in radvd failed.
Fields
Field Description
msg
sendmsg: <string>
20090
Message ID
20090
Log Subtype
System
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The interface link status has changed.
Fields
Field Description
intf
The name of the interface.
status
The status of the interface.
msg
interface <interface_name> link status is <status_type>
20099
Message ID
20099
Log Subtype
System
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
The interface link status has changed.
Fields
Field Description
action
This field is always interface-stat-change.
status
This field contains either DOWN or UP.
msg
This field contains any one of the following:
• Link monitor: Interface <interface_name> was turned down
• Link monitor: Interface <interface_name> was turned up
20100
Message ID
20099
Log Subtype
System
Severity
Critical
Firmware version
FortiOS 4.0 MR3
Meaning
FortiGuard Web Filtering category has been updated.
Fields
Field Description
msg
The FortiGuard Web Filtering category list has been updated. Please verify
the protection profile settings are still correct.
20101
Message ID
20101
Log Subtype
System
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
Status of the file upload.
Fields
Field Description
action
This field always contains upload.
status
The status of the upload.
hash
The hash information.
file
The name of the file that was uploaded.
user
The name of the user creating the traffic.
server
The name of the server.
port
The number of the port.
msg
<file_name> upload reached the <string> state \n
Message ID
20101
Log Subtype
System
Severity
Variable
Firmware version
FortiOS 4.0 MR3
Meaning
File upload error.
Fields
Field Description
action
This field always contains upload.
status
The status of the upload.
file
The name of the file that was uploaded.
user
The name of the user creating the traffic.
server
The name of the server.
port
The number of the port.
Message ID
20101
Log Subtype
System
Severity
Critical
Firmware version
FortiOS 4.0 MR3
Meaning
FortiGuard license is expired. You need to renew the FortiGuard license.
Fields
Field Description
msg
FortiGuard license is expired.
Message ID
20101
Log Subtype
System
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
Status of the uploaded file.
Fields
Field Description
action
The type of upload being performed.
status
The status of the upload.
file
The name of the file that was uploaded.
user
The name of the user creating the traffic.
server
The IP address of the server.
port
The name of the port.
msg
<file_name> upload reached the <server_ip_address> state <status_name>
Message ID
20101
Log Subtype
System
Severity
Variable
Firmware version
FortiOS 4.0 MR3
Meaning
File upload error.
Fields
Field Description
action
This field always contains upload.
error
The type of error that occurred during the file’s uploading process.
file
The name of the file that was uploaded.
user
The name of the user creating the traffic.
server
The IP address of the server.
port
The name of the port.
msg
<file_name> upload error\ \n
20110
Message ID
20110
Log Subtype
System
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
A hp_api log message.
Fields
Field Description
msg
hp_api: Connection to ESPd has been initialized.
20111
Message ID
20111
Log Subtype
System
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
A hp_api log message.
Fields
Field Description
msg
hp_api: Connection to ESPd has been reset, exiting.
20200
Message ID
20200
Log Subtype
System
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
An administrator initiated a self-test type from a specific location.
Fields
Field Description
user
The name of the user creating the traffic. In this log message, it is the
administrator that is creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit
so that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on
the FortiGate-51B (IP address is 10.10.20.5). This field shows their
point-of-entry, GUI(10.10.20.5).
action
This field always contains self-test.
test
The type of test that was taken.
msg
Administrator <administrator_name> initiates the <test_type> self-test from
<ui>
20201
Message ID
20201
Log Subtype
System
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
An administrator initiated all self-tests from a specified location.
Fields
Field Description
user
The name of the user creating the traffic. In this log message, it is the
administrator that is creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit
so that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on
the FortiGate-51B (IP address is 10.10.20.5). This field shows their
point-of-entry, GUI(10.10.20.5).
action
This field always contains self-test.
test
This field always contains all.
msg
Administrator <administrator_name> initiates all self-tests from <ui>
20202
Message ID
20202
Log Subtype
System
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
The daemon started.
Fields
Field Description
action
This field always contains daemon-startup.
daemon
The type of daemon used.
pid
The PID number.
msg
Daemon <daemon_type> started.
Message ID
20202
Log Subtype
System
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
There was an error when either partitioning the disk or formatting the disk.
Fields
Field Description
msg
Partitioning or formatting error (<string>) partition=<partition>
format=<format> label=<label>
20203
Message ID
20203
Log Subtype
System
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The daemon was shut down.
Fields
Field Description
action
This field always contains daemon-shutdown.
daemon
The type of daemon used.
pid
The PID number.
msg
Daemon <daemon_type> shutdown.
22000
Message ID
22000
Log Subtype
System
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
Depending on what appears in the msg field, the meaning can be any one of
the following:
• Packet lengths do not match.
• The packet length does not match what is specified in the request header.
Fields
Field Description
msg
This field contains any one of the following:
• Packet length does not match that specified in the request header.
• lengths of packets does not match
22001
Message ID
22001
Log Subtype
System
Severity
Warning/Information
Firmware version
FortiOS 4.0 MR3
Meaning
Depending on what appears in the msg field, the meaning can be any one of
the following:
• The specified version of the URL agent is not supported.
• The specified version of the protocol is not supported.
• An administrator started to convert the current SQL format.
Fields
Field Description
action
The action that was taken.
admin
The name of the administrator.
ui
The location of the point-of-entry the user used to access the FortiGate unit
so that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on
the FortiGate-51B (IP address is 10.10.20.5). This field shows their
point-of-entry, GUI(10.10.20.5).
status
This field always contains started.
msg
This field contains any one of the following:
• version <agent_version_num> is not supported.
• Protocol version <version_number> is not supported.
• Administrator <administrator_name> started to convert existing logs to SQL
format from <ui>
22002
Message ID
22002
Log Subtype
System
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
Depending on what appears in the msg field, the meaning can be any one of
the following:
• Only HTTP is supported.
• Requests other than HTTP, HTTPS, FTP, MAIL, and AV are not supported.
• Request other than HTTP, HTTPS, FTP, MAIL, and AV are not supported.
• The conversion of the existing SQL logs failed.
• The administrator failed to convert the existing logs into SQL format.
Fields
Field Description
action
The action that was taken.
status
This field always contains failed.
reason
This field contains either sql-db-not-running or cannot-send-request.
msg
This field contains any one of the following:
• Other request <request_type> than http is not supported.
• Other requests <string> than http & ftp is not supported.
• Request type <type> is not supported
• Conversion of existing logs to SQL format failed to start because SQL DB is
not running.
• Conversion of existing logs to SQL format failed to start because request
cannot be sent.
22003
Message ID
22003
Log Subtype
System
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
Failed to set up a signal handler.
Fields
Field Description
msg
sigaction(<signal_handler>)failed: <string>
22004
Message ID
22004
Log Subtype
System
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
Depending on what the msg field contains, the meaning can be any one of
the following:
• The system failed to create a socket or failed to create a socket.
• The system failed to create a socket or failed to create a HA socket.
Fields
Field Description
msg
This field contains any one of the following:
• Socket () failed: <string>
• Socket () failed: <string>
22005
Message ID
22005
Log Subtype
System
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
The system failed to create a UDP socket to receive URL requests.
Fields
Field Description
msg
This field contains any one of the following:
• Failed to create a udp socket to relay URL requests: <string>
• failed to create a <value>/udp socket to receive URL request
22006
Message ID
22006
Log Subtype
System
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
The system failed to register for cmdb events.
Fields
Field Description
msg
Failed to register for cmdb events.
22009
Message ID
22009
Log Subtype
System
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
Could not find antivirus profile by using ID.
Fields
Field Description
name
The name of the antivirus profile.
status
This field always contains failure.
msg
failed to find its AV protection profile
22010
Message ID
22010
Log Subtype
System
Severity
Error
Firmware version
FortiOS 4.0 MR3
Meaning
Depending on what is in the msg field, it can contain any one of the following:
• The url filter has failed to send the rating result back to HTTP proxy.
• The HTTP proxy has crashed.
• The sendto () failed.
Fields
Field Description
process
The type of process that is being performed by the FortiGate unit.
reason
The reason for the trigger.
msg
This field contains any one of the following:
• <string> failed to send rating result
• failed to send urlfilter packet
• failed to send urlfilter packet because queue was full
• failed to send urlfilter packet <sent_number> times
22011
Message ID
22011
Log Subtype
System
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
The conversion of existing log files to SQL log files in the specified VDOM
started.
Fields
Field Description
action
The action that was taken.
status
This field always contains started.
files
The names of the log files that are being converted.
msg
Conversion of existing logs to SQL format for vdom <vdom_name> started.
22012
Message ID
22012
Log Subtype
System
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
Depending on what is in the msg field, the meaning can be any one of the
following:
• The SQL log database is full and cannot format any more logs.
• The SQL conversion failed because the log could not be opened.
Fields
Field Description
action
The action that was taken.
status
This field always contains failed.
reason
This field contains either sql-log-full or cannot-open-file.
file
The name of the log file being converted.
msg
This field contains any one of the following:
• Conversion of <log_file_name> to SQL format failed because SQL log is
full.
• Conversion of <log_file_name> to SQL format failed because the log file
cannto be opened.
22013
Message ID
22013
Log Subtype
System
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
The conversion process finished and the logs are now in SQL format in the
specified VDOM.
Fields
Field Description
action
The action that was taken.
status
This field always contains ended.
converted_files
The names of the converted log files.
entry
The entry information.
msg
Conversion of existing logs to SQL format for vdom <vdom_name> has been
finished.
22100
Message ID
22100
Log Subtype
System
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
Quarantine has dropped a FortiAnalyzer transfer job due to limited memory.
Fields
Field Description
file
The name of the file.
size
The size of the file.
limit
The number of the set limit.
avail
The number for avail.
action
This field always contains content-archive.
status
This field always contains drop.
reason
This field always contains memory-limit.
msg
File <file_name> is not transferred to FortiAnalyzer due to exceeding memory
usage limit.
Message ID
22100
Log Subtype
System
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
Quarantine dropped FortiAnalyzer transfer jobs because there was limited
available memory.
Fields
Field Description
count
The number of times the same event was detected within a short period of
time.
duration
The duration, or time lapse, in seconds.
limit
The number of the set limit.
used
The amount used.
action
This field always contains content-archive.
status
This field always contains drop.
reason
This field always contains memory-limit.
msg
In the past <seconds> seconds, <value> files were not transferred to
FortiAnalyzer due to exceeding memory usage limit.
22101
Message ID
22101
Log Subtype
System
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
Quarantine has dropped a FortiAnalyzer transfer job due to memory limit.
Fields
Field Description
file
The name of the file.
size
The size of the file.
limit
The number of the set limit.
avail
The number for avail.
action
This field always contains content-archive.
status
This field always contains drop.
reason
This field always contains memory-limit.
msg
File <file-name> is not transferred to FortiAnalyzer due to exceeding memory
usage limit.
Message ID
22101
Log Subtype
System
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
Quarantine has dropped a FortiAnalyzer transfer job due to memory limit.
Fields
Field Description
file
The name of the file.
size
The size of the file.
action
This field always contains content-archive.
status
This field always contains fail.
msg
Failed to transfer file <file_name> to FortiAnalyzer <ip_address>
Message ID
22101
Log Subtype
System
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
Failed to send a file to the FortiAnalyzer unit.
Fields
Field Description
file
The name of the file.
size
The size of the file.
action
The type of action taken by the FortiGate unit.
status
This field always contains fail.
msg
Failed to transfer file <file_name> to FortiAnalyzer <ip_address>
22102
Message ID
22102
Log Subtype
System
Severity
Critical
Firmware version
FortiOS 4.0 MR3
Meaning
Erroneous SMART status.
Fields
Field Description
msg
Log disk failure is imminent, logs should be backed up
22103
Message ID
22103
Log Subtype
System
Severity
Critical
Firmware version
FortiOS 4.0 MR3
Meaning
The FortiGuard log buffer was reset because of a system overload. Current
log data and possibly old log data may be lost.
You must reopen FortiGuard log pipe to solve the issue.
Fields
Field Description
reason
This field always contains buffer-overflow.
msg
This field contains any one of the following:
• FortiGuard Log buffer is reset due to a buffer overflow (system overload).
Some log data may be lost.
• FortiGuard Analysis Service buffer is reset due to a buffer overflow (system
overload). Some log data may be lost.\”
22200
Message ID
22200
Log Subtype
System
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
The specified certificate will automatically update itself after a specified
number of days is up.
Fields
Field Description
user
This field always contains system.
action
This field always contains certificate-update.
status
This field always contains warning.
cert
The name of the certificate.
msg
CA certificate <certificate_name> will auto-update in <number_days> days.
22201
Message ID
22201
Log Subtype
System
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
The specified certificate will automatically regenerate itself after a specified
number of days is up.
Fields
Field Description
user
This field always contains system.
action
This field always contains certificate-regenerate.
status
This field always contains warning.
cert
The name of the certificate.
msg
Local certificate <certificate_name> will auto-regenerate in <number_days>
days.
22202
Message ID
22202
Log Subtype
System
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
The certificate failed to automatically update.
Fields
Field Description
user
This field always contains system.
action
This field always contains certificate-update.
status
This field always contains failure.
cert
The name of the certificate.
msg
The log message information. This usually contains a sentence and explains
the activity and/or action taken.
22203
Message ID
22203
Log Subtype
System
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
The specified certificate will automatically regenerate itself after a specified
number of days is up.
Fields
Field Description
user
This field always contains system.
action
This field always contains certificate-regenerate.
status
This field always contains failure.
cert
The name of the certificate.
msg
The log message information. This usually contains a sentence and explains
the activity and/or action taken.
22800
Message ID
22800
Log Subtype
System
Severity
Critical
Firmware version
FortiOS 4.0 MR3
Meaning
Scan services entered conserve mode.
Note: Not all of the fields may appear with every 22800 log message.
Fields
Field Description
service
The name of the service.
mode
The mode information.
conserve
This field always contains on.
total
The total information.
free
The free information.
entermargin
The entermargin information.
exitmargin
The exitmargin information.
msg
This field contains any one of the following:
• The system has entered conserve mode” conserve=on total=<value>
free=<value> entermargin=<value> exitmargin=<value>
• Scan services session fail mode.
• Scan services entered conserve mode.
22801
Message ID
22801
Log Subtype
System
Severity
Critical
Firmware version
FortiOS 4.0 MR3
Meaning
Depending on what is in the msg field, the meaning can be any one of the
following:
• The system exited conserve mode.
• The scan services exited conserve mode.
Fields
Field Description
service
The type of service used.
conserve
This field contains either on or exit.
total
The total information.
free
The free information.
entermargin
The enter margin information.
exitmargin
The exit margin information.
msg
This field can be any one of the following:
• The system exited conserve mode.
• The system has entered conserve mode.
22802
Message ID
22802
Log Subtype
System
Severity
Critical
Firmware version
FortiOS 4.0 MR3
Meaning
System services entered conserve mode.
Fields
Field Description
service
The type of service used.
sysconserve
This field always contains on.
total
The total information.
free
The free information.
entermargin
The enter margin information.
exitmargin
The exit margin information.
msg
The system has entered system conserve mode
22803
Message ID
22803
Log Subtype
System
Severity
Critical
Firmware version
FortiOS 4.0 MR3
Meaning
System services exited conserve mode.
Fields
Field Description
service
The type of service used.
sysconserve
This field always contains exit.
total
The total information.
free
The free information.
entermargin
The enter margin information.
exitmargin
The exit margin information.
msg
The system exited system conserve mode
22804
Message ID
22804
Log Subtype
System
Severity
Critical
Firmware version
FortiOS 4.0 MR3
Meaning
The status of the license has changed.
Fields
Field Description
service
This field always contains license.
status
The status information of the license.
msg
License status changed to <status>
22805
Message ID
22805
Log Subtype
System
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
The status of the license could not be validated.
Fields
Field Description
service
This field always contains license.
status
This field always contains warning.
msg
License could not be validated for over 4 hours.
22806
Message ID
22806
Log Subtype
System
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
There is a duplicate of the license.
Fields
Field Description
service
This field always contains license.
status
This field always contains warning.
msg
Detected duplicate license in use.
22901
Message ID
22901
Log Subtype
System
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The FortiGate unit is connected to the FortiAnalyzer unit.
Fields
Field Description
action
This field always contains connect.
status
This field always contains success.
reason
The reason for the trigger.
msg
Connected to FortiAnalyzer <ip_address>
22902
Message ID
22902
Log Subtype
System
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The FortiGate unit has been disconnected from the FortiAnalyzer unit.
Fields
Field Description
action
This field always contains disconnect.
status
This field always contains success.
reason
The reason for the trigger.
msg
Disconnected from FortiAnalyzer <ip_address>
22903
Message ID
22903
Log Subtype
System
Severity
Critical
Firmware version
FortiOS 4.0 MR3
Meaning
The FortiGate unit failed to connect to the FortiAnalyzer unit.
Fields
Field Description
action
This field always contains connect.
status
This field always contains failure.
reason
The reason for the trigger.
msg
Failed to connect to FortiAnalyzer <ip_address>
22911
Message ID
22911
Log Subtype
System
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The FortiGuard Analysis Service server is up.
Fields
Field Description
server
This field contains either Home or Alter.
action
This field always contains up.
msg
FortiGuard Analysis Service {Home | Alter} server is up
22912
Message ID
22912
Log Subtype
System
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The FortiGuard Analysis Service server is down.
Fields
Field Description
server
This field contains either Home or Alter.
action
This field always contains down.
msg
FortiGuard Analysis Service {Home | Alter} server is down
22913
Message ID
22913
Log Subtype
System
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The FortiGuard Analysis Service server has been disconnected.
Fields
Field Description
server
This field contains either Home or Alter.
action
This field always contains disconnect.
msg
FortiGuard Analysis Service {Home | Alter} server is disconnected
22914
Message ID
22914
Log Subtype
System
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The FortiGuard Analysis Service server was changed to “disable” on the
FortiGuard Analysis and Management Service portal web site.
Fields
Field Description
server
This field contains either Home or Alter.
action
This field always contains change.
msg
FortiGuard Analysis Service server is changed to {Home | Alter}.
Event-DHCP service
Event-DHCP service log messages record DHCP service events.
26001
Message ID
26001
Log Subtype
DHCP service
Severity
Error
Firmware version
FortiOS 4.0 MR3
Meaning
A DHCP service event occurred.
Fields
Field Description
dhcp_msg
Information about the DHCP server.
dir
The direction information.
mac
The MAC IP address with 2x.
ip
The IP address.
lease
The lease information.
hostname
The host name information.
msg
The log message information. This is usually a sentence and explains the
activity and/or action taken.
26002
Message ID
26002
Log Subtype
DHCP service
Severity
Error
Firmware version
FortiOS 4.0 MR3
Meaning
Depending on what appears in the msg field, the meaning can be any one of
the following:
• No shared network found.
• The IP address range spans multiple subnets.
• The IP address range does not belong to the net.
Fields
Field Description
dhcp_msg
Information about the DHCP server.
dir
The direction information.
mac
The MAC IP address with 2x at the end.
ip
The IP address.
lease
The lease information.
hostname
The host name information.
msg
This field contains any one of the following:
• No shared network for network <interface_name> (ip_address)
• Address range <ip_address> to <ip_address>, netmask
<netmask_address> spans <string>!
• Address range <ip_address> to <ip_address> netmask
<netmask_address> not on net <string>!
Event-Firewall authentication
Event-Firewall authentication log messages record authentication events that occur within the FortiGate
firewall.
38001
38002
38003
38004
38005
38010
38011
38012
38020
38021
38022
38026
38027
38001
Message ID
38001
Log Subtype
Firewall Authentication
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The specified administrator succeeded in authentication.
Fields
Field Description
policyid
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will
have an index number of zero.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate
unit so that they could change, add, or remove a setting. For example,
the user admin_123 accesses the web-based manager to change their
password on the FortiGate-51B (IP address is 10.10.20.5). The field
then shows their point-of-entry as GUI(10.10.20.5).
action
This field always contains authenticate.
status
This field always contains success.
msg
User <user_name> succeeded in authentication
Message ID
38001
Log Subtype
Firewall Authentication
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The specified AD group succeeded in authentication.
Fields
Field Description
ipproto
The IP protocol information.
src
The source IP address.
dst
The destination IP address.
policyid
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will
have an index number of zero.
adgroup
The name of the AD group.
user
The name of the user creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate
unit so that they could change, add, or remove a setting. For example,
the user admin_123 accesses the web-based manager to change their
password on the FortiGate-51B (IP address is 10.10.20.5). The field
then shows their point-of-entry as GUI(10.10.20.5).
action
This field always contains FSAE-auth.
status
This field always contains success.
msg
AD group <adgroup_name> user <user_name> succeeded in
authentication.
Message ID
38001
Log Subtype
Firewall Authentication
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The specified AD domain group failed in authentication.
Fields
Field Description
policyid
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will
have an index number of zero.
domain
The domain name.
user
The name of the user creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate
unit so that they could change, add, or remove a setting. For example,
the user admin_123 accesses the web-based manager to change their
password on the FortiGate-51B (IP address is 10.10.20.5). The field
then shows their point-of-entry as GUI(10.10.20.5).
action
This field always contains NTML-auth.
status
This field always contains failure.
reason
The reason that the trigger occurred.
msg
AD domain <domain_name> user <user_name> failed in
authentication.
38002
Message ID
38002
Log Subtype
Firewall Authentication
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The specified user failed in concurrent check.
Fields
Field Description
policyid
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
user
The name of the user creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate
unit so that they could change, add, or remove a setting. For example, the
user admin_123 accesses the web-based manager to change their
password on the FortiGate-51B (IP address is 10.10.20.5). The field
then shows their point-of-entry as GUI(10.10.20.5).
action
This field always contains authenticate.
status
This field always contains failure.
msg
User <user_name> failed in concurrent check.
Message ID
38002
Log Subtype
Firewall Authentication
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The specified user failed in authentication.
Fields
Field Description
policyid
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
user
The name of the user creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate
unit so that they could change, add, or remove a setting. For example, the
user admin_123 accesses the web-based manager to change their
password on the FortiGate-51B (IP address is 10.10.20.5). The field
then shows their point-of-entry as GUI(10.10.20.5).
action
This field always contains authenticate.
status
This field always contains failure.
msg
User <user_name> failed in authentication
Message ID
38002
Log Subtype
Firewall Authentication
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The specified user failed in authentication.
Fields
Field Description
ipproto
The IP protocol information.
src
The source IP address.
dst
The destination IP address.
policyid
The firewall policy identification number.
adgroup
The name of the AD group.
user
The name of the user creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate
unit so that they could change, add, or remove a setting. For example, the
user admin_123 accesses the web-based manager to change their
password on the FortiGate-51B (IP address is 10.10.20.5). The field
then shows their point-of-entry as GUI(10.10.20.5).
action
This field always contains FSAE-auth.
status
This field always contains failure.
reason
The reason that the trigger occurred.
msg
AD group <group_name> user <user_name> failed in authentication.
Message ID
38002
Log Subtype
Firewall Authentication
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
The user was blacked out for a specified amount of time because
of abnormal behavior.
Fields
Field Description
policyid
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
ui
The location of the point-of-entry the user used to access the FortiGate
unit so that they could change, add, or remove a setting. For example, the
user admin_123 accesses the web-based manager to change their
password on the FortiGate-51B (IP address is 10.10.20.5). The field
then shows their point-of-entry as GUI(10.10.20.5).
dst
The destination IP address.
action
This field always contains authenticate.
status
This field always contains blackout.
reason
This field always contains abnormal.
msg
User from <ip_address> was blacked out for <time_seconds> seconds
due to abnormal behavior.
Message ID
38002
Log Subtype
Firewall Authentication
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
The user failed to authenticate within the allowed time frame.
Fields
Field Description
policyid
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
user
The name of the user creating the traffic.
service
The IP network service that applies to the session or packet. The services
displayed correspond to the services configured in the firewall policy.
action
This field always contains authenticate.
status
This field always contains timeout.
reason
This field always contains timeout.
src
The source IP address.
srcname
The name of the source. This can be the source’s IP address; however, it
can also be N/A.
dst
The destination IP address.
dstname
The name of the destination. This can be the destination’s IP address;
however, it can also be N/A.
msg
User failed to authenticate within the allowed period.
38003
Message ID
38003
Log Subtype
Firewall Authentication
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The specified administrator failed authentication and is locked out
because they tried too many times.
Fields
Field Description
policyid
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
user
The name of the user creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate
unit so that they could change, add, or remove a setting. For example, the
user admin_123 accesses the web-based manager to change their
password on the FortiGate-51B (IP address is 10.10.20.5). The field
then shows their point-of-entry as GUI(10.10.20.5).
action
This field always contains authenticate.
status
This field always contains lockout.
msg
User at <ip_address> failed authentication too many times.
38004
Message ID
38004
Log Subtype
Firewall Authentication
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
A successful FSAE log in event.
Fields
Field Description
user
The name of the user creating the traffic.
src
The source IP address.
server
The name or IP address of the server.
action
This field always contains FSAE-logon.
status
This field always contains success.
msg
FSAE-logon event from <ip_address>: user <user_name> logged on
<ip_address>
Message ID
38004
Log Subtype
Firewall Authentication
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
A successful FSAE log in event.
Fields
Field Description
user
The name of the user creating the traffic.
src
The source IP address.
server
The name or IP address of the server.
action
This field always contains FSAE-logoff.
status
This field always contains success.
msg
FSAE-logoff event from <ip_address>: user <user_name> logged off
<ip_address>
38005
Message ID
38005
Log Subtype
Firewall Authentication
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The policy authentication of the specified user has timed out.
Fields
Field Description
src
The source IP address.
user
The name of the user creating the traffic.
group
The name of the user group creating the traffic.
policyid
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
action
This field always contains authenticate.
status
This field always contains timeout.
msg
Policy authentication of user <user_name> has timed out.
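The status values documented for message IDs 38001 through 38005 distinguish plain failures from lockouts, blackouts and timeouts, which matters when reviewing authentication logs. The following Python code is an added example, not part of the Fortinet reference: it assumes key=value log lines with a log_id field whose last five digits are the message ID, and every sample line is constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from a real device). The key=value layout and
# the log_id field are assumptions; field names and values follow the
# 38001-38005 entries above, plus one 22901 line as a non-authentication event.
SAMPLE_LOG = """\
2011-11-21 10:00:01 log_id=0000038002 policyid=4 user="jdoe" ui=GUI(10.10.20.5) action=authenticate status=failure msg="User jdoe failed in authentication"
2011-11-21 10:00:04 log_id=0000038002 policyid=4 user="jdoe" ui=GUI(10.10.20.5) action=authenticate status=failure msg="User jdoe failed in authentication"
2011-11-21 10:00:07 log_id=0000038002 policyid=4 user="jdoe" ui=GUI(10.10.20.5) action=authenticate status=failure msg="User jdoe failed in authentication"
2011-11-21 10:00:08 log_id=0000038003 policyid=4 user="jdoe" ui=GUI(10.10.20.5) action=authenticate status=lockout msg="User at 10.10.20.5 failed authentication too many times."
2011-11-21 10:01:00 log_id=0000038002 policyid=4 user="asmith" ui=GUI(10.10.20.6) action=authenticate status=failure msg="User asmith failed in authentication"
2011-11-21 10:01:09 log_id=0000038001 policyid=4 user="asmith" ui=GUI(10.10.20.6) action=authenticate status=success msg="User asmith succeeded in authentication"
2011-11-21 10:02:00 log_id=0000038002 policyid=4 user="bkim" ui=GUI(10.10.20.7) action=authenticate status=failure msg="User bkim failed in authentication"
2011-11-21 10:02:02 log_id=0000038002 policyid=4 user="bkim" ui=GUI(10.10.20.7) action=authenticate status=failure msg="User bkim failed in authentication"
2011-11-21 10:02:04 log_id=0000038002 policyid=4 user="bkim" ui=GUI(10.10.20.7) action=authenticate status=failure msg="User bkim failed in authentication"
2011-11-21 10:02:06 log_id=0000038001 policyid=4 user="bkim" ui=GUI(10.10.20.7) action=authenticate status=success msg="User bkim succeeded in authentication"
2011-11-21 10:03:00 log_id=0000038002 policyid=4 ui=GUI(10.10.20.9) dst=10.10.20.1 action=authenticate status=blackout reason=abnormal msg="User from 10.10.20.9 was blacked out for 60 seconds due to abnormal behavior."
2011-11-21 10:04:00 log_id=0000022901 action=connect status=success reason=none msg="Connected to FortiAnalyzer 10.10.20.50"
2011-11-21 10:05:00 log_id=0000038005 src=10.10.20.6 user="asmith" policyid=4 action=authenticate status=timeout msg="Policy authentication of user asmith has timed out."
"""

# key=value pairs; a value is either double-quoted or a run of non-space text.
PAIR = re.compile(r'([\w-]+)=("[^"]*"|\S*)')

# (message ID, status) pairs taken from the reference entries. Matching on the
# ID as well as the status keeps unrelated "success" events (22901) out.
SIGNALS = {
    ("38001", "success"): "success",
    ("38002", "failure"): "failure",
    ("38002", "blackout"): "blackout",
    ("38002", "timeout"): "timeout",
    ("38003", "lockout"): "lockout",
    ("38005", "timeout"): "timeout",
}


def parse_line(line):
    """Return the key=value fields of one log line as a dict."""
    fields = {}
    for key, value in PAIR.findall(line):
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def classify(fields):
    """Map a parsed event to a signal name, or None if it is not of interest."""
    msg_id = fields.get("log_id", "")[-5:]
    return SIGNALS.get((msg_id, fields.get("status")))


def review(lines, threshold=3):
    """Flag identities with repeated failures, a lockout, or a blackout."""
    state = defaultdict(lambda: {"failures": 0, "lockout": False,
                                 "blackout": False,
                                 "success_after_failures": False})
    for line in lines:
        fields = parse_line(line)
        signal = classify(fields)
        if signal is None:
            continue
        # Blackout events carry no user field, so fall back to the ui value.
        who = fields.get("user") or fields.get("ui") or "unknown"
        entry = state[who]
        if signal == "failure":
            entry["failures"] += 1
        elif signal in ("lockout", "blackout"):
            entry[signal] = True
        elif signal == "success" and entry["failures"] >= threshold:
            # A success right after many failures deserves a second look.
            entry["success_after_failures"] = True
    return {who: dict(entry) for who, entry in state.items()
            if entry["failures"] >= threshold
            or entry["lockout"] or entry["blackout"]}


if __name__ == "__main__":
    for who, entry in review(SAMPLE_LOG.splitlines()).items():
        print(who, entry)
```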
38010
Message ID
38010
Log Subtype
Firewall Authentication
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
The specified user failed authentication when creating a FortiGuard Web
Filtering override.
Fields
Field Description
initiator
The initiator information.
status
This field always contains failure.
reason
This field always contains credentials.
src
The source IP address.
dst
The destination IP address.
msg
User <user_name> failed authentication when creating a FortiGuard Web
Filtering overrride from <ip_address>
Message ID
38010
Log Subtype
Firewall Authentication
Severity
Alert
Firmware version
FortiOS 4.0 MR3
Meaning
The encryption for EVP failed.
Fields
Field Description
user
The name of the user creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate
unit so that they could change, add, or remove a setting. For example, the
user admin_123 accesses the web-based manager to change their
password on the FortiGate-51B (IP address is 10.10.20.5). The field
then shows their point-of-entry as GUI(10.10.20.5).
action
This field always contains encryption.
cipher
This field always contains aes-128-cbc.
status
This field always contains failed.
msg
EVP encryption failed.
38011
Message ID
38011
Log Subtype
Firewall Authentication
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
The FortiGuard Web Filtering override table is full and cannot contain
any more overrides.
Fields
Field Description
initiator
The initiator information.
status
This field always contains failure.
reason
This field always contains table_add_failed.
src
The source IP address.
dst
The destination IP address.
msg
FortiGuard Web Filtering override table is full.
Message ID
38011
Log Subtype
Firewall Authentication
Severity
Alert
Firmware version
FortiOS 4.0 MR3
Meaning
The decryption for EVP failed.
Fields
Field Description
user
The name of the user creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate
unit so that they could change, add, or remove a setting. For example, the
user admin_123 accesses the web-based manager to change their
password on the FortiGate-51B (IP address is 10.10.20.5). The field
then shows their point-of-entry as GUI(10.10.20.5).
action
This field always contains decryption.
cipher
This field always contains aes-128-cbc.
status
This field always contains failed.
msg
EVP decryption failed.
38012
Message ID
38012
Log Subtype
Firewall Authentication
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
A FortiGuard Web Filtering override was successfully created.
Fields
Field Description
initiator
The initiator information.
status
This field always contains success.
reason
This field always contains none.
src
The source IP address.
dst
The destination IP address.
action
This field always contains authentication.
scope
The scope information.
scope_data
The scope data information.
rule_type
The rule type information.
rule_data
The rule data information.
offsite
The offsite information.
expiry
The expiry information.
msg
User <user_name> added webfilter override entry <entry_name> from
<location>.
38020
Message ID
38020
Log Subtype
Firewall Authentication
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
A FortiClient checking event occurred.
Fields
Field Description
ui
The location of the point-of-entry the user used to access the FortiGate
unit so that they could change, add, or remove a setting. For example, the
user admin_123 accesses the web-based manager to change their
password on the FortiGate-51B (IP address is 10.10.20.5). The field
then shows their point-of-entry as GUI(10.10.20.5).
dst
The destination IP address.
msg
Log message information.
Message ID
38020
Log Subtype
Firewall Authentication
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
A FortiClient checking event occurred.
Fields
Field Description
ui
The location of the point-of-entry the user used to access the FortiGate
unit so that they could change, add, or remove a setting. For example, the
user admin_123 accesses the web-based manager to change their
password on the FortiGate-51B (IP address is 10.10.20.5). The field
then shows their point-of-entry as GUI(10.10.20.5).
msg
Log message information.
38021
Message ID
38021
Log Subtype
Firewall Authentication
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The quota for per IP shaper was exceeded.
Fields
Field Description
ui
The location of the point-of-entry the user used to access the FortiGate
unit so that they could change, add, or remove a setting. For example, the
user admin_123 accesses the web-based manager to change their
password on the FortiGate-51B (IP address is 10.10.20.5). The field
then shows their point-of-entry as GUI(10.10.20.5).
action
This field always contains ip-traffic-shaper.
status
This field always contains blocked.
shaper
The name of the traffic shaper.
bps
The bps information.
giga
The Gigabyte number.
mega
The mega number.
bytes
The number of bytes.
msg
Traffic exceed per ip traffic shaper quota, ip: <ip_address>
Message ID
38021
Log Subtype
Firewall Authentication
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The quota for per IP shaper was exceeded.
Fields
Field Description
ui
The location of the point-of-entry the user used to access the FortiGate
unit so that they could change, add, or remove a setting. For example, the
user admin_123 accesses the web-based manager to change their
password on the FortiGate-51B (IP address is 10.10.20.5). The field
then shows their point-of-entry as GUI(10.10.20.5).
action
This field always contains policy-traffic-shaper.
status
This field always contains blocked.
shaper
The name of the traffic shaper.
policyid
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
bps
The bps information.
giga
The Gigabyte number.
mega
The mega number.
bytes
The number of bytes.
msg
Traffic exceed shared traffic shaper quota, policy id:
<firewall_policy_id_number>.
38022
Message ID
38022
Log Subtype
Firewall Authentication
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The shared traffic shaper data was logged.
Fields
Field Description
ui
The location of the point-of-entry the user used to access the FortiGate
unit so that they could change, add, or remove a setting. For example, the
user admin_123 accesses the web-based manager to change their
password on the FortiGate-51B (IP address is 10.10.20.5). The field
then shows their point-of-entry as GUI(10.10.20.5).
action
This field always contains ip-traffic-shaper.
status
This field always contains allowed.
shaper
The name of the traffic shaper.
bps
The bps information.
giga
The Gigabyte number.
mega
The mega number.
bytes
The number of bytes.
msg
Per ip traffic shaper statistic data is logged, ip: <ip_address>
Message ID
38022
Log Subtype
Firewall Authentication
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The shared traffic shaper data was logged.
Fields
Field Description
ui
The location of the point-of-entry the user used to access the FortiGate
unit so that they could change, add, or remove a setting. For example, the
user admin_123 accesses the web-based manager to change their
password on the FortiGate-51B (IP address is 10.10.20.5). The field
then shows their point-of-entry as GUI(10.10.20.5).
action
This field always contains policy-traffic-shaper.
status
This field always contains allowed.
shaper
The name of the traffic shaper.
policyid
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
bps
The bps information.
giga
The Gigabyte number.
mega
The mega number.
bytes
The number of bytes.
msg
Shared traffic shaper statistic data is logged, policy id:
<firewall_policy_id_number>
38026
Message ID
38026
Log Subtype
Firewall Authentication
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The Endpoint License Distribution has indicated that there are a specified
number of keys assigned with a specified IP address.
Fields
Field Description
msg
Endpoint License Distribution: active license keys left; key <key_number>
assigned to endpoint with ip=<ip_address>
38027
Message ID
38027
Log Subtype
Firewall Authentication
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
An endpoint application was detected.
Fields
Field Description
ui
The location of the point-of-entry the user used to access the FortiGate
unit so that they could change, add, or remove a setting. For example, the
user admin_123 accesses the web-based manager to change their
password on the FortiGate-51B (IP address is 10.10.20.5). The field
then shows their point-of-entry as GUI(10.10.20.5).
dst
The destination IP address.
action
The action taken by the FortiGate unit.
msg
Log message information.
Event-Wireless
Event-Wireless log messages record wireless events that occur with FortiGate units that have WiFi
capabilities.
43520
43521
43522
43524
43525
43526
43520
Log Subtype
Wireless
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
A wireless system activity occurred.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual domain
exists, this field always contains root.
action
The information about the action that was taken.
msg
The log message information. This is usually a sentence and explains the
activity and/or action taken.
43521
Log Subtype
Wireless
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
A wireless rogue AP activity occurred.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual domain
exists, this field always contains root.
ssid
The service set identifier.
bssid
The basic service set identifier.
rate
The data rate number.
radio-band
The radio band information.
channel
The channel number.
action
The information about the action that was taken.
manuf
The name of the manufacturer.
security-mode
The type of security mode.
rssi
The RSSI number.
noise
The noise number.
live
The live number.
age
The age number.
on-wire
This is either no or yes.
detection-method
The type of detection method being used. This can be any one of the following:
• N/A
• sta
• mac adjancency
sta-mac
The station MAC information.
ap-scan
The WTP that scanned the station.
msg
The log message information. This is usually a sentence and explains the
activity and/or action taken.
43522
Log Subtype
Wireless
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
A physical AP activity occurred.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
sn
The physical AP unit’s serial number.
ap
The name of the physical AP.
ap_profile
The name of the AP profile.
ip
The IP address of the AP unit.
action
The information about the action that was taken.
reason
The reason for taking the specified action.
msg
The log message information. This is usually a sentence and explains the
activity and/or action taken.
43524
Log Subtype
Wireless
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
A wireless client activity occurred.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
sn
The physical AP unit’s serial number.
ap
The physical AP name.
vap
The virtual AP name.
ssid
The service set identifier.
mac
The client wireless MAC address.
security
This field contains any one of the following:
• open
• wep64
• wep128
• wpa-psk
• wpa-radius
• wpa
• wpa2
• wpa2-auto
action
The information about the action that was taken.
msg
The log message information. This is usually a sentence and explains
the activity and/or action taken.
43525
Log Subtype
Wireless
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
A wireless rogue AP activity occurred.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual domain
exists, this field always contains root.
ssid
The service set identifier.
bssid
The basic service set identifier.
rate
The data rate number.
radio-band
The radio band information.
channel
The channel number.
action
The information about the action that was taken.
manuf
The name of the manufacturer.
security-mode
The information about the security mode.
rssi
The RSSI number.
noise
The noise number.
live
The live number.
age
The age number.
on-wire
This is either no or yes.
detection-method
The type of detection method being used. This can be any one of the following:
• N/A
• sta
• mac adjancency
sta-mac
The station MAC information.
ap-scan
The WTP that scanned the station.
msg
The log message information. This is usually a sentence and explains the
activity and/or action taken.
43526
Log Subtype
Wireless
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
A physical AP radio activity occurred.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
sn
The physical AP unit’s serial number.
ap
The name of the physical AP unit.
ip
The IP address of the AP unit.
radio-id
The radio identification number.
action
The information about the action that was taken.
msg
The log message information. This is usually a sentence and explains the
activity and/or action taken.
Event-IPsec negotiation
Event-IPsec negotiation log messages record IPsec activities and events.
37120
37121
37122
37123
37124
37125
37126
37127
37129
37130
37131
37132
37133
37134
37135
37136
37137
37138
37139
37184
37185
37186
37187
37188
37189
37190
37191
37192
37193
37194
37195
37196
37197
37198
37199
37200
37201
37202
37203
37120
Log Subtype
IPsec
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
Notification of an IPsec negotiation of Phase 1.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
msg
negotiate IPsec phase 1
action
This field contains any one of the following:
• negotiate
• tunnel-up
• error
• tunnel-down
• install_sa
• tunnel-stats
• delete_phase1_sa
• phase2-up
• delete_IPsec_sa
• phase2-down
• dpd
rem_ip
The remote IP address.
loc_ip
The local IP address.
rem_port
The remote port number.
loc_port
The local port number.
out_intf
The interface that is outbound.
cookies
The cookies for that IPsec session.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
xauth_user
The name of the XAuth user.
xauth_group
The name of the Xauthentication group.
vpn_tunnel
The name of the VPN tunnel that was used. For example, ssl_vpn1.
status
This field contains any one of the following:
• success
• esp_error
• failure
• dpd_failure
• negotiate_error
xauth_result
This field contains either XAUTH authentication successful or XAUTH
authentication failed.
37121
Log Subtype
IPsec
Severity
Error
Firmware version
FortiOS 4.0 MR3
Meaning
Negotiation error of an IPsec Phase 1.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
msg
negotiate IPsec phase 1
action
This field contains any one of the following:
• negotiate
• tunnel-up
• error
• tunnel-down
• install_sa
• tunnel-stats
• delete_phase1_sa
• phase2-up
• delete_IPsec_sa
• phase2-down
• dpd
rem_ip
The remote IP address.
loc_ip
The local IP address.
rem_port
The remote port number.
loc_port
The local port number.
out_intf
The interface that is outbound.
cookies
The cookies for that IPsec session.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
xauth_user
The name of the XAuth user.
xauth_group
The name of the Xauthentication group.
vpn_tunnel
The name of the VPN tunnel that was used. For example, ssl_vpn1.
status
This field contains any one of the following:
• success
• esp_error
• failure
• dpd_failure
• negotiate_error
xauth_result
This field contains either XAUTH authentication successful or XAUTH
authentication failed.
37122
Log Subtype
IPsec
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
Notification of an IPsec negotiation of Phase 2.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
msg
negotiate IPsec phase 1
action
This field contains any one of the following:
• negotiate
• tunnel-up
• error
• tunnel-down
• install_sa
• tunnel-stats
• delete_phase1_sa
• phase2-up
• delete_IPsec_sa
• phase2-down
• dpd
rem_ip
The remote IP address.
loc_ip
The local IP address.
rem_port
The remote port number.
loc_port
The local port number.
out_intf
The interface that is outbound.
cookies
The cookies for that IPsec session.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
xauth_user
The name of the XAuth user.
xauth_group
The name of the Xauthentication group.
vpn_tunnel
The name of the VPN tunnel that was used. For example, ssl_vpn1.
status
This field contains any one of the following:
• success
• esp_error
• failure
• dpd_failure
• negotiate_error
role
This field contains either responder or initiator.
esp_transform
This field contains any one of the following:
• ESP_NULL
• ESP_3DES
• ESP_DES
• ESP_AES
esp_auth
This field contains any one of the following:
• no authentication
• HMAC_MD5
• HMAC_SHA1
• HMAC_SHA256
37123
Log Subtype
IPsec
Severity
Error
Firmware version
FortiOS 4.0 MR3
Meaning
Negotiation error of an IPsec Phase 2.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
msg
negotiate IPsec phase 1
action
This field contains any one of the following:
• negotiate
• tunnel-up
• error
• tunnel-down
• install_sa
• tunnel-stats
• delete_phase1_sa
• phase2-up
• delete_IPsec_sa
• phase2-down
• dpd
rem_ip
The remote IP address.
loc_ip
The local IP address.
rem_port
The remote port number.
loc_port
The local port number.
out_intf
The interface that is outbound.
cookies
The cookies for that IPsec session.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
xauth_user
The name of the XAuth user.
xauth_group
The name of the Xauthentication group.
vpn_tunnel
The name of the VPN tunnel that was used. For example, ssl_vpn1.
status
This field contains any one of the following:
• success
• esp_error
• failure
• dpd_failure
• negotiate_error
role
This field contains either responder or initiator.
esp_transform
This field contains any one of the following:
• ESP_NULL
• ESP_3DES
• ESP_DES
• ESP_AES
esp_auth
This field contains any one of the following:
• no authentication
• HMAC_MD5
• HMAC_SHA1
• HMAC_SHA256
37124
Log Subtype
IPsec
Severity
Error
Firmware version
FortiOS 4.0 MR3
Meaning
IPsec Phase 1 error.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual domains
exist, this field always contains root.
msg
negotiate IPsec phase 1
action
This field contains any one of the following:
• negotiate
• tunnel-up
• error
• tunnel-down
• install_sa
• tunnel-stats
• delete_phase1_sa
• phase2-up
• delete_IPsec_sa
• phase2-down
• dpd
rem_ip
The remote IP address.
loc_ip
The local IP address.
rem_port
The remote port number.
loc_port
The local port number.
out_intf
The interface that is outbound.
cookies
The cookies for that IPsec session.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
xauth_user
The name of the XAuth user.
xauth_group
The name of the Xauthentication group.
vpn_tunnel
The name of the VPN tunnel that was used. For example, ssl_vpn1.
status
This field contains any one of the following:
• success
• esp_error
• failure
• dpd_failure
• negotiate_error
error_reason
This field contains any one of the following:
• invalid certificate
• peer notification
• invalid SA payload
• not enough key material for tunnel
• probable preshared key mismatch
• encapsulated mode mismatch
• no matching gateway for new request
• peer SA proposal not match local policy
• aggressive vs main mode mismatch for new request
peer_notif
This field, peer notification, can contain any one of the following:
• NOT-APPLICABLE
• INVALID-CERTIFICATE
• INVALID-PAYLOAD-TYPE
• BAD-CERT-REQUEST-SYNTAX
• DOI-NOT-SUPPORTED
• INVALID-CERT-AUTHORITY
• SITUATION-NOT-SUPPORTED
• INVALID-HASH-INFORMATION
• INVALID-COOKIE
• AUTHENTICATION-FAILED
• INVALID-MAJOR-VERSION
• INVALID-SIGNATURE
• INVALID-MINOR-VERSION
• ADDRESS-NOTIFICATION
• INVALID-EXCHANGE-TYPE
• NOTIFY-SA-LIFETIME
• INVALID-FLAGS
• CERTIFICATE-UNAVAILABLE
• INVALID-MESSAGE-ID
• UNSUPPORTED-EXCHANGE-TYPE
• INVALID-PROTOCOL-ID
• UNEQUAL-PAYLOAD-LENGTHS
• INVALID-SPI
• CONNECTED
• INVALID-TRANSFORM-ID
• RESPONDER-LIFETIME
• ATTRIBUTES-NOT-SUPPORTED
• REPLAY-STATUS
• NO-PROPOSAL-CHOSEN
• INITIAL-CONTACT
• BAD-PROPOSAL-SYNTAX
• R-U-THERE
• PAYLOAD-MALFORMED
• R-U-THERE-ACK
• INVALID-KEY-INFORMATION
• HEARTBEAT
• INVALID-ID-INFORMATION
• RETRY-LIMIT-REACHED
• INVALID-CERT-ENCODING
37125
Log Subtype
IPsec
Severity
Error
Firmware version
FortiOS 4.0 MR3
Meaning
IPsec Phase 2 error.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
msg
negotiate IPsec phase 1
action
This field contains any one of the following:
• negotiate
• tunnel-up
• error
• tunnel-down
• install_sa
• tunnel-stats
• delete_phase1_sa
• phase2-up
• delete_IPsec_sa
• phase2-down
• dpd
rem_ip
The remote IP address.
loc_ip
The local IP address.
rem_port
The remote port number.
loc_port
The local port number.
out_intf
The interface that is outbound.
cookies
The cookies for that IPsec session.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
xauth_user
The name of the XAuth user.
xauth_group
The name of the Xauthentication group.
vpn_tunnel
The name of the VPN tunnel that was used. For example, ssl_vpn1.
status
This field contains any one of the following:
• success
• esp_error
• failure
• dpd_failure
• negotiate_error
error_reason
This field contains any one of the following:
• invalid certificate
• peer notification
• invalid SA payload
• not enough key material for tunnel
• probable preshared key mismatch
• encapsulated mode mismatch
• no matching gateway for new request
• peer SA proposal not match local policy
• aggressive vs main mode mismatch for new request
37126
Log Subtype
IPsec
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
IPsec not state error.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual domains
exist, this field always contains root.
msg
negotiate IPsec phase 1
action
This field contains any one of the following:
• negotiate
• tunnel-up
• error
• tunnel-down
• install_sa
• tunnel-stats
• delete_phase1_sa
• phase2-up
• delete_IPsec_sa
• phase2-down
• dpd
rem_ip
The remote IP address.
loc_ip
The local IP address.
rem_port
The remote port number.
loc_port
The local port number.
out_intf
The interface that is outbound.
cookies
The cookies for that IPsec session.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
xauth_user
The name of the XAuth user.
xauth_group
The name of the Xauthentication group.
vpn_tunnel
The name of the VPN tunnel that was used. For example, ssl_vpn1.
status
This field contains any one of the following:
• success
• esp_error
• failure
• dpd_failure
• negotiate_error
error_reason
This field contains any one of the following:
• invalid certificate
• not enough key material for tunnel
• invalid SA payload
• encapsulated mode mismatch
• probable preshared key mismatch
• no matching gateway for new request
• peer SA proposal not match local policy
• aggressive vs main mode mismatch for new request
• peer notification
37127
Log Subtype
IPsec
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
Progress of an IPsec phase 1 notification.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
msg
negotiate IPsec phase 1
action
This field contains any one of the following:
• negotiate
• tunnel-up
• error
• tunnel-down
• install_sa
• tunnel-stats
• delete_phase1_sa
• phase2-up
• delete_IPsec_sa
• phase2-down
• dpd
rem_ip
The remote IP address.
loc_ip
The local IP address.
rem_port
The remote port number.
loc_port
The local port number.
out_intf
The interface that is outbound.
cookies
The cookies for that IPsec session.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
xauth_user
The name of the XAuth user.
xauth_group
The name of the Xauthentication group.
vpn_tunnel
The name of the VPN tunnel that was used. For example, ssl_vpn1.
status
This field contains any one of the following:
• success
• esp_error
• failure
• dpd_failure
• negotiate_error
init
This field can either be local or remote.
mode
This field contains any one of the following:
• aggressive
• xauth
• main
• xauth_client
• quick
dir
This field can be either outbound or inbound.
stage
The stage number.
role
This field contains either responder or initiator.
result
This field contains any one of the following:
• ERROR
• DONE
• OK
• PENDING
37128
Log Subtype
IPsec
Severity
Error
Firmware version
FortiOS 4.0 MR3
Meaning
Progress of an IPsec Phase 1 error.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
msg
negotiate IPsec phase 1
action
This field contains any one of the following:
• negotiate
• tunnel-up
• error
• tunnel-down
• install_sa
• tunnel-stats
• delete_phase1_sa
• phase2-up
• delete_IPsec_sa
• phase2-down
• dpd
rem_ip
The remote IP address.
loc_ip
The local IP address.
rem_port
The remote port number.
loc_port
The local port number.
out_intf
The interface that is outbound.
cookies
The cookies for that IPsec session.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
xauth_user
The name of the XAuth user.
xauth_group
The name of the Xauthentication group.
vpn_tunnel
The name of the VPN tunnel that was used. For example, ssl_vpn1.
status
This field contains any one of the following:
• success
• esp_error
• failure
• dpd_failure
• negotiate_error
init
This field contains either local or remote.
mode
This field contains any one of the following:
• aggressive
• xauth
• main
• xauth_client
• quick
dir
The direction of the traffic. This field contains either outbound or inbound.
stage
The stage number.
role
This field contains either responder or initiator.
result
This field contains any one of the following:
• ERROR
• DONE
• OK
• PENDING
37129
Log Subtype
IPsec
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
Progress of an IPsec Phase 2 notification.
Fields
Field Description
msg
negotiate IPsec phase 1
action
This field contains any one of the following:
• negotiate
• tunnel-up
• error
• tunnel-down
• install_sa
• tunnel-stats
• delete_phase1_sa
• phase2-up
• delete_IPsec_sa
• phase2-down
• dpd
rem_ip
The remote IP address.
loc_ip
The local IP address.
rem_port
The remote port number.
loc_port
The local port number.
out_intf
The interface that is outbound.
cookies
The cookies for that IPsec session.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
xauth_user
The name of the XAuth user.
xauth_group
The name of the XAuthentication group.
vpn_tunnel
The name of the VPN tunnel that was used. For example, ssl_vpn1.
status
This field contains any one of the following:
• success
• esp_error
• failure
• dpd_failure
• negotiate_error
init
This field can either be local or remote.
mode
This field contains any one of the following:
• aggressive
• xauth
• main
• xauth_client
• quick
dir
The direction of the traffic. This field contains either outbound or inbound.
stage
The stage number.
role
This field contains either responder or initiator.
result
This field contains any one of the following:
• ERROR
• DONE
• OK
• PENDING
37130
Log Subtype
IPsec
Severity
Error
Firmware version
FortiOS 4.0 MR3
Meaning
The progress status of an IPsec Phase 2 error.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
msg
progress IPsec phase 2
action
This field contains any one of the following:
• negotiate
• tunnel-up
• error
• tunnel-down
• install_sa
• tunnel-stats
• delete_phase1_sa
• phase2-up
• delete_IPsec_sa
• phase2-down
• dpd
rem_ip
The remote IP address.
loc_ip
The local IP address.
rem_port
The remote port number.
loc_port
The local port number.
out_intf
The interface that is outbound.
cookies
The cookies for that IPsec session.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
xauth_user
The name of the XAuth user.
xauth_group
The name of the XAuthentication group.
vpn_tunnel
The name of the VPN tunnel that was used. For example, ssl_vpn1.
status
This field contains any one of the following:
• success
• esp_error
• failure
• dpd_failure
• negotiate_error
init
This field can either be local or remote.
mode
This field contains any one of the following:
• aggressive
• xauth
• main
• xauth_client
• quick
dir
The direction of the traffic. This field contains either outbound or inbound.
stage
The stage number.
role
This field contains either responder or initiator.
result
This field contains any one of the following:
• ERROR
• DONE
• OK
• PENDING
37131
Log Subtype
IPsec
Severity
Error
Firmware version
FortiOS 4.0 MR3
Meaning
A notification of IPsec ESP.
Fields
Field Description
msg
IPsec ESP.
action
This field contains any one of the following:
• negotiate
• tunnel-up
• error
• tunnel-down
• install_sa
• tunnel-stats
• delete_phase1_sa
• phase2-up
• delete_IPsec_sa
• phase2-down
• dpd
rem_ip
The remote IP address.
loc_ip
The local IP address.
rem_port
The remote port number.
loc_port
The local port number.
out_intf
The interface that is outbound.
cookies
The cookies for that IPsec session.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
xauth_user
The name of the XAuth user.
xauth_group
The name of the Xauthentication group.
vpn_tunnel
The name of the VPN tunnel that was used. For example, ssl_vpn1.
status
This field contains any one of the following:
• success
• esp_error
• failure
• dpd_failure
• negotiate_error
error_num
This field contains any one of the following:
• Invalid ESP packet detected
• Invalid ESP packet detected (invalid padding length)
• Invalid ESP packet detected (HMAC validation failed)
• Invalid ESP packet detected (replayed packet)
• Invalid ESP packet detected (invalid padding)
• Received ESP packet with unknown SPI
spi
The spi information.
seq
The seq information.
37132
Log Subtype
IPsec
Severity
Critical
Firmware version
FortiOS 4.0 MR3
Meaning
A notification of IPsec ESP error.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual domains exist,
this field always contains root.
msg
IPsec ESP.
action
This field contains any one of the following:
• negotiate
• tunnel-up
• error
• tunnel-down
• install_sa
• tunnel-stats
• delete_phase1_sa
• phase2-up
• delete_IPsec_sa
• phase2-down
• dpd
rem_ip
The remote IP address.
loc_ip
The local IP address.
rem_port
The remote port number.
loc_port
The local port number.
out_intf
The interface that is outbound.
cookies
The cookies for that IPsec session.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
xauth_user
The name of the XAuth user.
xauth_group
The name of the Xauthentication group.
vpn_tunnel
The name of the VPN tunnel that was used. For example, ssl_vpn1.
status
This field contains any one of the following:
• success
• esp_error
• failure
• dpd_failure
• negotiate_error
error_num
This field contains any one of the following:
• Invalid ESP packet detected
• Invalid ESP packet detected (invalid padding length)
• Invalid ESP packet detected (HMAC validation failed)
• Invalid ESP packet detected (replayed packet)
• Invalid ESP packet detected (invalid padding)
• Received ESP packet with unknown SPI
spi
The spi information.
seq
The seq information.
37133
Log Subtype
IPsec
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
An administrator installed IPsec SA.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
msg
Install IPsec SA
action
This field contains any one of the following:
• negotiate
• tunnel-up
• error
• tunnel-down
• install_sa
• tunnel-stats
• delete_phase1_sa
• phase2-up
• delete_IPsec_sa
• phase2-down
• dpd
rem_ip
The remote IP address.
loc_ip
The local IP address.
rem_port
The remote port number.
loc_port
The local port number.
out_intf
The interface that is outbound.
cookies
The cookies for that IPsec session.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
xauth_user
The name of the XAuth user.
xauth_group
The name of the XAuthentication group.
vpn_tunnel
The name of the VPN tunnel that was used. For example, ssl_vpn1.
role
This field contains either responder or initiator.
in_spi
The in_spi information.
out_spi
The out_spi information.
37134
Log Subtype
IPsec
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
An administrator deleted an IPsec Phase 1 SA.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
msg
delete IPsec phase 1 SA.
action
This field contains any one of the following:
• negotiate
• tunnel-up
• error
• tunnel-down
• install_sa
• tunnel-stats
• delete_phase1_sa
• phase2-up
• delete_IPsec_sa
• phase2-down
• dpd
rem_ip
The remote IP address.
loc_ip
The local IP address.
rem_port
The remote port number.
loc_port
The local port number.
out_intf
The interface that is outbound.
cookies
The cookies for that IPsec session.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
xauth_user
The name of the XAuth user.
xauth_group
The name of the XAuthentication group.
vpn_tunnel
The name of the VPN tunnel that was used. For example, ssl_vpn1.
37135
Log Subtype
IPsec
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
An administrator deleted an IPsec Phase 1 SA.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
msg
delete IPsec phase 2 SA.
action
This field contains any one of the following:
• negotiate
• tunnel-up
• error
• tunnel-down
• install_sa
• tunnel-stats
• delete_phase1_sa
• phase2-up
• delete_IPsec_sa
• phase2-down
• dpd
rem_ip
The remote IP address.
loc_ip
The local IP address.
rem_port
The remote port number.
loc_port
The local port number.
out_intf
The interface that is outbound.
cookies
The cookies for that IPsec session.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
xauth_user
The name of the XAuth user.
xauth_group
The name of the Xauthentication group.
vpn_tunnel
The name of the VPN tunnel that was used. For example, ssl_vpn1.
enc_spi
The enc_spi information.
dec_spi
The dec_spi information.
37136
Log Subtype
IPsec
Severity
Error
Firmware version
FortiOS 4.0 MR3
Meaning
An IPsec DPD failed.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual domains
exist, this field always contains root.
msg
IPsec DPD failure
action
This field contains any one of the following:
• negotiate
• tunnel-up
• error
• tunnel-down
• install_sa
• tunnel-stats
• delete_phase1_sa
• phase2-up
• delete_IPsec_sa
• phase2-down
• dpd
rem_ip
The remote IP address.
loc_ip
The local IP address.
rem_port
The remote port number.
loc_port
The local port number.
out_intf
The interface that is outbound.
cookies
The cookies for that IPsec session.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
xauth_user
The name of the XAuth user.
xauth_group
The name of the XAuthentication group.
vpn_tunnel
The name of the VPN tunnel that was used. For example, ssl_vpn1.
status
This field contains any one of the following:
• success
• esp_error
• failure
• dpd_failure
• negotiate_error
37137
Log Subtype
IPsec
Severity
Error
Firmware version
FortiOS 4.0 MR3
Meaning
An IPsec connection failed.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
msg
IPsec connection failure
action
This field contains any one of the following:
• negotiate
• tunnel-up
• error
• tunnel-down
• install_sa
• tunnel-stats
• delete_phase1_sa
• phase2-up
• delete_IPsec_sa
• phase2-down
• dpd
rem_ip
The remote IP address.
loc_ip
The local IP address.
rem_port
The remote port number.
loc_port
The local port number.
out_intf
The interface that is outbound.
cookies
The cookies for that IPsec session.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
xauth_user
The name of the XAuth user.
xauth_group
The name of the XAuthentication group.
vpn_tunnel
The name of the VPN tunnel that was used. For example, ssl_vpn1.
status
This field contains any one of the following:
• success
• esp_error
• failure
• dpd_failure
• negotiate_error
37138
Log Subtype
IPsec
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
An IPsec connection status changed.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
msg
IPsec connection status change
action
This field contains any one of the following:
• negotiate
• tunnel-up
• error
• tunnel-down
• install_sa
• tunnel-stats
• delete_phase1_sa
• phase2-up
• delete_IPsec_sa
• phase2-down
• dpd
rem_ip
The remote IP address.
loc_ip
The local IP address.
rem_port
The remote port number.
loc_port
The local port number.
out_intf
The interface that is outbound.
cookies
The cookies for that IPsec session.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
xauth_user
The name of the XAuth user.
xauth_group
The name of the Xauthentication group.
vpn_tunnel
The name of the VPN tunnel that was used. For example, ssl_vpn1.
tunnel_ip
The tunnel’s IP address.
tunnel_id
The tunnel’s identification number.
tunnel_type
The type of tunnel. This field always contains IPsec.
duration
This represents the value in seconds.
sent
The total number of bytes sent.
rcvd
The total number of bytes received.
next_stat
The next_stat information.
tunnel
The tunnel information.
37139
Log Subtype
IPsec
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
An IPsec Phase 2 status changed.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
msg
IPsec phase 2 status change
action
This field contains any one of the following:
• negotiate
• tunnel-up
• error
• tunnel-down
• install_sa
• tunnel-stats
• delete_phase1_sa
• phase2-up
• delete_IPsec_sa
• phase2-down
• dpd
rem_ip
The remote IP address.
loc_ip
The local IP address.
rem_port
The remote port number.
loc_port
The local port number.
out_intf
The interface that is outbound.
cookies
The cookies for that IPsec session.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
xauth_user
The name of the XAuth user.
xauth_group
The name of the XAuthentication group.
vpn_tunnel
The name of the VPN tunnel that was used. For example, ssl_vpn1.
phase2_name
The name given to the phase 2 configuration.
37184
Log Subtype
IPsec
Severity
Error
Firmware version
FortiOS 4.0 MR3
Meaning
An IPsec connection failed.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
msg
negotiate IPsec phase 1
action
This field contains any one of the following:
• negotiate
• tunnel-up
• error
• tunnel-down
• install_sa
• tunnel-stats
• delete_phase1_sa
• phase2-up
• delete_IPsec_sa
• phase2-down
• dpd
rem_ip
The remote IP address.
loc_ip
The local IP address.
rem_port
The remote port number.
loc_port
The local port number.
out_intf
The interface that is outbound.
cookies
The cookies for that IPsec session.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
vpn_tunnel
The name of the VPN tunnel that was used. For example, ssl_vpn1.
status
This field contains any one of the following:
• success
• esp_error
• failure
• dpd_failure
• negotiate_error
peer_notif
This field, peer notification, can contain any one of the following:
• NOT-APPLICABLE
• INVALID-CERTIFICATE
• INVALID-PAYLOAD-TYPE
• BAD-CERT-REQUEST-SYNTAX
• DOI-NOT-SUPPORTED
• INVALID-CERT-AUTHORITY
• SITUATION-NOT-SUPPORTED
• INVALID-HASH-INFORMATION
• INVALID-COOKIE
• AUTHENTICATION-FAILED
• INVALID-MAJOR-VERSION
• INVALID-SIGNATURE
• INVALID-MINOR-VERSION
• ADDRESS-NOTIFICATION
• INVALID-EXCHANGE-TYPE
• NOTIFY-SA-LIFETIME
• INVALID-FLAGS
• CERTIFICATE-UNAVAILABLE
• INVALID-MESSAGE-ID
• UNSUPPORTED-EXCHANGE-TYPE
• INVALID-PROTOCOL-ID
• UNEQUAL-PAYLOAD-LENGTHS
• INVALID-SPI
• CONNECTED
• INVALID-TRANSFORM-ID
• RESPONDER-LIFETIME
• ATTRIBUTES-NOT-SUPPORTED
• REPLAY-STATUS
• NO-PROPOSAL-CHOSEN
• INITIAL-CONTACT
• BAD-PROPOSAL-SYNTAX
• R-U-THERE
• PAYLOAD-MALFORMED
• R-U-THERE-ACK
• INVALID-KEY-INFORMATION
• HEARTBEAT
• INVALID-ID-INFORMATION
• RETRY-LIMIT-REACHED
• INVALID-CERT-ENCODING
37185
Log Subtype
IPsec
Severity
Error
Firmware version
FortiOS 4.0 MR3
Meaning
An IPsec connection failed.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
msg
negotiate IPsec phase 1
action
This field contains any one of the following:
• negotiate
• tunnel-up
• error
• tunnel-down
• install_sa
• tunnel-stats
• delete_phase1_sa
• phase2-up
• delete_IPsec_sa
• phase2-down
• dpd
rem_ip
The remote IP address.
loc_ip
The local IP address.
rem_port
The remote port number.
loc_port
The local port number.
out_intf
The interface that is outbound.
cookies
The cookies for that IPsec session.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
vpn_tunnel
The name of the VPN tunnel that was used. For example, ssl_vpn1.
status
This field contains any one of the following:
• success
• esp_error
• failure
• dpd_failure
• negotiate_error
peer_notif
This field contains any one of the following:
• NOT APPLICABLE
• ATTRIBUTES-NOT-SUPPORTED
• INVALID-PAYLOAD-TYPE
• NO-PROPOSAL-CHOSEN
• DOI-NOT-SUPPORTED
• BAD-PROPOSAL-SYNTAX
• SITUATION-NOT-SUPPORTED
• PAYLOAD-MALFORMED
• INVALID-COOKIE
• INVALID-KEY-INFORMATION
• INVALID-MAJOR-VERSION
• INVALID-ID-INFORMATION
• INVALID-MINOR-VERSION
• INVALID-CERT-ENCODING
• INVALID-CERTIFICATE
• INVALID-EXCHANGE-TYPE
• BAD-CERT-REQUEST-SYNTAX
• INVALID-FLAGS
• INVALID-CERT-AUTHORITY
• INVALID-MESSAGE-ID
• INVALID-HASH-INFORMATION
• INVALID-PROTOCOL-ID
• AUTHENTICATION-FAILED
• INVALID-SPI
• INVALID-SIGNATURE
• INVALID-TRANSFORM-ID
• ADDRESS-NOTIFICATION
• NOTIFY-SA-LIFETIME
• RESPONDER-LIFETIME
• CERTIFICATE-UNAVAILABLE
• REPLAY-STATUS
• UNSUPPORTED-EXCHANGE-TYPE
• INITIAL-CONTACT
• UNEQUAL-PAYLOAD-LENGTHS
• R-U-THERE
• CONNECTED
• R-U-THERE-ACK
• HEARTBEAT
• RETRY-LIMIT-REACHED
37186
Log Subtype
IPsec
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
An IPsec Phase 2 negotiation notification.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no
virtual domains exist, this field always contains root.
msg
negotiate IPsec phase 2
action
This field contains any one of the following:
• negotiate
• tunnel-up
• error
• tunnel-down
• install_sa
• tunnel-stats
• delete_phase1_sa
• phase2-up
• delete_IPsec_sa
• phase2-down
• dpd
rem_ip
The remote IP address.
loc_ip
The local IP address.
rem_port
The remote port number.
loc_port
The local port number.
out_intf
The interface that is outbound.
cookies
The cookies for that IPsec session.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
vpn_tunnel
The name of the VPN tunnel that was used. For example, ssl_vpn1.
status
This field contains any one of the following:
• success
• esp_error
• failure
• dpd_failure
• negotiate_error
role
This field contains either responder or initiator.
esp_transform
This field contains any one of the following:
• ESP_NULL
• ESP_3DES
• ESP_DES
• ESP_AES
esp_auth
This field contains any one of the following:
• no authentication
• HMAC_MD5
• HMAC_SHA1
• HMAC_SHA256
37187
Log Subtype
IPsec
Severity
Error
Firmware version
FortiOS 4.0 MR3
Meaning
An IPsec Phase 2 negotiation notification.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
msg
negotiate IPsec phase 2
action
This field contains any one of the following:
• negotiate
• tunnel-up
• error
• tunnel-down
• install_sa
• tunnel-stats
• delete_phase1_sa
• phase2-up
• delete_IPsec_sa
• phase2-down
• dpd
rem_ip
The remote IP address.
loc_ip
The local IP address.
rem_port
The remote port number.
loc_port
The local port number.
out_intf
The interface that is outbound.
cookies
The cookies for that IPsec session.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
vpn_tunnel
The name of the VPN tunnel that was used. For example, ssl_vpn1.
status
This field contains any one of the following:
• success
• esp_error
• failure
• dpd_failure
• negotiate_error
role
This field contains either responder or initiator.
esp_transform
This field contains any one of the following:
• ESP_NULL
• ESP_3DES
• ESP_DES
• ESP_AES
esp_auth
This field contains any one of the following:
• no authentication
• HMAC_MD5
• HMAC_SHA1
• HMAC_SHA256
37188
Log Subtype
IPsec
Severity
Error
Firmware version
FortiOS 4.0 MR3
Meaning
An IPsec Phase 1 negotiation error.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
msg
IPsec phase 1 error
action
This field contains any one of the following:
• negotiate
• tunnel-up
• error
• tunnel-down
• install_sa
• tunnel-stats
• delete_phase1_sa
• phase2-up
• delete_IPsec_sa
• phase2-down
• dpd
rem_ip
The remote IP address.
loc_ip
The local IP address.
rem_port
The remote port number.
loc_port
The local port number.
out_intf
The interface that is outbound.
cookies
The cookies for that IPsec session.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
vpn_tunnel
The name of the VPN tunnel that was used. For example, ssl_vpn1.
status
This field contains any one of the following:
• success
• esp_error
• failure
• dpd_failure
• negotiate_error
error_reason
This field contains any one of the following:
• invalid certificate
• peer notification
• invalid SA payload
• not enough key material for tunnel
• probable preshared key mismatch
• encapsulation mode mismatch
• peer SA proposal not match local policy
• no matching gateway for new request
• aggressive vs main mode mismatch for new request
37189
Log Subtype
IPsec
Severity
Error
Firmware version
FortiOS 4.0 MR3
Meaning
An IPsec Phase 1 negotiation error.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual domains
exist, this field always contains root.
msg
IPsec phase 2 error
action
This field contains any one of the following:
• negotiate
• tunnel-up
• error
• tunnel-down
• install_sa
• tunnel-stats
• delete_phase1_sa
• phase2-up
• delete_IPsec_sa
• phase2-down
• dpd
rem_ip
The remote IP address.
loc_ip
The local IP address.
rem_port
The remote port number.
loc_port
The local port number.
out_intf
The interface that is outbound.
cookies
The cookies for that IPsec session.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
vpn_tunnel
The name of the VPN tunnel that was used. For example, ssl_vpn1.
status
This field contains any one of the following:
• success
• esp_error
• failure
• dpd_failure
• negotiate_error
error_reason
This field contains any one of the following:
• invalid certificate
• peer notification
• invalid SA payload
• not enough key material for tunnel
• probable preshared key mismatch
• encapsulation mode mismatch
• peer SA proposal not match local policy
• no matching gateway for new request
• aggressive vs main mode mismatch for new request
37190
Log Subtype
IPsec
Severity
Error
Firmware version
FortiOS 4.0 MR3
Meaning
An IPsec no state error.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
msg
IPsec no state error
action
This field contains any one of the following:
• negotiate
• tunnel-up
• error
• tunnel-down
• install_sa
• tunnel-stats
• delete_phase1_sa
• phase2-up
• delete_IPsec_sa
• phase2-down
• dpd
rem_ip
The remote IP address.
loc_ip
The local IP address.
rem_port
The remote port number.
loc_port
The local port number.
out_intf
The interface that is outbound.
cookies
The cookies for that IPsec session.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
vpn_tunnel
The name of the VPN tunnel that was used. For example, ssl_vpn1.
status
This field contains any one of the following:
• success
• esp_error
• failure
• dpd_failure
• negotiate_error
error_reason
This field contains any one of the following:
• invalid certificate
• peer notification
• invalid SA payload
• not enough key material for tunnel
• probable preshared key mismatch
• encapsulation mode mismatch
• peer SA proposal not match local policy
• no matching gateway for new request
• aggressive vs main mode mismatch for new request
37191
Log Subtype
IPsec
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
An IPsec Phase 1 progress notification.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
msg
progress IPsec phase 1
action
This field contains any one of the following:
• negotiate
• tunnel-up
• error
• tunnel-down
• install_sa
• tunnel-stats
• delete_phase1_sa
• phase2-up
• delete_IPsec_sa
• phase2-down
• dpd
rem_ip
The remote IP address.
loc_ip
The local IP address.
rem_port
The remote port number.
loc_port
The local port number.
out_intf
The interface that is outbound.
cookies
The cookies for that IPsec session.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
vpn_tunnel
The name of the VPN tunnel that was used. For example, ssl_vpn1.
status
This field contains any one of the following:
• success
• esp_error
• failure
• dpd_failure
• negotiate_error
init
This field contains either local or remote.
exch
This field contains any one of the following:
• SA_INIT
• CREATE_CHILD
• AUTH
dir
This field contains either outbound or inbound.
role
This field contains either responder or initiator.
result
This field contains one of the following:
• ERROR
• DONE
• OK
• PENDING
version
The version of the IPsec, which is IKEv2.
37192
Log Subtype
IPsec
Severity
Error
Firmware version
FortiOS 4.0 MR3
Meaning
An IPsec Phase 1 progress error.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If
no virtual domains exist, this field always contains root.
msg
progress IPsec phase 1
action
This field contains any one of the following:
• negotiate
• tunnel-up
• error
• tunnel-down
• install_sa
• tunnel-stats
• delete_phase1_sa
• phase2-up
• delete_IPsec_sa
• phase2-down
• dpd
rem_ip
The remote IP address.
loc_ip
The local IP address.
rem_port
The remote port number.
loc_port
The local port number.
out_intf
The interface that is outbound.
cookies
The cookies for that IPsec session.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
vpn_tunnel
The name of the VPN tunnel that was used. For example,
ssl_vpn1.
status
This field contains any one of the following:
• success
• esp_error
• failure
• dpd_failure
• negotiate_error
init
This field contains either local or remote.
exch
This field contains any one of the following:
• SA_INIT
• CREATE_CHILD
• AUTH
dir
The direction of the traffic. This field contains either outbound or
inbound.
role
This field contains either responder or initiator.
result
This field contains one of the following:
• ERROR
• DONE
• OK
• PENDING
version
The version of the IPsec, which is IKEv2.
37193
Log Subtype
IPsec
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
An IPsec Phase 2 progress notification.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
msg
progress IPsec phase 2
action
This field contains any one of the following:
• negotiate
• tunnel-up
• error
• tunnel-down
• install_sa
• tunnel-stats
• delete_phase1_sa
• phase2-up
• delete_IPsec_sa
• phase2-down
• dpd
rem_ip
The remote IP address.
loc_ip
The local IP address.
rem_port
The remote port number.
loc_port
The local port number.
out_intf
The interface that is outbound.
cookies
The cookies for that IPsec session.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
vpn_tunnel
The name of the VPN tunnel that was used. For example, ssl_vpn1.
status
This field contains any one of the following:
• success
• esp_error
• failure
• dpd_failure
• negotiate_error
init
This field contains either local or remote.
exch
This field contains any one of the following:
• SA_INIT
• CREATE_CHILD
• AUTH
dir
The direction of the traffic. This field contains either outbound or inbound.
role
This field contains either responder or initiator.
result
This field contains one of the following:
• ERROR
• DONE
• OK
• PENDING
version
The version of the IPsec, which is IKEv2.
37194
Log Subtype
IPsec
Severity
Error
Firmware version
FortiOS 4.0 MR3
Meaning
An IPsec Phase 2 progress error.
Fields
Field Description
msg
progress IPsec phase 2
action
This field contains any one of the following:
• negotiate
• tunnel-up
• error
• tunnel-down
• install_sa
• tunnel-stats
• delete_phase1_sa
• phase2-up
• delete_IPsec_sa
• phase2-down
• dpd
rem_ip
The remote IP address.
loc_ip
The local IP address.
rem_port
The remote port number.
loc_port
The local port number.
out_intf
The interface that is outbound.
cookies
The cookies for that IPsec session.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
vpn_tunnel
The name of the VPN tunnel that was used. For example, ssl_vpn1.
status
This field contains any one of the following:
• success
• esp_error
• failure
• dpd_failure
• negotiate_error
init
This field contains either local or remote.
exch
This field contains any one of the following:
• SA_INIT
• CREATE_CHILD
• AUTH
dir
The direction of the traffic. This field contains either outbound or inbound.
role
This field contains either responder or initiator.
result
This field contains one of the following:
• ERROR
• DONE
• OK
• PENDING
version
The version of the IPsec, which is IKEv2.
37195
Log Subtype
IPsec
Severity
Error
Firmware version
FortiOS 4.0 MR3
Meaning
An IPsec ESP notification.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
msg
IPsec ESP
action
This field contains any one of the following:
• negotiate
• tunnel-up
• error
• tunnel-down
• install_sa
• tunnel-stats
• delete_phase1_sa
• phase2-up
• delete_IPsec_sa
• phase2-down
• dpd
rem_ip
The remote IP address.
loc_ip
The local IP address.
rem_port
The remote port number.
loc_port
The local port number.
out_intf
The interface that is outbound.
cookies
The cookies for that IPsec session.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
vpn_tunnel
The name of the VPN tunnel that was used. For example, ssl_vpn1.
status
This field contains any one of the following:
• success
• esp_error
• failure
• dpd_failure
• negotiate_error
error_num
This field contains any one of the following:
• Invalid ESP packet detected
• Invalid ESP packet detected. (invalid padding length)
• Invalid ESP packet detected (HMAC validation failed)
• Invalid ESP packet detected (replayed packet)
• Invalid ESP packet detected (invalid padding)
• Received ESP packet with unknown SPI
spi
The spi information.
seq
The seq information.
37196
Log Subtype
IPsec
Severity
Critical
Firmware version
FortiOS 4.0 MR3
Meaning
An IPsec ESP error.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
msg
IPsec ESP
action
This field contains any one of the following:
• negotiate
• tunnel-up
• error
• tunnel-down
• install_sa
• tunnel-stats
• delete_phase1_sa
• phase2-up
• delete_IPsec_sa
• phase2-down
• dpd
rem_ip
The remote IP address.
loc_ip
The local IP address.
rem_port
The remote port number.
loc_port
The local port number.
out_intf
The interface that is outbound.
cookies
The cookies for that IPsec session.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
vpn_tunnel
The name of the VPN tunnel that was used. For example, ssl_vpn1.
status
This field contains any one of the following:
• success
• esp_error
• failure
• dpd_failure
• negotiate_error
error_num
This field contains any one of the following:
• Invalid ESP packet detected
• Invalid ESP packet detected. (invalid padding length)
• Invalid ESP packet detected (HMAC validation failed)
• Invalid ESP packet detected (replayed packet)
• Invalid ESP packet detected (invalid padding)
• Received ESP packet with unknown SPI
spi
The spi information.
seq
The seq information.
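The following added example (not part of the Fortinet reference) shows one way to triage the IPsec events documented above by their error_reason, error_num and status values, grouped by rem_ip and vpn_tunnel. It assumes raw log lines are space-separated key=value pairs with double-quoted values where needed; the sample lines, bucket names and threshold are constructed for illustration.

```python
import re
from collections import Counter

# key=value tokens; a value is either double-quoted or a bare word
# (assumed raw line format, not taken from the reference).
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')

# error_reason values from the lists above that point at a credential problem.
# The remaining documented reasons are treated as configuration mismatches.
AUTH_REASONS = {"probable preshared key mismatch", "invalid certificate"}


def parse_line(line):
    """Return the fields of one log line as a dict of field name to value."""
    return {k: (q if q else b) for k, q, b in PAIR.findall(line)}


def classify(fields):
    """Map one parsed event to a triage bucket (hypothetical names), or None."""
    esp = fields.get("error_num", "")
    if esp:
        # error_num carries the ESP error text of messages 37195 and 37196.
        if "replayed packet" in esp:
            return "esp-replay"
        if "HMAC validation failed" in esp:
            return "esp-integrity"
        if "unknown SPI" in esp:
            return "esp-unknown-spi"
        return "esp-malformed"
    reason = fields.get("error_reason", "")
    if reason:
        # error_reason is present on messages 37188 to 37190.
        if reason in AUTH_REASONS:
            return "ike-auth"
        if reason == "peer notification":
            return "ike-peer-notify"
        return "ike-config"
    if fields.get("status") == "dpd_failure":
        return "dpd"
    return None


def summarize(lines, threshold=3):
    """Count buckets per (rem_ip, vpn_tunnel); return rows at or above threshold."""
    counts = Counter()
    for line in lines:
        fields = parse_line(line)
        bucket = classify(fields)
        if bucket:
            key = (fields.get("rem_ip", "?"), fields.get("vpn_tunnel", "?"), bucket)
            counts[key] += 1
    return sorted(key + (n,) for key, n in counts.items() if n >= threshold)


# Constructed sample lines using only field names documented above.
PSK_LINE = ('vd=root msg="IPsec phase 1 error" action=negotiate '
            'rem_ip=198.51.100.7 loc_ip=192.0.2.1 vpn_tunnel=branch1 '
            'status=negotiate_error error_reason="probable preshared key mismatch"')
SAMPLE = [PSK_LINE] * 3 + [
    'vd=root msg="IPsec ESP" action=error rem_ip=203.0.113.9 loc_ip=192.0.2.1 '
    'vpn_tunnel=hq status=esp_error '
    'error_num="Invalid ESP packet detected (replayed packet)"',
    'vd=root msg="IPsec DPD failure" action=dpd rem_ip=203.0.113.9 '
    'vpn_tunnel=hq status=dpd_failure',
    'vd=root msg="install IPsec SA" action=install_sa rem_ip=203.0.113.9 '
    'vpn_tunnel=hq role=initiator',
]

if __name__ == "__main__":
    for rem_ip, tunnel, bucket, n in summarize(SAMPLE, threshold=1):
        print(f"{rem_ip:15} {tunnel:10} {bucket:16} {n}")
```

Repeated ike-auth rows from one rem_ip, or esp-replay and esp-integrity rows on an established tunnel, are the ones worth reviewing first; ike-config rows usually indicate a proposal or mode mismatch between the two gateways.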
37197
Log Subtype
IPsec
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
Installation of IPsec SA occurred.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no
virtual domains exist, this field always contains root.
msg
install IPsec SA
action
This field contains any one of the following:
• negotiate
• tunnel-up
• error
• tunnel-down
• install_sa
• tunnel-stats
• delete_phase1_sa
• phase2-up
• delete_IPsec_sa
• phase2-down
• dpd
rem_ip
The remote IP address.
loc_ip
The local IP address.
rem_port
The remote port number.
loc_port
The local port number.
out_intf
The interface that is outbound.
cookies
The cookies for that IPsec session.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
vpn_tunnel
The name of the VPN tunnel that was used. For example, ssl_vpn1.
role
This field contains either responder or initiator.
in_spi
The in_spi information.
out_spi
The out_spi information.
37198
Log Subtype
IPsec
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
Removed an IPsec Phase 1 SA.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If
no virtual domains exist, this field always contains root.
msg
delete IPsec phase 1 SA
action
This field contains any one of the following:
• negotiate
• tunnel-up
• error
• tunnel-down
• install_sa
• tunnel-stats
• delete_phase1_sa
• phase2-up
• delete_IPsec_sa
• phase2-down
• dpd
rem_ip
The remote IP address.
loc_ip
The local IP address.
rem_port
The remote port number.
loc_port
The local port number.
out_intf
The interface that is outbound.
cookies
The cookies for that IPsec session.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
vpn_tunnel
The name of the VPN tunnel that was used. For example,
ssl_vpn1.
37199
Log Subtype
IPsec
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
Removed an IPsec Phase 2 SA.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred.
If no virtual domains exist, this field always contains root.
msg
delete IPsec phase 2 SA
action
This field contains any one of the following:
• negotiate
• tunnel-up
• error
• tunnel-down
• install_sa
• tunnel-stats
• delete_phase1_sa
• phase2-up
• delete_IPsec_sa
• phase2-down
• dpd
rem_ip
The remote IP address.
loc_ip
The local IP address.
rem_port
The remote port number.
loc_port
The local port number.
out_intf
The interface that is outbound.
cookies
The cookies for that IPsec session.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
vpn_tunnel
The name of the VPN tunnel that was used. For example,
ssl_vpn1.
37200
Log Subtype
IPsec
Severity
Error
Firmware version
FortiOS 4.0 MR3
Meaning
An IPsec DPD failure occurred.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If
no virtual domains exist, this field always contains root.
msg
IPsec DPD failure
action
This field contains any one of the following:
• negotiate
• tunnel-up
• error
• tunnel-down
• install_sa
• tunnel-stats
• delete_phase1_sa
• phase2-up
• delete_IPsec_sa
• phase2-down
• dpd
rem_ip
The remote IP address.
loc_ip
The local IP address.
rem_port
The remote port number.
loc_port
The local port number.
out_intf
The interface that is outbound.
cookies
The cookies for that IPsec session.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
vpn_tunnel
The name of the VPN tunnel that was used. For example,
ssl_vpn1.
status
This field contains any one of the following:
• success
• esp_error
• failure
• dpd_failure
• negotiate_error
37201
Log Subtype
IPsec
Severity
Error
Firmware version
FortiOS 4.0 MR3
Meaning
An IPsec connection failure occurred.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no
virtual domains exist, this field always contains root.
msg
IPsec connection failure
action
This field contains any one of the following:
• negotiate
• tunnel-up
• error
• tunnel-down
• install_sa
• tunnel-stats
• delete_phase1_sa
• phase2-up
• delete_IPsec_sa
• phase2-down
• dpd
rem_ip
The remote IP address.
loc_ip
The local IP address.
rem_port
The remote port number.
loc_port
The local port number.
out_intf
The interface that is outbound.
cookies
The cookies for that IPsec session.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
vpn_tunnel
The name of the VPN tunnel that was used. For example,
ssl_vpn1.
status
This field contains any one of the following:
• success
• esp_error
• failure
• dpd_failure
• negotiate_error
37202
Log Subtype
IPsec
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
An IPsec connection status changed.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no
virtual domains exist, this field always contains root.
msg
IPsec connection status change
action
This field contains any one of the following:
• negotiate
• tunnel-up
• error
• tunnel-down
• install_sa
• tunnel-stats
• delete_phase1_sa
• phase2-up
• delete_IPsec_sa
• phase2-down
• dpd
rem_ip
The remote IP address.
loc_ip
The local IP address.
rem_port
The remote port number.
loc_port
The local port number.
out_intf
The interface that is outbound.
cookies
The cookies for that IPsec session.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
vpn_tunnel
The name of the VPN tunnel that was used. For example, ssl_vpn1.
tunnel_ip
The VPN tunnel’s IP address.
tunnel_id
The VPN tunnel’s identification number.
tunnel_type
The type of VPN tunnel. This field contains IPsec.
duration
The duration, in seconds.
sent
The total number of bytes sent.
rcvd
The total number of bytes received.
next_stat
The next_stat information.
tunnel
The tunnel information.
37203
Log Subtype
IPsec
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
An IPsec phase 2 status change.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no
virtual domains exist, this field always contains root.
msg
IPsec phase 2 status change
action
This field contains any one of the following:
• negotiate
• tunnel-up
• error
• tunnel-down
• install_sa
• tunnel-stats
• delete_phase1_sa
• phase2-up
• delete_IPsec_sa
• phase2-down
• dpd
rem_ip
The remote IP address.
loc_ip
The local IP address.
rem_port
The remote port number.
loc_port
The local port number.
out_intf
The interface that is outbound.
cookies
The cookies for that IPsec session.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
vpn_tunnel
The name of the VPN tunnel that was used. For example,
ssl_vpn1.
phase2_name
The name of the Phase 2 configuration.
Event-L2TP/PPP/PPPoE
Event-L2TP/PPP/PPPoE log messages record events and activities that occur with the Internet and
modem protocols, L2TP, PPP, and PPPoE.
29001
29002
29003
29004
29009
29015
29016
29022
29024
30004
30005
30006
30007
30008
30009
31004
31005
31006
31007
31008
31009
29001
Message ID
29001
Log Subtype
L2TP/PPTP/PPPoE
Severity
Variable
Firmware version
FortiOS 4.0 MR3
Meaning
PPPd log message.
Fields
Field Description
user
The name of the user creating the traffic.
local
The local IP address.
remote
The remote IP address.
assigned
The assigned IP address.
stat
The stat information.
msg
The log message information. This is usually a sentence and
explains the activity and/or action taken.
29002
Message ID
29002
Log Subtype
L2TP/PPTP/PPPoE
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
PPPd authentication message.
Fields
Field Description
user
The name of the user creating the traffic.
local
The local IP address.
remote
The remote IP address.
assigned
The assigned IP address.
action
This field always contains auth_success.
msg
User <user_name> using <auth> with authentication protocol
<protocol_information>
29003
Message ID
29003
Log Subtype
L2TP/PPTP/PPPoE
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The user failed authentication when trying to connect.
Fields
Field Description
local
The local IP address.
remote
The remote IP address.
assigned
The assigned IP address.
action
This field always contains auth_failed.
msg
<user_name> is trying to connect using <auth> with
authentication protocol <protocol_information>, failed.
29004
Message ID
29004
Log Subtype
L2TP/PPTP/PPPoE
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
The maximum number of PPTP connections has been
reached.
Fields
Field Description
status
This field always contains failure.
action
This field always contains connect.
msg
PPTP: the maximum number of connections has been
reached. No more clients can connect.
29009
Message ID
29009
Log Subtype
L2TP/PPTP/PPPoE
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
A PPPoE status report.
Fields
Field Description
gateway_ip
The gateway IP address.
assigned_IP
The assigned IP address.
mtu
The MTU information.
msg
PPPoE status report.
29015
Message ID
29015
Log Subtype
L2TP/PPTP/PPPoE
Severity
Error
Firmware version
FortiOS 4.0 MR3
Meaning
PPP has received bad options.
Fields
Field Description
msg
Peer IP is the same as an interface IP <interface>.
IP(<interface_ip_address>).
29016
Message ID
29016
Log Subtype
L2TP/PPTP/PPPoE
Severity
Error
Firmware version
FortiOS 4.0 MR3
Meaning
PPP has received bad options.
Fields
Field Description
msg
Local IP is the same as an interface IP <interface>.
IP(<interface_ip_address>)
29022
Message ID
29022
Log Subtype
L2TP/PPTP/PPPoE
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
No IP address is currently available.
Fields
Field Description
status
This field always contains failure.
action
This field always contains connect.
msg
PPTP: No IP addresses left to assign in virtual domain:
<virtual_domain_name>
29024
Message ID
29024
Log Subtype
L2TP/PPTP/PPPoE
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
Not enough memory available.
Fields
Field Description
status
This field always contains failure.
action
This field always contains start.
msg
failed to expand pptp config list due to not enough memory.
30004
Message ID
30004
Log Subtype
L2TP/PPTP/PPPoE
Severity
Variable
Firmware version
FortiOS 4.0 MR3
Meaning
Depending on the msg field, the meaning can be any one of
the following:
• The PPTPD successfully started.
• A PPTP log message.
Fields
Field Description
action
This field always contains start.
status
This field always contains success.
msg
This field contains any one of the following:
• PPTPD: started successfully
• The log message information, which is usually a sentence
explaining the activity and/or action taken.
30005
Message ID
30005
Log Subtype
L2TP/PPTP/PPPoE
Severity
Error
Firmware version
FortiOS 4.0 MR3
Meaning
The PPTPD failed to start.
Fields
Field Description
action
This field always contains start.
status
This field always contains failure.
reason
failed to create socket
msg
PPTPD failed to start because failed to create socket.
30006
Message ID
30006
Log Subtype
L2TP/PPTP/PPPoE
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The PPTPD successfully exited.
Fields
Field Description
action
This field always contains exit.
status
This field always contains success.
msg
PPTPD exited successfully.
30007
Message ID
30007
Log Subtype
L2TP/PPTP/PPPoE
Severity
Error
Firmware version
FortiOS 4.0 MR3
Meaning
All PPTPD connections were closed because the PPTP
setting changed.
Fields
Field Description
action
This field always contains disconnect.
status
This field always contains success.
reason
PPTP setting is changed.
msg
PPTPD closed all client connections in vdom <vdom_name>
because PPTP setting was changed.
Message ID
30007
Log Subtype
L2TP/PPTP/PPPoE
Severity
Error
Firmware version
FortiOS 4.0 MR3
Meaning
The PPTPD disconnected.
Fields
Field Description
action
This field always contains disconnect.
status
This field always contains success.
reason
failed to find the interface by device index
msg
PPTPD closed all client connections in vdom <vdom_name>
because failed to find the interface by device index.
30008
Message ID
30008
Log Subtype
L2TP/PPTP/PPPoE
Severity
Error
Firmware version
FortiOS 4.0 MR3
Meaning
PPTPD client connection.
Fields
Field Description
action
This field always contains connect.
status
This field always contains success.
msg
Client <ip_address> control connection started.
30009
Message ID
30009
Log Subtype
L2TP/PPTP/PPPoE
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
PPTPD client disconnected.
Fields
Field Description
action
This field always contains disconnect.
status
This field always contains success.
msg
Client <client_name> control connection finished.
31004
Message ID
31004
Log Subtype
L2TP/PPTP/PPPoE
Severity
Variable
Firmware version
FortiOS 4.0 MR3
Meaning
An L2TP log message.
Fields
Field Description
msg
The log message information. This is usually a sentence and
explains the activity and/or action taken.
31005
Message ID
31005
Log Subtype
L2TP/PPTP/PPPoE
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
L2TP exited successfully.
Fields
Field Description
action
This field always contains exit.
status
This field always contains success.
msg
L2TPD exited successfully.
31006
Message ID
31006
Log Subtype
L2TP/PPTP/PPPoE
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
L2TP closed all client connections in a specified VDOM
because L2TP setting was changed.
Fields
Field Description
action
This field always contains disconnect.
status
This field always contains success.
reason
L2TP setting changed.
msg
L2TPD closed all client connections in vdom <vdom_name>
because L2TP setting was changed.
Message ID
31006
Log Subtype
L2TP/PPTP/PPPoE
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
L2TP closed all client connections in a specified VDOM
because it failed to find the interface by device index.
Fields
Field Description
action
This field always contains disconnect.
status
This field always contains success.
reason
interface not found
msg
L2TPD closed all client connections in vdom <vdom_name>
because failed to find interface by device index.
31007
Message ID
31007
Log Subtype
L2TP/PPTP/PPPoE
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
An L2TP client connection. There are no more available IP
addresses to assign in the specified VDOM.
Fields
Field Description
action
This field always contains connect.
status
This field always contains failure.
reason
no ip available
msg
No IP addresses left to assign in virtual domain:
<vdom_name>
31008
Message ID
31008
Log Subtype
L2TP/PPTP/PPPoE
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
An L2TP connection started.
Fields
Field Description
action
This field always contains connect.
status
This field always contains success.
msg
Client <client_name> control connection started
(id<ip_address>), assigned ip <ip_address>.
31009
Message ID
31009
Log Subtype
L2TP/PPTP/PPPoE
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
An L2TP connection has finished.
Fields
Field Description
action
This field always contains disconnect.
status
This field always contains success.
msg
Client <client_name> control connection(id<ip_address>)
finished.
Event-SSL VPN
Event SSL-VPN log messages record SSL-VPN user, administration and session events.
39424
39944
39425
39945
39426
39946
41984
39947
41985
39948
41986
39949
41987
39950
41988
39951
39936
39937
39939
39940
39941
39942
39424
Message ID
39424
Log Sub-type
sslvpn-user
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
An SSL-VPN web access user has logged into the system successfully.
Fields
Field Description
action
The status of the SSL VPN tunnel. This field contains tunnel-up, which indicates
that the SSL VPN tunnel is currently up and running.
tunnel_type
The type of SSL VPN tunnel. The field contains ssl-web, which indicates that it is
an SSL VPN web access tunnel.
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
tunnel_id
The tunnel identification number.
remote_ip
The remote IP address.
tunnel_ip
The tunnel IP address.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
dst_host
The destination host information.
reason
The reason that the trigger occurred.
msg
SSL tunnel established.
39425
Message ID
39425
Log Sub-type
sslvpn-user
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
An SSL-VPN tunnel was shut down.
Fields
Field Description
action
The status of the SSL VPN tunnel. This field contains tunnel-down, which
indicates that the SSL VPN tunnel is currently down, or not running.
tunnel_type
The type of SSL VPN tunnel that was accessed. The field contains ssl-web,
which indicates that it is an SSL VPN web access tunnel.
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
tunnel_id
The tunnel identification number.
remote_ip
The remote IP address.
tunnel_ip
The tunnel IP address.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
dst_host
The destination host information.
reason
The reason that the trigger occurred.
duration
This represents the value in seconds.
sent
The total number of bytes sent.
rcvd
The total number of bytes received.
msg
SSL tunnel shutdown.
39426
Message ID
39426
Log Type
sslvpn-user
Severity
Alert
Firmware version
FortiOS 4.0 MR3
Meaning
An SSL VPN user has failed to log in.
Fields
Field Description
action
The action of an SSL VPN user. This field contains ssl-login-fail, which
indicates that a user tried to log in using the SSL VPN tunnel but failed.
tunnel_type
The type of SSL VPN tunnel that was accessed. This field contains ssl-web,
which indicates that it is an SSL VPN web access tunnel.
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
tunnel_id
The tunnel identification number.
remote_ip
The remote IP address.
tunnel_ip
The tunnel IP address.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
dst_host
The destination host information.
reason
The reason that the trigger occurred.
msg
SSL user failed to logged in.
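An added example, not part of the Fortinet reference: one way to use the fields of messages 39426 and 39424 for detection, by counting ssl-login-fail events per remote_ip in a sliding window and noting a tunnel-up from the same address while those failures are still recent. The space-separated key=value line layout, the date and time fields, the threshold and window values, the helper names and every sample line are assumptions constructed for illustration.

```python
import shlex
from collections import defaultdict, deque
from datetime import datetime, timedelta


def parse_line(line):
    """Parse one key=value log line; double-quoted values may contain spaces.

    Returns None for a malformed line (for example an unbalanced quote).
    """
    try:
        tokens = shlex.split(line)
    except ValueError:
        return None
    fields = {}
    for token in tokens:
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def find_login_attacks(lines, threshold=5, window=timedelta(minutes=5)):
    """Flag each remote_ip with >= threshold ssl-login-fail events inside the
    window, and record the first tunnel-up from that address while the
    failures are still within the window.

    Lines are assumed to be in chronological order.
    """
    recent = defaultdict(deque)   # remote_ip -> (timestamp, user) of recent failures
    findings = {}                 # remote_ip -> summary of the burst
    for line in lines:
        f = parse_line(line)
        if not f or "remote_ip" not in f or "action" not in f:
            continue
        try:
            ts = datetime.strptime(f["date"] + " " + f["time"], "%Y-%m-%d %H:%M:%S")
        except (KeyError, ValueError):
            continue              # no usable timestamp: skip rather than guess
        ip, user = f["remote_ip"], f.get("user", "")
        failures = recent[ip]
        while failures and ts - failures[0][0] > window:
            failures.popleft()    # drop failures that fell out of the window
        if f["action"] == "ssl-login-fail":
            failures.append((ts, user))
            if len(failures) >= threshold:
                hit = findings.setdefault(
                    ip, {"failures": 0, "users": set(), "login_after": None})
                hit["failures"] = max(hit["failures"], len(failures))
                hit["users"].update(u for _, u in failures)
        elif f["action"] == "tunnel-up" and ip in findings and failures:
            # A successful login right after a burst deserves a closer look.
            if findings[ip]["login_after"] is None:
                findings[ip]["login_after"] = user
    return findings


def sample_line(time, ip, user, action, msg):
    """Build one constructed log line (hypothetical helper for the sample)."""
    return ('date=2011-11-21 time=%s vd=root action=%s tunnel_type=ssl-web '
            'tunnel_id=0 remote_ip=%s user="%s" msg="%s"'
            % (time, action, ip, user, msg))


FAIL_MSG = "SSL user failed to logged in"
UP_MSG = "SSL tunnel established"

# Constructed sample data; addresses are from documentation ranges.
SAMPLE_LOG = [
    # Five failures for five different users in 80 seconds, then a success.
    sample_line("09:00:00", "203.0.113.7", "alice", "ssl-login-fail", FAIL_MSG),
    sample_line("09:00:20", "203.0.113.7", "bob", "ssl-login-fail", FAIL_MSG),
    sample_line("09:00:40", "203.0.113.7", "carol", "ssl-login-fail", FAIL_MSG),
    sample_line("09:01:00", "203.0.113.7", "dave", "ssl-login-fail", FAIL_MSG),
    sample_line("09:01:20", "203.0.113.7", "erin", "ssl-login-fail", FAIL_MSG),
    sample_line("09:02:00", "203.0.113.7", "carol", "tunnel-up", UP_MSG),
    # Malformed line with an unbalanced quote: skipped, not fatal.
    'date=2011-11-21 time=09:05:00 action=ssl-login-fail remote_ip=203.0.113.9 user="mallory',
    # A user who mistyped a password twice: below the threshold.
    sample_line("09:10:00", "198.51.100.20", "bob", "ssl-login-fail", FAIL_MSG),
    sample_line("09:10:30", "198.51.100.20", "bob", "ssl-login-fail", FAIL_MSG),
    sample_line("09:11:00", "198.51.100.20", "bob", "tunnel-up", UP_MSG),
    # Five failures spread over an hour: never five inside one window.
    sample_line("10:00:00", "192.0.2.50", "frank", "ssl-login-fail", FAIL_MSG),
    sample_line("10:15:00", "192.0.2.50", "frank", "ssl-login-fail", FAIL_MSG),
    sample_line("10:30:00", "192.0.2.50", "frank", "ssl-login-fail", FAIL_MSG),
    sample_line("10:45:00", "192.0.2.50", "frank", "ssl-login-fail", FAIL_MSG),
    sample_line("11:00:00", "192.0.2.50", "frank", "ssl-login-fail", FAIL_MSG),
]

if __name__ == "__main__":
    for ip, hit in find_login_attacks(SAMPLE_LOG).items():
        print(ip, hit["failures"], sorted(hit["users"]), hit["login_after"])
```

A non-empty login_after marks a successful login from an address that had just produced a failure burst, which is the case to review first.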
41984
Message ID
41984
Log Type
sslvpn-admin
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
An SSL-VPN admin user successfully uploaded a certificate.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
action
This field contains info.
user
The name of the user creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit so
that they could change, add, or remove a setting. For example, the user
admin_123 accesses the web-based manager to change their password on
the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
msg
A certificate is loaded.
cert-type
This field contains any one of the following:
• CA
• CRL
• Local
• Remote
41985
Message ID
41985
Log Type
sslvpn-admin
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
An SSL-VPN admin removed a certificate.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
action
This field contains info.
user
The name of the user creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate
unit so that they could change, add, or remove a setting. For example, the
user admin_123 accesses the web-based manager to change their
password on the FortiGate-51B (IP address is 10.10.20.5). This field
shows their point-of-entry in this field, GUI(10.10.20.5).
msg
A certificate is removed.
cert-type
This field contains any one of the following:
• CA
• CRL
• Local
• Remote
41986
Message ID
41986
Log Type
sslvpn-admin
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
An SSL-VPN admin regenerated a certificate.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
action
This field contains info.
user
The name of the user creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate
unit so that they could change, add, or remove a setting. For example, the
user admin_123 accesses the web-based manager to change their
password on the FortiGate-51B (IP address is 10.10.20.5). This field
shows their point-of-entry in this field, GUI(10.10.20.5).
msg
A certificate is regenerated.
cert-type
This field contains any one of the following:
• CA
• CRL
• Local
• Remote
status
This field contains success.
41987
Message ID
41987
Log Type
sslvpn-admin
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
An SSL-VPN admin updated a certificate.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
action
This field contains info.
cert-type
This field contains any one of the following:
• CA
• CRL
• Local
• Remote
status
This field contains success.
name
The name of the certificate.
method
The method information.
msg
A certificate is updated.
41988
Message ID
41988
Log Type
sslvpn-admin
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
An SSL-VPN admin changed a setting.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
action
This field contains info.
user
The name of the user creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit so
that they could change, add, or remove a setting. For example, the user
admin_123 accessed the web-based manager to change their password on
the FortiGate-51B (IP address is 10.10.20.5). This field shows their point-of-entry in this field, GUI(10.10.20.5).
msg
User changed SSL setting.
39936
Message ID
39936
Log Type
sslvpn-session
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
SSL VPN web tunnel statistics.
Fields
Field Description
action
The status of the SSL VPN tunnel. This field contains tunnel-stats.
tunnel_type
The type of SSL VPN tunnel. This field contains ssl-web, which indicates that it is
an SSL VPN web access tunnel.
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
tunnel_id
The tunnel identification number.
remote_ip
The remote IP address.
tunnel_ip
The tunnel IP address.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
dst_host
The destination host information.
next_stats
The information of the next statistics.
duration
This represents the value in seconds.
sent
The number of bytes sent.
rcvd
The number of bytes received.
reason
The reason that the trigger occurred.
msg
SSL web tunnel statistics.
39937
Message ID
39937
Log Type
sslvpn-session
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
An SSL VPN web application was blocked.
Fields
Field Description
action
This field contains ssl-web-deny.
tunnel_type
The type of SSL VPN tunnel. This field contains ssl-web-deny. This indicates that
the SSL VPN was blocked and users were denied access.
vd
The name of the virtual domain in which the action occurred. If no virtual domains
exist, this field always contains root.
tunnel_id
The tunnel identification number.
remote_ip
The remote IP address.
tunnel_ip
The tunnel IP address.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
dst_host
The destination host information.
app-type
The type of application that triggered the action within the control list.
msg
SSL web application blocked.
39938
Message ID
39938
Log Type
sslvpn-session
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
An SSL VPN web application was activated.
Fields
Field Description
action
The status of the SSL VPN tunnel. This field contains ssl-web-pass.
tunnel_type
The type of SSL VPN tunnel. This field contains ssl-web, which indicates that it
is for web access.
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
tunnel_id
The tunnel identification number.
remote_ip
The remote IP address.
tunnel_ip
The tunnel IP address.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
dst_host
The destination host information.
app-type
The type of application that triggered the action within the control list.
msg
SSL web application timeout.
39939
Message ID
39939
Log Type
sslvpn-session
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
An SSL VPN web application timed out.
Fields
Field Description
action
The status of the SSL VPN tunnel. This field contains ssl-web-timeout, which
indicates that the web application timed out.
tunnel_type
The type of tunnel. This field contains ssl-web, which indicates that it is an SSL
VPN web tunnel.
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
tunnel_id
The tunnel identification number.
remote_ip
The remote IP address.
tunnel_ip
The tunnel IP address.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
dst_host
The destination host information.
app-type
The type of application that triggered the action within the control list.
msg
SSL web application timeout.
39940
Message ID
39940
Log Type
sslvpn-session
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
An SSL VPN web application was closed.
Fields
Field Description
action
The status of the SSL VPN web application. This field contains ssl-web-close,
which indicates that the application closed.
tunnel_type
The type of tunnel. This field contains ssl-web, which indicates that it is an SSL
VPN web tunnel.
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
tunnel_id
The tunnel identification number.
remote_ip
The remote IP address.
tunnel_ip
The tunnel IP address.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
dst_host
The destination host information.
app-type
The type of application that triggered the action within the control list.
msg
SSL web application closed.
39941
Message ID
39941
Log Type
sslvpn-session
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
The SSL VPN system is busy.
Fields
Field Description
action
The status of the SSL VPN tunnel. This field contains ssl-sys-busy.
tunnel_type
The type of SSL VPN tunnel. This field contains ssl-web which indicates it is an
SSL VPN tunnel with web access.
vd
The name of the virtual domain in which the action occurred. If no virtual domains
exist, this field always contains root.
tunnel_id
The tunnel identification number.
remote_ip
The remote IP address.
tunnel_ip
The tunnel IP address.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
dst_host
The destination host information.
reason
The reason that the trigger occurred.
msg
SSL system busy.
39942
Message ID
39942
Log Type
sslvpn-session
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
A new SSL VPN certificate was successfully verified.
Fields
Field Description
action
The status of the SSL VPN tunnel. This field contains ssl-cert.
tunnel_type
The type of SSL VPN tunnel. This field contains ssl, which indicates that it is an SSL
VPN tunnel.
vd
The name of the virtual domain in which the action occurred. If no virtual domains
exist, this field always contains root.
tunnel_id
The tunnel identification number.
remote_ip
The remote IP address.
tunnel_ip
The tunnel IP address.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
dst_host
The destination host information.
reason
The reason that the trigger occurred.
msg
SSL new SSL certificate verification success.
39943
Message ID
39943
Log Type
sslvpn-session
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
A new connection was made.
Fields
Field Description
action
The status of the SSL VPN tunnel. This field contains ssl-new-con, which indicates
a new SSL VPN tunnel connection was created.
tunnel_type
The type of SSL VPN tunnel. This field contains ssl, which indicates that it is an SSL
VPN tunnel.
vd
The name of the virtual domain in which the action occurred. If no virtual domains
exist, this field always contains root.
tunnel_id
The tunnel identification number.
remote_ip
The remote IP address.
tunnel_ip
The tunnel IP address.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
dst_host
The destination host information.
reason
The reason that the trigger occurred.
msg
SSL new connection.
39944
Message ID
39944
Log Type
sslvpn-session
Severity
Error
Firmware version
FortiOS 4.0 MR3
Meaning
SSL alerts
Fields
Field Description
action
The status of the SSL VPN tunnel. This field contains ssl-alert.
tunnel_type
The type of SSL VPN tunnel. This field contains ssl, which indicates that this is an
SSL VPN tunnel.
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
tunnel_id
The tunnel identification number.
remote_ip
The remote IP address.
tunnel_ip
The tunnel IP address.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
dst_host
The destination host information.
alert
The alert information.
desc
The description information.
msg
SSL alerts
39945
Message ID
39945
Log Type
Session
Severity
Error
Firmware version
FortiOS 4.0 MR3
Meaning
An SSL VPN exit failed.
Fields
Field Description
action
The status of the SSL VPN tunnel. This field contains ssl-exit-fail.
tunnel_type
The type of SSL VPN tunnel. This field contains ssl, which indicates that it is an
SSL VPN tunnel.
vd
The name of the virtual domain in which the action occurred. If no virtual domains
exist, this field always contains root.
tunnel_id
The tunnel identification number.
remote_ip
The remote IP address.
tunnel_ip
The tunnel IP address.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
dst_host
The destination host information.
reason
The reason that the trigger occurred.
msg
SSL exit fail.
39946
Message ID
39946
Log Type
sslvpn-session
Severity
Error
Firmware version
FortiOS 4.0 MR3
Meaning
An SSL VPN exit error.
Fields
Field Description
action
The status of the SSL VPN tunnel. This field contains ssl-exit-error.
tunnel_type
The type of SSL VPN tunnel. This field contains ssl, which indicates that it is an
SSL VPN tunnel.
vd
The name of the virtual domain in which the action occurred. If no virtual domains
exist, this field always contains root.
tunnel_id
The tunnel identification number.
remote_ip
The remote IP address.
tunnel_ip
The tunnel IP address.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
dst_host
The destination host information.
reason
The reason that the trigger occurred.
msg
SSL exit error
39947
Message ID
39947
Log Type
sslvpn-session
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
An SSL VPN tunnel was established.
Fields
Field Description
action
The status of the SSL VPN tunnel. This field contains tunnel-up, which indicates
that the current SSL VPN tunnel is up and running.
tunnel_type
The type of SSL VPN tunnel. This field contains ssl-tunnel, which indicates that it
is an SSL VPN tunnel.
vd
The name of the virtual domain in which the action occurred. If no virtual domains
exist, this field always contains root.
tunnel_id
The tunnel identification number.
remote_ip
The remote IP address.
tunnel_ip
The tunnel IP address.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
dst_host
The destination host information.
reason
The reason that the trigger occurred.
msg
SSL tunnel established.
39948
Message ID
39948
Log Type
sslvpn-session
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
The SSL VPN tunnel was shut down.
Fields
Field Description
action
The status of the SSL VPN tunnel. This field contains tunnel-down, which
indicates that the SSL VPN is no longer connected or running.
tunnel_type
The type of SSL VPN tunnel. This field contains ssl-tunnel.
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
tunnel_id
The tunnel identification number.
remote_ip
The remote IP address.
tunnel_ip
The tunnel IP address.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
dst_host
Destination host.
duration
This represents the value in seconds.
sent
The total number of bytes that were sent.
rcvd
The total number of bytes that were received.
reason
The reason that the trigger occurred.
msg
SSL tunnel shutdown.
39949
Message ID
39949
Log Type
sslvpn-session
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
SSL tunnel statistics.
Fields
Field Description
action
The status of the SSL VPN tunnel. This field contains tunnel-stats.
tunnel_type
The type of SSL VPN tunnel. This field contains ssl-tunnel, which indicates that
it is an SSL VPN tunnel.
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
tunnel_id
The tunnel identification number.
remote_ip
The remote IP address.
tunnel_ip
The tunnel IP address.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
dst_host
The destination host information.
next_stats
The next statistical number.
duration
This represents the value in seconds.
sent
The total number of bytes that were sent.
rcvd
The total number of bytes that were received.
reason
The reason that the trigger occurred.
msg
SSL tunnel statistics
39950
Message ID
39950
Log Type
sslvpn-session
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
SSL VPN tunnel unknown tag.
Fields
Field Description
action
The status of the SSL VPN tunnel. This field contains ssl-tunnel-unknown-tag.
tunnel_type
The type of SSL VPN tunnel. This field contains ssl-tunnel, which indicates that
it is an SSL VPN tunnel.
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
tunnel_id
The tunnel identification number.
remote_ip
The remote IP address.
tunnel_ip
The tunnel IP address.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
dst_host
The destination host information.
reason
The reason that the trigger occurred.
msg
SSL tunnel unknown tag
39951
Message ID
39951
Log Type
sslvpn-session
Severity
Error
Firmware version
FortiOS 4.0 MR3
Meaning
An SSL tunnel error.
Fields
Field Description
action
The status of the SSL VPN tunnel. This field contains ssl-tunnel-error.
tunnel_type
The type of SSL VPN tunnel. This field contains ssl-tunnel, which indicates
that it is an SSL VPN tunnel.
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
tunnel_id
The tunnel identification number.
remote_ip
The remote IP address.
tunnel_ip
The tunnel IP address.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
dst_host
The destination host information.
reason
The reason that the trigger occurred.
msg
SSL tunnel error.
Event-VIP SSL
Event-VIP SSL log messages record VIP activities.
45001
45003
45005
45007
45009
45011
45012
45013
45015
45017
45019
45023
45027
45029
45031
45032
45001
Message ID
45001
Log Subtype
VIP SSL
Severity
Error
Firmware version
FortiOS 4.0 MR3
Meaning
The SSL received an incorrect handshake message.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
serial
The serial number of the firewall session on which the event happened.
policy
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate unit will have an
index number of zero.
vip
The virtual IP address.
src
The source IP address.
src-port
The source port number.
dst
The destination IP address.
dst-port
The destination port number.
action
This field always contains received.
expected
This field contains any one of the following:
• HelloRequest
• ClientHello
• ServerHello
• NewsSessionTicket
• Certificate
• ServerKeyExchange
• CertificateRequest
• ServerHelloDone
• CertificateVerify
• ClientKeyExchange
• Finished
received
This field contains any one of the following, especially if the record is
corrupted:
• HelloRequest
• ClientHello
• ServerHello
• NewsSessionTicket
• Certificate
• ServerKeyExchange
• CertificateRequest
• ServerHelloDone
• CertificateVerify
• ClientKeyExchange
• Finished
msg
Incorrect SSL handshake message.
45003
Message ID
45003
Log Subtype
VIP SSL
Severity
Error
Firmware version
FortiOS 4.0 MR3
Meaning
An SSL handshake message has a bad length.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
serial
The serial number of the firewall session on which the event happened.
policy
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate unit will have an
index number of zero.
vip
The virtual IP address.
src
The source IP address.
src-port
The source port number.
dst
The destination IP address.
dst-port
The destination port number.
action
This field always contains close.
handshake
The handshake information.
msg
Bad length in SSL handshake.
45005
Message ID
45005
Log Subtype
VIP SSL
Severity
Error
Firmware version
FortiOS 4.0 MR3
Meaning
An RSA verification of Diffie-Hellman parameters failed.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
serial
The serial number of the firewall session on which the event happened.
policy
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate unit will have an
index number of zero.
vip
The virtual IP address.
src
The source IP address.
src-port
The source port number.
dst
The destination IP address.
dst-port
The destination port number.
action
This field always contains close.
msg
RSA verification of Diffie-Hellman parameters failed.
45007
Message ID
45007
Log Subtype
VIP SSL
Severity
Error
Firmware version
FortiOS 4.0 MR3
Meaning
A hash in the SSL Finished does not match the calculated hash.
Each hash value in the local and remote log fields is hex encoded.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
serial
The serial number of the firewall session on which the event happened.
policy
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate unit will have an
index number of zero.
vip
The virtual IP address.
src
The source IP address.
src-port
The source port number.
dst
The destination IP address.
dst-port
The destination port number.
local
The local information.
remote
The remote information.
action
This field always contains close.
msg
Hash in SSL Finished does not match calculated hash
45009
Message ID
45007
Log Subtype
VIP SSL
Severity
Error
Firmware version
FortiOS 4.0 MR3
Meaning
The SSL decryption failed.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual domains
exist, this field always contains root.
serial
The serial number of the firewall session on which the event happened.
policy
The ID number of the firewall policy that applies to the session or packet. Any
policy that is automatically added by the FortiGate unit will have an index number
of zero.
vip
The virtual IP address.
src
The source IP address.
src-port
The source port number.
dst
The destination IP address.
dst-port
The destination port number.
action
This field always contains close.
reason
This field contains any one of the following:
• status_bad_pad_len=1 – indicates that the received SSL Record did not
comply with RFC 4346 section 6.2.3.2 on padding_length
• status_bad_pad_value=2 – indicates that the received SSL Record did not
comply with RFC 4346 section 6.2.3.2 on padding
• status_bad_mac=3 – indicates that the MAC in the received SSL Record did
not match the MAC calculated by the FortiGate unit for that SSL Record.
• status_internal_error=4 – indicates that there was an internal error
msg
SSL decryption failure
45011
Message ID
45011
Log Subtype
VIP SSL
Severity
Error
Firmware version
FortiOS 4.0 MR3
Meaning
An SSL minor version is below the configured minimum value.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual domains
exist, this field always contains root.
serial
The serial number of the firewall session on which the event happened.
policy
The ID number of the firewall policy that applies to the session or packet. Any
policy that is automatically added by the FortiGate unit will have an index number
of zero.
vip
The virtual IP address.
src
The source IP address.
src-port
The source port number.
dst
The destination IP address.
dst-port
The destination port number.
action
This field always contains close.
min-minor
The min-minor information.
recv-minor
The recv-minor information.
msg
SSL minor below minimum configured value.
45012
Message ID
45012
Log Subtype
VIP SSL
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
The SSL maximum connection limit was reached.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual domains
exist, this field always contains root.
serial
The serial number of the firewall session on which the event happened.
policy
The ID number of the firewall policy that applies to the session or packet. Any
policy that is automatically added by the FortiGate unit will have an index number
of zero.
vip
The virtual IP address.
src
The source IP address.
src-port
The source port number.
dst
The destination IP address.
dst-port
The destination port number.
action
This field always contains close.
msg
SSL maximum connections reached.
45013
Message ID
45013
Log Subtype
VIP SSL
Severity
Error
Firmware version
FortiOS 4.0 MR3
Meaning
None of the offered SSL CipherSuites are supported.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual domains
exist, this field always contains root.
serial
The serial number of the firewall session on which the event happened.
policy
The ID number of the firewall policy that applies to the session or packet. Any
policy that is automatically added by the FortiGate unit will have an index number
of zero.
vip
The virtual IP address.
src
The source IP address.
src-port
The source port number.
dst
The destination IP address.
dst-port
The destination port number.
action
This field always contains close.
msg
None of the offered CipherSuites are supported
45015
Message ID
45015
Log Subtype
VIP SSL
Severity
Error
Firmware version
FortiOS 4.0 MR3
Meaning
The SSL handshake has an invalid length.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual domains
exist, this field always contains root.
serial
The serial number of the firewall session on which the event happened.
policy
The ID number of the firewall policy that applies to the session or packet. Any
policy that is automatically added by the FortiGate unit will have an index number
of zero.
vip
The virtual IP address.
src
The source IP address.
src-port
The source port number.
dst
The destination IP address.
dst-port
The destination port number.
action
This field always contains receive.
len
The length information.
msg
Incorrect SSL handshake length
45017
Message ID
45017
Log Subtype
VIP SSL
Severity
Error
Firmware version
FortiOS 4.0 MR3
Meaning
The SSL handshake was too long.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual domains
exist, this field always contains root.
serial
The serial number of the firewall session on which the event happened.
policy
The ID number of the firewall policy that applies to the session or packet. Any
policy that is automatically added by the FortiGate unit will have an index number
of zero.
vip
The virtual IP address.
src
The source IP address.
src-port
The source port number.
dst
The destination IP address.
dst-port
The destination port number.
action
This field always contains receive.
handshake
The handshake information.
len
The length information.
max
The maximum length information.
msg
SSL Handshake too long
45019
Message ID
45019
Log Subtype
VIP SSL
Severity
Error
Firmware version
FortiOS 4.0 MR3
Meaning
An SSL alert message was sent.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual domains
exist, this field always contains root.
serial
The serial number of the firewall session on which the event happened.
policy
The ID number of the firewall policy that applies to the session or packet. Any
policy that is automatically added by the FortiGate unit will have an index number
of zero.
vip
The virtual IP address.
src
The source IP address.
src-port
The source port number.
dst
The destination IP address.
dst-port
The destination port number.
action
This field always contains send.
level
The level information.
desc
This field contains any one of the following:
• fts_alert_desc_close_notify=0 – notifies the recipient that the sender
will not send any more messages on this connection
• fts_alert_desc_unexpected_message=10 – an inappropriate message
was received; this is usually fatal and should be observed closely
• fts_alert_desc_bad_record_mac=20 – is returned if a record is received
with an incorrect MAC
• fts_alert_desc_decryption_failed=21 – may be returned if a
TLSCiphertext decrypted in an invalid way; either it was not an even multiple of
the block length or its padding values, when checked, were not correct (always
fatal)
• fts_alert_desc_record_overflow=22 – a TLSCiphertext record was
received that had a length more than 2^14+2048 bytes, or a record decrypted to a
TLSCompressed record with more than 2^14+1024 bytes (always fatal)
• fts_alert_desc_handshake_failure=40 – indicates the sender was
unable to negotiate an acceptable set of security parameters given the options
available (fatal error)
• fts_alert_desc_no_certificate=41 – indicates there is no available
certificate
• fts_alert_desc_illegal_parameter=47 – a field in the handshake was
out of range or inconsistent with other fields (always fatal)
• fts_alert_desc_decord_error=50 – a message could not be decoded
because some field was out of the specified range or the length of the message
was incorrect (always fatal)
• fts_alert_desc_decrypt_error=51 – a handshake cryptographic
operation failed, including being unable to correctly verify a signature, decrypt a
key exchange, or validate a finished message
• fts_alert_desc_protocol_version=70 – the protocol version the client
has attempted to negotiate is recognized but not supported (always fatal)
• fts_alert_desc_internal_error=80 – an internal error unrelated to the
peer or correctness of the protocol (always fatal)
msg
SSL Alert sent
45023
Message ID
45023
Log Subtype
VIP SSL
Severity
Error
Firmware version
FortiOS 4.0 MR3
Meaning
An SSL alert was received.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual domains
exist, this field always contains root.
serial
The serial number of the firewall session on which the event happened.
policy
The ID number of the firewall policy that applies to the session or packet. Any
policy that is automatically added by the FortiGate unit will have an index number
of zero.
vip
The virtual IP address.
src
The source IP address.
src-port
The source port number.
dst
The destination IP address.
dst-port
The destination port number.
action
This field always contains receive.
level
The level information.
desc
The description information.
msg
SSL Alert received
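Added example, not part of the Fortinet reference: a triage script for the "SSL Alert sent" (45019) and "SSL Alert received" (45023) messages that decodes the desc field with the code list given for 45019 and flags a source that repeatedly triggers bad_record_mac or decryption_failed alerts against one VIP. It assumes raw log lines are space-separated key=value pairs and that desc carries either the numeric code, the name, or name=code; the sample lines, addresses and the threshold are constructed.

```python
import re
from collections import Counter

# Alert codes and names copied from the desc field list of message 45019.
ALERT_DESC = {
    0: "fts_alert_desc_close_notify",
    10: "fts_alert_desc_unexpected_message",
    20: "fts_alert_desc_bad_record_mac",
    21: "fts_alert_desc_decryption_failed",
    22: "fts_alert_desc_record_overflow",
    40: "fts_alert_desc_handshake_failure",
    41: "fts_alert_desc_no_certificate",
    47: "fts_alert_desc_illegal_parameter",
    50: "fts_alert_desc_decord_error",
    51: "fts_alert_desc_decrypt_error",
    70: "fts_alert_desc_protocol_version",
    80: "fts_alert_desc_internal_error",
}

# Alerts that report a failed record MAC or decryption check.
RECORD_CHECK_FAILURES = {20, 21}
# msg values documented for messages 45019 and 45023.
ALERT_MSGS = {"SSL Alert sent", "SSL Alert received"}

# Assumption: key=value pairs, values either bare or double-quoted.
KV_RE = re.compile(r'([\w-]+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Split one log line into a dict of field name to value."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def decode_desc(value):
    """Return (code, name) for a desc given as '20', a name, or 'name=20'."""
    tail = value.rsplit("=", 1)[-1].strip()
    if tail.isdigit():
        code = int(tail)
        return code, ALERT_DESC.get(code, "unlisted")
    for code, name in ALERT_DESC.items():
        if name == tail:
            return code, name
    return None, "unlisted"


def triage(lines, threshold=3):
    """Count alerts per (src, vip, alert name); list (src, vip) pairs whose
    record-check failures reach the threshold."""
    counts = Counter()
    failures = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec.get("msg") not in ALERT_MSGS or "desc" not in rec:
            continue  # not an SSL alert message
        code, name = decode_desc(rec["desc"])
        pair = (rec.get("src", "?"), rec.get("vip", "?"))
        counts[pair + (name,)] += 1
        if code in RECORD_CHECK_FAILURES:
            failures[pair] += 1
    flagged = sorted(p for p, n in failures.items() if n >= threshold)
    return counts, flagged


# Constructed sample lines (documentation address ranges, invented values).
_COMMON = "vd=root policy=5 vip=203.0.113.10 dst=192.0.2.20 dst-port=443"
SAMPLE_LOG = [
    f'{_COMMON} serial=1001 src=198.51.100.7 src-port=50111 action=send level=2 desc=20 msg="SSL Alert sent"',
    f'{_COMMON} serial=1002 src=198.51.100.7 src-port=50112 action=send level=2 desc=fts_alert_desc_bad_record_mac msg="SSL Alert sent"',
    f'{_COMMON} serial=1003 src=198.51.100.7 src-port=50113 action=send level=2 desc=21 msg="SSL Alert sent"',
    f'{_COMMON} serial=1004 src=198.51.100.99 src-port=40001 action=send level=2 desc=70 msg="SSL Alert sent"',
    f'{_COMMON} serial=1005 src=198.51.100.99 src-port=40002 action=receive level=2 desc=40 msg="SSL Alert received"',
    f'{_COMMON} serial=1006 src=198.51.100.99 src-port=40003 action=send level=2 desc=48 msg="SSL Alert sent"',
    f'{_COMMON} serial=1007 src=198.51.100.99 src-port=40004 action=send level=2 desc=20 msg="SSL Alert sent"',
    f'{_COMMON} serial=1008 src=198.51.100.50 src-port=40100 action=close msg="SSL maximum connections reached."',
]

if __name__ == "__main__":
    counts, flagged = triage(SAMPLE_LOG)
    for (src, vip, name), n in sorted(counts.items()):
        print(f"{src} -> {vip}  {name}: {n}")
    for src, vip in flagged:
        print(f"repeated record-check failures: {src} -> {vip}")
```
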
45027
Message ID
45027
Log Subtype
VIP SSL
Severity
Error
Firmware version
FortiOS 4.0 MR3
Meaning
An invalid SSL ContentType occurred.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual domains
exist, this field always contains root.
serial
The serial number of the firewall session on which the event happened.
policy
The ID number of the firewall policy that applies to the session or packet. Any
policy that is automatically added by the FortiGate unit will have an index number
of zero.
vip
The virtual IP address.
src
The source IP address.
src-port
The source port number.
dst
The destination IP address.
dst-port
The destination port number.
action
This field always contains receive.
type
The type information.
msg
Invalid SSL ContentType
45029
Message ID
45029
Log Subtype
VIP SSL
Severity
Error
Firmware version
FortiOS 4.0 MR3
Meaning
An SSL ChangeCipherSpec has a bad length.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual domains
exist, this field always contains root.
serial
The serial number of the firewall session on which the event happened.
policy
The ID number of the firewall policy that applies to the session or packet. Any
policy that is automatically added by the FortiGate unit will have an index number
of zero.
vip
The virtual IP address.
src
The source IP address.
src-port
The source port number.
dst
The destination IP address.
dst-port
The destination port number.
action
This field always contains close.
msg
Bad length in SSL ChangeCipherSpec
45031
Message ID
45031
Log Subtype
VIP SSL
Severity
Error
Firmware version
FortiOS 4.0 MR3
Meaning
An SSL ChangeCipherSpec has a bad length.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual domains
exist, this field always contains root.
serial
The serial number of the firewall session on which the event happened.
policy
The ID number of the firewall policy that applies to the session or packet. Any
policy that is automatically added by the FortiGate unit will have an index number
of zero.
vip
The virtual IP address.
src
The source IP address.
src-port
The source port number.
dst
The destination IP address.
dst-port
The destination port number.
humin
This field always contains close.
max
The maximum information.
received
The received information.
action
This field always contains close.
msg
The log message information. This is usually a sentence and explains the activity
and/or action taken.
45032
Message ID
45032
Log Subtype
VIP SSL
Severity
Error
Firmware version
FortiOS 4.0 MR3
Meaning
A certificate’s public key is too big for SSL off-loading.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual domains
exist, this field always contains root.
serial
The serial number of the firewall session on which the event happened.
policy
The ID number of the firewall policy that applies to the session or packet. Any
policy that is automatically added by the FortiGate unit will have an index number
of zero.
vip
The virtual IP address.
src
The source IP address.
src-port
The source port number.
dst
The destination IP address.
dst-port
The destination port number.
hulen
This field is always close.
max
The maximum information.
action
This field always contains close.
msg
The log message information. This is usually a sentence and explains the activity
and/or action taken.
Event-DNS
Event-DNS log messages record DNS response activity.
44288
Message ID
44288
Log Subtype
Event-DNS
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
A DNS response log message.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no
virtual domains exist, this field always contains root.
policy_id
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate unit will
have an index number of zero.
src
The source IP address.
dst
The destination IP address.
src_int
The name of the source interface.
dst_int
The name of the destination interface.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
dns_name
The name of the DNS server.
dns_ip
The IP address of the DNS server.
Event-config
Event-config log messages record configuration changes that an administrator or user makes to the
FortiOS configuration.
44544
44545
44546
44547
44544
Message ID
44544
Log Sub-type
Event-config
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
A configuration path log message.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
user
The name of the user changing the configuration setting.
ui
The user interface.
action
This can be any one of the following:
• add
• edit
• delete
• clear
• move
• rename
• clone
• abort
cfg_tid
The configuration transaction identification number.
cfg_path
The configuration path.
msg
The log message information. This is usually a sentence and explains the
activity and/or action taken.
44545
Message ID
44545
Log Sub-type
Event-config
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
A configuration object log message.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
user
The name of the user changing the configuration setting.
ui
The user interface.
action
This can be any one of the following:
• add
• edit
• delete
• clear
• move
• rename
• clone
• abort
cfg_tid
The configuration transaction identification number.
cfg_path
The configuration path.
cfg_obj
The configuration object.
msg
The log message information. This is usually a sentence and explains the
activity and/or action taken.
44546
Message ID
44546
Log Sub-type
Event-config
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
A configuration attributes log message.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
user
The name of the user changing the configuration setting.
ui
The user interface.
action
This can be any one of the following:
• add
• edit
• delete
• clear
• move
• rename
• clone
• abort
cfg_tid
The configuration transaction identification number.
cfg_path
The configuration path.
cfg_attr
The configuration attributes.
msg
The log message information. This is usually a sentence and explains the
activity and/or action taken.
44547
Message ID
44547
Log Sub-type
Event-config
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
A configuration object attributes log message.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
user
The name of the user changing the configuration setting.
ui
The user interface.
action
This can be any one of the following:
• add
• edit
• delete
• clear
• move
• rename
• clone
• abort
cfg_tid
The configuration transaction identification number.
cfg_path
The configuration path.
conf_obj
The configuration object.
cfg_attr
The configuration attributes.
msg
The log message information. This is usually a sentence and explains the
activity and/or action taken.
Event-auth
Event-auth log messages record authentication activity, including FSAE activity and NTLM authentication.
43008
43023
43009
43024
43010
43025
43011
43025
43012
43026
43013
43027
43014
43028
43015
43029
43016
43030
43017
43018
43019
43020
43021
43022
43008
Message ID
43008
Log Subtype
auth
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The authentication was successful.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
src
The source IP address.
dst
The destination IP address.
policyid
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate unit will have an
index number of zero.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
ui
The user interface.
action
The action that was taken. This can be any one of the following:
• authentication
• FSAE-auth
• FSAE-logon
• FSAE-logoff
• NTLM-auth
status
The status of the authentication session. This can be any one of the
following:
• success
• failure
• timed_out
• locked_out
reason
The reason for recording the activity.
msg
The log message information. This is usually a sentence and explains the
activity and/or action taken.
43009
Message ID
43009
Log Subtype
auth
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The authentication session failed.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
src
The source IP address.
dst
The destination IP address.
policyid
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate unit will have an
index number of zero.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
ui
The user interface.
action
The action that was taken. This can be any one of the following:
• authentication
• FSAE-auth
• FSAE-logon
• FSAE-logoff
• NTLM-auth
status
The status of the authentication session. This can be any one of the
following:
• success
• failure
• timed_out
• locked_out
reason
The reason for recording the activity.
msg
The log message information. This is usually a sentence and explains the
activity and/or action taken.
43010
Message ID
43010
Log Subtype
auth
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
The authentication locked out.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
src
The source IP address.
dst
The destination IP address.
policyid
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate unit will have an
index number of zero.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
ui
The user interface.
action
The action that was taken. This can be any one of the following:
• authentication
• FSAE-auth
• FSAE-logon
• FSAE-logoff
• NTLM-auth
status
The status of the authentication session. This can be any one of the
following:
• success
• failure
• timed_out
• locked_out
reason
The reason for recording the activity.
msg
The log message information. This is usually a sentence and explains the
activity and/or action taken.
43011
Message ID
43011
Log Subtype
auth
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The authentication timed out.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
src
The source IP address.
dst
The destination IP address.
policyid
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate unit will have an
index number of zero.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
ui
The user interface.
action
The action that was taken. This can be any one of the following:
• authentication
• FSAE-auth
• FSAE-logon
• FSAE-logoff
• NTLM-auth
status
The status of the authentication session. This can be any one of the
following:
• success
• failure
• timed_out
• locked_out
reason
The reason for recording the activity.
msg
The log message information. This is usually a sentence and explains the
activity and/or action taken.
43012
Message ID
43012
Log Subtype
auth
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
FSAE authentication was successful.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
src
The source IP address.
dst
The destination IP address.
policyid
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate unit will have an
index number of zero.
user
The name of the user creating the traffic.
adgroup
The name of the active directory group.
group
The name of the group creating the traffic.
ui
The user interface.
action
The action that was taken. This can be any one of the following:
• authentication
• FSAE-auth
• FSAE-logon
• FSAE-logoff
• NTLM-auth
status
The status of the authentication session. This can be any one of the
following:
• success
• failure
• timed_out
• locked_out
reason
The reason for recording the activity.
msg
The log message information. This is usually a sentence and explains the
activity and/or action taken.
43013
Message ID
43013
Log Subtype
auth
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The FSAE authentication failed.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
src
The source IP address.
dst
The destination IP address.
policyid
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate unit will have an
index number of zero.
user
The name of the user creating the traffic.
adgroup
The name of the active directory group.
group
The name of the group creating the traffic.
ui
The user interface.
action
The action that was taken. This can be any one of the following:
• authentication
• FSAE-auth
• FSAE-logon
• FSAE-logoff
• NTLM-auth
status
The status of the authentication session. This can be any one of the
following:
• success
• failure
• timed_out
• locked_out
reason
The reason for recording the activity.
msg
The log message information. This is usually a sentence and explains the
activity and/or action taken.
43014
Message ID
43014
Log Subtype
auth
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The FSAE user logged on.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
src
The source IP address.
user
The name of the FSAE user who is logging on.
server
The IP address of the FSAE server.
action
The action that was taken. This can be any one of the following:
• authentication
• FSAE-auth
• FSAE-logon
• FSAE-logoff
• NTLM-auth
msg
The log message information. This is usually a sentence and explains the
activity and/or action taken.
43015
Message ID
43015
Log Subtype
auth
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The FSAE user logged off.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
src
The source IP address.
user
The name of the FSAE user who is logging on.
server
The IP address of the FSAE server.
action
The action that was taken. This can be any one of the following:
• authentication
• FSAE-auth
• FSAE-logon
• FSAE-logoff
• NTLM-auth
msg
The log message information. This is usually a sentence and explains the
activity and/or action taken.
43016
Message ID
43016
Log Subtype
auth
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The NTLM authentication was successful.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
src
The source IP address.
dst
The destination IP address.
policyid
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate unit will have an
index number of zero.
user
The name of the user creating the traffic.
adgroup
The name of the active directory group.
group
The name of the group creating the traffic.
ui
The user interface.
action
The action that was taken. This can be any one of the following:
• authentication
• FSAE-auth
• FSAE-logon
• FSAE-logoff
• NTLM-auth
status
The status of the authentication session. This can be any one of the
following:
• success
• failure
• timed_out
• locked_out
reason
The reason for recording the activity.
msg
The log message information. This is usually a sentence and explains the
activity and/or action taken.
43017
Message ID
43017
Log Subtype
auth
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The NTLM authentication failed.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
src
The source IP address.
dst
The destination IP address.
policyid
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate unit will have an
index number of zero.
user
The name of the user creating the traffic.
adgroup
The name of the active directory group.
group
The name of the group creating the traffic.
ui
The user interface.
action
The action that was taken. This can be any one of the following:
• authentication
• FSAE-auth
• FSAE-logon
• FSAE-logoff
• NTLM-auth
status
The status of the authentication session. This can be any one of the
following:
• success
• failure
• timed_out
• locked_out
reason
The reason for recording the activity.
msg
The log message information. This is usually a sentence and explains the
activity and/or action taken.
43018
Message ID
43018
Log Subtype
auth
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
The FortiGuard override failed.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
src
The source IP address.
dst
The destination IP address.
initiator
The initiator information.
status
The status of the authentication session. This can be any one of the
following:
• success
• failure
• timed_out
• locked_out
reason
The reason for recording the activity.
msg
The log message information. This is usually a sentence and explains the
activity and/or action taken.
43019
Message ID
43019
Log Subtype
auth
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
The FortiGuard override failed.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
src
The source IP address.
dst
The destination IP address.
initiator
The initiator information.
status
The status of the authentication session. This can be any one of the
following:
• success
• failure
• timed_out
• locked_out
reason
The reason for recording the activity.
msg
The log message information. This is usually a sentence and explains the
activity and/or action taken.
43020
Message ID
43020
Log Subtype
auth
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The FortiGuard override was successful.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
src
The source IP address.
dst
The destination IP address.
initiator
The initiator information.
status
This can be any one of the following:
• success
• failure
• timed_out
• locked_out
reason
The reason that the activity or action occurred.
scope
This can be any one of the following:
• user
• user_group
• ip
• profile
• unhandled
scope_data
The scope data information.
rule_type
This can be any one of the following:
• directory
• domain
• rating
• unhandled
rule_data
The rule data information.
offsite
This can be either yes, meaning the offsite was allowed, or no, meaning
the offsite was not allowed.
expiry
The expiry information.
msg
The log message information. This is usually a sentence and explains
the activity and/or action taken.
43021
Message ID
43021
Log Subtype
auth
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
Endpoint checking event.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
dst
The destination IP address.
ui
The user interface.
msg
The log message information. This is usually a sentence and explains
the activity and/or action taken.
43022
Message ID
43022
Log Subtype
auth
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
Endpoint license distribution.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
dst
The destination IP address.
ui
The user interface.
msg
The log message information. This is usually a sentence and explains
the activity and/or action taken.
43023
Message ID
43023
Log Subtype
auth
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
Endpoint detection.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
dst
The destination IP address.
ui
The user interface.
msg
The log message information. This is usually a sentence and explains
the activity and/or action taken.
43024
Message ID
43024
Log Subtype
auth
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
Endpoint detection.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
dst
The destination IP address.
ui
The user interface.
msg
The log message information. This is usually a sentence and explains
the activity and/or action taken.
43025
Message ID
43025
Log Subtype
auth
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The authentication was successful.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
src
The source IP address.
dst
The destination IP address.
policyid
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate unit will have an
index number of zero.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
ui
The user interface.
action
The action that was taken. This can be any one of the following:
• authentication
• FSAE-auth
• FSAE-logon
• FSAE-logoff
• NTLM-auth
status
The status of the authentication session. This can be any one of the
following:
• success
• failure
• timed_out
• locked_out
reason
The reason for recording the activity.
msg
The log message information. This is usually a sentence and explains the
activity and/or action taken.
43026
Message ID
43026
Log Subtype
auth
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The authentication failed.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
src
The source IP address.
dst
The destination IP address.
policyid
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate unit will have an
index number of zero.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
ui
The user interface.
action
The action that was taken. This can be any one of the following:
• authentication
• FSAE-auth
• FSAE-logon
• FSAE-logoff
• NTLM-auth
status
The status of the authentication session. This can be any one of the
following:
• success
• failure
• timed_out
• locked_out
reason
The reason for recording the activity.
msg
The log message information. This is usually a sentence and explains the
activity and/or action taken.
43027
Message ID
43027
Log Subtype
auth
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The authentication session timed out.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
src
The source IP address.
dst
The destination IP address.
policyid
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate unit will have an
index number of zero.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
ui
The user interface.
action
The action that was taken. This can be any one of the following:
• authentication
• FSAE-auth
• FSAE-logon
• FSAE-logoff
• NTLM-auth
status
The status of the authentication session. This can be any one of the
following:
• success
• failure
• timed_out
• locked_out
reason
The reason for recording the activity.
msg
The log message information. This is usually a sentence and explains the
activity and/or action taken.
43028
Message ID
43028
Log Subtype
auth
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The authentication session failed.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
src
The source IP address.
dst
The destination IP address.
policyid
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate unit will have an
index number of zero.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
ui
The user interface.
action
The action that was taken. This can be any one of the following:
• authentication
• FSAE-auth
• FSAE-logon
• FSAE-logoff
• NTLM-auth
status
The status of the authentication session. This can be any one of the
following:
• success
• failure
• timed_out
• locked_out
reason
The reason for recording the activity.
msg
The log message information. This is usually a sentence and explains the
activity and/or action taken.
43029
Message ID
43029
Log Subtype
auth
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The FortiGuard override was successful.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
src
The source IP address.
dst
The destination IP address.
initator
The initiator information.
status
This can be any one of the following:
• success
• failure
• timed_out
• locked_out
reason
The reason the activity or action occurred.
scope
This can be any one of the following:
• user
• user_group
• ip
• profile
• unhandled
scope_data
The scope data information.
rule_type
This can be any one of the following:
• directory
• domain
• rating
• unhandled
rule_data
The rule data information.
offsite
This can be either yes, meaning the offsite was allowed, or no, meaning
the offsite was not allowed.
expiry
The expiry information.
msg
The log message information. This is usually a sentence and explains
the activity and/or action taken.
43030
Message ID
43030
Log Subtype
auth
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
The FortiGuard override failed.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
src
The source IP address.
dst
The destination IP address.
initiator
The initiator information.
status
The status of the authentication session. This can be any one of the
following:
• success
• failure
• timed_out
• locked_out
reason
The reason for recording the activity.
msg
The log message information. This is usually a sentence and explains the
activity and/or action taken.
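An added example, not part of the Fortinet reference: detection logic over the authentication events 43025 to 43028 described above, using only the documented field names and the listed action and status values. The space-separated key=value line layout, the failure threshold and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Values the reference lists for the action and status fields of 43025-43028.
AUTH_ACTIONS = {"authentication", "FSAE-auth", "FSAE-logon", "FSAE-logoff", "NTLM-auth"}
AUTH_STATUSES = {"success", "failure", "timed_out", "locked_out"}

# Assumed line layout: space-separated key=value pairs, values optionally
# wrapped in double quotes. A quoted value is consumed as one token, so text
# such as status=success inside msg cannot override the real status field.
PAIR_RE = re.compile(r'([A-Za-z_][\w-]*)=(?:"((?:[^"\\]|\\.)*)"|(\S*))')


def parse_line(line):
    """Return a dict of the key=value pairs found in one log line."""
    fields = {}
    for key, quoted, bare in PAIR_RE.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def is_auth_event(fields):
    """True when action and status both carry a value the reference lists."""
    return (fields.get("action") in AUTH_ACTIONS
            and fields.get("status") in AUTH_STATUSES)


def detect(lines, fail_threshold=3):
    """Scan lines in order and return (findings, skipped).

    findings is a list of (reason, vd, src, user) tuples:
      locked_out             - any event with status=locked_out
      repeated_failure       - fail_threshold consecutive failures for one key
      success_after_failures - a success that ends such a streak
    skipped counts lines that are not authentication events.
    """
    streak = defaultdict(int)  # consecutive failures per (vd, src, user)
    findings = []
    skipped = 0
    for line in lines:
        fields = parse_line(line)
        if not is_auth_event(fields):
            skipped += 1
            continue
        # The reference states vd is "root" when no virtual domains exist.
        key = (fields.get("vd", "root"), fields.get("src", ""), fields.get("user", ""))
        status = fields["status"]
        if status == "locked_out":
            findings.append(("locked_out",) + key)
        elif status == "failure":
            streak[key] += 1
            if streak[key] == fail_threshold:
                findings.append(("repeated_failure",) + key)
        elif status == "success":
            if streak[key] >= fail_threshold:
                findings.append(("success_after_failures",) + key)
            streak[key] = 0
        # timed_out neither extends nor resets a streak in this sketch.
    return findings, skipped


# Constructed sample lines (not captured from a device).
_FAIL = ('vd=root src=192.0.2.10 dst=198.51.100.5 policyid=3 user="alice" '
         'group="staff" ui=https action=authentication status=failure '
         'reason="constructed" msg="constructed sample, status=success"')
SAMPLE = [
    _FAIL,
    _FAIL,
    'vd=root src=192.0.2.77 dst=198.51.100.5 policyid=3 user="bob" group="staff" '
    'ui=https action=NTLM-auth status=locked_out reason="constructed" msg="constructed"',
    _FAIL,
    'vd=root dst=198.51.100.5 ui=https msg="constructed endpoint detection sample"',
    'vd=root src=192.0.2.10 dst=198.51.100.5 policyid=3 user="alice" group="staff" '
    'ui=https action=authentication status=success reason="constructed" msg="constructed"',
    'vd=branch src=192.0.2.10 dst=198.51.100.5 policyid=3 user="alice" group="staff" '
    'ui=https action=FSAE-logon status=success reason="constructed" msg="constructed"',
]

if __name__ == "__main__":
    found, ignored = detect(SAMPLE)
    for finding in found:
        print(finding)
    print("non-auth lines skipped:", ignored)
```

Keying the streak on (vd, src, user) keeps virtual domains separate; keying on src alone instead would surface one source trying many user names.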
Event-wad
Event-wad log messages record WAN optimization events, such as a user adding a WAN optimization
rule, as well as web proxy events.
40960
48001
48003
48005
48007
48009
48011
48012
48013
48015
48017
48019
48023
48027
48029
48031
48032
48100
48101
48102
48123
48124
48124
48127
48129
48131
48132
48200
48201
48205
48300
48301
40960
Message ID
40960
Log Subtype
wad
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
A web proxy forward server error.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
fwserver_name
The name of the web proxy server.
addr_type
The type of address used, for example FQDN. This field contains either IP
or FQDN.
ip
The IP address.
fqdn
The FQDN address.
port
The port number.
msg
The log message is any one of the following:
• Failed to connection to forward server.
• Successfully connected to forward server.
48001
Message ID
48001
Log Subtype
wad
Severity
Error
Firmware version
FortiOS 4.0 MR3
Meaning
The SSL received an incorrect handshake message.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
serial
The serial number of the firewall session on which the event happened.
policy
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
src
The source IP address.
src-port
The source port number.
dst
The destination IP address.
dst-port
The destination port number.
action
This field always contains receive.
expected
The expected information.
received
The received information.
msg
Incorrect SSL handshake message.
48003
Message ID
48003
Log Subtype
wad
Severity
Error
Firmware version
FortiOS 4.0 MR3
Meaning
The SSL handshake message contains a bad length.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
serial
The serial number of the firewall session on which the event happened.
policy
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
src
The source IP address.
src-port
The source port number.
dst
The destination IP address.
dst-port
The destination port number.
action
This field always contains close.
handshake
The handshake information.
msg
Bad length in SSL handshake.
48005
Message ID
48005
Log Subtype
wad
Severity
Error
Firmware version
FortiOS 4.0 MR3
Meaning
The RSA verification of Diffie-Hellman parameters failed.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
serial
The serial number of the firewall session on which the event happened.
policy
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
src
The source IP address.
src-port
The source port number.
dst
The destination IP address.
dst-port
The destination port number.
action
This field always contains close.
msg
RSA verification of Diffie-Hellman parameters failed.
48007
Message ID
48007
Log Subtype
wad
Severity
Error
Firmware version
FortiOS 4.0 MR3
Meaning
The hash in SSL Finished does not match the calculated hash.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
serial
The serial number of the firewall session on which the event happened.
policy
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
src
The source IP address.
src-port
The source port number.
dst
The destination IP address.
dst-port
The destination port number.
local
The local information.
remote
The remote information.
action
This field always contains close.
msg
Hash in SSL Finished does not match calculated hash.
48009
Message ID
48009
Log Subtype
wad
Severity
Error
Firmware version
FortiOS 4.0 MR3
Meaning
An SSL decryption failure occurred.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
serial
The serial number of the firewall session on which the event happened.
policy
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
src
The source IP address.
src-port
The source port number.
dst
The destination IP address.
dst-port
The destination port number.
action
This field always contains close.
reason
The reason that the trigger occurred.
msg
SSL decryption failure.
48011
Message ID
48011
Log Subtype
wad
Severity
Error
Firmware version
FortiOS 4.0 MR3
Meaning
An SSL minor version is less than the configured minimum value.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
serial
The serial number of the firewall session on which the event happened.
policy
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will have
an index number of zero.
src
The source IP address.
src-port
The source port number.
dst
The destination IP address.
dst-port
The destination port number.
action
This field always contains close.
min-minor
The min-minor information.
recv-minor
The recv-minor information.
msg
SSL minor below minimum configured value.
48012
Message ID
48012
Log Subtype
wad
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
The maximum limit of SSL connections was reached.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
serial
The serial number of the firewall session on which the event happened.
policy
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
src
The source IP address.
src-port
The source port number.
dst
The destination IP address.
dst-port
The destination port number.
action
This field always contains close.
msg
SSL maximum connections reached.
48013
Message ID
48013
Log Subtype
wad
Severity
Error
Firmware version
FortiOS 4.0 MR3
Meaning
There is no support for the offered CipherSuites.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
serial
The serial number of the firewall session on which the event happened.
policy
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
src
The source IP address.
src-port
The source port number.
dst
The destination IP address.
dst-port
The destination port number.
action
This field always contains close.
msg
None of the offered CipherSuites are supported.
48015
Message ID
48015
Log Subtype
wad
Severity
Error
Firmware version
FortiOS 4.0 MR3
Meaning
The SSL handshake does not have a valid length.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
serial
The serial number of the firewall session on which the event happened.
policy
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an
index number of zero.
src
The source IP address.
src-port
The source port number.
dst
The destination IP address.
dst-port
The destination port number.
action
This field always contains receive.
len
The length information.
msg
Incorrect SSL handshake length.
48017
Message ID
48017
Log Subtype
wad
Severity
Error
Firmware version
FortiOS 4.0 MR3
Meaning
The SSL handshake is too long.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
serial
The serial number of the firewall session on which the event happened.
policy
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
src
The source IP address.
src-port
The source port number.
dst
The destination IP address.
dst-port
The destination port number.
action
This field always contains receive.
handshake
The handshake information.
len
The length information.
max
The maximum length information.
msg
SSL Handshake too long
48019
Message ID
48019
Log Subtype
wad
Severity
Error
Firmware version
FortiOS 4.0 MR3
Meaning
An SSL alert message was sent.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
serial
The serial number of the firewall session on which the event happened.
policy
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
src
The source IP address.
src-port
The source port number.
dst
The destination IP address.
dst-port
The destination port number.
action
This field always contains send.
level
The level information.
desc
The description information.
msg
SSL Alert sent
48023
Message ID
48023
Log Subtype
wad
Severity
Error
Firmware version
FortiOS 4.0 MR3
Meaning
An SSL alert message was received.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
serial
The serial number of the firewall session on which the event happened.
policy
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
src
The source IP address.
src-port
The source port number.
dst
The destination IP address.
dst-port
The destination port number.
action
This field always contains receive.
level
The level information.
desc
The description information.
msg
SSL Alert received.
48027
Message ID
48027
Log Subtype
wad
Severity
Error
Firmware version
FortiOS 4.0 MR3
Meaning
An invalid SSL content type was received.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
serial
The serial number of the firewall session on which the event happened.
policy
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will have
an index number of zero.
src
The source IP address.
src-port
The source port number.
dst
The destination IP address.
dst-port
The destination port number.
action
This field always contains receive.
type
The type information.
msg
Invalid SSL ContentType.
48029
Message ID
48029
Log Subtype
wad
Severity
Error
Firmware version
FortiOS 4.0 MR3
Meaning
An SSL ChangeCipherSpec has bad length.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
serial
The serial number of the firewall session on which the event happened.
policy
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
src
The source IP address.
src-port
The source port number.
dst
The destination IP address.
dst-port
The destination port number.
action
This field always contains close.
msg
Bad length in SSL ChangeCipherSpec.
48031
Message ID
48031
Log Subtype
wad
Severity
Error
Firmware version
FortiOS 4.0 MR3
Meaning
An SSL ChangeCipherSpec has bad length.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
serial
The serial number of the firewall session on which the event happened.
policy
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
src
The source IP address.
src-port
The source port number.
dst
The destination IP address.
dst-port
The destination port number.
min
The minimum information.
max
The maximum information.
received
The received information.
action
This field always contains close.
msg
The log message information. This is usually a sentence and explains the
activity and/or action taken.
48032
Message ID
48032
Log Subtype
wad
Severity
Error
Firmware version
FortiOS 4.0 MR3
Meaning
The certificate’s public key is too big for SSL offloading to handle.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
serial
The serial number of the firewall session on which the event happened.
policy
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
src
The source IP address.
src-port
The source port number.
dst
The destination IP address.
dst-port
The destination port number.
len
The length information.
max
The maximum length information.
action
This field always contains close.
msg
The log message information. This is usually a sentence and explains the
activity and/or action taken.
48100
Message ID
48100
Log Subtype
wad
Severity
Error
Firmware version
FortiOS 4.0 MR3
Meaning
Cert authentication has failed.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
serial
The serial number of the firewall session on which the event happened.
policy
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
src
The source IP address.
src-port
The source port number.
dst
The destination IP address.
dst-port
The destination port number.
msg
authentication failed: cert authentication failed.
48101
Message ID
48101
Log Subtype
wad
Severity
Error
Firmware version
FortiOS 4.0 MR3
Meaning
Authentication failed because of an incorrect private shared key.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
serial
The serial number of the firewall session on which the event happened.
policy
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
src
The source IP address.
src-port
The source port number.
dst
The destination IP address.
dst-port
The destination port number.
authgrp
The authentication group information.
host
The host information.
msg
authentication failed: incorrect psk.
48102
Message ID
48102
Log Subtype
wad
Severity
Error
Firmware version
FortiOS 4.0 MR3
Meaning
Authentication failed.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
serial
The serial number of the firewall session on which the event happened.
policy
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
src
The source IP address.
src-port
The source port number.
dst
The destination IP address.
dst-port
The destination port number.
authgrp
The authentication group information.
peer
The peer information.
msg
authentication failed: <reason>
48123
Message ID
48123
Log Subtype
wad
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
A WAN optimization rule was changed.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
serial
The serial number of the firewall session on which the event happened.
policy
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
src
The source IP address.
src-port
The source port number.
dst
The destination IP address.
dst-port
The destination port number.
msg
A wan-opt rule has changed.
48124
Message ID
48124
Log Subtype
wad
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
A WAN optimization rule was added.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
serial
The serial number of the firewall session on which the event happened.
policy
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
src
The source IP address.
src-port
The source port number.
dst
The destination IP address.
dst-port
The destination port number.
msg
A wan-opt rule is added.
Message ID
48124
Log Subtype
wad
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
A WAN optimization rule was removed.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
user
The name of the user creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate
unit so that they could change, add, or remove a setting. For example,
the user admin_123 accesses the web-based manager to change their
password on the FortiGate-51B (IP address is 10.10.20.5). This field
shows their point-of-entry in this field, GUI(10.10.20.5).
id
The identification information.
msg
User <user_name> deleted a wad rule <rule_name> from <ui>
48127
Message ID
48127
Log Subtype
wad
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
A web cache name was entered or a host name was entered.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
user
The name of the user creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate
unit so that they could change, add, or remove a setting. For example,
the user admin_123 accesses the web-based manager to change their
password on the FortiGate-51B (IP address is 10.10.20.5). This field
shows their point-of-entry in this field, GUI(10.10.20.5).
msg
This field contains one of the following:
• user <user_name> set web proxy name.
• user<user_name> set wan acceleration host-id
48129
Message ID
48129
Log Subtype
wad
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
Depending on what appears in the msg field, the meaning can be any
one of the following:
• The specified user set the WAN-opt storage.
• The specified user deleted the WAN-opt storage entry.
• The specified user set the byte cache storage.
• The specified user set the web cache storage.
• The specified user deleted the disk storage entry.
• The ISCSI target is set.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
user
The name of the user creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate
unit so that they could change, add, or remove a setting. For example,
the user admin_123 accesses the web-based manager to change their
password on the FortiGate-51B (IP address is 10.10.20.5). This field
shows their point-of-entry in this field, GUI(10.10.20.5).
action
The action information. This field does not appear for all 48129 log
messages.
name
The name information.
msg
This field contains one of the following:
• user <user_name> set wanopt storage <storage> size=<size_amount>
• Administrator <user_name> disk storage <disk_storage> from <ui>
• user <user_name> delete disk storage entry
48131
Message ID
48131
Log Subtype
wad
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
A user added a WAN accelerator SSL server.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
user
The name of the user creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate
unit so that they could change, add, or remove a setting. For example,
the user admin_123 accesses the web-based manager to change their
password on the FortiGate-51B (IP address is 10.10.20.5). This field
shows their point-of-entry in this field, GUI(10.10.20.5).
name
The name information.
msg
User <user_name> added a wan accelerator ssl server setting
<ssl_server_setting> from <ui>.
48132
Message ID
48132
Log Subtype
wad
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
A user removed a WAN accelerator SSL server.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
user
The name of the user creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate
unit so that they could change, add, or remove a setting. For example,
the user admin_123 accesses the web-based manager to change their
password on the FortiGate-51B (IP address is 10.10.20.5). This field
shows their point-of-entry in this field, GUI(10.10.20.5).
name
The name information.
msg
User <user_name> deleted a wan accelerator ssl server setting
<ssl_server_setting> from <ui>
48200
Message ID
48200
Log Subtype
wad
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
A user added a network peer.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
user
The name of the user creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate
unit so that they could change, add, or remove a setting. For example,
the user admin_123 accesses the web-based manager to change their
password on the FortiGate-51B (IP address is 10.10.20.5). This field
shows their point-of-entry in this field, GUI(10.10.20.5).
name
The name information.
msg
User <user_name> added network accelerator peer <peer_name> from
<ui>
48201
Message ID
48201
Log Subtype
wad
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
A user deleted a peer.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
user
The name of the user creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate
unit so that they could change, add, or remove a setting. For example,
the user admin_123 accesses the web-based manager to change their
password on the FortiGate-51B (IP address is 10.10.20.5). This field
shows their point-of-entry in this field, GUI(10.10.20.5).
name
The name information.
msg
User <user_name> deleted a network accelerator peer entry
<peer_name> from <ui>
48205
Message ID
48205
Log Subtype
wad
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
A user deleted an authentication group entry.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
user
The name of the user creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate
unit so that they could change, add, or remove a setting. For example,
the user admin_123 accesses the web-based manager to change their
password on the FortiGate-51B (IP address is 10.10.20.5). This field
shows their point-of-entry in this field, GUI(10.10.20.5).
auth-group
The authentication group information.
msg
User <user_name> deleted a network accelerator auth-group entry
<auth_group_name> from <ui>
48300
Message ID
48300
Log Subtype
wad
Severity
Critical
Firmware version
FortiOS 4.0 MR3
Meaning
The server side, FortiGate, is not properly configured.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
serial
The serial number of the firewall session on which the event happened.
policy
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
rule-id
The identification number of the rule.
src
The source IP address.
src-port
The source port number.
dst
The destination IP address.
dst-port
The destination port number.
msg
auto detection failed: server side ftg is not properly configured.
48301
Message ID
48301
Log Subtype
wad
Severity
Critical
Firmware version
FortiOS 4.0 MR3
Meaning
An unexpected application type was detected.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
serial
The serial number of the firewall session on which the event happened.
policy
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
rule-id
The identification number of the rule.
app-type
The type of application that triggered the action within the control list.
src
The source IP address.
src-port
The source port number.
dst
The destination IP address.
dst-port
The destination port number.
msg
unexpected application type. Please report.
Event-LDB-monitor
Event-LDB-monitor log messages record VIP activities.
46000
46001
46002
46003
46004
46005
46100
46101
46000
Message ID
46000
Log Subtype
ldb-monitor
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The VIP real server was enabled.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
vip
The name of the virtual IP list used.
server
The IP address of the server.
port
The port number.
status
The status information.
action
This field always contains enable.
msg
ldb server enabled.
46001
Message ID
46001
Log Subtype
ldb-monitor
Severity
Alert
Firmware version
FortiOS 4.0 MR3
Meaning
The VIP real server was disabled.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
vip
The name of the virtual IP list used.
server
The IP address of the server.
port
The port number.
status
The status information.
action
This field always contains disable.
msg
ldb server disabled.
46002
Message ID
46002
Log Subtype
ldb-monitor
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The VIP real server is now up.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
vip
The name of the virtual IP list used.
server
The IP address of the server.
port
The port number.
status
The status information.
action
This field always contains up.
msg
ldb server up.
46003
Message ID
46003
Log Subtype
ldb-monitor
Severity
Alert
Firmware version
FortiOS 4.0 MR3
Meaning
The VIP real server is down.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
vip
The name of the virtual IP list used.
server
The IP address of the server.
port
The port number.
status
The status information.
action
This field always contains down.
msg
ldb server down
46004
Message ID
46004
Log Subtype
ldb-monitor
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The VIP real server has started a hold down period.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
vip
The name of the virtual IP list used.
server
The IP address of the server.
port
The port number.
status
The status information.
action
This field always contains holddown.
msg
ldb server entered holddown period
interval
The hold-down interval period in seconds.
46005
Message ID
46000
Log Subtype
ldb-monitor
Severity
Alert
Firmware version
FortiOS 4.0 MR3
Meaning
The VIP realserver failed during the hold down period.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
vip
The name of the virtual IP list used.
server
The IP address of the server.
port
The port number.
status
The status information.
action
This field always contains holddown.
msg
ldb server health checking failed during holddown period.
46100
Message ID
46100
Log Subtype
ldb-monitor
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
A load balance server monitor was added.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
user
The name of the user creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate
unit so that they could change, add, or remove a setting. For example, the
user admin_123 accesses the web-based manager to change their
password on the FortiGate-51B (IP address is 10.10.20.5). This field
shows their point-of-entry in this field, GUI(10.10.20.5).
name
The name information.
msg
User <user_name> added load balance monitor
<load_balance_monitor_name> from <ui>
46101
Message ID
46100
Log Subtype
ldb-monitor
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
A load balance server monitor was added.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
user
The name of the user creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate
unit so that they could change, add, or remove a setting. For example, the
user admin_123 accesses the web-based manager to change their
password on the FortiGate-51B (IP address is 10.10.20.5). This field
shows their point-of-entry in this field, GUI(10.10.20.5).
name
The name information.
msg
User <user_name> deleted a load balance server monitor
<load_balance_monitor_name> from <ui>
Event-nac-quarantine
Event-nac-quarantine log messages record quarantine events, such as when banned users are
quarantined.
43776
Log Sub-type
nac-quarantine
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
A NAC quarantine event was recorded.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
src
The banned IP address.
dst
The destination IP address.
src_int
The banned interface.
dst_int
The destination interface.
src_port
The source port number.
dst_port
The destination port number.
proto
The protocol number that applies to the session or packet. The protocol
number in the packet header that identifies the next level protocol. Protocol
numbers are assigned by the Internet Assigned Number Authority (IANA).
service
The IP network service that applies to the session or packet. The services
displayed correspond to the services configured in the firewall policy.
action
This field contains any one of the following:
• ban-ip
• ban-src-dst-ip (banned all traffic from source IP to
destination IP by NAC quarantine)
• ban-interface
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
policid
The ID number of the firewall policy that applies to the session or packet. Any
policy that is automatically added by the FortiGate will have an index
number of zero.
banned_src
The banned source. This field contains any one of the following:
• ips
• dlp-compound
• dos
• av
• dlp-rule
banned_rule
The banned rule or reason that was detected.
sensor
The name of the DLP sensor that was used to detect and take action.
Event-his-performance
Event-his-performance log messages record the FortiGate unit’s performance statistics.
40704
Message ID
40704
Log Sub-type
his-performance
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
Performance statistics for the FortiGate unit.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
action
This field contains perf-stats.
cpu
The CPU usage in percent.
mem
The memory usage in percent.
total_session
The total number of sessions.
msg
Performance statistics.
Event-HA
Event-HA log messages are recorded when FortiGate units are in high availability mode.
These log messages describe changes in cluster unit status. These changes in status occur if a cluster unit
fails or starts up, or if a link fails or is restored. Each of these messages includes the serial number of the
cluster unit reporting the message. You can use the serial number to determine which cluster unit’s status has
changed.
37888
37889
37890
37891
37892
37893
37894
37895
37896
37897
37898
37899
37900
37901
37888
Message ID
37888
Log Subtype
HA
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
A specified HA group was deleted.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
msg
HA group is deleted.
ha_group
The number of the HA group.
37889
Message ID
37889
Log Subtype
HA
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
A specified virtual cluster was deleted.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
msg
Virtual cluster is deleted.
vcluster
The number of the virtual cluster.
37890
Message ID
37890
Log Subtype
HA
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
A specific VDOM in a virtual cluster was moved.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
msg
Virtual cluster’s vdom is moved.
from_vcluster
The number of the virtual cluster that the VDOM is being moved from.
to_vcluster
The number of the virtual cluster that the VDOM is being moved to.
vdname
The name of the virtual domain where the VDOM has been moved to.
37891
Message ID
37891
Log Subtype
HA
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
A VDOM was added to the specified virtual cluster.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
msg
Virtual cluster’s vdom is added.
to_vcluster
The number of the virtual cluster that the VDOM was added to.
vdname
The name of the virtual domain where the new VDOM was added in.
37892
Message ID
37892
Log Subtype
HA
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
A virtual cluster moved a member’s status.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no
virtual domains exist, this field always contains root.
msg
Virtual cluster’s member state moved
ha_role
The role of the unit within the cluster, for example, subordinate. This
field contains either slave or master.
Note: A FortiGate unit in a cluster has either a “slave” role (which is
often referred to as subordinate), or “master” role (which is often
referred to as primary). There are no other roles for the unit in a cluster.
vcluster
The number of the virtual cluster that the VDOM was added to.
vcluster_state
The state the virtual cluster is in. This field contains any one of the
following:
• init
• work
• helo
• standby
vcluster_member
The number of the member of the virtual cluster.
hostname
The host name.
sn
The serial number of the log message.
37893
Message ID
37893
Log Subtype
HA
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
A member of the virtual cluster was detected as not functioning.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
msg
Virtual cluster detected memeber dead.
vcluster
The number of the virtual cluster.
ha_group
The number of the HA group.
37894
Message ID
37894
Log Subtype
HA
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
A member was detected joining the virtual cluster.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
msg
Virtual cluster detected member join
vcluster
The number of the virtual cluster.
ha_group
The number of the HA group.
37895
Message ID
37895
Log Subtype
HA
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
A FortiGate unit in HA mode was added to the virtual cluster. The unit’s
name is not given, only its internal interface name.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
msg
Virtual cluster add HA device
vcluster
The number of the virtual cluster.
devintfname
The name of the unit’s interface.
37896
Message ID
37896
Log Subtype
HA
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
A FortiGate unit in HA mode was deleted from the virtual cluster. The
unit’s name is not given, only its internal interface name.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
msg
Virtual cluster delete HA device(interface)
vcluster
The number of the virtual cluster.
devintfname
The name of the unit’s interface.
37897
Message ID
37897
Log Subtype
HA
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
A FortiGate unit in HA mode is ready. The unit’s name is not given, only its
internal interface name.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
msg
HA device(interface) ready
ha_role
The type of role the device has in the HA cluster. This field contains either
master or slave.
Note: A FortiGate unit in a cluster has either a “slave” role (which is often
referred to as subordinate), or “master” role (which is often referred to as
primary). There are no other roles for the unit in a cluster.
devintfname
The name of the unit’s interface.
37898
Message ID
37898
Log Subtype
HA
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
A FortiGate unit in HA mode failed. The unit’s name is not given, only its
internal interface name.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
msg
HA device(interface) fail
ha_role
The type of role the device has in the HA cluster. This field contains either
master or slave.
Note: A FortiGate unit in a cluster has either a “slave” role (which is often
referred to as subordinate), or “master” role (which is often referred to as
primary). There are no other roles for the unit in a cluster.
devintfname
The name of the interface of the device.
37899
Message ID
37899
Log Subtype
HA
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
A FortiGate unit in HA mode with peer information. The unit’s name is not
given, only its internal interface name.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
msg
HA device(interface) peerinfo
ha_role
The type of role the unit has in the HA cluster. This field contains either
master or slave.
Note: A FortiGate unit in a cluster has either a “slave” role (which is often
referred to as subordinate), or “master” role (which is often referred to as
primary). There are no other roles for the unit in a cluster.
devintfname
The name of the unit’s interface.
37900
Message ID
37900
Log Subtype
HA
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The HA heartbeat was deleted.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
msg
Heartbeat device(interface) delete
devintfname
The name of the interface on the FortiGate unit.
37901
Message ID
37901
Log Subtype
HA
Severity
Critical
Firmware version
FortiOS 4.0 MR3
Meaning
The FortiGate unit in HA mode is not functioning properly. The unit’s name
is not given, only its internal interface name.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
msg
Heartbeat device(interface) down
ha_role
The type of role the FortiGate unit has in the HA cluster. This field contains
either master or slave.
Note: A FortiGate unit in a cluster has either a “slave” role (which is often
referred to as subordinate), or “master” role (which is often referred to as
primary). There are no other roles for the unit in a cluster.
hbdn_reason
The reason why the heartbeat is currently down. This field contains either
linkfail or neighbor-info-lost.
devintfname
The name of the interface on the FortiGate unit.
37902
Message ID
37902
Log Subtype
HA
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
The HA heartbeat is up.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
msg
Heartbeat device(interface) up
ha_role
The type of role the FortiGate unit has in the HA cluster. This field contains
either master or slave.
Note: A FortiGate unit in a cluster has either a “slave” role (which is often
referred to as subordinate), or “master” role (which is often referred to as
primary). There are no other roles for the unit in a cluster.
devintfname
The name of the interface on the FortiGate unit.
37903
Message ID
37903
Log Subtype
HA
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
The primary unit’s synchronization status.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
msg
The sync status with the master
sync_type
The type of synchronization being performed. This field contains either
configurations or external-files.
synt_status
The status of the synchronization. This field contains either out-of-sync or
in-sync.
37904
Message ID
37904
Log Subtype
HA
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The HA activity report
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
msg
HA activity report
vd
The name of the virtual domain where the information for the report was
gathered from.
ip
The IP address of the unit.
ha-prio
The priority number of the unit.
activity
The HA activity message.
Event-pattern
Event-pattern logs are recorded whenever an administrator updates virus, IPS, and antispam databases
from the FortiGuard network.
41000
41001
41000
Message ID
41000
Log Subtype
pattern
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
Depending on what appears in the msg field, the meaning can be any one of the
following:
• The specified administrator updated the IPS database from the web-based
manager.
• The specified administrator failed to update the virus database from the
web-based manager.
• The specified administrator successfully updated the AntiSpam database from
the web-based manager.
• The specified administrator successfully updated the IPS database from the
web-based manager.
Fields
Field Description
user
The name of the user creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit so that
they could change, add, or remove a setting. For example, the user admin_123
accesses the web-based manager to change their password on the FortiGate-51B
(IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
action
This field is always update.
status
This field contains either success or failure.
msg
This field contains any one of the following:
• VCM plugin has been updated successfully by user <user_name> via
GUI(<ip_address>)
• Virus database has been updated successfully by user <user_name> via
GUI(<ip_address>)
• Antispam database has been updated successfully by user <user_name> via
GUI (<ip_address>)
• IPS database has been updated successfully by user <user_name> via GUI
(<ip_address>)
41001
Message ID
41001
Log Subtype
pattern
Severity
Critical
Firmware version
FortiOS 4.0 MR3
Meaning
Depending on what appears in the msg field, the meaning can be any one of the
following:
• The specified administrator failed to update the IPS database from the web-based
manager.
• The specified administrator failed to update the virus database from the
web-based manager.
• The specified administrator failed to update the AntiSpam database from the
web-based manager.
• The specified administrator failed to update the IPS database from the web-based
manager.
Fields
Field Description
user
The name of the user creating the traffic.
ui
The location of the point-of-entry the user used to access the FortiGate unit so that
they could change, add, or remove a setting. For example, the user admin_123
accesses the web-based manager to change their password on the FortiGate-51B
(IP address is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).
action
This field is always update.
status
This field contains either success or failure.
msg
This field contains any one of the following:
• Update VCM plugin failed by user <user_name> via GUI (<ip_address>)
• Update virus database failed by user <user_name> via GUI(<ip_address>)
• Update AntiSpam database failed by user <user_name> via GUI(<ip_address>)
• Update IPS database failed by user <user_name> via GUI(<ip_address>)
Event-RADIUS
Event-RADIUS log messages record RADIUS server events.
38656
38657
38658
38659
38660
38661
38662
38663
38664
38665
38666
38667
38656
Message ID
38656
Log Sub-type
RADIUS
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
A RADIUS protocol error report.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
count
The number of times the same event was detected within a short period of time.
duration
This represents the value in seconds.
msg
The log message information. This is usually a sentence and explains the activity
and/or action taken.
38657
Message ID
38657
Log Sub-type
RADIUS
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
A RADIUS profile error report.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
count
The number of times the same event was detected within a short period of time.
duration
This represents the value in seconds.
msg
The log message information. This is usually a sentence and explains the
activity and/or action taken.
38658
Message ID
38658
Log Sub-type
RADIUS
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
A RADIUS context error report.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual domains
exist, this field always contains root.
count
The number of times the same event was detected within a short period of time.
duration
This represents the value in seconds.
msg
The log message information. This is usually a sentence and explains the activity
and/or action taken.
38659
Message ID
38659
Log Sub-type
RADIUS
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
A RADIUS missing stop packet report.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual domains
exist, this field always contains root.
count
The number of times the same event was detected within a short period of time.
duration
This represents the value in seconds.
msg
The log message information. This is usually a sentence and explains the activity
and/or action taken.
38660
Message ID
38660
Log Sub-type
RADIUS
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
A RADIUS accounting event report.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual domains
exist, this field always contains root.
count
The number of times the same event was detected within a short period of time.
duration
This represents the value in seconds.
msg
The log message information. This is usually a sentence and explains the activity
and/or action taken.
38661
Message ID
38661
Log Sub-type
RADIUS
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
A RADIUS other dynamic profile report.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual domains
exist, this field always contains root.
count
The number of times the same event was detected within a short period of time.
duration
This represents the value in seconds.
msg
The log message information. This is usually a sentence and explains the activity
and/or action taken.
38662
Message ID
38662
Log Sub-type
RADIUS
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
RADIUS protocol errors occurred.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual domains
exist, this field always contains root.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would display
MSISDN of the phone that sent the MMS message. This field will always display
N/A in FortiOS.
ip
The IP address.
profile
The name of the profile that was used to detect and take action.
msg
The log message information. This is usually a sentence and explains the activity
and/or action taken.
acc_stat
The accounting state. This field contains any one of the following:
• Start
• Stop
• Interim-Update
• Accounting-On
• Accounting-Off
reason
The reason that the trigger occurred.
38663
Message ID
38663
Log Sub-type
RADIUS
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
A RADIUS start or interim-update packet received with missing or invalid profile
specified.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual domains
exist, this field always contains root.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would display
MSISDN of the phone that sent the MMS message. This field will always display
N/A in FortiOS.
ip
The IP address.
profile
The name of the profile that was used to detect and take action.
msg
The log message information. This is usually a sentence and explains the activity
and/or action taken.
acct_stat
This field contains any one of the following:
• Start
• Stop
• Interim-Update
• Accounting-On
• Accounting-Off
reason
The reason that the trigger occurred.
38664
Message ID
38664
Log Sub-type
RADIUS
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
RADIUS context not found for user.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would display
MSISDN of the phone that sent the MMS message. This field will always display
N/A in FortiOS.
ip
The IP address.
profile
The name of the profile that was used to detect and take action.
msg
The log message information. This is usually a sentence and explains the activity
and/or action taken.
38665
Message ID
38665
Log Sub-type
RADIUS
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
A RADIUS stop packet was missed.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would display
MSISDN of the phone that sent the MMS message. This field will always display
N/A in FortiOS.
ip
The IP address.
profile
The name of the profile that was used to detect and take action.
msg
The log message information. This is usually a sentence and explains the activity
and/or action taken.
acct_stat
The accounting state. This field contains any one of the following:
• Start
• Stop
• Interim-Update
• Accounting-On
• Accounting-Off
reason
The reason that the trigger occurred.
38666
Message ID
38666
Log Sub-type
RADIUS
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
A RADIUS account event.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would display
MSISDN of the phone that sent the MMS message. This field will always display
N/A in FortiOS.
ip
The IP address.
profile
The name of the profile that was used to detect and take action.
msg
The log message information. This is usually a sentence and explains the
activity and/or action taken.
acct_stat
This field contains any one of the following:
• Start
• Stop
• Interim-Update
• Accounting-On
• Accounting-Off
reason
The reason that the trigger occurred.
38667
Message ID
38667
Log Sub-type
RADIUS
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
A RADIUS other dynamic profile event.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would display
MSISDN of the phone that sent the MMS message. This field will always display
N/A in FortiOS.
ip
The IP address.
profile
The name of the profile that was used to detect and take action.
msg
The log message information. This is usually a sentence and explains the activity
and/or action taken.
acct_stat
This field contains any one of the following:
• Start
• Stop
• Interim-Update
• Accounting-On
• Accounting-Off
reason
The reason that the trigger occurred.
Event-notification
Event-notification log messages record sent email notification alerts.
38400
38401
38402
38400
Message ID
38400
Log Subtype
Notification
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The system successfully sent an email notification message.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no
virtual domains exist, this field always contains root.
user
The name of the user creating the traffic.
from
The sender’s email address.
to
The recipient’s email address.
service
The IP network service that applies to the session or packet. The
services displayed correspond to the services configured in the
firewall policy.
proto
The MMS protocol used when running FortiOS Carrier. When
running FortiOS, this field contains N/A. This field contains any one
of the following:
• mm1
• mm4
• mm3
• mm7
dst
The destination IP address.
dport
The destination port number.
nf_type
The type of notification that was sent. For example, if a file was
blocked. This field contains any one of the following:
• bword
• file_block
• carrier_ep_bwl
• flood
• dupe
• alert
• mms_checksum
• virus
virus
The name of the virus that was found.
profile
The name of the profile that was used to detect and take action.
profiletype
The type of profile used.
profilegroup
The group that the profile is part of. This field contains N/A if there is
no profile group configured.
count
The number of times the same event was detected within a short
period of time.
duration
This represents the value in seconds.
msg
Successfully sent a notification message.
38401
Message ID
38401
Log Subtype
Notification
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
The system failed to send an email notification message.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no
virtual domains exist, this field always contains root.
user
The name of the user creating the traffic.
from
The sender’s email address.
to
The recipient’s email address.
service
The IP network service that applies to the session or packet. The
services displayed correspond to the services configured in the
firewall policy.
proto
The MMS protocol used when running FortiOS Carrier. When running
FortiOS, this field contains N/A. This field contains any one of the
following:
• mm1
• mm4
• mm3
• mm7
dst
The destination IP address.
dport
The destination port number.
nf_type
The type of notification that was sent. For example, if a file was
blocked. This field contains any one of the following:
• bword
• file_block
• carrier_ep_bwl
• flood
• dupe
• alert
• mms_checksum
• virus
virus
The name of the virus that was found.
profile
The name of the profile that was used to detect and take action.
profiletype
The type of profile used.
profilegroup
The group that the profile is part of. This field contains N/A if there is
no profile group configured.
count
The number of times the same event was detected within a short
period of time.
duration
This represents the value in seconds.
msg
Unable to send notification message.
sess_duration
The session duration number.
38402
Message ID
38402
Log Subtype
Notification
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The system was unable to resolve an MMSC hostname.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no
virtual domains exist, this field always contains root.
service
The IP network service that applies to the session or packet. The
services displayed correspond to the services configured in the
firewall policy.
profile
The name of the profile that was used to detect and take action.
profiletype
The type of profile used.
profile_vd
The virtual domain that the profile is from.
msg
Unable to resolve hostname.
Event-amc-intf-bypass
Event-amc-intf-bypass log messages record the AMC disks’ bypass mode activity.
47201
Message ID
47201
Log Sub-type
amc-intf-bypass
Severity
Emergency
Firmware version
FortiOS 4.0 MR3
Meaning
AMC card entered bypass mode.
Fields
Field Description
msg
The AMC card in slot <slot_number> has entered bypass mode due to <reason>.
47202
Message ID
47202
Log Sub-type
amc-intf-bypass
Severity
Emergency
Firmware version
FortiOS 4.0 MR3
Meaning
AMC card exited bypass mode.
Fields
Field Description
msg
The AMC card in slot <slot_number> has exited bypass mode due to <reason>.
Event-GTP
Event-GTP log messages record GTP activity. These messages are recorded only when running FortiOS
Carrier firmware.
41216
41217
41218
41219
41220
41221
41222
41216
Message ID
41216
Log Subtype
GTP
Severity
Information
Firmware version
FortiOS Carrier 4.0 MR3
Meaning
GTP forward
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no
virtual domains exist, this field always contains root.
profile
The name of the VoIP profile that was used to detect and take action.
status
This field can contain any one of the following:
• forwarded
• prohibited
• rate-limited
• state-invalid
• tunnel-limited
• traffic-count
• user-data
version
The version number.
msg-type
The number of the message type.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field
will always display N/A in FortiOS.
from
The source IP address.
to
The destination IP address.
imsi
The IMSI information.
msisdn
The MSISDN information.
apn
The APN information.
selection
This field contains any one of the following:
• apns-vrf
• ms-apn-no-vrf
• net-apn-no-vrf
c-gsn
The GSN IP address for signaling.
u-gsn
The GSN IP address for user traffic.
nsapi
The NSAPI number.
linked-nsapi
The linked-NSAPI number.
imei-sv
The IMEI-SV information.
rat-type
This field contains any one of the following:
• utran
• gan
• geran
• hspa
• wlan
rai
The RAI information.
uli
The ULI information.
end-user-address
The end-user’s IP address.
41217
Message ID
41217
Log Subtype
GTP
Severity
Information
Firmware version
FortiOS Carrier 4.0 MR3
Meaning
GTP deny
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If
no virtual domains exist, this field always contains root.
profile
The name of the VoIP profile that was used to detect and take
action.
status
This field can contain any one of the following:
• forwarded
• prohibited
• rate-limited
• state-invalid
• tunnel-limited
• traffic-count
• user-data
version
The version number.
msg-type
The number of the message type.
carrier_ep
The FortiOS Carrier end-point identification. For example, it
would display MSISDN of the phone that sent the MMS
message. This field will always display N/A in FortiOS.
from
The source IP address.
to
The destination IP address.
deny-cause
Explains why the message is prohibited. This field contains any
one of the following:
• packet-sanity
• invalid-reserved-field
• reserved-msg
• out-state-msg
• reserved-ie
• out-state-ie
• invalid-msg-length
• invalid-ie-length
• miss-mandatory-ie
• ip-policy
• non-ip-policy
• sgsn-not-authorized
• sgsn-no-handover
• ggsn-not-authorized
• invalid-seq-num
• msg-filter
• apn-filter
• imsi-filter
• adv-policy-filter
imsi
The IMSI information.
msisdn
The MSISDN information.
apn
The APN information.
selection
This field contains any one of the following:
• apns-vrf
• ms-apn-no-vrf
• net-apn-no-vrf
c-gsn
The IP address.
u-gsn
The IP address.
nsapi
The number of NSAPI.
linked-nsapi
The number of linked-NSAPI.
imei-sv
The IMEI-SV information.
rat-type
This field contains any one of the following:
• utran
• gan
• geran
• hspa
• wlan
rai
The RAI information.
uli
The ULI information.
end-user-address
The end-user’s IP address.
41218
Message ID
41218
Log Subtype
GTP
Severity
Information
Firmware version
FortiOS Carrier 4.0 MR3
Meaning
GTP rate limit.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no
virtual domains exist, this field always contains root.
profile
The name of the VoIP profile that was used to detect and take
action.
status
This field can contain any one of the following:
• forwarded
• prohibited
• rate-limited
• state-invalid
• tunnel-limited
• traffic-count
• user-data
version
The version number.
msg-type
The number of the message type.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This
field will always display N/A in FortiOS.
from
The source IP address.
to
The destination IP address.
imsi
The identification number of the IMSI.
msisdn
The identification number of the MSISDN.
apn
The identification number for APN.
selection
This field contains any one of the following:
• apns-vrf
• ms-apn-no-vrf
• net-apn-no-vrf
c-gsn
The IP address.
u-gsn
The IP address.
nsapi
The NSAPI number.
linked-nsapi
The linked-NSAPI number.
imei-sv
The IMEI-SV information.
rat-type
This field contains any one of the following:
• utran
• gan
• geran
• hspa
• wlan
rai
The RAI information.
uli
The ULI information.
end-user-address
The end-user’s IP address.
41219
Message ID
41219
Log Subtype
GTP
Severity
Information
Firmware version
FortiOS Carrier 4.0 MR3
Meaning
GTP state invalid
Fields
Field Description
vd
The name of the virtual domain where the action occurred in.
If no virtual domains exist, this field always contains root.
profile
The name of the VoIP profile that was used to detect and take
action.
status
This field always contains state-invalid. This means the
message is blocked because the FortiGate unit found no valid
state. For example, a response message comes in and the
FortiGate unit detects no corresponding request message.
version
The version number.
msg-type
The number of the message type.
carrier_ep
The FortiOS Carrier end-point identification. For example, it
would display MSISDN of the phone that sent the MMS
message. This field will always display N/A in FortiOS.
from
The source IP address.
to
The destination IP address.
imsi
The IMSI information.
msisdn
The MSISDN information.
apn
The APN information.
selection
This field contains any one of the following:
• apns-vrf
• ms-apn-no-vrf
• net-apn-no-vrf
c-gsn
The IP address.
u-gsn
The IP address.
nsapi
The number of NSAPI.
linked-nsapi
The number of linked-NSAPI.
imei-sv
The IMEI-SV information.
rat-type
This field contains any one of the following:
• utran
• gan
• geran
• hspa
• wlan
rai
The RAI information.
uli
The ULI information.
end-user-address
The end-user’s IP address.
41220
Message ID
41220
Log Subtype
GTP
Severity
Information
Firmware version
FortiOS Carrier 4.0 MR3
Meaning
Tunnel limit GTP message. These messages occur only when the
maximum number of GTP tunnels is reached. No new tunnels are
created when the maximum number is reached.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no
virtual domains exist, this field always contains root.
profile
The name of the VoIP profile that was used to detect and take
action.
status
This field contains any one of the following:
• forwarded
• prohibited
• rate-limited
• state-invalid
• tunnel-limited
• traffic-count
• user-data
version
The version number.
msg-type
The number of the message type.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This
field will always display N/A in FortiOS.
from
The source IP address.
to
The destination IP address.
imsi
The IMSI information.
msisdn
The MSISDN information.
apn
The APN information.
selection
This field contains any one of the following:
• apns-vrf
• ms-apn-no-vrf
• net-apn-no-vrf
c-gsn
The IP address.
u-gsn
The IP address.
nsapi
The number of NSAPI.
linked-nsapi
The number of linked-NSAPI.
imei-sv
The IMEI-SV information.
rat-type
This field contains any one of the following:
• utran
• gan
• geran
• hspa
• wlan
rai
The RAI information.
uli
The ULI information.
end-user-address
The end-user’s IP address.
41221
Message ID
41221
Log Subtype
GTP
Severity
Information
Firmware version
FortiOS Carrier 4.0 MR3
Meaning
Statistic summary information when the GTP tunnel is being torn
down.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no
virtual domains exist, this field always contains root.
profile
The name of the VoIP profile that was used to detect and take
action.
status
This field contains any one of the following:
• forwarded
• prohibited
• rate-limited
• state-invalid
• tunnel-limited
• traffic-count
• user-data
version
The version number.
c-sgsn
The SGSN IP address for signaling.
c-ggsn
The GGSN IP address for signaling.
u-sgsn
The SGSN IP address for user traffic.
u-ggsn
The GGSN IP address for user traffic.
c-sgsn-teid
The identification number.
c-ggsn-teid
The identification number.
u-sgsn-teid
The identification number.
u-ggsn-teid
The identification number.
tunnel-idx
The tunnel’s identity index number.
duration
The duration of the GTP tunnel’s existence. The duration is in
seconds.
c-pkts
The number of GTP-c packets.
c-bytes
The number of bytes for GTP-c signaling traffic.
u-pkts
The number of GTP-u packets.
u-bytes
The number of bytes for GTP-u user traffic.
imsi
The IMSI information.
msisdn
The MSISDN information.
apn
The APN information.
selection
This field contains any one of the following:
• apns-vrf
• ms-apn-no-vrf
• net-apn-no-vrf
nsapi
The NSAPI information.
linked-nsapi
The linked-NSAPI information.
imei-sv
The IMEI-SV information.
rat-type
This field contains any one of the following:
• utran
• gan
• geran
• hspa
• wlan
rai
The RAI information.
uli
The ULI information.
end-user-address
The end-user’s IP address.
41222
Message ID
41222
Log Subtype
GTP
Severity
Information
Firmware version
FortiOS Carrier 4.0 MR3
Meaning
GTP user data
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If
no virtual domains exist, this field always contains root.
profile
The name of the VoIP profile that was used to detect and take
action.
status
This field contains any one of the following:
• forwarded
• prohibited
• rate-limited
• state-invalid
• tunnel-limited
• traffic-count
• user-data
version
The version number.
tunnel-idx
The tunnel’s identity index number.
from
The source IP address.
to
The destination IP address.
end-user-address
The end-user’s IP address.
imsi
The IMSI information.
msisdn
The MSISDN information.
apn
The APN information.
user_data
The actual user traffic content, represented in hexadecimal form.
Event-MMS-Stats
Event-MMS log messages record MMS activity. These log messages are recorded only when running
FortiOS Carrier firmware.
43264
Message ID
43264
Log Sub-type
MMS
Severity
Information
Firmware version
FortiOS Carrier 4.0 MR3
Meaning
MMS statistics.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
proto
The MMS protocol that was used. This field can be any one of the following:
• mm1
• mm3
• mm4
• mm7
infected
The number of infected messages.
suspicious
The number of suspicious messages.
scanned
The number of scanned messages.
intercepted
The number of intercepted messages.
blocked
The number of blocked messages.
checksum
The number of content checksum blocked messages.
duration
The duration of the interval this counts over.
Event-VoIP
Event-VoIP log messages record VoIP activities that include the SIP and SCCP protocols.
44032
44033
44034
44035
44036
44037
44038
44032
Message ID
44032
Log Subtype
VoIP
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
A SIP log.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no
virtual domains exist, this field always contains root.
session_id
The session identification number.
epoch
The user session identification number.
event_id
The event’s serial identification number.
src
The source IP address.
src_port
The source port number.
dst
The destination IP address.
dst_port
The destination port number.
proto
The transport protocol number.
src_int
The source interface.
dst_int
The destination interface.
policy_id
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate unit will
have an index number of zero.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
endpoint
The endpoint information.
profile
The name of the VoIP profile that was used to detect the SIP activity.
profile_group
The group that the profile is part of. This field contains N/A if there is no
profile group configured.
profile_type
The type of profile used.
voip_proto
The VoIP application protocol that was detected. This field contains
either sip or sccp.
kind
This field contains any one of the following:
• register
• call-info
• unregister
• call-block
• call
action
This field contains any one of the following:
• permit
• cm-reject
• block
• exempt
• monitor
• ban
• kickout
• ban-user
• encrypt-kickout
• log-only
status
This field contains any one of the following:
• start
• succeeded
• end
• failed
• timeout
• authentication-required
• blocked
duration
This represents the value in seconds.
dir
The direction of the traffic. This field contains either inbound or
outbound.
from
The source name.
to
The destination name.
44033
Message ID
44033
Log Subtype
VoIP
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
SIP was blocked.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
session_id
The session identification number.
epoch
The user session identification number.
event_id
The event’s serial identification number.
src
The source IP address.
src_port
The source port number.
dst
The destination IP address.
dst_port
The destination port number.
proto
The transport protocol number.
src_int
The source interface.
dst_int
The destination interface.
policy_id
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate unit will have an
index number of zero.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
endpoint
The endpoint information.
profile
The name of the VoIP profile that was used to detect the SIP activity.
profile_group
The name of the profile group. This is for FortiOS Carrier only.
profile_type
The type of profile that was used.
voip_proto
The VoIP application protocol that was detected. This field contains either
sip or sccp.
kind
This field contains any one of the following:
• register
• call-info
• unregister
• call-block
• call
action
This field contains any one of the following:
• permit
• cm-reject
• block
• exempt
• monitor
• ban
• kickout
• ban-user
• encrypt-kickout
• log-only
status
This field contains any one of the following:
• start
• succeeded
• end
• failed
• timeout
• authentication-required
• blocked
reason
This field contains any one of the following:
• rate-limit
• dialog-limit
• long-header
• unrecognized-form
• unknown
• block-request
• phone
• session-close
• new-register
• invalid-ip
• exceed-rate
duration
This represents the value in seconds.
dir
The direction of the traffic. This field contains either inbound or outbound.
message_type
The type of message. This field contains either request or response.
request_name
The name of the request.
count
The number of times the same event was detected within a short period of
time.
from
The source name.
to
The destination name.
44034
Message ID
44034
Log Subtype
VoIP
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
SIP fuzzing occurred.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
session_id
The session identification number.
epoch
The user session identification number.
event_id
The event’s identification serial number.
src
The source IP address.
src_port
The source port number.
dst
The destination IP address.
dst_port
The destination port number.
proto
The transport protocol number.
src_int
The source interface.
dst_int
The destination interface.
policy_id
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate unit will have an
index number of zero.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
endpoint
The endpoint information.
profile
The name of the VoIP profile that was used to detect the SIP activity.
profile_group
The group that the profile is part of. This field contains N/A if there is no
profile group configured. Profile groups are only available in FortiOS Carrier.
profile_type
The type of profile used.
voip_proto
The VoIP application protocol that was detected. This field contains either
sip or sccp.
kind
This field contains any one of the following:
• register
• call-info
• unregister
• call-block
• call
action
This field contains any one of the following:
• permit
• cm-reject
• block
• exempt
• monitor
• ban
• kickout
• ban-user
• encrypt-kickout
• log-only
duration
This represents the value in seconds.
dir
The direction of the traffic. This field contains either inbound or outbound.
message_type
The type of message. This field contains either request or response.
request_name
The request name.
malform_desc
The description of the syntax error. This field contains any one of the
following:
• unexpected-character
• invalid-quoting-character
• trailing-bytes
• header-line-oversize
• msg-body-oversize
• domain-name-oversize
• domain-label-oversize
• syntax-malformed
• duplicated-sip-header
• space-violation
• invalid-ip4-address
• invalid-ipv6-address
• invalid-port
• invalid-fqdn
• no-matching-double-quote
• empty-quoted-string
• invalid<userinfo>
• invalid-escape-encodingin<userinfor>
• invalid-escape-encoding-in-uriparamter
• invalid-escape-encoding-in-uriheader
• invalid-escape-encoding-in<reasonphrase>
• port-expected
• port-not-allowed
• domain-name-invalid
• <gen-value>-expected
• invalid-<gen-value>
• invalid-<quoted-string>-in-<gen-value>
• ipv4-address-expected
• ipv6-address-expected
• uri-expected
• invalid-transport-uri-parameter
• invalid-user-uri-parameter
• invalid-method-uri-parameter
• invalid-ttl-uri-parameter
• invalid-uri-parameter-pname
• invalid-uri-parameter-value
• uri-parameter-repeat
• invalid-uri-header-name
• invalid-uri-header-value
• invalid-uri-header-name-valuepair
• invalid-quoted-string-in-display-name
• left-angle-bracket-is-mandatory
• right-angle-bracket-not-found
• invalid-status-code
• no-METHOD-on-request-line
• uri-parameters-not-allowed-byRFC
• unknown-scheme
• whitespace-expected
• LWS-expected
• invalid-<SIP-Version>-onrequest-line
• invalid-<protocol-name>
• invalid-<protocol-version>
• invalid-<transport>
• no-SLASH-after-<protocolname>
• no-SLASH-after-<protocol-version>
• header-parameter-expected
• invalid-ttl-parameter
• invalid-madddr-parameter
• invalid-received-parameter
• invalid-branch-parameter
• invalid-rport-parameter
• via-parameter-repeat
• <seq>-number-expected
• <method>-expected
• <method>-does-not-match-therequest-line
• <response-num>-expected
• <CSeq-num>-expected
• <Method>-expected-after<CSeq-num>
• expires-header-repeated
• <delta-seconds>expected
• invalid-max-forwards
• token-expected
• invalid-expires-parameter
• invalid-q-parameter
• <generic-param>-with-invalid<genvalue>
• <m-type>-expected
• SLASH-expected-after-<m-type>
• <m-subtype>expected
• <m-attribute>-expected-after-SEMI
• boundary-parameter-appearsmore-than-once
• EQUAL-expected-after-<m-attribute>
• invalid-<quoted-string>-in-<mvalue>
• invalid-<m-value>
• multipart-Content-Type-has-no-boundary
• digits-expected
• IN-expected
• IP-expected
• IP4-or-IP6-expected
• IPv4-or-IPv6-address-expected
• line-order-error
• z-line-not-allowed-on-media-level
• <time>-expected
• <typed-time>-expected
• r-line-not-allowed-on-medialevel
• <repeat-interval>-expected
• <bwtype>-expected
• colon-expected
• <bandwidth>-expected
• t-liine-not-allowed-on-media-level
• invalid-<start-time>
• invalid<stop-time>
• too-many-i-lines
• <text>-expected
• too-many-c-lines
• too-many-v-line
• v-line-not-allowed-on-medialevel
• too-many-o-lines
• o-line-not-allowed-on-medialevel
• <username>-expected
• <sess-id>-expected
• <sess-version>-expected
• too-many-s-lines
• s-line-not-allowed-on-media-level
• too-many-m-lines
• <media>-expected
• <integer>-expected
• <proto>-expected
• <token>-expected-in-<proto>after-slash
• <fmt>-expected
• <att-field>-expected
• <att-value>-expected
• <payload-type>-expected-inrtpmap
• <encoding-name>-expected-in-rtpmap
• slash-expected-after<encoding-name>-in-rtpmap
• invalid-<clock-rate>-in-rtpmap
• invalid-<encodingparameters>-in-rtpmap
• invalid-candidate-line
• sdp-candidate-line-before-mline
• sip-Yahoo-candidate-invalid-protocol
• invalid-port-after-ip-address-incandidate-line
• too-many-candidate-lines
• sdp-invalid-alt-line
• sdp-alt-line-before-m-line
• invalid-port-after-ip-address-inalt-line
• sdp-rtcp-line-before-m-line
• invalid-port-in-rtcp-lines
• too-many-rtcp-lines
• <callid>-expected
• <word>-expected
• invalid-tag-parameter
• no-tag-parameter
• sdp-v-o-s-t-lines-are-mandatory
• unknown-header
• end-of-line-error
• sip-udp-message-truncated
• missing-mandatory-field
malform_data
The number of the malform data.
line
The line information.
column
The column number.
44035
Message ID
44035
Log Subtype
VoIP
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
SCCP registration
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
session_id
The session identification number.
epoch
The user session identification number.
event_id
The event’s serial identification number.
src
The source IP address.
proto
The transport protocol number.
src_int
The source interface.
policy_id
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate unit will have an
index number of zero.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
endpoint
The endpoint information.
profile
The name of the VoIP profile that was used to detect the SIP activity.
profile_group
The group that the profile is part of. This field contains N/A if there is no
profile group configured. Profile groups are only available in FortiOS
Carrier.
profile_type
The type of profile used.
voip_proto
The VoIP protocol that was detected. This field contains either sip or sccp.
kind
This field contains any one of the following:
• register
• call-info
• unregister
• call-block
• call
action
This field contains any one of the following:
• permit
• cm-reject
• block
• exempt
• monitor
• ban
• kickout
• ban-user
• encrypt-kickout
• log-only
status
This field contains any one of the following:
• start
• succeeded
• end
• failed
• timeout
• authentication-required
• blocked
phone
The phone information.
44036
Message ID
44036
Log Subtype
VoIP
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
SCCP unregister
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
session_id
The session identification number.
epoch
The user session identification number.
event_id
The event’s serial identification number
src
The source IP address.
proto
The transport protocol number.
src_int
The source interface.
policy_id
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate unit will have an
index number of zero.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
endpoint
The endpoint information.
profile
The name of the VoIP profile that was used to detect the VoIP activity.
profile_group
The group that the profile is part of. This field contains N/A if there is no
profile group configured.
profile_type
The type of profile used.
voip_proto
The VoIP protocol that was detected. This field contains either sip or sccp.
kind
This field contains any one of the following:
• register
• call-info
• unregister
• call-block
• call
action
This field contains any one of the following:
• permit
• cm-reject
• block
• exempt
• monitor
• ban
• kickout
• ban-user
• encrypt-kickout
• log-only
status
This field contains any one of the following:
• start
• succeeded
• end
• failed
• timeout
• authentication-required
• blocked
reason
This field contains any one of the following:
• rate-limit
• block-request
• dialog-limit
• phone
• long-header
• session-close
• unrecognized-form
• new-register
• unknown
• invalid-ip
• exceed-rate
phone
The phone information.
44037
Message ID
44037
Log Subtype
VoIP
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
SCCP call block
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
session_id
The session identification number.
epoch
The user session identification number.
event_id
The event’s serial identification number.
src
The source IP address.
proto
The transport protocol number.
src_int
The source interface.
policy_id
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate unit will have an
index number of zero.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
endpoint
The endpoint information.
profile
The name of the VoIP profile that was used to detect the VoIP activity.
profile_group
The group that the profile is part of. This field contains N/A if there is no
profile group configured. Profile groups are only available in FortiOS
Carrier.
profile_type
The type of profile used.
voip_proto
The VoIP protocol that was detected. This field contains either sip or sccp.
kind
This field contains any one of the following:
• register
• call-info
• unregister
• call-block
• call
action
This field contains any one of the following:
• permit
• cm-reject
• block
• exempt
• monitor
• ban
• kickout
• ban-user
• encrypt-kickout
• log-only
status
This field contains any one of the following:
• start
• succeeded
• end
• failed
• timeout
• authentication-required
• blocked
reason
This field contains any one of the following:
• rate-limit
• block-request
• dialog-limit
• phone
• long-header
• session-close
• unrecognized-form
• new-register
• unknown
• invalid-ip
• exceed-rate
phone
The phone information.
44038
Message ID
44038
Log Subtype
VoIP
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
SCCP call info
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
session_id
The session identification number.
epoch
The user session identification number.
event_id
The event’s serial identification number
src
The source IP address.
src_port
The source port number.
dst
The destination IP address.
dst_port
The destination port number.
proto
The transport protocol number.
src_int
The source interface.
dst_int
The destination interface.
policy_id
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate unit will have an
index number of zero.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
endpoint
The endpoint information.
profile
The name of the VoIP profile that was used to detect the VoIP activity.
profile_group
The group that the profile is part of. This field contains N/A if there is no
profile group configured.
profile_type
The type of profile used.
voip_proto
The VoIP protocol that was detected. This field contains either sip or sccp.
kind
This field contains any one of the following:
• register
• call-info
• unregister
• call-block
• call
action
This field contains any one of the following:
• permit
• cm-reject
• block
• exempt
• monitor
• ban
• kickout
• ban-user
• encrypt-kickout
• log-only
status
This field contains any one of the following:
• start
• succeeded
• end
• failed
• timeout
• authentication-required
• blocked
duration
This represents the value in seconds.
phone
The phone information.
Data Leak Prevention
Data Leak Protection (DLP) log messages are log messages that record data leaks. These logs provide
additional information to help administrators better analyze and detect data leaks.
In FortiOS 4.0 MR3 and higher, DLP log messages are located in the UTM log file. These log messages can
also be viewed in the web-based manager from Log&Report > Log & Archive Access > UTM.
24576
24577
24578
24579
24576
Message ID
24576
Log Subtype
DLP
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
A data leak was detected by a specified DLP sensor rule.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
policyid
The ID number of the firewall policy that applies to the session or packet. Any
policy that is automatically added by the FortiGate will have an index number
of zero.
custom
The log field that a user has created. This is referred to as a custom log field
because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero if the
firewall policy does not use an identity-based policy; otherwise, it displays the
number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall
policy.
serial
The serial number of the firewall session on which the event happened.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
src
The source IP address.
sport
The source port number.
src_port
The source port number.
src_int
The source interface.
dst
The destination IP address.
dport
The destination port number.
dst_port
The destination port number.
dst_int
The destination interface. For example, wan1.
service
This field contains one of the following:
• http
• mm4
• https
• mm7
• smtp
• nntp
• pop3
• im
• imap
• smtps
• ftp
• pop3s
• mm1
• imaps
• mm3
• ftp (ftp-over-http)
status
The action the FortiGate unit took. This field contains any of the following:
• detected
• blocked
• success
• error
filefilter
The type of file filter. This field contains any one of the following:
• none
• file pattern
• file type
filetype
The type of file, for example, a zip file. This field contains any one of the
following:
• arj
• cab
• tzh
• rar
• tar
• zip
• bzip
• gzip
• bzip2
• bat
• msc
• uue
• mime
• base64
• binhex
• com
• elf
• exe
• hta
• html
• jad
• class
• cod
• javascript
• msoffice
• fsg
• upx
• petite
• aspack
• prc
• sis
• hlp
• activemime
• jpeg
• gif
• tiff
• png
• bmp
• ignored
• unknown
• N/A
sent
The total number of bytes sent.
rcvd
The total number of bytes received.
hostname
The home page of the web site. For example, www.example.com
url
The URL address of the web page that the user was viewing.
from
The sender’s email address.
to
The receiver’s email address.
msg
The log message information. This is usually a sentence and explains the
activity and/or action taken.
rulename
The name of the DLP rule within the DLP sensor.
compoundname
The name of the compound rule used.
filtername
The name of the filter.
file
The file information.
action
The action that was specified within the rule. In some rules within sensors,
you can specify content archiving. If no log type is specified, this field
displays log-only.
This field contains any one of the following:
• log-only
• ban sender
• block
• quarantine ip
• exempt
• quarantine interface
• ban
severity
The level of severity for that specific rule.
24577
Message ID
24577
Log Subtype
DLP
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
A data leak was detected by a specified DLP sensor rule.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
policyid
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
custom
The log field that a user has created. This is referred to as a custom log field
because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero if
the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique, it is only locally unique within
a given firewall policy.
serial
The serial number of the firewall session on which the event happened.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
src
The source IP address.
sport
The source port number.
src_port
The source port number.
src_int
The source interface.
dst
The destination IP address.
dport
The destination port number.
dst_port
The destination port number.
dst_int
The destination interface. For example, wan1.
service
This field contains one of the following:
• http
• mm4
• https
• mm7
• smtp
• nntp
• pop3
• im
• imap
• smtps
• ftp
• pop3s
• mm1
• imaps
• mm3
• ftp (ftp-over-http)
status
The action the FortiGate unit took. This field contains any one of the
following:
• detected
• blocked
• success
• error
filefilter
The type of file filter. This field contains any one of the following:
• none
• file pattern
• file type
filetype
The type of file, for example, a zip file. This field contains any one of the
following:
• arj
• cab
• tzh
• rar
• tar
• zip
• bzip
• gzip
• bzip2
• bat
• msc
• uue
• mime
• base64
• binhex
• com
• elf
• exe
• hta
• html
• jad
• class
• cod
• javascript
• msoffice
• fsg
• upx
• petite
• aspack
• prc
• sis
• hlp
• activemime
• jpeg
• gif
• tiff
• png
• bmp
• ignored
• unknown
• N/A
sent
The total number of bytes sent.
rcvd
The total number of bytes received.
hostname
The home page of the web site. For example, www.example.com.
url
The URL address of the web page that the user was viewing.
from
This field contains N/A.
to
This field contains N/A.
msg
data leak detected(Data Leak Prevention Rule matched)
rulename
The name of the DLP rule that was used.
compoundname
The name of the compound rule used.
filtername
The name of the filter.
file
The file information.
action
The action that was specified within the rule. In some rules within sensors,
you can specify content archiving. If no log type is specified, this field
displays log-only.
This field contains one of the following:
• log-only
• ban sender
• block
• quarantine ip
• exempt
• quarantine interface
• ban
severity
The level of severity for that specific rule.
24578
Message ID
24578
Log Subtype
DLP
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
A DLP fingerprint document source notice.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
status
The action the FortiGate unit took. This field contains any one of the
following:
• detected
• blocked
• success
• error
msg
The log message information. This is usually a sentence and explains the
activity and/or action taken.
sensitivity
The document source.
docsource
The document source.
errorstr
The error information, if there was an error in scanning the document
source.
24579
Message ID
24579
Log Subtype
DLP
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
A DLP fingerprint document source error.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
status
The action the FortiGate unit took. This field contains any one of the
following:
• detected
• blocked
• success
• error
msg
The log message information. This is usually a sentence and explains the
activity and/or action taken.
sensitivity
The document source.
docsource
The document source.
errorstr
The error information, if there was an error in scanning the document
source.
Application Control
Application Control log messages are log messages that record application control protocols and events.
In FortiOS 4.0 MR3 and higher, application control log messages are located in the UTM log file. These log
messages can also be viewed in the web-based manager from Log&Report > Log & Archive Access > UTM.
28672
28673
28674
28675
28676
28677
28678
28688
28689
28690
28704
28705
28672
Message ID
28672
Log Subtype
app-crtl-all
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
An application control IM-basic log message.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no
virtual domains exist, this field always contains root.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field
will always display N/A in FortiOS.
kind
This field can be any one of the following:
• login
• chat
• file
• photo
• audio
• call
• regist
• unregister
• call-block
• request
• response
profilegroup
The group that the profile is part of. This field contains N/A if there is no
profile group configured. Profile groups are only available in FortiOS
Carrier.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
profile
The name of the profile that was used to detect and take action.
dir
This field can be any one of the following:
• incoming
• outgoing
• N/A
src
The source IP address.
src_port
The source port number.
src_int
The source interface name. For example, internal.
dst
The destination IP address.
dst_port
The destination port number.
dst_int
The destination interface name. For example, wan1.
src_name
The source name. This can be a name or an IP address.
dst_name
The destination name. This can be a name or an IP address.
proto
The protocol number that applies to the session or packet. This is the
protocol number in the packet header that identifies the next level
protocol. Protocol numbers are assigned by the Internet Assigned
Number Authority (IANA).
service
The service where the event or activity occurred.
policyid
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will
have an index number of zero.
custom
The log field that a user has created. This is referred to as a custom log
field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero
if the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique, it is only locally unique
within a given firewall policy.
serial
The serial number of the firewall session on which the event happened.
app_list
The name of the application control list that was used to detect and
take action. For example, the default application control list, monitor-all.
app_type
The type of application that triggered the action within the control list.
app
The name of the application that triggered the action within the control
list. For example, SSL.
action
The action that was taken by the application control engine. This field
can be any one of the following:
• pass
• block
• monitor
• kickout
• encrypt-kickout
• reject
28673
Message ID
28673
Log Subtype
app-crtl-all
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
An application control IM log message.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field will
always display N/A in FortiOS.
kind
This field can be any one of the following:
• login
• chat
• file
• photo
• audio
• call
• regist
• unregister
• call-block
• request
• response
• video
profilegroup
The group that the profile is part of. This field contains N/A if there is no
profile group configured. Profile groups are only available in FortiOS
Carrier.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
profile
The name of the profile that was used to detect and take action.
dir
This field can be any one of the following:
• incoming
• outgoing
• N/A
src
The source IP address.
src_port
The source port number.
src_int
The source interface name. For example, internal.
dst
The destination IP address.
dst_port
The destination port number.
dst_int
The destination interface name. For example, wan1.
src_name
The source name. This can be a name or an IP address.
dst_name
The destination name. This can be a name or an IP address.
proto
The protocol number that applies to the session or packet. This is the
protocol number in the packet header that identifies the next level
protocol. Protocol numbers are assigned by the Internet Assigned
Number Authority (IANA).
service
The service where the event or activity occurred.
policyid
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
custom
The log field that a user has created. This is referred to as a custom log
field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero if
the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique, it is only locally unique
within a given firewall policy.
serial
The serial number of the firewall session on which the event happened.
app_list
The name of the application control list that was used to detect and take
action. For example, the default application control list, monitor-all.
app_type
The type of application that triggered the action within the control list.
app
The name of the application that triggered the action within the control
list. For example, SSL.
action
The action that was taken by the application control engine. This field can
be any one of the following:
• pass
• block
• monitor
• kickout
• encrypt-kickout
• reject
status
This field can be any one of the following:
• request
• cancel
• accept
• fail
• download
• stop
• start
• end
• timeout
• blocked
• succeeded
• failed
• authentication-required
• pass
• block
28674
Message ID
28674
Log Subtype
app-crtl-all
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
An application control IM (chat message count) log message.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field will
always display N/A in FortiOS.
kind
This field can be any one of the following:
• login
• chat
• file
• photo
• audio
• call
• regist
• unregister
• call-block
• request
• response
• video
profilegroup
The group that the profile is part of. This field contains N/A if there is no
profile group configured. Profile groups are only available in FortiOS
Carrier.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
profile
The name of the profile that was used to detect and take action.
dir
This field can be any one of the following:
• incoming
• outgoing
• N/A
src
The source IP address.
src_port
The source port number.
src_int
The source interface name. For example, internal.
dst
The destination IP address.
dst_port
The destination port number.
dst_int
The destination interface name. For example, wan1.
src_name
The source name. This can be a name or an IP address.
dst_name
The destination name. This can be a name or an IP address.
proto
The protocol number that applies to the session or packet. This is the
protocol number in the packet header that identifies the next level
protocol. Protocol numbers are assigned by the Internet Assigned
Number Authority (IANA).
service
The service where the event or activity occurred.
policyid
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
custom
The log field that a user has created. This is referred to as a custom log
field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero if
the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique, it is only locally unique
within a given firewall policy.
serial
The serial number of the firewall session on which the event happened.
app_list
The name of the application control list that was used to detect and take
action. For example, the default application control list, monitor-all.
app_type
The type of application that triggered the action within the control list.
app
The name of the application that triggered the action within the control
list. For example, SSL.
action
The action that was taken by the application control engine. This field can
be any one of the following:
• pass
• block
• monitor
• kickout
• encrypt-kickout
• reject
count
The number of times the same event was detected within a short period
of time.
28675
Message ID
28675
Log Subtype
app-crtl-all
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
An application control IM (file) log message.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field will
always display N/A in FortiOS.
kind
This field can be any one of the following:
• login
• chat
• file
• photo
• audio
• call
• regist
• unregister
• call-block
• request
• response
• video
profilegroup
The group that the profile is part of. This field contains N/A if there is no
profile group configured. Profile groups are only available in FortiOS
Carrier.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
profile
The name of the profile that was used to detect and take action.
dir
This field can be any one of the following:
• incoming
• outgoing
• N/A
src
The source IP address.
src_port
The source port number.
src_int
The source interface name. For example, internal.
dst
The destination IP address.
dst_port
The destination port number.
dst_int
The destination interface name. For example, wan1.
src_name
The source name. This can be a name or an IP address.
dst_name
The destination name. This can be a name or an IP address.
proto
The protocol number that applies to the session or packet. This is the
protocol number in the packet header that identifies the next level
protocol. Protocol numbers are assigned by the Internet Assigned
Number Authority (IANA).
service
The service where the event or activity occurred.
policyid
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
custom
The log field that a user has created. This is referred to as a custom log
field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero if
the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique, it is only locally unique
within a given firewall policy.
serial
The serial number of the firewall session on which the event happened.
app_list
The name of the application control list that was used to detect and take
action. For example, the default application control list, monitor-all.
app_type
The type of application that triggered the action within the control list.
app
The name of the application that triggered the action within the control
list. For example, SSL.
action
The action that was taken by the application control engine. This field can
be any one of the following:
• pass
• block
• monitor
• kickout
• encrypt-kickout
• reject
status
This field can be any one of the following:
• request
• cancel
• accept
• fail
• download
• stop
• start
• end
• timeout
• blocked
• succeeded
• failed
• authentication-required
• pass
• block
filename
The name of the file.
filesize
The size of the file.
message
The log information. This is usually a sentence and explains the activity
and/or action taken.
28676
Message ID
28676
Log Subtype
app-crtl-all
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
An application control IM (chat) log message.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field will
always display N/A in FortiOS.
kind
This field can be any one of the following:
• login
• chat
• file
• photo
• audio
• call
• regist
• unregister
• call-block
• request
• response
• video
profilegroup
The group that the profile is part of. This field contains N/A if there is no
profile group configured. Profile groups are only available in FortiOS
Carrier.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
profile
The name of the profile that was used to detect and take action.
dir
This field can be any one of the following:
• incoming
• outgoing
• N/A
src
The source IP address.
src_port
The source port number.
src_int
The source interface name. For example, internal.
dst
The destination IP address.
dst_port
The destination port number.
dst_int
The destination interface name. For example, wan1.
src_name
The source name. This can be a name or an IP address.
dst_name
The destination name. This can be a name or an IP address.
proto
The protocol number that applies to the session or packet. This is the
protocol number in the packet header that identifies the next level
protocol. Protocol numbers are assigned by the Internet Assigned
Number Authority (IANA).
service
The service where the event or activity occurred.
policyid
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
custom
The log field that a user has created. This is referred to as a custom log
field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero if
the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique, it is only locally unique
within a given firewall policy.
serial
The serial number of the firewall session on which the event happened.
app_list
The name of the application control list that was used to detect and take
action. For example, the default application control list, monitor-all.
app_type
The name of the application control list that was used to detect and take
action. For example, the default application control list, monitor-all.
app
The type of application that triggered the action within the control list.
action
The action that was taken by the application control engine. This field can
be any one of the following:
• pass
• block
• monitor
• kickout
• encrypt-kickout
• reject
count
The number of times the same event was detected within a short period
of time.
content
The content information.
28677
Message ID
28677
Log Subtype
app-crtl-all
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
An application control IM (chat blocked) log message.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field will
always display N/A in FortiOS.
kind
This field can be any one of the following:
• login
• chat
• file
• photo
• audio
• call
• regist
• unregister
• call-block
• request
• response
• video
profilegroup
The group that the profile is part of. This field contains N/A if there is no
profile group configured. Profile groups are only available in FortiOS
Carrier.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
profile
The name of the profile that was used to detect and take action.
dir
This field can be any one of the following:
• incoming
• outgoing
• N/A
src
The source IP address.
src_port
The source port number.
src_int
The source interface name. For example, internal.
dst
The destination IP address.
dst_port
The destination port number.
dst_int
The destination interface name. For example, wan1.
src_name
The source name. This can be a name or an IP address.
dst_name
The destination name. This can be a name or an IP address.
proto
The protocol number that applies to the session or packet. This is the
protocol number in the packet header that identifies the next level
protocol. Protocol numbers are assigned by the Internet Assigned
Number Authority (IANA).
service
The service where the event or activity occurred.
policyid
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
custom
The log field that a user has created. This is referred to as a custom log
field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero if
the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique, it is only locally unique
within a given firewall policy.
serial
The serial number of the firewall session on which the event happened.
app_list
The name of the application control list that was used to detect and take
action. For example, the default application control list, monitor-all.
app_type
The type of application that triggered the action within the control list.
app
The name of the application that triggered the action within the control
list. For example, SSL.
action
The action that was taken by the application control engine. This field can
be any one of the following:
• pass
• block
• monitor
• kickout
• encrypt-kickout
• reject
count
The number of times the same event was detected within a short period
of time.
reason
This field contains any one of the following:
• meter-overload-drop
• meter-overload-refuse
• rate-limit
• dialog-limit
• long-header
• unrecognized-form
• unknown
• block-request
• invalid-ip
• exceed-rate
req
The request information.
28678
Message ID
28678
Log Subtype
app-crtl-all
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
An application control IM (blocked) log message.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field will
always display N/A in FortiOS.
kind
This field can be any one of the following:
• login
• chat
• file
• photo
• audio
• call
• regist
• unregister
• call-block
• request
• response
• video
profilegroup
The group that the profile is part of. This field contains N/A if there is no
profile group configured. Profile groups are only available in FortiOS
Carrier.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
profile
The name of the profile that was used to detect and take action.
dir
This field can be any one of the following:
• incoming
• outgoing
• N/A
src
The source IP address.
src_port
The source port number.
src_int
The source interface name. For example, internal.
dst
The destination IP address.
dst_port
The destination port number.
dst_int
The destination interface name. For example, wan1.
src_name
The source name. This can be a name or an IP address.
dst_name
The destination name. This can be a name or an IP address.
proto
The protocol number that applies to the session or packet. This is the
protocol number in the packet header that identifies the next level
protocol. Protocol numbers are assigned by the Internet Assigned
Number Authority (IANA).
service
The service where the event or activity occurred.
policyid
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
custom
The log field that a user has created. This is referred to as a custom log
field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero if
the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique, it is only locally unique
within a given firewall policy.
serial
The serial number of the firewall session on which the event happened.
app_list
The name of the application control list that was used to detect and take
action. For example, the default application control list, monitor-all.
app_type
The type of application that triggered the action within the control list.
app
The name of the application that triggered the action within the control
list. For example, SSL.
action
The action that was taken by the application control engine. This field can
be any one of the following:
• pass
• block
• monitor
• kickout
• encrypt-kickout
• reject
28688
Message ID
28688
Log Subtype
app-crtl-all
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
An application control IM (VoIP basic) log message.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field will
always display N/A in FortiOS.
kind
This field can be any one of the following:
• login
• chat
• file
• photo
• audio
• call
• regist
• unregister
• call-block
• request
• response
• video
profilegroup
The group that the profile is part of. This field contains N/A if there is no
profile group configured. Profile groups are only available in FortiOS
Carrier.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
profile
The name of the profile that was used to detect and take action.
dir
This field can be any one of the following:
• incoming
• outgoing
• N/A
src
The source IP address.
src_port
The source port number.
src_int
The source interface name. For example, internal.
dst
The destination IP address.
dst_port
The destination port number.
dst_int
The destination interface name. For example, wan1.
src_name
The source name. This can be a name or an IP address.
dst_name
The destination name. This can be a name or an IP address.
proto
The protocol number that applies to the session or packet. This is the
protocol number in the packet header that identifies the next level
protocol. Protocol numbers are assigned by the Internet Assigned
Number Authority (IANA).
service
The service where the event or activity occurred.
policyid
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
custom
The log field that a user has created. This is referred to as a custom log
field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero if
the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique, it is only locally unique
within a given firewall policy.
serial
The serial number of the firewall session on which the event happened.
app_list
The name of the application control list that was used to detect and take
action. For example, the default application control list, monitor-all.
app_type
The type of application that triggered the action within the control list.
app
The name of the application that triggered the action within the control
list. For example, SSL.
action
The action that was taken by the application control engine. This field can
be any one of the following:
• pass
• block
• monitor
• kickout
• encrypt-kickout
• reject
status
This field can be any one of the following:
• request
• cancel
• accept
• fail
• download
• stop
• start
• end
• timeout
• blocked
• succeeded
• failed
• authentication-required
• pass
• block
28689
Message ID
28689
Log Subtype
app-crtl-all
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
An application control IM (SCCP call blocked) log message.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field will
always display N/A in FortiOS.
kind
This field can be any one of the following:
• login
• chat
• file
• photo
• audio
• call
• regist
• unregister
• call-block
• request
• response
• video
profilegroup
The group that the profile is part of. This field contains N/A if there is no
profile group configured. Profile groups are only available in FortiOS
Carrier.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
profile
The name of the profile that was used to detect and take action.
dir
This field can be any one of the following:
• incoming
• outgoing
• N/A
src
The source IP address.
src_port
The source port number.
src_int
The source interface name. For example, internal.
dst
The destination IP address.
dst_port
The destination port number.
dst_int
The destination interface name. For example, wan1.
src_name
The source name. This can be a name or an IP address.
dst_name
The destination name. This can be a name or an IP address.
proto
The protocol number that applies to the session or packet. This is the
protocol number in the packet header that identifies the next level
protocol. Protocol numbers are assigned by the Internet Assigned
Number Authority (IANA).
service
The service where the event or activity occurred.
policyid
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
custom
The log field that a user has created. This is referred to as a custom log
field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero if
the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique, it is only locally unique
within a given firewall policy.
serial
The serial number of the firewall session on which the event happened.
app_list
The name of the application control list that was used to detect and take
action. For example, the default application control list, monitor-all.
app_type
The type of application that triggered the action within the control list.
app
The name of the application that triggered the action within the control
list. For example, SSL.
action
The action that was taken by the application control engine. This field can
be any one of the following:
• pass
• block
• monitor
• kickout
• encrypt-kickout
• reject
status
This field can be any one of the following:
• request
• cancel
• accept
• fail
• download
• stop
• start
• end
• timeout
• blocked
• succeeded
• failed
• authentication-required
• pass
• block
phone
The phone information.
reason
This field contains any one of the following:
• meter-overload-drop
• meter-overload-refuse
• rate-limit
• dialog-limit
• long-header
• unrecognized-form
• unknown
• block-request
• invalid-ip
• exceed-rate
28690
Message ID
28690
Log Subtype
app-crtl-all
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
An application control IM (SIP block) log message.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field will
always display N/A in FortiOS.
kind
This field can be any one of the following:
• login
• chat
• file
• photo
• audio
• call
• regist
• unregister
• call-block
• request
• response
• video
profilegroup
The group that the profile is part of. This field contains N/A if there is no
profile group configured. Profile groups are only available in FortiOS
Carrier.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
profile
The name of the profile that was used to detect and take action.
dir
This field can be any one of the following:
• incoming
• outgoing
• N/A
src
The source IP address.
src_port
The source port number.
src_int
The source interface name. For example, internal.
dst
The destination IP address.
dst_port
The destination port number.
dst_int
The destination interface name. For example, wan1.
src_name
The source name. This can be a name or an IP address.
dst_name
The destination name. This can be a name or an IP address.
proto
The protocol number that applies to the session or packet. This is the
protocol number in the packet header that identifies the next level
protocol. Protocol numbers are assigned by the Internet Assigned
Number Authority (IANA).
service
The service where the event or activity occurred.
policyid
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
custom
The log field that a user has created. This is referred to as a custom log
field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero if
the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique, it is only locally unique
within a given firewall policy.
serial
The serial number of the firewall session on which the event happened.
app_list
The name of the application control list that was used to detect and take
action. For example, the default application control list, monitor-all.
app_type
The type of application that triggered the action within the control list.
app
The name of the application that triggered the action within the control
list. For example, SSL.
action
The action that was taken by the application control engine. This field can
be any one of the following:
• pass
• block
• monitor
• kickout
• encrypt-kickout
• reject
count
The number of times the same event was detected within a short period
of time.
reason
This field contains any one of the following:
• meter-overload-drop
• meter-overload-refuse
• rate-limit
• dialog-limit
• long-header
• unrecognized-form
• unknown
• block-request
• invalid-ip
• exceed-rate
req
The request information.
28704
Message ID
28704
Log Subtype
app-crtl-all
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
An application control IM (IPS) log message (pass).
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
attack_id
The identification number of the IM (IPS) log message.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
src
The source IP address.
src_port
The source port number.
src_int
The source interface name. For example, internal.
dst
The destination IP address.
dst_port
The destination port number.
dst_int
The destination interface name. For example, wan1.
src_name
The source name. This can be a name or an IP address.
dst_name
The destination name. This can be a name or an IP address.
profilegroup
The group that the profile is part of. This field contains N/A if there is no
profile group configured. Profile groups are only available in FortiOS
Carrier.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
profile
The name of the profile that was used to detect and take action.
proto
The protocol number that applies to the session or packet. This is the
protocol number in the packet header that identifies the next level
protocol. Protocol numbers are assigned by the Internet Assigned
Number Authority (IANA).
service
The service where the event or activity occurred.
policyid
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
custom
The log field that a user has created. This is referred to as a custom log
field because the name can be anything, for example, hq.
serial
The serial number of the firewall session on which the event happened.
app_list
The name of the application control list that was used to detect and take
action. For example, the default application control list, monitor-all.
app_type
The type of application that triggered the action within the control list.
app
The name of the application that triggered the action within the control
list. For example, SSL.
action
The action that was taken by the application control engine. This field can
be any one of the following:
• pass
• block
• monitor
• kickout
• encrypt-kickout
• reject
count
The number of times the same event was detected within a short period
of time.
msg
The log message information. This is usually a sentence and explains the
activity and/or action taken.
28705
Message ID
28705
Log Subtype
app-crtl-all
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
An application control IM (IPS) log message (pass).
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
attack_id
The identification number of the IM (IPS) log message.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
src
The source IP address.
src_port
The source port number.
src_int
The source interface name. For example, internal.
dst
The destination IP address.
dst_port
The destination port number.
dst_int
The destination interface name. For example, wan1.
src_name
The source name. This can be a name or an IP address.
dst_name
The destination name. This can be a name or an IP address.
profilegroup
The group that the profile is part of. This field contains N/A if there is no
profile group configured. Profile groups are only available in FortiOS
Carrier.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
profile
The name of the profile that was used to detect and take action.
proto
The protocol number that applies to the session or packet. This is the
protocol number in the packet header that identifies the next level
protocol. Protocol numbers are assigned by the Internet Assigned
Number Authority (IANA).
service
The service where the event or activity occurred.
policyid
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
custom
The log field that a user has created. This is referred to as a custom log
field because the name can be anything, for example, hq.
serial
The serial number of the firewall session on which the event happened.
app_list
The name of the application control list that was used to detect and take
action. For example, the default application control list, monitor-all.
app_type
The type of application that triggered the action within the control list.
app
The name of the application that triggered the action within the control
list. For example, SSL.
action
The action that was taken by the application control engine. This field can
be any one of the following:
• pass
• block
• monitor
• kickout
• encrypt-kickout
• reject
count
The number of times the same event was detected within a short period
of time.
msg
The log message information. This is usually a sentence and explains the
activity and/or action taken.
Antivirus
Antivirus log messages record actual viruses that are contained in an email, as well as anything that
appears similar to a virus or is otherwise suspicious, such as in a file or in an email.
In FortiOS 4.0 MR3 and higher, antivirus log messages are located in the UTM log file. These log messages
can also be viewed in the web-based manager from Log&Report > Log & Archive Access > UTM.
8192 8193 8194 8195 8196 8197 8198 8199 8448 8449 8450 8451 8452 8453 8454 8455 8456
8704 8704 8705 8706 8707 8960 8961 8962 8963 8964 8965 8966 8967 8968 8969 8970 8971
8972 8973
8192
Message ID
8192
Log Subtype
Infected
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
An infected file was detected by the FortiGate unit and blocked.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no
virtual domains exist, this field always contains root.
msg
File is infected
status
The decision of the antivirus engine on how to treat the file. This field
contains any one of the following:
• blocked
• passthrough
• monitored
service
The type of protocol that was used to send and receive the traffic. This
field contains any one of the following:
• http
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• nntp
• im
• smtps
• https
• pop3s
• imaps
• http (ftp-over-http)
src
The source IP address.
dst
The destination IP address.
sport
The source port number.
src_port
The source port number.
dport
The destination port number.
dst_port
The destination port number.
src_int
The source interface. For example, internal.
dst_int
The destination interface. For example, wan1.
policyid
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will
have an index number of zero.
custom
The log field that a user has created. This is referred to as a custom log
field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero
if the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique, it is only locally unique
within a given firewall policy.
serial
The serial number of the firewall session on which the event happened.
dir
This field contains any one of the following:
• N/A
• tx
• rx
file
The name of the file.
checksum
The checksum of the file that was scanned by the FortiGate unit. If two
files have different names but the same checksum, the FortiGate unit
assumes that they have the same content.
quarskip
This field contains any one of the following:
• No skip
• No quarantine for HTTP
• GET file pattern block
• No quarantine for oversized files.
• File was not quarantined.
virus
The name of the virus that was detected.
dtype
The dtype information.
ref
The URL reference that gives more information about the virus. If you
enter the URL in the address bar of the web browser, you are directed
to the specific page that contains information about the virus.
url
The URL address of where the file was acquired.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field
will always display N/A in FortiOS.
profile
The name of the profile that was used to detect and take action.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
profilegroup
The group that the profile is a part of. This field contains N/A if there is
no profile group configured. Profile groups are only available in FortiOS
Carrier.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
agent
This field is for FortiOS Carrier only. If the unit is not running FortiOS
Carrier, this field always contains N/A.
from
The sender’s email address.
to
The recipient’s email address.
8193
Message ID
8193
Log Subtype
Infected
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
An infected file was detected by the FortiGate unit and it passed.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no
virtual domains exist, this field always contains root.
msg
File is infected
status
The decision of the antivirus engine on how to treat the file. This field
contains any one of the following:
• blocked
• passthrough
• monitored
service
The type of protocol that was used to send and receive the traffic. This
field contains any one of the following:
• http
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• nntp
• im
• smtps
• https
• pop3s
• imaps
• http (ftp-over-http)
src
The source IP address.
dst
The destination IP address.
sport
The source port number.
src_port
The source port number.
dport
The destination port number.
dst_port
The destination port number.
src_int
The source interface. For example, internal.
dst_int
The destination interface. For example, wan1.
policyid
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will
have an index number of zero.
custom
The log field that a user has created. This is referred to as a custom log
field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero
if the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique, it is only locally unique
within a given firewall policy.
serial
The serial number of the firewall session on which the event happened.
dir
This field contains any one of the following:
• N/A
• tx
• rx
file
The name of the file.
checksum
The checksum of the file that was scanned by the FortiGate unit. If two
files have different names but the same checksum, the FortiGate unit
assumes that they have the same content.
quarskip
This field contains any one of the following:
• No skip
• No quarantine for HTTP
• GET file pattern block
• No quarantine for oversized files.
• File was not quarantined.
virus
The name of the virus that was detected.
dtype
The dtype information.
ref
The URL reference that gives more information about the virus. If you
enter the URL in the address bar of the web browser, you are directed
to the specific page that contains information about the virus.
url
The URL address of where the file was acquired.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field
will always display N/A in FortiOS.
profile
The name of the profile that was used to detect and take action.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
profilegroup
The group that the profile is a part of. This field contains N/A if there is
no profile group configured. Profile groups are only available in FortiOS
Carrier.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
agent
This field is for FortiOS Carrier only. If the unit is not running FortiOS
Carrier, this field always contains N/A.
from
The sender’s email address.
to
The recipient’s email address.
8194
Message ID
8194
Log Subtype
Infected
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
A MIME header was detected to have a virus and was blocked.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no
virtual domains exist, this field always contains root.
msg
File is infected
status
The decision of the antivirus engine on how to treat the file. This field
contains any one of the following:
• blocked
• passthrough
• monitored
service
The type of protocol that was used to send and receive the traffic. This
field contains any one of the following:
• http
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• nntp
• im
• smtps
• https
• pop3s
• imaps
• http (ftp-over-http)
src
The source IP address.
dst
The destination IP address.
sport
The source port number.
src_port
The source port number.
dport
The destination port number.
dst_port
The destination port number.
src_int
The source interface. For example, internal.
dst_int
The destination interface. For example, wan1.
policyid
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will
have an index number of zero.
custom
The log field that a user has created. This is referred to as a custom log
field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero
if the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique, it is only locally unique
within a given firewall policy.
serial
The serial number of the firewall session on which the event happened.
file
The name of the file.
checksum
The checksum of the file that was scanned by the FortiGate unit. If two
files have different names but the same checksum, the FortiGate unit
assumes that they have the same content.
quarskip
This field contains any one of the following:
• No skip
• No quarantine for HTTP
• GET file pattern block
• No quarantine for oversized files.
• File was not quarantined.
virus
The name of the virus that was detected.
dtype
The dtype information.
ref
The URL reference that gives more information about the virus. If you
enter the URL in the address bar of the web browser, you are directed
to that specific page that contains information about the virus.
url
The URL address of where the file was acquired.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field
will always display N/A in FortiOS.
profiletype
The name of the profile that was used to detect and take action.
profilegroup
The type of profile that was used, for example, Antivirus_Profile.
profile
The group that the profile is a part of. This field contains N/A if there is
no profile group configured. Profile groups are only available in FortiOS
Carrier.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
from
This field is for FortiOS Carrier only. If the unit is not running FortiOS
Carrier, this field always contains N/A.
to
The sender’s email address.
8195
Message ID
8195
Log Subtype
Infected
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
A MIME header is infected and passed.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no
virtual domains exist, this field always contains root.
msg
File is infected
status
The decision of the antivirus engine on how to treat the file. This field
contains any one of the following:
• blocked
• passthrough
• monitored
service
The type of protocol that was used to send and receive the traffic. This
field contains any one of the following:
• http
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• nntp
• im
• smtps
• https
• pop3s
• imaps
• http (ftp-over-http)
src
The source IP address.
dst
The destination IP address.
sport
The source port number.
src_port
The source port number.
dport
The destination port number.
dst_port
The destination port number.
src_int
The source interface. For example, internal.
dst_int
The destination interface. For example, wan1.
policyid
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will
have an index number of zero.
custom
The log field that a user has created. This is referred to as a custom log
field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero
if the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique, it is only locally unique
within a given firewall policy.
serial
The serial number of the firewall session on which the event happened.
file
The name of the file.
checksum
The checksum of the file that was scanned by the FortiGate unit. If two
files have different names but the same checksum, the FortiGate unit
assumes that they have the same content.
quarskip
This field contains any one of the following:
• No skip
• No quarantine for HTTP
• GET file pattern block
• No quarantine for oversized files.
• File was not quarantined.
virus
The name of the virus that was detected.
dtype
The dtype information.
ref
The URL reference that gives more information about the virus. If you
enter the URL in the address bar of the web browser, you are directed
to that specific page that contains information about the virus.
url
The URL address of where the file was acquired.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field
will always display N/A in FortiOS.
profiletype
The name of the profile that was used to detect and take action.
profilegroup
The type of profile that was used, for example, Antivirus_Profile.
profile
The group that the profile is a part of. This field contains N/A if there is
no profile group configured. Profile groups are only available in FortiOS
Carrier.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
from
This field is for FortiOS Carrier only. If the unit is not running FortiOS
Carrier, this field always contains N/A.
to
The sender’s email address.
8196
Message ID
8196
Log Subtype
Infected
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
The FortiGate unit detected a computer worm and blocked it.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no
virtual domains exist, this field always contains root.
msg
Worm detected.
status
The decision of the antivirus engine on how to treat the file. This field
contains any one of the following:
• blocked
• passthrough
• monitored
service
The type of protocol that was used to send and receive the traffic. This
field contains any one of the following:
• http
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• nntp
• im
• smtps
• https
• pop3s
• imaps
• http (ftp-over-http)
src
The source IP address.
dst
The destination IP address.
sport
The source port number.
src_port
The source port number.
dport
The destination port number.
dst_port
The destination port number.
src_int
The source interface. For example, internal.
dst_int
The destination interface. For example, wan1.
policyid
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will
have an index number of zero.
custom
The log field that a user has created. This is referred to as a custom log
field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero
if the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique, it is only locally unique
within a given firewall policy.
serial
The serial number of the firewall session on which the event happened.
virus
The name of the virus that was detected.
dtype
The dtype information.
url
The URL address of where the file was acquired.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field
will always display N/A in FortiOS.
profiletype
The name of the profile that was used to detect and take action.
profilegroup
The type of profile that was used, for example, Antivirus_Profile.
profile
The group that the profile is a part of. This field contains N/A if there is
no profile group configured. Profile groups are only available in FortiOS
Carrier.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
8197
Message ID
8197
Log Subtype
Infected
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The FortiGate unit detected a computer worm and monitored it.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no
virtual domains exist, this field always contains root.
msg
Worm deteceted.
status
The decision of the antivirus engine on how to treat the file. This field
contains any one of the following:
• blocked
• passthrough
• monitored
service
The type of protocol that was used to send and receive the traffic. This
field contains any one of the following:
• http
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• nntp
• im
• smtps
• https
• pop3s
• imaps
• http (ftp-over-http)
src
The source IP address.
dst
The destination IP address.
sport
The source port number.
src_port
The source port number.
dport
The destination port number.
dst_port
The destination port number.
src_int
The source interface. For example, internal.
dst_int
The destination interface. For example, wan1.
policyid
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will
have an index number of zero.
custom
The log field that a user has created. This is referred to as a custom log
field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero
if the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique, it is only locally unique
within a given firewall policy.
serial
The serial number of the firewall session on which the event happened.
virus
The name of the virus that was detected.
dtype
The dtype information.
url
The URL address of where the file was acquired.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field
will always display N/A in FortiOS.
profiletype
The name of the profile that was used to detect and take action.
profilegroup
The type of profile that was used, for example, Antivirus_Profile.
profile
The group that the profile is a part of. This field contains N/A if there is
no profile group configured. Profile groups are only available in FortiOS
Carrier.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
8198
Message ID
8198
Log Subtype
Infected
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
The FortiGate unit detected a computer worm (MIME) and blocked it.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no
virtual domains exist, this field always contains root.
msg
Worm detected.
status
The decision of the antivirus engine on how to treat the file. This field
contains any one of the following:
• blocked
• passthrough
• monitored
service
The type of protocol that was used to send and receive the traffic. This
field contains any one of the following:
• http
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• nntp
• im
• smtps
• https
• pop3s
• imaps
• http (ftp-over-http)
src
The source IP address.
dst
The destination IP address.
sport
The source port number.
src_port
The source port number.
dport
The destination port number.
dst_port
The destination port number.
src_int
The source interface. For example, internal.
dst_int
The destination interface. For example, wan1.
policyid
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will
have an index number of zero.
custom
The log field that a user has created. This is referred to as a custom log
field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero
if the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique, it is only locally unique
within a given firewall policy.
serial
The serial number of the firewall session on which the event happened.
virus
The name of the virus that was detected.
dtype
The dtype information.
url
The URL address of where the file was acquired.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field
will always display N/A in FortiOS.
profiletype
The name of the profile that was used to detect and take action.
profilegroup
The type of profile that was used, for example, Antivirus_Profile.
profile
The group that the profile is a part of. This field contains N/A if there is
no profile group configured. Profile groups are only available in FortiOS
Carrier.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
8199
Message ID
8199
Log Subtype
Infected
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The FortiGate unit detected a computer worm (MIME) and monitored it.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no
virtual domains exist, this field always contains root.
msg
Worm detected.
status
The decision of the antivirus engine on how to treat the file. This field
contains any one of the following:
• blocked
• passthrough
• monitored
service
The type of protocol that was used to send and receive the traffic. This
field contains any one of the following:
• http
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• nntp
• im
• smtps
• https
• pop3s
• imaps
• http (ftp-over-http)
src
The source IP address.
dst
The destination IP address.
sport
The source port number.
src_port
The source port number.
dport
The destination port number.
dst_port
The destination port number.
src_int
The source interface. For example, internal.
dst_int
The destination interface. For example, wan1.
policyid
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will
have an index number of zero.
custom
The log field that a user has created. This is referred to as a custom log
field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero
if the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique, it is only locally unique
within a given firewall policy.
serial
The serial number of the firewall session on which the event happened.
virus
The name of the virus that was detected.
dtype
The dtype information.
url
The URL address of where the file was acquired.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field
will always display N/A in FortiOS.
profiletype
The name of the profile that was used to detect and take action.
profilegroup
The type of profile that was used, for example, Antivirus_Profile.
profile
The group that the profile is a part of. This field contains N/A if there is
no profile group configured. Profile groups are only available in FortiOS
Carrier.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
from
The sender’s email address.
to
The recipient’s email address.
8457
Message ID
8457
Log Subtype
Infected
Severity
Warning
Firmware version
FortiOS Carrier 4.0 MR3
Meaning
An MMS content checksum blocked an infected file.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no
virtual domains exist, this field always contains root.
msg
Blocked by MMS content checksum
status
The decision of the antivirus engine on how to treat the file. This field
contains any one of the following:
• blocked
• passthrough
• monitored
service
The type of protocol that was used to send and receive the traffic. This
field contains any one of the following:
• http
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• nntp
• im
• smtps
• https
• pop3s
• imaps
• http (ftp-over-http)
src
The source IP address.
dst
The destination IP address.
sport
The source port number.
src_port
The source port number.
dport
The destination port number.
dst_port
The destination port number.
src_int
The source interface. For example, internal.
dst_int
The destination interface. For example, wan1.
policyid
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will
have an index number of zero.
custom
The log field that a user has created. This is referred to as a custom log
field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero
if the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique, it is only locally unique
within a given firewall policy.
serial
The serial number of the firewall session on which the event happened.
dir
This field contains any one of the following:
• N/A
• tx
• rx
checksum
The checksum of the file that was scanned by the FortiGate unit. If two
files have different names but the same checksum, the FortiGate unit
assumes that they have the same content.
file
The name of the file.
url
The URL address of where the file was acquired.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field
will always display N/A in FortiOS.
profiletype
The name of the profile that was used to detect and take action.
profilegroup
The type of profile that was used, for example, Antivirus_Profile.
profile
The group that the profile is a part of. This field contains N/A if there is
no profile group configured. Profile groups are only available in FortiOS
Carrier.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
agent
This field is for FortiOS Carrier only. If the unit is not running FortiOS
Carrier, this field always contains N/A.
from
The sender’s email address.
to
The recipient’s email address.
8458
Message ID
8458
Log Subtype
Infected
Severity
Notification
Firmware version
FortiOS Carrier 4.0 MR3
Meaning
An MMS content checksum was matched.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no
virtual domains exist, this field always contains root.
msg
Matched by MMS content checksum.
status
The decision of the antivirus engine on how to treat the file. This field
contains any one of the following:
• blocked
• passthrough
• monitored
service
The type of protocol that was used to send and receive the traffic. This
field contains any one of the following:
• http
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• nntp
• im
• smtps
• https
• pop3s
• imaps
• http (ftp-over-http)
src
The source IP address.
dst
The destination IP address.
sport
The source port number.
src_port
The source port number.
dport
The destination port number.
dst_port
The destination port number.
src_int
The source interface. For example, internal.
dst_int
The destination interface. For example, wan1.
policyid
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will
have an index number of zero.
custom
The log field that a user has created. This is referred to as a custom log
field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero
if the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique, it is only locally unique
within a given firewall policy.
serial
The serial number of the firewall session on which the event happened.
dir
This field contains any one of the following:
• N/A
• tx
• rx
checksum
The checksum of the file that was scanned by the FortiGate unit. If two
files have different names but the same checksum, the FortiGate unit
assumes that they have the same content.
file
The name of the file.
url
The URL address of where the file was acquired.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field
will always display N/A in FortiOS.
profiletype
The name of the profile that was used to detect and take action.
profilegroup
The type of profile that was used, for example, Antivirus_Profile.
profile
The group that the profile is a part of. This field contains N/A if there is
no profile group configured. Profile groups are only available in FortiOS
Carrier.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
agent
This field is for FortiOS Carrier only. If the unit is not running FortiOS
Carrier, this field always contains N/A.
from
The sender’s email address.
to
The recipient’s email address.
8448
Message ID
8448
Log Subtype
Filename
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
The FortiGate unit blocked a file because it contains a virus.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
msg
File is blocked
status
The decision of the antivirus engine on how to treat the file. This field
contains any one of the following:
• blocked
• passthrough
• monitored
service
The type of protocol that was used to send and receive the traffic. This field
contains any one of the following:
• http
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• nntp
• im
• smtps
• https
• pop3s
• imaps
• http (ftp-over-http)
src
The source IP address.
dst
The destination IP address.
sport
The source port number.
src_port
The source port number.
dport
The destination port number.
dst_port
The destination port number.
src_int
The source interface. For example, internal.
dst_int
The destination interface. For example, wan1.
policyid
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
custom
The log field that a user has created. This is referred to as a custom log field
because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero if the
firewall policy does not use an identity-based policy; otherwise, it displays
the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall
policy.
serial
The serial number of the firewall session on which the event happened.
dir
This field contains any one of the following:
• N/A
• tx
• rx
filefilter
This field contains any one of the following:
• none
• file pattern
• file type
filetype
This field contains any one of the following:
• arj
• cab
• lzh
• rar
• tar
• zip
• bzip
• gzip
• bzip2
• bat
• msc
• uue
• mime
• base64
• binhex
• com
• elf
• exe
• hta
• html
• jad
• class
• cod
• javascript
• msoffice
• fsg
• upx
• petite
• aspack
• prc
• sis
• hlp
• activemime
• jpeg
• gif
• tiff
• png
• bmp
• ignored
• unknown
• N/A
file
The name of the file.
checksum
The checksum of the file that was scanned by the FortiGate unit. If two files
have different names but the same checksum, the FortiGate unit assumes
that they have the same content.
quarskip
This field contains any one of the following:
• No skip
• No quarantine for HTTP GET file pattern block.
• No quarantine for oversized files
• File was not quarantined.
url
The URL address of where the file was acquired.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would display
MSISDN of the phone that sent the MMS message. This field will always
display N/A in FortiOS.
profiletype
The name of the profile that was used to detect and take action.
profilegroup
The type of profile that was used, for example, Antivirus_Profile.
profile
The group that the profile is a part of. This field contains N/A if there is no
profile group configured. Profile groups are only available in FortiOS Carrier.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
agent
This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier,
this field always contains N/A.
from
The sender’s email address.
to
The recipient’s email address.
8449
Message ID
8449
Log Subtype
Filename
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The FortiGate unit blocked a file because it contains a virus.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
msg
File is blocked
status
The decision of the antivirus engine on how to treat the file. This field
contains any one of the following:
• blocked
• passthrough
• monitored
service
The type of protocol that was used to send and receive the traffic. This field
contains any one of the following:
• http
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• nntp
• im
• smtps
• https
• pop3s
• imaps
• http (ftp-over-http)
src
The source IP address.
dst
The destination IP address.
sport
The source port number.
src_port
The source port number.
dport
The destination port number.
dst_port
The destination port number.
src_int
The source interface. For example, internal.
dst_int
The destination interface. For example, wan1.
policyid
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
custom
The log field that a user has created. This is referred to as a custom log field
because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero if the
firewall policy does not use an identity-based policy; otherwise, it displays
the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall
policy.
serial
The serial number of the firewall session on which the event happened.
dir
This field contains any one of the following:
• N/A
• tx
• rx
filefilter
This field contains any one of the following:
• none
• file pattern
• file type
filetype
This field contains any one of the following:
• arj
• cab
• lzh
• rar
• tar
• zip
• bzip
• gzip
• bzip2
• bat
• msc
• uue
• mime
• base64
• binhex
• com
• elf
• exe
• hta
• html
• jad
• class
• cod
• javascript
• msoffice
• fsg
• upx
• petite
• aspack
• prc
• sis
• hlp
• activemime
• jpeg
• gif
• tiff
• png
• bmp
• ignored
• unknown
• N/A
file
The name of the file.
checksum
The checksum of the file that was scanned by the FortiGate unit. If two files
have different names but the same checksum, the FortiGate unit assumes
that they have the same content.
quarskip
This field contains any one of the following:
• No skip
• No quarantine for HTTP GET file pattern block.
• No quarantine for oversized files
• File was not quarantined.
url
The URL address of where the file was acquired.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would display
MSISDN of the phone that sent the MMS message. This field will always
display N/A in FortiOS.
profiletype
The name of the profile that was used to detect and take action.
profilegroup
The type of profile that was used, for example, Antivirus_Profile.
profile
The group that the profile is a part of. This field contains N/A if there is no
profile group configured. Profile groups are only available in FortiOS Carrier.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
agent
This field is for FortiOS Carrier only. If the unit is not running FortiOS Carrier,
this field always contains N/A.
from
The sender’s email address.
to
The recipient’s email address.
8450
Message ID
8450
Log Subtype
Filename
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
The FortiGate unit blocked a file because it contains a virus (MIME).
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no
virtual domains exist, this field always contains root.
msg
File is blocked.
status
The decision of the antivirus engine on how to treat the file. This field
contains any one of the following:
• blocked
• passthrough
• monitored
service
The type of protocol that was used to send and receive the traffic.
This field contains any one of the following:
• http
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• nntp
• im
• smtps
• https
• pop3s
• imaps
• http (ftp-over-http)
src
The source IP address.
dst
The destination IP address.
sport
The source port number.
src_port
The source port number.
dport
The destination port number.
dst_port
The destination port number.
src_int
The source interface. For example, internal.
dst_int
The destination interface. For example, wan1.
policyid
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will
have an index number of zero.
custom
The log field that a user has created. This is referred to as a custom
log field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays
zero if the firewall policy does not use an identity-based policy;
otherwise, it displays the number of the identity-based policy entry
that the traffic matched. This number is not globally unique; it is only
locally unique within a given firewall policy.
serial
The serial number of the firewall session on which the event
happened.
filefilter
This field contains any one of the following:
• none
• file pattern
• file type
filetype
This field contains any one of the following:
• arj
• cab
• lzh
• rar
• tar
• zip
• bzip
• gzip
• bzip2
• bat
• msc
• uue
• mime
• base64
• binhex
• com
• elf
• exe
• hta
• html
• jad
• class
• cod
• javascript
• msoffice
• fsg
• upx
• petite
• aspack
• prc
• sis
• hlp
• activemime
• jpeg
• gif
• tiff
• png
• bmp
• ignored
• unknown
• N/A
file
The name of the file.
checksum
The checksum of the file that was scanned by the FortiGate unit. If
two files have different names but the same checksum, the FortiGate
unit assumes that they have the same content.
quarskip
This field contains any one of the following:
• No skip
• No quarantine for HTTP GET file pattern block.
• No quarantine for oversized files
• File was not quarantined.
url
The URL address of where the file was acquired.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field
will always display N/A in FortiOS.
profiletype
The name of the profile that was used to detect and take action.
profilegroup
The type of profile that was used, for example, Antivirus_Profile.
profile
The group that the profile is a part of. This field contains N/A if there
is no profile group configured. Profile groups are only available in
FortiOS Carrier.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
from
The sender’s email address.
to
The recipient’s email address.
8451
Message ID
8451
Log Subtype
Filename
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The FortiGate unit blocked a file because it contains a virus (MIME).
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no
virtual domains exist, this field always contains root.
msg
File is blocked.
status
The decision of the antivirus engine on how to treat the file. This field
contains any one of the following:
• blocked
• passthrough
• monitored
service
The type of protocol that was used to send and receive the traffic.
This field contains any one of the following:
• http
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• nntp
• im
• smtps
• https
• pop3s
• imaps
• http (ftp-over-http)
src
The source IP address.
dst
The destination IP address.
sport
The source port number.
src_port
The source port number.
dport
The destination port number.
dst_port
The destination port number.
src_int
The source interface. For example, internal.
dst_int
The destination interface. For example, wan1.
policyid
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will
have an index number of zero.
custom
The log field that a user has created. This is referred to as a custom
log field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays
zero if the firewall policy does not use an identity-based policy;
otherwise, it displays the number of the identity-based policy entry
that the traffic matched. This number is not globally unique; it is only
locally unique within a given firewall policy.
serial
The serial number of the firewall session on which the event
happened.
filefilter
This field contains any one of the following:
• none
• file pattern
• file type
filetype
This field contains any one of the following:
• arj
• cab
• lzh
• rar
• tar
• zip
• bzip
• gzip
• bzip2
• bat
• msc
• uue
• mime
• base64
• binhex
• com
• elf
• exe
• hta
• html
• jad
• class
• cod
• javascript
• msoffice
• fsg
• upx
• petite
• aspack
• prc
• sis
• hlp
• activemime
• jpeg
• gif
• tiff
• png
• bmp
• ignored
• unknown
• N/A
file
The name of the file.
checksum
The checksum of the file that was scanned by the FortiGate unit. If
two files have different names but the same checksum, the FortiGate
unit assumes that they have the same content.
quarskip
This field contains any one of the following:
• No skip
• No quarantine for HTTP GET file pattern block.
• No quarantine for oversized files
• File was not quarantined.
url
The URL address of where the file was acquired.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field
will always display N/A in FortiOS.
profiletype
The name of the profile that was used to detect and take action.
profilegroup
The type of profile that was used, for example, Antivirus_Profile.
profile
The group that the profile is a part of. This field contains N/A if there
is no profile group configured. Profile groups are only available in
FortiOS Carrier.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
from
The sender’s email address.
to
The recipient’s email address.
8452
Message ID
8452
Log Subtype
Filename
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
The FortiGate unit blocked a virus command.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no
virtual domains exist, this field always contains root.
msg
Command blocked.
status
The decision of the antivirus engine on how to treat the file. This field
contains any one of the following:
• blocked
• passthrough
• monitored
service
The type of protocol that was used to send and receive the traffic.
This field contains any one of the following:
• http
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• nntp
• im
• smtps
• https
• pop3s
• imaps
• http (ftp-over-http)
src
The source IP address.
dst
The destination IP address.
sport
The source port number.
src_port
The source port number.
dport
The destination port number.
dst_port
The destination port number.
src_int
The source interface. For example, internal.
dst_int
The destination interface. For example, wan1.
policyid
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will
have an index number of zero.
custom
The log field that a user has created. This is referred to as a custom
log field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays
zero if the firewall policy does not use an identity-based policy;
otherwise, it displays the number of the identity-based policy entry
that the traffic matched. This number is not globally unique; it is only
locally unique within a given firewall policy.
serial
The serial number of the firewall session on which the event
happened.
url
The URL address of where the file was acquired.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
command
The command information.
8453
Message ID
8453
Log Subtype
Filename
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The FortiGate unit intercepted a file containing a virus.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no
virtual domains exist, this field always contains root.
msg
The file is intercepted.
status
The decision of the antivirus engine on how to treat the file. This field
contains any one of the following:
• blocked
• passthrough
• monitored
service
The type of protocol that was used to send and receive the traffic.
This field contains any one of the following:
• http
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• nntp
• im
• smtps
• https
• pop3s
• imaps
• http (ftp-over-http)
src
The source IP address.
dst
The destination IP address.
sport
The source port number.
src_port
The source port number.
dport
The destination port number.
dst_port
The destination port number.
src_int
The source interface. For example, internal.
dst_int
The destination interface. For example, wan1.
policyid
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will
have an index number of zero.
custom
The log field that a user has created. This is referred to as a custom
log field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays
zero if the firewall policy does not use an identity-based policy;
otherwise, it displays the number of the identity-based policy entry
that the traffic matched. This number is not globally unique; it is only
locally unique within a given firewall policy.
serial
The serial number of the firewall session on which the event
happened.
dir
This field contains any one of the following:
• N/A
• tx
• rx
filefilter
This field contains any one of the following:
• none
• file pattern
• file type
filetype
This field contains any one of the following:
• arj
• cab
• lzh
• rar
• tar
• zip
• bzip
• gzip
• bzip2
• bat
• msc
• uue
• mime
• base64
• binhex
• com
• elf
• exe
• hta
• html
• jad
• class
• cod
• javascript
• msoffice
• fsg
• upx
• petite
• aspack
• prc
• sis
• hlp
• activemime
• jpeg
• gif
• tiff
• png
• bmp
• ignored
• unknown
• N/A
file
The name of the file.
checksum
The checksum of the file that was scanned by the FortiGate unit. If
two files have different names but the same checksum, the FortiGate
unit assumes that they have the same content.
quarskip
This field contains any one of the following:
• No skip
• No quarantine for HTTP GET file pattern block.
• No quarantine for oversized files
• File was not quarantined.
url
The URL address of where the file was acquired.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field
will always display N/A in FortiOS.
profiletype
The name of the profile that was used to detect and take action.
profilegroup
The type of profile that was used, for example, Antivirus_Profile.
profile
The group that the profile is a part of. This field contains N/A if there
is no profile group configured. Profile groups are only available in
FortiOS Carrier.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
agent
This field is for FortiOS Carrier only. If the unit is not running FortiOS
Carrier, this field always contains N/A.
from
The sender’s email address.
to
The recipient’s email address.
8454
Message ID
8454
Log Subtype
Filename
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The FortiGate unit intercepted a file (MIME).
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no
virtual domains exist, this field always contains root.
msg
The file is intercepted.
status
The decision of the antivirus engine on how to treat the file. This field
contains any one of the following:
• blocked
• passthrough
• monitored
service
The type of protocol that was used to send and receive the traffic.
This field contains any one of the following:
• http
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• nntp
• im
• smtps
• https
• pop3s
• imaps
• http (ftp-over-http)
src
The source IP address.
dst
The destination IP address.
sport
The source port number.
src_port
The source port number.
dport
The destination port number.
dst_port
The destination port number.
src_int
The source interface. For example, internal.
dst_int
The destination interface. For example, wan1.
policyid
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will
have an index number of zero.
custom
The log field that a user has created. This is referred to as a custom
log field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays
zero if the firewall policy does not use an identity-based policy;
otherwise, it displays the number of the identity-based policy entry
that the traffic matched. This number is not globally unique; it is only
locally unique within a given firewall policy.
serial
The serial number of the firewall session on which the event
happened.
filefilter
This field contains any one of the following:
• none
• file pattern
• file type
filetype
This field contains any one of the following:
• arj
• cab
• lzh
• rar
• tar
• zip
• bzip
• gzip
• bzip2
• bat
• msc
• uue
• mime
• base64
• binhex
• com
• elf
• exe
• hta
• html
• jad
• class
• cod
• javascript
• msoffice
• fsg
• upx
• petite
• aspack
• prc
• sis
• hlp
• activemime
• jpeg
• gif
• tiff
• png
• bmp
• ignored
• unknown
• N/A
file
The name of the file.
checksum
The checksum of the file that was scanned by the FortiGate unit. If
two files have different names but the same checksum, the FortiGate
unit assumes that they have the same content.
quarskip
This field contains any one of the following:
• No skip
• No quarantine for HTTP GET file pattern block.
• No quarantine for oversized files
• File was not quarantined.
url
The URL address of where the file was acquired.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field
will always display N/A in FortiOS.
profiletype
The name of the profile that was used to detect and take action.
profilegroup
The type of profile that was used, for example, Antivirus_Profile.
profile
The group that the profile is a part of. This field contains N/A if there
is no profile group configured. Profile groups are only available in
FortiOS Carrier.
from
The sender’s email address.
to
The recipient’s email address.
8455
Message ID
8455
Log Subtype
Filename
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
A file was exempted.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no
virtual domains exist, this field always contains root.
msg
File has been exempted.
status
The decision of the antivirus engine on how to treat the file. This field
contains any one of the following:
• blocked
• passthrough
• monitored
service
The type of protocol that was used to send and receive the traffic.
This field contains any one of the following:
• http
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• nntp
• im
• smtps
• https
• pop3s
• imaps
• http (ftp-over-http)
src
The source IP address.
dst
The destination IP address.
sport
The source port number.
src_port
The source port number.
dport
The destination port number.
dst_port
The destination port number.
src_int
The source interface. For example, internal.
dst_int
The destination interface. For example, wan1.
policyid
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will
have an index number of zero.
custom
The log field that a user has created. This is referred to as a custom
log field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays
zero if the firewall policy does not use an identity-based policy;
otherwise, it displays the number of the identity-based policy entry
that the traffic matched. This number is not globally unique; it is only
locally unique within a given firewall policy.
serial
The serial number of the firewall session on which the event
happened.
dir
This field contains any one of the following:
• N/A
• tx
• rx
filefilter
This field contains any one of the following:
• none
• file pattern
• file type
filetype
This field contains any one of the following:
• arj
• cab
• lzh
• rar
• tar
• zip
• bzip
• gzip
• bzip2
• bat
• msc
• uue
• mime
• base64
• binhex
• com
• elf
• exe
• hta
• html
• jad
• class
• cod
• javascript
• msoffice
• fsg
• upx
• petite
• aspack
• prc
• sis
• hlp
• activemime
• jpeg
• gif
• tiff
• png
• bmp
• ignored
• unknown
• N/A
file
The name of the file.
url
The URL address of where the file was acquired.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field
will always display N/A in FortiOS.
profiletype
The name of the profile that was used to detect and take action.
profilegroup
The type of profile that was used, for example, Antivirus_Profile.
profile
The group that the profile is a part of. This field contains N/A if there
is no profile group configured. Profile groups are only available in
FortiOS Carrier.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
agent
This field is for FortiOS Carrier only. If the unit is not running FortiOS
Carrier, this field always contains N/A.
from
The sender’s email address.
to
The recipient’s email address.
8456
Message ID
8456
Log Subtype
Filename
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
A file was exempted.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no
virtual domains exist, this field always contains root.
msg
File has been exempted.
status
The decision of the antivirus engine on how to treat the file. This field
contains any one of the following:
• blocked
• passthrough
• monitored
service
The type of protocol that was used to send and receive the traffic.
This field contains any one of the following:
• http
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• nntp
• im
• smtps
• https
• pop3s
• imaps
• http (ftp-over-http)
src
The source IP address.
dst
The destination IP address.
sport
The source port number.
src_port
The source port number.
dport
The destination port number.
dst_port
The destination port number.
src_int
The source interface. For example, internal.
dst_int
The destination interface. For example, wan1.
policyid
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will
have an index number of zero.
custom
The log field that a user has created. This is referred to as a custom
log field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays
zero if the firewall policy does not use an identity-based policy;
otherwise, it displays the number of the identity-based policy entry
that the traffic matched. This number is not globally unique; it is only
locally unique within a given firewall policy.
serial
The serial number of the firewall session on which the event
happened.
filefilter
This field contains any one of the following:
• none
• file pattern
• file type
filetype
This field contains any one of the following:
• arj
• cab
• lzh
• rar
• tar
• zip
• bzip
• gzip
• bzip2
• bat
• msc
• uue
• mime
• base64
• binhex
• com
• elf
• exe
• hta
• html
• jad
• class
• cod
• javascript
• msoffice
• fsg
• upx
• petite
• aspack
• prc
• sis
• hlp
• activemime
• jpeg
• gif
• tiff
• png
• bmp
• ignored
• unknown
• N/A
file
The name of the file.
url
The URL address of where the file was acquired.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field
will always display N/A in FortiOS.
profiletype
The name of the profile that was used to detect and take action.
profilegroup
The type of profile that was used, for example, Antivirus_Profile.
profile
The group that the profile is a part of. This field contains N/A if there
is no profile group configured. Profile groups are only available in
FortiOS Carrier.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
from
The sender’s email address.
to
The recipient’s email address.
8704
Message ID
8704
Log Subtype
Oversize
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
The defined file size limit was exceeded.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no
virtual domains exist, this field always contains root.
msg
Size limit is exceeded.
status
The decision of the antivirus engine on how to treat the file. This field
contains any one of the following:
• blocked
• passthrough
• monitored
service
The type of protocol that was used to send and receive the traffic.
This field contains any one of the following:
• http
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• nntp
• im
• smtps
• https
• pop3s
• imaps
• http (ftp-over-http)
src
The source IP address.
dst
The destination IP address.
sport
The source port number.
src_port
The source port number.
dport
The destination port number.
dst_port
The destination port number.
src_int
The source interface. For example, internal.
dst_int
The destination interface. For example, wan1.
policyid
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will
have an index number of zero.
custom
The log field that a user has created. This is referred to as a custom
log field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays
zero if the firewall policy does not use an identity-based policy;
otherwise, it displays the number of the identity-based policy entry
that the traffic matched. This number is not globally unique; it is only
locally unique within a given firewall policy.
serial
The serial number of the firewall session on which the event
happened.
file
The name of the file.
url
The URL address of where the file was acquired.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field
will always display N/A in FortiOS.
profiletype
The name of the profile that was used to detect and take action.
profilegroup
The type of profile that was used, for example, Antivirus_Profile.
profile
The group that the profile is a part of. This field contains N/A if there
is no profile group configured. Profile groups are only available in
FortiOS Carrier.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
from
The sender’s email address.
to
The recipient’s email address.
agent
This field is for FortiOS Carrier only. If the unit is not running FortiOS
Carrier, this field always contains N/A.
8705
Message ID
8705
Log Subtype
Oversize
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The file size limit was exceeded.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no
virtual domains exist, this field always contains root.
msg
Size limit is exceeded.
status
The decision of the antivirus engine on how to treat the file. This field
contains any one of the following:
• blocked
• passthrough
• monitored
service
The type of protocol that was used to send and receive the traffic.
This field contains any one of the following:
• http
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• nntp
• im
• smtps
• https
• pop3s
• imaps
• http (ftp-over-http)
src
The source IP address.
dst
The destination IP address.
sport
The source port number.
src_port
The source port number.
dport
The destination port number.
dst_port
The destination port number.
src_int
The source interface. For example, internal.
dst_int
The destination interface. For example, wan1.
policyid
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will
have an index number of zero.
custom
The log field that a user has created. This is referred to as a custom
log field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays
zero if the firewall policy does not use an identity-based policy;
otherwise, it displays the number of the identity-based policy entry
that the traffic matched. This number is not globally unique; it is only
locally unique within a given firewall policy.
serial
The serial number of the firewall session on which the event
happened.
file
The name of the file.
url
The URL address of where the file was acquired.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field
will always display N/A in FortiOS.
profiletype
The name of the profile that was used to detect and take action.
profilegroup
The type of profile that was used, for example, Antivirus_Profile.
profile
The group that the profile is a part of. This field contains N/A if there
is no profile group configured. Profile groups are only available in
FortiOS Carrier.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
from
The sender’s email address.
to
The recipient’s email address.
agent
This field is for FortiOS Carrier only. If the unit is not running FortiOS
Carrier, this field always contains N/A.
8706
Message ID
8706
Log Subtype
Oversize
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
The file (MIME) size exceeds the defined size limit.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no
virtual domains exist, this field always contains root.
msg
Size limit is exceeded.
status
The decision of the antivirus engine on how to treat the file. This field
contains any one of the following:
• blocked
• passthrough
• monitored
service
The type of protocol that was used to send and receive the traffic.
This field contains any one of the following:
• http
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• nntp
• im
• smtps
• https
• pop3s
• imaps
• http (ftp-over-http)
src
The source IP address.
dst
The destination IP address.
sport
The source port number.
src_port
The source port number.
dport
The destination port number.
dst_port
The destination port number.
src_int
The source interface. For example, internal.
dst_int
The destination interface. For example, wan1.
policyid
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will
have an index number of zero.
custom
The log field that a user has created. This is referred to as a custom
log field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays
zero if the firewall policy does not use an identity-based policy;
otherwise, it displays the number of the identity-based policy entry
that the traffic matched. This number is not globally unique; it is only
locally unique within a given firewall policy.
serial
The serial number of the firewall session on which the event
happened.
file
The name of the file.
url
The URL address of where the file was acquired.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field
will always display N/A in FortiOS.
profiletype
The name of the profile that was used to detect and take action.
profilegroup
The type of profile that was used, for example, Antivirus_Profile.
profile
The group that the profile is a part of. This field contains N/A if there
is no profile group configured. Profile groups are only available in
FortiOS Carrier.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
from
The sender’s email address.
to
The recipient’s email address.
8707
Message ID
8707
Log Subtype
Oversize
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The file (MIME) size exceeds the defined size limit.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no
virtual domains exist, this field always contains root.
msg
Size limit is exceeded.
status
The decision of the antivirus engine on how to treat the file. This field
contains any one of the following:
• blocked
• passthrough
• monitored
service
The type of protocol that was used to send and receive the traffic.
This field contains any one of the following:
• http
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• nntp
• im
• smtps
• https
• pop3s
• imaps
• http (ftp-over-http)
src
The source IP address.
dst
The destination IP address.
sport
The source port number.
src_port
The source port number.
dport
The destination port number.
dst_port
The destination port number.
src_int
The source interface. For example, internal.
dst_int
The destination interface. For example, wan1.
policyid
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will
have an index number of zero.
custom
The log field that a user has created. This is referred to as a custom
log field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays
zero if the firewall policy does not use an identity-based policy;
otherwise, it displays the number of the identity-based policy entry
that the traffic matched. This number is not globally unique, it is only
locally unique within a given firewall policy.
serial
The serial number of the firewall session on which the event
happened.
file
The name of the file.
url
The URL address of where the file was acquired.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field
will always display N/A in FortiOS.
profile
The name of the profile that was used to detect and take action.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
profilegroup
The group that the profile is a part of. This field contains N/A if there
is no profile group configured. Profile groups are only available in
FortiOS Carrier.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
from
The sender’s email address.
to
The recipient’s email address.
8960
Message ID
8960
Log Subtype
Scanerror
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The file reached the uncompressed nested limit.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
msg
File reached uncompressed nested limit.
status
The decision of the antivirus engine on how to treat the file. This field
contains any one of the following:
• blocked
• passthrough
• monitored
service
The type of protocol that was used to send and receive the traffic. This field
contains any one of the following:
• http
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• nntp
• im
• smtps
• https
• pop3s
• imaps
• http (ftp-over-http)
src
The source IP address.
dst
The destination IP address.
sport
The source port number.
src_port
The source port number.
dport
The destination port number.
dst_port
The destination port number.
src_int
The source interface. For example, internal.
dst_int
The destination interface. For example, wan1.
policyid
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
custom
The log field that a user has created. This is referred to as a custom log
field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero if
the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique, it is only locally unique within
a given firewall policy.
serial
The serial number of the firewall session on which the event happened.
dir
This field contains any one of the following:
• N/A
• tx
• rx
file
The name of the file.
checksum
The checksum of the file that was scanned by the FortiGate unit. If two files
have different names but the same checksum, the FortiGate unit assumes
that they have the same content.
quarskip
This field contains any one of the following:
• No skip
• No quaratine for HTTP GET file pattern block
• No quarantine for oversized files
• File was not quarantined.
virus
The name of the virus that was detected.
dtype
The dtype information.
ref
The URL reference that gives more information about the virus. If you enter
the URL in the address bar of the web browser, you are directed to that
specific page that contains information about the virus.
url
The URL address of where the file was acquired.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would display
MSISDN of the phone that sent the MMS message. This field will always
display N/A in FortiOS.
profile
The name of the profile that was used to detect and take action.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
profilegroup
The group that the profile is a part of. This field contains N/A if there is no
profile group configured. Profile groups are only available in FortiOS
Carrier.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
agent
This field is for FortiOS Carrier only. If the unit is not running FortiOS
Carrier, this field always contains N/A.
from
The sender’s email address.
to
The recipient’s email address.
8961
Message ID
8961
Log Subtype
Scanerror
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The file reached the uncompressed size limit.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no
virtual domains exist, this field always contains root.
msg
File reached uncompressed size limit.
status
The decision of the antivirus engine on how to treat the file. This field
contains any one of the following:
• blocked
• passthrough
• monitored
service
The type of protocol that was used to send and receive the traffic.
This field contains any one of the following:
• http
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• nntp
• im
• smtps
• https
• pop3s
• imaps
• http (ftp-over-http)
src
The source IP address.
dst
The destination IP address.
sport
The source port number.
src_port
The source port number.
dport
The destination port number.
dst_port
The destination port number.
src_int
The source interface. For example, internal.
dst_int
The destination interface. For example, wan1.
policyid
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will
have an index number of zero.
custom
The log field that a user has created. This is referred to as a custom
log field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays
zero if the firewall policy does not use an identity-based policy;
otherwise, it displays the number of the identity-based policy entry
that the traffic matched. This number is not globally unique, it is only
locally unique within a given firewall policy.
serial
The serial number of the firewall session on which the event
happened.
dir
This field contains any one of the following:
• N/A
• tx
• rx
file
The name of the file.
checksum
The checksum of the file that was scanned by the FortiGate unit. If
two files have different names but the same checksum, the FortiGate
unit assumes that they have the same content.
quarskip
This field contains any one of the following:
• No skip
• No quaratine for HTTP GET file pattern block
• No quarantine for oversized files
• File was not quarantined.
virus
The name of the virus that was detected.
dtype
The dtype information.
ref
The URL reference that gives more information about the virus. If you
enter the URL in the address bar of the web browser, you are
directed to that specific page that contains information about the
virus.
url
The URL address of where the file was acquired.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field
will always display N/A in FortiOS.
profile
The name of the profile that was used to detect and take action.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
profilegroup
The group that the profile is a part of. This field contains N/A if there
is no profile group configured. Profile groups are only available in
FortiOS Carrier.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
agent
This field is for FortiOS Carrier only. If the unit is not running FortiOS
Carrier, this field always contains N/A.
from
The sender’s email address.
to
The recipient’s email address.
8962
Message ID
8962
Log Subtype
Scanerror
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The archived file is encrypted.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no
virtual domains exist, this field always contains root.
msg
Encrypted archive.
status
The decision of the antivirus engine on how to treat the file. This field
contains any one of the following:
• blocked
• passthrough
• monitored
service
The type of protocol that was used to send and receive the traffic.
This field contains any one of the following:
• http
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• im
• nntp
• https
• smtps
• imaps
• pop3s
• http (ftp-over-http)
src
The source IP address.
dst
The destination IP address.
sport
The source port number.
src_port
The source port number.
dport
The destination port number.
dst_port
The destination port number.
src_int
The source interface. For example, internal.
dst_int
The destination interface. For example, wan1.
policyid
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will
have an index number of zero.
custom
The log field that a user has created. This is referred to as a custom
log field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays
zero if the firewall policy does not use an identity-based policy;
otherwise, it displays the number of the identity-based policy entry
that the traffic matched. This number is not globally unique, it is only
locally unique within a given firewall policy.
serial
The serial number of the firewall session on which the event
happened.
dir
This field contains any one of the following:
• N/A
• tx
• rx
file
The name of the file.
checksum
The checksum of the file that was scanned by the FortiGate unit. If
two files have different names but the same checksum, the FortiGate
unit assumes that they have the same content.
quarskip
This field contains any one of the following:
• No skip
• No quaratine for HTTP GET file pattern block
• No quarantine for oversized files
• File was not quarantined.
virus
The name of the virus that was detected.
dtype
The dtype information.
ref
The URL reference that gives more information about the virus. If you
enter the URL in the address bar of the web browser, you are
directed to that specific page that contains information about the
virus.
url
The URL address of where the file was acquired.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field
will always display N/A in FortiOS.
profile
The name of the profile that was used to detect and take action.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
profilegroup
The group that the profile is a part of. This field contains N/A if there
is no profile group configured. Profile groups are only available in
FortiOS Carrier.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
agent
This field is for FortiOS Carrier only. If the unit is not running FortiOS
Carrier, this field always contains N/A.
from
The sender’s email address.
to
The recipient’s email address.
8963
Message ID
8963
Log Subtype
Scanerror
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The archived file is encrypted.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no
virtual domains exist, this field always contains root.
msg
Encrypted archive.
status
The decision of the antivirus engine on how to treat the file. This field
contains any one of the following:
• blocked
• passthrough
• monitored
service
The type of protocol that was used to send and receive the traffic.
This field contains any one of the following:
• http
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• im
• nntp
• https
• smtps
• imaps
• pop3s
• http (ftp-over-http)
src
The source IP address.
dst
The destination IP address.
sport
The source port number.
src_port
The source port number.
dport
The destination port number.
dst_port
The destination port number.
src_int
The source interface. For example, internal.
dst_int
The destination interface. For example, wan1.
policyid
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will
have an index number of zero.
custom
The log field that a user has created. This is referred to as a custom
log field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays
zero if the firewall policy does not use an identity-based policy;
otherwise, it displays the number of the identity-based policy entry
that the traffic matched. This number is not globally unique, it is only
locally unique within a given firewall policy.
serial
The serial number of the firewall session on which the event
happened.
dir
This field contains any one of the following:
• N/A
• tx
• rx
file
The name of the file.
checksum
The checksum of the file that was scanned by the FortiGate unit. If
two files have different names but the same checksum, the FortiGate
unit assumes that they have the same content.
quarskip
This field contains any one of the following:
• No skip
• No quaratine for HTTP GET file pattern block
• No quarantine for oversized files
• File was not quarantined.
virus
The name of the virus that was detected.
dtype
The dtype information.
ref
The URL reference that gives more information about the virus. If you
enter the URL in the address bar of the web browser, you are
directed to that specific page that contains information about the
virus.
url
The URL address of where the file was acquired.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field
will always display N/A in FortiOS.
profile
The name of the profile that was used to detect and take action.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
profilegroup
The group that the profile is a part of. This field contains N/A if there
is no profile group configured. Profile groups are only available in
FortiOS Carrier.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
agent
This field is for FortiOS Carrier only. If the unit is not running FortiOS
Carrier, this field always contains N/A.
from
The sender’s email address.
to
The recipient’s email address.
8964
Message ID
8964
Log Subtype
Scanerror
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
The archived file is corrupted.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no
virtual domains exist, this field always contains root.
msg
Corrupted archive
status
The decision of the antivirus engine on how to treat the file. This field
contains any one of the following:
• blocked
• passthrough
• monitored
service
The type of protocol that was used to send and receive the traffic.
This field contains any one of the following:
• http
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• im
• nntp
• https
• smtps
• imaps
• pop3s
• http (ftp-over-http)
src
The source IP address.
dst
The destination IP address.
sport
The source port number.
src_port
The source port number.
dport
The destination port number.
dst_port
The destination port number.
src_int
The source interface. For example, internal.
dst_int
The destination interface. For example, wan1.
policyid
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will
have an index number of zero.
custom
The log field that a user has created. This is referred to as a custom
log field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays
zero if the firewall policy does not use an identity-based policy;
otherwise, it displays the number of the identity-based policy entry
that the traffic matched. This number is not globally unique, it is only
locally unique within a given firewall policy.
serial
The serial number of the firewall session on which the event
happened.
dir
This field contains any one of the following:
• N/A
• tx
• rx
file
The name of the file.
checksum
The checksum of the file that was scanned by the FortiGate unit. If
two files have different names but the same checksum, the FortiGate
unit assumes that they have the same content.
quarskip
This field contains any one of the following:
• No skip
• No quaratine for HTTP GET file pattern block
• No quarantine for oversized files
• File was not quarantined.
virus
The name of the virus that was detected.
dtype
The dtype information.
ref
The URL reference that gives more information about the virus. If you
enter the URL in the address bar of the web browser, you are
directed to that specific page that contains information about the
virus.
url
The URL address of where the file was acquired.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field
will always display N/A in FortiOS.
profile
The name of the profile that was used to detect and take action.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
profilegroup
The group that the profile is a part of. This field contains N/A if there
is no profile group configured. Profile groups are only available in
FortiOS Carrier.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
agent
This field is for FortiOS Carrier only. If the unit is not running FortiOS
Carrier, this field always contains N/A.
from
The sender’s email address.
to
The recipient’s email address.
8965
Message ID
8962
Log Subtype
Scanerror
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The archived file is corrupted.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no
virtual domains exist, this field always contains root.
msg
Corrupted archive.
status
The decision of the antivirus engine on how to treat the file. This field
contains any one of the following:
• blocked
• passthrough
• monitored
service
The type of protocol that was used to send and receive the traffic.
This field contains any one of the following:
• http
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• im
• nntp
• https
• smtps
• imaps
• pop3s
• http (ftp-over-http)
src
The source IP address.
dst
The destination IP address.
sport
The source port number.
src_port
The source port number.
dport
The destination port number.
dst_port
The destination port number.
src_int
The source interface. For example, internal.
dst_int
The destination interface. For example, wan1.
policyid
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will
have an index number of zero.
custom
The log field that a user has created. This is referred to as a custom
log field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays
zero if the firewall policy does not use an identity-based policy;
otherwise, it displays the number of the identity-based policy entry
that the traffic matched. This number is not globally unique, it is only
locally unique within a given firewall policy.
serial
The serial number of the firewall session on which the event
happened.
dir
This field contains any one of the following:
• N/A
• tx
• rx
file
The name of the file.
checksum
The checksum of the file that was scanned by the FortiGate unit. If
two files have different names but the same checksum, the FortiGate
unit assumes that they have the same content.
quarskip
This field contains any one of the following:
• No skip
• No quaratine for HTTP GET file pattern block
• No quarantine for oversized files
• File was not quarantined.
virus
The name of the virus that was detected.
dtype
The dtype information.
ref
The URL reference that gives more information about the virus. If you
enter the URL in the address bar of the web browser, you are
directed to that specific page that contains information about the
virus.
url
The URL address of where the file was acquired.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field
will always display N/A in FortiOS.
profile
The name of the profile that was used to detect and take action.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
profilegroup
The group that the profile is a part of. This field contains N/A if there
is no profile group configured. Profile groups are only available in
FortiOS Carrier.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
agent
This field is for FortiOS Carrier only. If the unit is not running FortiOS
Carrier, this field always contains N/A.
from
The sender’s email address.
to
The recipient’s email address.
8966
Message ID
8966
Log Subtype
Scanerror
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
The file is a multipart archive or contains multiple files within the
archive.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no
virtual domains exist, this field always contains root.
msg
Multipart archive.
status
The decision of the antivirus engine on how to treat the file. This field
contains any one of the following:
• blocked
• passthrough
• monitored
service
The type of protocol that was used to send and receive the traffic.
This field contains any one of the following:
• http
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• im
• nntp
• https
• smtps
• imaps
• pop3s
• http (ftp-over-http)
src
The source IP address.
dst
The destination IP address.
sport
The source port number.
src_port
The source port number.
dport
The destination port number.
dst_port
The destination port number.
src_int
The source interface. For example, internal.
dst_int
The destination interface. For example, wan1.
policyid
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will
have an index number of zero.
custom
The log field that a user has created. This is referred to as a custom
log field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays
zero if the firewall policy does not use an identity-based policy;
otherwise, it displays the number of the identity-based policy entry
that the traffic matched. This number is not globally unique, it is only
locally unique within a given firewall policy.
serial
The serial number of the firewall session on which the event
happened.
dir
This field contains any one of the following:
• N/A
• tx
• rx
file
The name of the file.
checksum
The checksum of the file that was scanned by the FortiGate unit. If
two files have different names but the same checksum, the FortiGate
unit assumes that they have the same content.
quarskip
This field contains any one of the following:
• No skip
• No quaratine for HTTP GET file pattern block
• No quarantine for oversized files
• File was not quarantined.
virus
The name of the virus that was detected.
dtype
The dtype information.
ref
The URL reference that gives more information about the virus. If you
enter the URL in the address bar of the web browser, you are
directed to that specific page that contains information about the
virus.
url
The URL address of where the file was acquired.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field
will always display N/A in FortiOS.
profile
The name of the profile that was used to detect and take action.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
profilegroup
The group that the profile is a part of. This field contains N/A if there
is no profile group configured. Profile groups are only available in
FortiOS Carrier.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
agent
This field is for FortiOS Carrier only. If the unit is not running FortiOS
Carrier, this field always contains N/A.
from
The sender’s email address.
to
The recipient’s email address.
8967
Message ID
8967
Log Subtype
Scanerror
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The file is a multipart archive or contains multiple files within the
archive.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no
virtual domains exist, this field always contains root.
msg
Encrypted archive.
status
The decision of the antivirus engine on how to treat the file. This field
contains any one of the following:
• blocked
• passthrough
• monitored
service
The type of protocol that was used to send and receive the traffic.
This field contains any one of the following:
• http
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• im
• nntp
• https
• smtps
• imaps
• pop3s
• http (ftp-over-http)
src
The source IP address.
dst
The destination IP address.
sport
The source port number.
src_port
The source port number.
dport
The destination port number.
dst_port
The destination port number.
src_int
The source interface. For example, internal.
dst_int
The destination interface. For example, wan1.
policyid
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will
have an index number of zero.
custom
The log field that a user has created. This is referred to as a custom
log field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays
zero if the firewall policy does not use an identity-based policy;
otherwise, it displays the number of the identity-based policy entry
that the traffic matched. This number is not globally unique, it is only
locally unique within a given firewall policy.
serial
The serial number of the firewall session on which the event
happened.
dir
This field contains any one of the following:
• N/A
• tx
• rx
file
The name of the file.
checksum
The checksum of the file that was scanned by the FortiGate unit. If
two files have different names but the same checksum, the FortiGate
unit assumes that they have the same content.
quarskip
This field contains any one of the following:
• No skip
• No quaratine for HTTP GET file pattern block
• No quarantine for oversized files
• File was not quarantined.
virus
The name of the virus that was detected.
dtype
The dtype information.
ref
The URL reference that gives more information about the virus. If you
enter the URL in the address bar of the web browser, you are
directed to that specific page that contains information about the
virus.
url
The URL address of where the file was acquired.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field
will always display N/A in FortiOS.
profile
The name of the profile that was used to detect and take action.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
profilegroup
The group that the profile is a part of. This field contains N/A if there
is no profile group configured. Profile groups are only available in
FortiOS Carrier.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
agent
This field is for FortiOS Carrier only. If the unit is not running FortiOS
Carrier, this field always contains N/A.
from
The sender’s email address.
to
The recipient’s email address.
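The following is an added example, not part of the Fortinet reference: it uses the msg, status, checksum, file, src, dst, service and user fields described in the Oversize and Scanerror entries to list files that the antivirus engine could not fully inspect but did not block, grouped by checksum because the reference states that equal checksums mean equal content. The raw key=value line layout, the sample lines (constructed), and the choice to review every status other than blocked are assumptions of this example.

```python
import re
from collections import defaultdict

# msg values from the Oversize and Scanerror entries in this reference, stored
# without the trailing period because the reference prints it inconsistently.
UNSCANNED_MSGS = {
    "Size limit is exceeded",
    "File reached uncompressed nested limit",
    "File reached uncompressed size limit",
    "Encrypted archive",
    "Corrupted archive",
    "Multipart archive",
    "Nested archive",
}

# Assumption: a raw log line is a run of space-separated key=value pairs and
# values containing spaces are double-quoted.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')


def parse_record(line):
    """Return the fields of one log line as a dict of strings."""
    fields = {}
    for match in FIELD_RE.finditer(line):
        key, quoted, bare = match.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def review_unscanned(lines):
    """Group files that were not fully scanned and not blocked, by checksum.

    Returns {checksum: {"events", "files", "reasons", "flows"}}. Records
    without a checksum are keyed on the file name so they are not merged.
    """
    groups = defaultdict(
        lambda: {"events": 0, "files": set(), "reasons": set(), "flows": set()}
    )
    for line in lines:
        rec = parse_record(line)
        reason = rec.get("msg", "").rstrip(".")
        if reason not in UNSCANNED_MSGS:
            continue  # not an oversize/scanerror message
        if rec.get("status") == "blocked":
            continue  # the file never reached the recipient
        key = rec.get("checksum") or "no-checksum:" + rec.get("file", "N/A")
        group = groups[key]
        group["events"] += 1
        group["files"].add(rec.get("file", "N/A"))
        group["reasons"].add(reason)
        group["flows"].add(
            (rec.get("service", "N/A"), rec.get("src", "N/A"),
             rec.get("dst", "N/A"), rec.get("user", "N/A"))
        )
    return dict(groups)


# Constructed sample lines (documentation address ranges, invented values).
SAMPLE_LOG = """\
vd=root msg="Encrypted archive." status=passthrough service=smtp src=192.0.2.10 dst=198.51.100.5 file="invoice.zip" checksum=1a2b3c4d user=N/A
vd=root msg="Encrypted archive." status=passthrough service=http src=203.0.113.7 dst=198.51.100.22 file="scan_0412.zip" checksum=1a2b3c4d user=alice
vd=root msg="File reached uncompressed size limit." status=blocked service=http src=203.0.113.9 dst=198.51.100.22 file="big.tar.gz" checksum=55aa55aa user=bob
vd=root msg="Corrupted archive" status=monitored service=ftp src=198.51.100.40 dst=192.0.2.77 file="backup.rar" checksum=9f8e7d6c user=carol
vd=root msg="Constructed unrelated message" status=passthrough service=http src=192.0.2.1 dst=192.0.2.2 file="a.txt" checksum=00000000 user=dave
"""

if __name__ == "__main__":
    for checksum, info in sorted(review_unscanned(SAMPLE_LOG.splitlines()).items()):
        print(checksum, info["events"], sorted(info["files"]), sorted(info["reasons"]))
```

Two differently named files sharing one checksum, as in the first two sample lines, show up as a single group with two events, which is usually the first thing to follow up when the reason is an encrypted archive.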
8968
Message ID
8968
Log Subtype
Scanerror
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
The file is a nested archived file.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no
virtual domains exist, this field always contains root.
msg
Nested archive.
status
The decision of the antivirus engine on how to treat the file. This field
contains any one of the following:
• blocked
• passthrough
• monitored
service
The type of protocol that was used to send and receive the traffic.
This field contains any one of the following:
• http
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• im
• nntp
• https
• smtps
• imaps
• pop3s
• http (ftp-over-http)
src
The source IP address.
dst
The destination IP address.
sport
The source port number.
src_port
The source port number.
dport
The destination port number.
dst_port
The destination port number.
src_int
The source interface. For example, internal.
dst_int
The destination interface. For example, wan1.
policyid
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will
have an index number of zero.
custom
The log field that a user has created. This is referred to as a custom
log field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays
zero if the firewall policy does not use an identity-based policy;
otherwise, it displays the number of the identity-based policy entry
that the traffic matched. This number is not globally unique; it is only
locally unique within a given firewall policy.
serial
The serial number of the firewall session on which the event
happened.
dir
This field contains any one of the following:
• N/A
• tx
• rx
file
The name of the file.
checksum
The checksum of the file that was scanned by the FortiGate unit. If
two files have different names but the same checksum, the FortiGate
unit assumes that they have the same content.
quarskip
This field contains any one of the following:
• No skip
• No quarantine for HTTP GET file pattern block
• No quarantine for oversized files
• File was not quarantined.
virus
The name of the virus that was detected.
dtype
The dtype information.
ref
The URL reference that gives more information about the virus. If you
enter the URL in the address bar of the web browser, you are
directed to that specific page that contains information about the
virus.
url
The URL address of where the file was acquired.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field
will always display N/A in FortiOS.
profile
The name of the profile that was used to detect and take action.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
profilegroup
The group that the profile is a part of. This field contains N/A if there
is no profile group configured. Profile groups are only available in
FortiOS Carrier.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
agent
This field is for FortiOS Carrier only. If the unit is not running FortiOS
Carrier, this field always contains N/A.
from
The sender’s email address.
to
The recipient’s email address.
8969
Message ID
8969
Log Subtype
Scanerror
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The file is a nested archived file.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no
virtual domains exist, this field always contains root.
msg
Nested archive.
status
The decision of the antivirus engine on how to treat the file. This field
contains any one of the following:
• blocked
• passthrough
• monitored
service
The type of protocol that was used to send and receive the traffic.
This field contains any one of the following:
• http
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• im
• nntp
• https
• smtps
• imaps
• pop3s
• http (ftp-over-http)
src
The source IP address.
dst
The destination IP address.
sport
The source port number.
src_port
The source port number.
dport
The destination port number.
dst_port
The destination port number.
src_int
The source interface. For example, internal.
dst_int
The destination interface. For example, wan1.
policyid
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will
have an index number of zero.
custom
The log field that a user has created. This is referred to as a custom
log field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays
zero if the firewall policy does not use an identity-based policy;
otherwise, it displays the number of the identity-based policy entry
that the traffic matched. This number is not globally unique; it is only
locally unique within a given firewall policy.
serial
The serial number of the firewall session on which the event
happened.
dir
This field contains any one of the following:
• N/A
• tx
• rx
file
The name of the file.
checksum
The checksum of the file that was scanned by the FortiGate unit. If
two files have different names but the same checksum, the FortiGate
unit assumes that they have the same content.
quarskip
This field contains any one of the following:
• No skip
• No quarantine for HTTP GET file pattern block
• No quarantine for oversized files
• File was not quarantined.
virus
The name of the virus that was detected.
dtype
The dtype information.
ref
The URL reference that gives more information about the virus. If you
enter the URL in the address bar of the web browser, you are
directed to that specific page that contains information about the
virus.
url
The URL address of where the file was acquired.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field
will always display N/A in FortiOS.
profile
The name of the profile that was used to detect and take action.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
profilegroup
The group that the profile is a part of. This field contains N/A if there
is no profile group configured. Profile groups are only available in
FortiOS Carrier.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
agent
This field is for FortiOS Carrier only. If the unit is not running FortiOS
Carrier, this field always contains N/A.
from
The sender’s email address.
to
The recipient’s email address.
8970
Message ID
8970
Log Subtype
Scanerror
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
The archived file is oversized.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no
virtual domains exist, this field always contains root.
msg
Oversize archive.
status
The decision of the antivirus engine on how to treat the file. This field
contains any one of the following:
• blocked
• passthrough
• monitored
service
The type of protocol that was used to send and receive the traffic.
This field contains any one of the following:
• http
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• im
• nntp
• https
• smtps
• imaps
• pop3s
• http (ftp-over-http)
src
The source IP address.
dst
The destination IP address.
sport
The source port number.
src_port
The source port number.
dport
The destination port number.
dst_port
The destination port number.
src_int
The source interface. For example, internal.
dst_int
The destination interface. For example, wan1.
policyid
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will
have an index number of zero.
custom
The log field that a user has created. This is referred to as a custom
log field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays
zero if the firewall policy does not use an identity-based policy;
otherwise, it displays the number of the identity-based policy entry
that the traffic matched. This number is not globally unique; it is only
locally unique within a given firewall policy.
serial
The serial number of the firewall session on which the event
happened.
dir
This field contains any one of the following:
• N/A
• tx
• rx
file
The name of the file.
checksum
The checksum of the file that was scanned by the FortiGate unit. If
two files have different names but the same checksum, the FortiGate
unit assumes that they have the same content.
quarskip
This field contains any one of the following:
• No skip
• No quarantine for HTTP GET file pattern block
• No quarantine for oversized files
• File was not quarantined.
virus
The name of the virus that was detected.
dtype
The dtype information.
ref
The URL reference that gives more information about the virus. If you
enter the URL in the address bar of the web browser, you are
directed to that specific page that contains information about the
virus.
url
The URL address of where the file was acquired.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field
will always display N/A in FortiOS.
profile
The name of the profile that was used to detect and take action.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
profilegroup
The group that the profile is a part of. This field contains N/A if there
is no profile group configured. Profile groups are only available in
FortiOS Carrier.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
agent
This field is for FortiOS Carrier only. If the unit is not running FortiOS
Carrier, this field always contains N/A.
from
The sender’s email address.
to
The recipient’s email address.
8971
Message ID
8971
Log Subtype
Scanerror
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The archived file is oversized.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no
virtual domains exist, this field always contains root.
msg
Nested archive.
status
The decision of the antivirus engine on how to treat the file. This field
contains any one of the following:
• blocked
• passthrough
• monitored
service
The type of protocol that was used to send and receive the traffic.
This field contains any one of the following:
• http
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• im
• nntp
• https
• smtps
• imaps
• pop3s
• http (ftp-over-http)
src
The source IP address.
dst
The destination IP address.
sport
The source port number.
src_port
The source port number.
dport
The destination port number.
dst_port
The destination port number.
src_int
The source interface. For example, internal.
dst_int
The destination interface. For example, wan1.
policyid
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will
have an index number of zero.
custom
The log field that a user has created. This is referred to as a custom
log field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays
zero if the firewall policy does not use an identity-based policy;
otherwise, it displays the number of the identity-based policy entry
that the traffic matched. This number is not globally unique; it is only
locally unique within a given firewall policy.
serial
The serial number of the firewall session on which the event
happened.
dir
This field contains any one of the following:
• N/A
• tx
• rx
file
The name of the file.
checksum
The checksum of the file that was scanned by the FortiGate unit. If
two files have different names but the same checksum, the FortiGate
unit assumes that they have the same content.
quarskip
This field contains any one of the following:
• No skip
• No quarantine for HTTP GET file pattern block
• No quarantine for oversized files
• File was not quarantined.
virus
The name of the virus that was detected.
dtype
The dtype information.
ref
The URL reference that gives more information about the virus. If you
enter the URL in the address bar of the web browser, you are
directed to that specific page that contains information about the
virus.
url
The URL address of where the file was acquired.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field
will always display N/A in FortiOS.
profile
The name of the profile that was used to detect and take action.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
profilegroup
The group that the profile is a part of. This field contains N/A if there
is no profile group configured. Profile groups are only available in
FortiOS Carrier.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
agent
This field is for FortiOS Carrier only. If the unit is not running FortiOS
Carrier, this field always contains N/A.
from
The sender’s email address.
to
The recipient’s email address.
8972
Message ID
8969
Log Subtype
Scanerror
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
A type of unhandled archived file.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no
virtual domains exist, this field always contains root.
msg
Unhandled archive.
status
The decision of the antivirus engine on how to treat the file. This field
contains any one of the following:
• blocked
• passthrough
• monitored
service
The type of protocol that was used to send and receive the traffic.
This field contains any one of the following:
• http
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• im
• nntp
• https
• smtps
• imaps
• pop3s
• http (ftp-over-http)
src
The source IP address.
dst
The destination IP address.
sport
The source port number.
src_port
The source port number.
dport
The destination port number.
dst_port
The destination port number.
src_int
The source interface. For example, internal.
dst_int
The destination interface. For example, wan1.
policyid
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will
have an index number of zero.
custom
The log field that a user has created. This is referred to as a custom
log field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays
zero if the firewall policy does not use an identity-based policy;
otherwise, it displays the number of the identity-based policy entry
that the traffic matched. This number is not globally unique; it is only
locally unique within a given firewall policy.
serial
The serial number of the firewall session on which the event
happened.
dir
This field contains any one of the following:
• N/A
• tx
• rx
file
The name of the file.
checksum
The checksum of the file that was scanned by the FortiGate unit. If
two files have different names but the same checksum, the FortiGate
unit assumes that they have the same content.
quarskip
This field contains any one of the following:
• No skip
• No quarantine for HTTP GET file pattern block
• No quarantine for oversized files
• File was not quarantined.
virus
The name of the virus that was detected.
dtype
The dtype information.
ref
The URL reference that gives more information about the virus. If you
enter the URL in the address bar of the web browser, you are
directed to that specific page that contains information about the
virus.
url
The URL address of where the file was acquired.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field
will always display N/A in FortiOS.
profile
The name of the profile that was used to detect and take action.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
profilegroup
The group that the profile is a part of. This field contains N/A if there
is no profile group configured. Profile groups are only available in
FortiOS Carrier.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
agent
This field is for FortiOS Carrier only. If the unit is not running FortiOS
Carrier, this field always contains N/A.
from
The sender’s email address.
to
The recipient’s email address.
8973
Message ID
8973
Log Subtype
Scanerror
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
A type of unhandled archived file.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no
virtual domains exist, this field always contains root.
msg
Unhandled archive.
status
The decision of the antivirus engine on how to treat the file. This field
contains any one of the following:
• blocked
• passthrough
• monitored
service
The type of protocol that was used to send and receive the traffic.
This field contains any one of the following:
• http
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• im
• nntp
• https
• smtps
• imaps
• pop3s
• http (ftp-over-http)
src
The source IP address.
dst
The destination IP address.
sport
The source port number.
src_port
The source port number.
dport
The destination port number.
dst_port
The destination port number.
src_int
The source interface. For example, internal.
dst_int
The destination interface. For example, wan1.
policyid
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will
have an index number of zero.
custom
The log field that a user has created. This is referred to as a custom
log field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays
zero if the firewall policy does not use an identity-based policy;
otherwise, it displays the number of the identity-based policy entry
that the traffic matched. This number is not globally unique; it is only
locally unique within a given firewall policy.
serial
The serial number of the firewall session on which the event
happened.
dir
This field contains any one of the following:
• N/A
• tx
• rx
file
The name of the file.
checksum
The checksum of the file that was scanned by the FortiGate unit. If
two files have different names but the same checksum, the FortiGate
unit assumes that they have the same content.
quarskip
This field contains any one of the following:
• No skip
• No quarantine for HTTP GET file pattern block
• No quarantine for oversized files
• File was not quarantined.
virus
The name of the virus that was detected.
dtype
The dtype information.
ref
The URL reference that gives more information about the virus. If you
enter the URL in the address bar of the web browser, you are
directed to that specific page that contains information about the
virus.
url
The URL address of where the file was acquired.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field
will always display N/A in FortiOS.
profile
The name of the profile that was used to detect and take action.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
profilegroup
The group that the profile is a part of. This field contains N/A if there
is no profile group configured. Profile groups are only available in
FortiOS Carrier.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
agent
This field is for FortiOS Carrier only. If the unit is not running FortiOS
Carrier, this field always contains N/A.
from
The sender’s email address.
to
The recipient’s email address.
Attack
Attack log messages are recorded when attacks are made against your network. These log messages
provide details about the attack, such as the severity level of the attack and a reference URL link to find
more information about the specified attack in the Fortinet Attack Encyclopedia.
In FortiOS 4.0 MR3 and higher, attack log messages are located in the UTM log file. These log messages can
also be viewed in the web-based manager from Log&Report > Log & Archive Access > UTM.
16384
16385
16386
18432
18433
18434
16384
Message ID
16384
Log Subtype
Signature
Severity
Alert
Firmware version
FortiOS 4.0 MR3
Meaning
An attack signature using UDP/TCP.
Fields
Field Description
severity
The specified severity level of the attack. This field contains any one of
the following:
• info
• low
• medium
• high
• critical
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field
will always display N/A in FortiOS.
profilegroup
The group that the profile is a part of. This field contains N/A if there is
no profile group configured. Profile groups are only available in FortiOS
Carrier.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
profile
The name of the profile that was used to detect and take action.
src
The source IP address.
dst
The destination IP address.
src_int
The source interface. For example, internal.
dst_int
The destination interface. For example, wan1.
policyid
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will
have an index number of zero.
identidx
The identity-based policy identification number. This field displays zero
if the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique; it is only locally unique
within a given firewall policy.
custom
The log field that a user has created. This is referred to as a custom log
field because the name can be anything, for example, hq.
serial
The serial number of the firewall session on which the event happened.
status
The type of action the FortiGate unit took, for example, detecting the
attack.
This field contains any one of the following:
• detected
• dropped
• reset
proto
The protocol number that applies to the session or packet. This is the
protocol number in the packet header that identifies the next level
protocol. Protocol numbers are assigned by the Internet Assigned
Numbers Authority (IANA).
service
The service where the event or activity occurred. For example,
139/tcp.
vd
The name of the virtual domain in which the action occurred. If no
virtual domains exist, this field always contains root.
count
The number of times that the attack was detected within a short period
of time. This is useful when the attacks are DoS attacks.
attack_name
The name of the attack.
src_port
The source port number. This number is either a TCP or UDP port
number.
dst_port
The destination port number. This number is either a TCP or UDP port
number.
attack_id
The identification number of the attack log message.
sensor
The name of the DLP sensor that was used to detect and take action.
ref
The reference URL where you can find out more information about the
attack. This URL takes you directly to Fortinet’s FortiGuard Center
Encyclopedia.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
incident_serialno
The unique ID for this attack. This number is used for cross-referencing
IPS packet logs.
msg
The log message information. This is usually a sentence and explains
the activity and/or action taken.
16385
Message ID
16385
Log Subtype
Signature
Severity
Alert
Firmware version
FortiOS 4.0 MR3
Meaning
An attack signature using ICMP.
Fields
Field Description
severity
The specified severity level of the attack. This field contains any one of
the following:
• info
• low
• medium
• high
• critical
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field
will always display N/A in FortiOS.
profilegroup
The group that the profile is a part of. This field contains N/A if there is
no profile group configured. Profile groups are only available in FortiOS
Carrier.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
profile
The name of the profile that was used to detect and take action.
src
The source IP address.
dst
The destination IP address.
src_int
The source interface. For example, internal.
dst_int
The destination interface. For example, wan1.
policyid
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will
have an index number of zero.
identidx
The identity-based policy identification number. This field displays zero
if the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique; it is only locally unique
within a given firewall policy.
custom
The log field that a user has created. This is referred to as a custom log
field because the name can be anything, for example, hq.
serial
The serial number of the firewall session on which the event happened.
status
The type of action the FortiGate unit took, for example, detecting the
attack.
This field contains any one of the following:
• detected
• dropped
• reset
proto
The protocol number that applies to the session or packet. This is the
protocol number in the packet header that identifies the next level
protocol. Protocol numbers are assigned by the Internet Assigned
Numbers Authority (IANA).
service
The service where the event or activity occurred. For example,
139/tcp.
vd
The name of the virtual domain in which the action occurred. If no
virtual domains exist, this field always contains root.
count
The number of times that the attack was detected within a short period
of time. This is useful when the attacks are DoS attacks.
attack_name
The name of the attack.
icmp_id
The ICMP source port number.
icmp_type
The ICMP destination port number.
icmp_code
The ICMP destination port number.
attack_id
The identification number of the attack log message.
sensor
The name of the DLP sensor that was used to detect and take action.
ref
The reference URL where you can find out more information about the
attack. This URL takes you directly to Fortinet’s FortiGuard Center
Encyclopedia.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
incident_serialno
The unique ID for this attack. This number is used for cross-referencing
IPS packet logs.
msg
The log message information. This is usually a sentence and explains
the activity and/or action taken.
16386
Message ID
16386
Log Subtype
Signature
Severity
Alert
Firmware version
FortiOS 4.0 MR3
Meaning
An attack signature using others.
Fields
Field Description
severity
The specified severity level of the attack. This field contains any one of
the following:
• info
• low
• medium
• high
• critical
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field
will always display N/A in FortiOS.
profilegroup
The group that the profile is a part of. This field contains N/A if there is
no profile group configured. Profile groups are only available in FortiOS
Carrier.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
profile
The name of the profile that was used to detect and take action.
src
The source IP address.
dst
The destination IP address.
src_int
The source interface. For example, internal.
dst_int
The destination interface. For example, wan1.
policyid
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will
have an index number of zero.
identidx
The identity-based policy identification number. This field displays zero
if the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique; it is only locally unique
within a given firewall policy.
custom
The log field that a user has created. This is referred to as a custom log
field because the name can be anything, for example, hq.
serial
The serial number of the firewall session on which the event happened.
status
The type of action the FortiGate unit took, for example, detecting the
attack.
This field contains any one of the following:
• detected
• dropped
• reset
proto
The protocol number that applies to the session or packet. This is the
protocol number in the packet header that identifies the next level
protocol. Protocol numbers are assigned by the Internet Assigned
Numbers Authority (IANA).
service
The service where the event or activity occurred. For example,
139/tcp.
vd
The name of the virtual domain in which the action occurred. If no
virtual domains exist, this field always contains root.
count
The number of times that the attack was detected within a short period
of time. This is useful when the attacks are DoS attacks.
attack_name
The name of the attack.
attack_id
The identification number of the attack log message.
sensor
The name of the DLP sensor that was used to detect and take action.
ref
The reference URL where you can find out more information about the
attack. This URL takes you directly to Fortinet’s FortiGuard Center
Encyclopedia.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
incident_serialno
The unique ID for this attack. This number is used for cross-referencing
IPS packet logs.
msg
The log message information. This is usually a sentence and explains
the activity and/or action taken.
18432
Message ID
18432
Log Subtype
Anomaly
Severity
Alert
Firmware version
FortiOS 4.0 MR3
Meaning
An attack anomaly using UDP/TCP.
Fields
Field Description
severity
The specified severity level of the attack. This field contains any one of
the following:
• info
• low
• medium
• high
• critical
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field
will always display N/A in FortiOS.
profilegroup
The group that the profile is a part of. This field contains N/A if there is
no profile group configured. Profile groups are only available in FortiOS
Carrier.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
profile
The name of the profile that was used to detect and take action.
src
The source IP address.
dst
The destination IP address.
src_int
The source interface. For example, internal.
dst_int
The destination interface. For example, wan1.
policyid
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will
have an index number of zero.
identidx
The identity-based policy identification number. This field displays zero
if the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique, it is only locally unique
within a given firewall policy.
custom
The log field that a user has created. This is referred to as a custom log
field because the name can be anything, for example, hq.
serial
The serial number of the firewall session on which the event happened.
status
The type of action the FortiGate unit took, for example detecting the
attack.
This field contains any one of the following:
• detected
• dropped
• reset
proto
The protocol number that applies to the session or packet. This is the
protocol number in the packet header that identifies the next level
protocol. Protocol numbers are assigned by the Internet Assigned
Number Authority (IANA).
service
The service where the event or activity occurred. For example,
139/tcp.
vd
The name of the virtual domain in which the action occurred. If no
virtual domains exist, this field always contains root.
count
The number of times that the attack was detected within a short period
of time. This is useful when the attacks are DoS attacks.
attack_name
The name of the attack.
src_port
The source port number. This number is either a TCP or UDP port
number.
dst_port
The destination port number. This number is either a TCP or UDP port
number.
attack_id
The identification number of the attack log message.
sensor
The name of the DLP sensor that was used to detect and take action.
ref
The reference URL where you can find out more information about the
attack. This URL takes you directly to Fortinet’s FortiGuard Center
Encyclopedia.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
msg
The log message information. This is usually a sentence and explains
the activity and/or action taken.
18433
Message ID
18433
Log Subtype
Anomaly
Severity
Alert
Firmware version
FortiOS 4.0 MR3
Meaning
An attack anomaly using ICMP.
Fields
Field Description
severity
The specified severity level of the attack. This field contains any one of
the following:
• info
• low
• medium
• high
• critical
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field
will always display N/A in FortiOS.
profilegroup
The group that the profile is a part of. This field contains N/A if there is
no profile group configured. Profile groups are only available in FortiOS
Carrier.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
profile
The name of the profile that was used to detect and take action.
src
The source IP address.
dst
The destination IP address.
src_int
The source interface. For example, internal.
dst_int
The destination interface. For example, wan1.
policyid
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will
have an index number of zero.
identidx
The identity-based policy identification number. This field displays zero
if the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique, it is only locally unique
within a given firewall policy.
custom
The log field that a user has created. This is referred to as a custom log
field because the name can be anything, for example, hq.
serial
The serial number of the firewall session on which the event happened.
status
The type of action the FortiGate unit took, for example detecting the
attack.
This field contains any one of the following:
• detected
• dropped
• reset
proto
The protocol number that applies to the session or packet. This is the
protocol number in the packet header that identifies the next level
protocol. Protocol numbers are assigned by the Internet Assigned
Number Authority (IANA).
service
The service where the event or activity occurred. For example,
139/tcp.
vd
The name of the virtual domain in which the action occurred. If no
virtual domains exist, this field always contains root.
count
The number of times that the attack was detected within a short period
of time. This is useful when the attacks are DoS attacks.
attack_name
The name of the attack.
icmp_id
The ICMP source port number.
icmp_type
The ICMP destination port number.
icmp_code
The ICMP destination port number.
attack_id
The identification number of the attack log message.
sensor
The name of the DLP sensor that was used to detect and take action.
ref
The reference URL where you can find out more information about the
attack. This URL takes you directly to Fortinet’s FortiGuard Center
Encyclopedia.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
incident_serialno
The unique ID for this attack. This number is used for cross-referencing
IPS packet logs.
msg
The log message information. This is usually a sentence and explains
the activity and/or action taken.
18434
Message ID
18434
Log Subtype
Anomaly
Severity
Alert
Firmware version
FortiOS 4.0 MR3
Meaning
An attack anomaly using others.
Fields
Field Description
severity
The specified severity level of the attack. This field contains any one of
the following:
• info
• low
• medium
• high
• critical
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field
will always display N/A in FortiOS.
profilegroup
The group that the profile is a part of. This field contains N/A if there is
no profile group configured. Profile groups are only available in FortiOS
Carrier.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
profile
The name of the profile that was used to detect and take action.
src
The source IP address.
dst
The destination IP address.
src_int
The source interface. For example, internal.
dst_int
The destination interface. For example, wan1.
policyid
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will
have an index number of zero.
identidx
The identity-based policy identification number. This field displays zero
if the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique, it is only locally unique
within a given firewall policy.
custom
The log field that a user has created. This is referred to as a custom log
field because the name can be anything, for example, hq.
serial
The serial number of the firewall session on which the event happened.
status
The type of action the FortiGate unit took, for example detecting the
attack.
This field contains any one of the following:
• detected
• dropped
• reset
proto
The protocol number that applies to the session or packet. This is the
protocol number in the packet header that identifies the next level
protocol. Protocol numbers are assigned by the Internet Assigned
Number Authority (IANA).
service
The service where the event or activity occurred. For example,
139/tcp.
vd
The name of the virtual domain in which the action occurred. If no
virtual domains exist, this field always contains root.
count
The number of times that the attack was detected within a short period
of time. This is useful when the attacks are DoS attacks.
attack_name
The name of the attack.
attack_id
The identification number of the attack log message.
sensor
The name of the DLP sensor that was used to detect and take action.
ref
The reference URL where you can find out more information about the
attack. This URL takes you directly to Fortinet’s FortiGuard Center
Encyclopedia.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
incident_serialno
The unique ID for this attack. This number is used for cross-referencing
IPS packet logs.
msg
The log message information. This is usually a sentence and explains
the activity and/or action taken.
Email filter
Email filter log messages record email protocols SMTP, POP3 and IMAP.
In FortiOS 4.0 MR3 and higher, email filtering log messages are located in the UTM log file. These log
messages can also be viewed in the web-based manager from Log&Report > Log & Archive Access > UTM.
20480, 20481, 20482, 20483, 20484, 20491, 20485, 20486, 20487, 20488, 20489, 20490, 20492,
20493, 20494, 20495, 20496, 20497, 20498, 20499, 20500, 20501, 20503, 20504, 20505
20480
Message ID
20480
Log Subtype
SMTP
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
An SMTP warning.
Fields
Field Description
policyid
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will
have an index number of zero.
custom
The log field that a user has created. This is referred to as a custom
log field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero
if the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique, it is only locally unique
within a given firewall policy.
serial
The serial number of the firewall session on which the event happened.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
vd
The name of the virtual domain in which the action occurred. If no
virtual domains exist, this field always contains root.
src
The source IP address.
sport
The source port number.
src_port
The source port number.
src_int
The source interface. For example, internal.
dst
The destination IP address.
dport
The destination port number.
dst_port
The destination port number.
dst_int
The destination interface. For example, wan1.
service
This field contains any one of the following:
• http
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• im
• nntp
• https
• smtps
• imaps
• pop3s
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field
will always display N/A in FortiOS.
profile
The name of the profile that was used to detect and take action.
profilegroup
The group that the profile is part of. This field contains N/A if there is
no profile group configured. Profile groups are only available in
FortiOS Carrier.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
status
The type of action the FortiGate unit took, for example blocking the
email message from getting through.
This field contains any one of the following:
• exempted
• blocked
• detected
from
The sender’s email address.
to
The recipient’s email address.
tracker
The identification information that is associated with the rule or rules
that were used to identify the email message as spam. This field
appears only when the email message was blocked by the email filter
rules, and not by other filter methods. For example, if an email
message was blocked by URL filter, IP address filter and E-mail
checksum filter (these filters are checked off in the FortiGuard Email
Filter section of the Profile page for email filtering) this field displays.
msg
The log message information. This is usually a sentence and explains
the activity and/or action taken.
20481
Message ID
20481
Log Subtype
SMTP
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
An SMTP warning.
Fields
Field Description
policyid
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will
have an index number of zero.
custom
The log field that a user has created. This is referred to as a custom
log field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero
if the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique, it is only locally unique
within a given firewall policy.
serial
The serial number of the firewall session on which the event happened.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
vd
The name of the virtual domain in which the action occurred. If no
virtual domains exist, this field always contains root.
src
The source IP address.
sport
The source port number.
src_port
The source port number.
src_int
The source interface. For example, internal.
dst
The destination IP address.
dport
The destination port number.
dst_port
The destination port number.
dst_int
The destination interface. For example, wan1.
service
This field contains any one of the following:
• http
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• im
• nntp
• https
• smtps
• imaps
• pop3s
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field
will always display N/A in FortiOS.
profile
The name of the profile that was used to detect and take action.
profilegroup
The group that the profile is part of. This field contains N/A if there is
no profile group configured. Profile groups are only available in
FortiOS Carrier.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
status
The type of action the FortiGate unit took, for example blocking the
email message from getting through.
This field contains any one of the following:
• exempted
• blocked
• detected
from
The sender’s email address.
to
The recipient’s email address.
tracker
The identification information that is associated with the rule or rules
that were used to identify the email message as spam. This field
appears only when the email message was blocked by the email filter
rules, and not by other filter methods. For example, if an email
message was blocked by URL filter, IP address filter and E-mail
checksum filter (these filters are checked off in the FortiGuard Email
Filter section of the Profile page for email filtering) this field displays.
banword
The banned word that was detected.
msg
The log message information. This is usually a sentence and explains
the activity and/or action taken.
20482
Message ID
20482
Log Subtype
POP3
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
A POP3 warning.
Fields
Field Description
policyid
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will
have an index number of zero.
custom
The log field that a user has created. This is referred to as a custom
log field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero
if the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique, it is only locally unique
within a given firewall policy.
serial
The serial number of the firewall session on which the event happened.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
vd
The name of the virtual domain in which the action occurred. If no
virtual domains exist, this field always contains root.
src
The source IP address.
sport
The source port number.
src_port
The source port number.
src_int
The source interface. For example, internal.
dst
The destination IP address.
dport
The destination port number.
dst_port
The destination port number.
dst_int
The destination interface. For example, wan1.
service
This field contains any one of the following:
• http
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• im
• nntp
• https
• smtps
• imaps
• pop3s
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field
will always display N/A in FortiOS.
profile
The name of the profile that was used to detect and take action.
profilegroup
The group that the profile is part of. This field contains N/A if there is
no profile group configured. Profile groups are only available in
FortiOS Carrier.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
status
The type of action the FortiGate unit took, for example blocking the
email message from getting through.
This field contains any one of the following:
• exempted
• blocked
• detected
from
The sender’s email address.
to
The recipient’s email address.
tracker
The identification information that is associated with the rule or rules
that were used to identify the email message as spam. This field
appears only when the email message was blocked by the email filter
rules, and not by other filter methods. For example, if an email
message was blocked by URL filter, IP address filter and E-mail
checksum filter (these filters are checked off in the FortiGuard Email
Filter section of the Profile page for email filtering) this field displays.
msg
The log message information. This is usually a sentence and explains
the activity and/or action taken.
20483
Message ID
20483
Log Subtype
POP3
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
A POP3 notice.
Fields
Field Description
policyid
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will
have an index number of zero.
custom
The log field that a user has created. This is referred to as a custom
log field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero
if the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique, it is only locally unique
within a given firewall policy.
serial
The serial number of the firewall session on which the event happened.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
vd
The name of the virtual domain in which the action occurred. If no
virtual domains exist, this field always contains root.
src
The source IP address.
sport
The source port number.
src_port
The source port number.
src_int
The source interface. For example, internal.
dst
The destination IP address.
dport
The destination port number.
dst_port
The destination port number.
dst_int
The destination interface. For example, wan1.
service
This field contains any one of the following:
• http
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• im
• nntp
• https
• smtps
• imaps
• pop3s
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field
will always display N/A in FortiOS.
profile
The name of the profile that was used to detect and take action.
profilegroup
The group that the profile is part of. This field contains N/A if there is
no profile group configured. Profile groups are only available in
FortiOS Carrier.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
status
The type of action the FortiGate unit took, for example blocking the
email message from getting through.
This field contains any one of the following:
• exempted
• blocked
• detected
from
The sender’s email address.
to
The recipient’s email address.
tracker
The identification information that is associated with the rule or rules
that were used to identify the email message as spam. This field
appears only when the email message was blocked by the email filter
rules, and not by other filter methods. For example, if an email
message was blocked by URL filter, IP address filter and E-mail
checksum filter (these filters are checked off in the FortiGuard Email
Filter section of the Profile page for email filtering) this field displays.
banword
The banned word that was detected.
msg
The log message information. This is usually a sentence and explains
the activity and/or action taken.
20484
Message ID
20484
Log Subtype
IMAP
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
An IMAP notice.
Fields
Field Description
policyid
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will
have an index number of zero.
custom
The log field that a user has created. This is referred to as a custom
log field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero
if the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique, it is only locally unique
within a given firewall policy.
serial
The serial number of the firewall session on which the event happened.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
vd
The name of the virtual domain in which the action occurred. If no
virtual domains exist, this field always contains root.
src
The source IP address.
sport
The source port number.
src_port
The source port number.
src_int
The source interface. For example, internal.
dst
The destination IP address.
dport
The destination port number.
dst_port
The destination port number.
dst_int
The destination interface. For example, wan1.
service
This field contains any one of the following:
• http
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• im
• nntp
• https
• smtps
• imaps
• pop3s
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field
will always display N/A in FortiOS.
profile
The name of the profile that was used to detect and take action.
profilegroup
The group that the profile is part of. This field contains N/A if there is
no profile group configured. Profile groups are only available in
FortiOS Carrier.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
status
The type of action the FortiGate unit took, for example blocking the
email message from getting through.
This field contains any one of the following:
• exempted
• blocked
• detected
from
The sender’s email address.
to
The recipient’s email address.
tracker
The identification information that is associated with the rule or rules
that were used to identify the email message as spam. This field
appears only when the email message was blocked by the email filter
rules, and not by other filter methods. For example, if an email
message was blocked by URL filter, IP address filter and E-mail
checksum filter (these filters are checked off in the FortiGuard Email
Filter section of the Profile page for email filtering) this field displays.
msg
The log message information. This is usually a sentence and explains
the activity and/or action taken.
20491
Message ID
20491
Log Subtype
IMAP
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
An IMAP banned word notice.
Fields
Field Description
policyid
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will
have an index number of zero.
custom
The log field that a user has created. This is referred to as a custom
log field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero
if the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique, it is only locally unique
within a given firewall policy.
serial
The serial number of the firewall session on which the event happened.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
vd
The name of the virtual domain in which the action occurred. If no
virtual domains exist, this field always contains root.
src
The source IP address.
sport
The source port number.
src_port
The source port number.
src_int
The source interface. For example, internal.
dst
The destination IP address.
dport
The destination port number.
dst_port
The destination port number.
dst_int
The destination interface. For example, wan1.
service
This field contains any one of the following:
• http
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• im
• nntp
• https
• smtps
• imaps
• pop3s
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field
will always display N/A in FortiOS.
profile
The name of the profile that was used to detect and take action.
profilegroup
The group that the profile is part of. This field contains N/A if there is
no profile group configured. Profile groups are only available in
FortiOS Carrier.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
status
The type of action the FortiGate unit took, for example blocking the
email message from getting through.
This field contains any one of the following:
• exempted
• blocked
• detected
from
The sender’s email address.
to
The recipient’s email address.
tracker
The identification information that is associated with the rule or rules
that were used to identify the email message as spam. This field
appears only when the email message was blocked by the email filter
rules, and not by other filter methods. For example, if an email
message was blocked by URL filter, IP address filter and E-mail
checksum filter (these filters are checked off in the FortiGuard Email
Filter section of the Profile page for email filtering) this field displays.
banword
The banned word that was detected.
msg
The log message information. This is usually a sentence and explains
the activity and/or action taken.
20485
Message ID
20485
Log Subtype
Carrier Endpoint Filter
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
An endpoint filter warning.
Fields
Field Description
policyid
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will
have an index number of zero.
custom
The log field that a user has created. This is referred to as a custom
log field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero
if the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique, it is only locally unique
within a given firewall policy.
serial
The serial number of the firewall session on which the event happened.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
vd
The name of the virtual domain in which the action occurred. If no
virtual domains exist, this field always contains root.
src
The source IP address.
sport
The source port number.
src_port
The source port number.
src_int
The source interface. For example, internal.
dst
The destination IP address.
dport
The destination port number.
dst_port
The destination port number.
dst_int
The destination interface. For example, wan1.
service
This field contains any one of the following:
• http
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• im
• nntp
• https
• smtps
• imaps
• pop3s
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field
will always display N/A in FortiOS.
profile
The name of the profile that was used to detect and take action.
profilegroup
The group that the profile is part of. This field contains N/A if there is
no profile group configured. Profile groups are only available in
FortiOS Carrier.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
status
The type of action the FortiGate unit took, for example blocking the
email message from getting through.
This field contains any one of the following:
• exempted
• blocked
• detected
from
The sender’s email address.
to
The recipient’s email address.
tracker
The identification information that is associated with the rule or rules
that were used to identify the email message as spam. This field
appears only when the email message was blocked by the email filter
rules, and not by other filter methods. For example, if an email
message was blocked by URL filter, IP address filter and E-mail
checksum filter (these filters are checked off in the FortiGuard Email
Filter section of the Profile page for email filtering) this field displays.
msg
The log message information. This is usually a sentence and explains
the activity and/or action taken.
20486
Message ID
20486
Log Subtype
Carrier Endpoint Filter
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
An endpoint filter notice.
Fields
Field Description
policyid
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will
have an index number of zero.
custom
The log field that a user has created. This is referred to as a custom
log field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero
if the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique, it is only locally unique
within a given firewall policy.
serial
The serial number of the firewall session on which the event happened.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
vd
The name of the virtual domain in which the action occurred. If no
virtual domains exist, this field always contains root.
src
The source IP address.
sport
The source port number.
src_port
The source port number.
src_int
The source interface. For example, internal.
dst
The destination IP address.
dport
The destination port number.
dst_port
The destination port number.
dst_int
The destination interface. For example, wan1.
service
This field contains any one of the following:
• http
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• im
• nntp
• https
• smtps
• imaps
• pop3s
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field
will always display N/A in FortiOS.
profile
The name of the profile that was used to detect and take action.
profilegroup
The group that the profile is part of. This field contains N/A if there is
no profile group configured. Profile groups are only available in
FortiOS Carrier.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
status
The type of action the FortiGate unit took, for example blocking the
email message from getting through.
This field contains any one of the following:
• exempted
• blocked
• detected
from
The sender’s email address.
to
The recipient’s email address.
tracker
The identification information that is associated with the rule or rules
that were used to identify the email message as spam. This field
appears only when the email message was blocked by the email filter
rules, and not by other filter methods. For example, if an email
message was blocked by URL filter, IP address filter and E-mail
checksum filter (these filters are checked off in the FortiGuard Email
Filter section of the Profile page for email filtering) this field displays.
msg
The log message information. This is usually a sentence and explains
the activity and/or action taken.
20487
Message ID
20487
Log Subtype
Carrier Endpoint Filter
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
An MM7 warning.
Fields
Field Description
policyid
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will
have an index number of zero.
custom
The log field that a user has created. This is referred to as a custom
log field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero
if the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique, it is only locally unique
within a given firewall policy.
serial
The serial number of the firewall session on which the event happened.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
vd
The name of the virtual domain in which the action occurred. If no
virtual domains exist, this field always contains root.
src
The source IP address.
sport
The source port number.
src_port
The source port number.
src_int
The source interface. For example, internal.
dst
The destination IP address.
dport
The destination port number.
dst_port
The destination port number.
dst_int
The destination interface. For example, wan1.
service
This field contains any one of the following:
• http
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• im
• nntp
• https
• smtps
• imaps
• pop3s
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field
will always display N/A in FortiOS.
profile
The name of the profile that was used to detect and take action.
profilegroup
The group that the profile is part of. This field contains N/A if there is
no profile group configured. Profile groups are only available in
FortiOS Carrier.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
status
The type of action the FortiGate unit took, for example blocking the
email message from getting through.
This field contains any one of the following:
• exempted
• blocked
• detected
from
The sender’s email address.
to
The recipient’s email address.
tracker
The identification information that is associated with the rule or rules
that were used to identify the email message as spam. This field
appears only when the email message was blocked by the email filter
rules, and not by other filter methods. For example, if an email
message was blocked by URL filter, IP address filter and E-mail
checksum filter (these filters are checked off in the FortiGuard Email
Filter section of the Profile page for email filtering) this field displays.
agent
This field is for FortiOS Carrier only. If the unit is not running FortiOS
Carrier, this field always contains N/A.
msg
The log message information. This is usually a sentence and explains
the activity and/or action taken.
20488
Message ID
20488
Log Subtype
Carrier Endpoint Filter
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
An MM7 notice.
Fields
Field Description
policyid
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will
have an index number of zero.
custom
The log field that a user has created. This is referred to as a custom
log field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero
if the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique, it is only locally unique
within a given firewall policy.
serial
The serial number of the firewall session on which the event happened.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
vd
The name of the virtual domain in which the action occurred. If no
virtual domains exist, this field always contains root.
src
The source IP address.
sport
The source port number.
src_port
The source port number.
src_int
The source interface. For example, internal.
dst
The destination IP address.
dport
The destination port number.
dst_port
The destination port number.
dst_int
The destination interface. For example, wan1.
service
This field contains any one of the following:
• http
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• im
• nntp
• https
• smtps
• imaps
• pop3s
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field
will always display N/A in FortiOS.
profile
The name of the profile that was used to detect and take action.
profilegroup
The group that the profile is part of. This field contains N/A if there is
no profile group configured. Profile groups are only available in
FortiOS Carrier.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
status
The type of action the FortiGate unit took, for example blocking the
email message from getting through.
This field contains any one of the following:
• exempted
• blocked
• detected
from
The sender’s email address.
to
The recipient’s email address.
tracker
The identification information that is associated with the rule or rules
that were used to identify the email message as spam. This field
appears only when the email message was blocked by the email filter
rules, and not by other filter methods. For example, if an email
message was blocked by URL filter, IP address filter and E-mail
checksum filter (these filters are checked off in the FortiGuard Email
Filter section of the Profile page for email filtering) this field displays.
agent
This field is for FortiOS Carrier only. If the unit is not running FortiOS
Carrier, this field always contains N/A.
msg
The log message information. This is usually a sentence and explains
the activity and/or action taken.
20489
Message ID
20489
Log Subtype
Carrier Endpoint Filter
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
An MM1 warning.
Fields
Field Description
policyid
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will
have an index number of zero.
custom
The log field that a user has created. This is referred to as a custom
log field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero
if the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique, it is only locally unique
within a given firewall policy.
serial
The serial number of the firewall session on which the event happened.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
vd
The name of the virtual domain in which the action occurred. If no
virtual domains exist, this field always contains root.
src
The source IP address.
sport
The source port number.
src_port
The source port number.
src_int
The source interface. For example, internal.
dst
The destination IP address.
dport
The destination port number.
dst_port
The destination port number.
dst_int
The destination interface. For example, wan1.
service
This field contains any one of the following:
• http
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• im
• nntp
• https
• smtps
• imaps
• pop3s
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field
will always display N/A in FortiOS.
profile
The name of the profile that was used to detect and take action.
profilegroup
The group that the profile is part of. This field contains N/A if there is
no profile group configured. Profile groups are only available in
FortiOS Carrier.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
status
The type of action the FortiGate unit took, for example blocking the
email message from getting through.
This field contains any one of the following:
• exempted
• blocked
• detected
from
The sender’s email address.
to
The recipient’s email address.
tracker
The identification information that is associated with the rule or rules
that were used to identify the email message as spam. This field
appears only when the email message was blocked by the email filter
rules, and not by other filter methods. For example, if an email
message was blocked by URL filter, IP address filter and E-mail
checksum filter (these filters are checked off in the FortiGuard Email
Filter section of the Profile page for email filtering) this field displays.
dir
This field contains either tx or rx.
agent
This field is for FortiOS Carrier only. If the unit is not running FortiOS
Carrier, this field always contains N/A.
msg
The log message information. This is usually a sentence and explains
the activity and/or action taken.
20490
Message ID
20490
Log Subtype
Carrier Endpoint Filter
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
An MM1 notice.
Fields
Field Description
policyid
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will
have an index number of zero.
custom
The log field that a user has created. This is referred to as a custom
log field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero
if the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique, it is only locally unique
within a given firewall policy.
serial
The serial number of the firewall session on which the event happened.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
vd
The name of the virtual domain in which the action occurred. If no
virtual domains exist, this field always contains root.
src
The source IP address.
sport
The source port number.
src_port
The source port number.
src_int
The source interface. For example, internal.
dst
The destination IP address.
dport
The destination port number.
dst_port
The destination port number.
dst_int
The destination interface. For example, wan1.
service
This field contains any one of the following:
• http
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• im
• nntp
• https
• smtps
• imaps
• pop3s
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field
will always display N/A in FortiOS.
profile
The name of the profile that was used to detect and take action.
profilegroup
The group that the profile is part of. This field contains N/A if there is
no profile group configured. Profile groups are only available in
FortiOS Carrier.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
status
The type of action the FortiGate unit took, for example blocking the
email message from getting through.
This field contains any one of the following:
• exempted
• blocked
• detected
from
The sender’s email address.
to
The recipient’s email address.
tracker
The identification information that is associated with the rule or rules
that were used to identify the email message as spam. This field
appears only when the email message was blocked by the email filter
rules, and not by other filter methods. For example, if an email
message was blocked by URL filter, IP address filter and E-mail
checksum filter (these filters are checked off in the FortiGuard Email
Filter section of the Profile page for email filtering) this field displays.
dir
This field contains either tx or rx.
agent
This field is for FortiOS Carrier only. If the unit is not running FortiOS
Carrier, this field always contains N/A.
msg
The log message information. This is usually a sentence and explains
the activity and/or action taken.
20492
Message ID
20492
Log Subtype
Mass-MMS
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
An MM1 flood detection warning.
Fields
Field Description
policyid
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will
have an index number of zero.
custom
The log field that a user has created. This is referred to as a custom
log field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero
if the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique, it is only locally unique
within a given firewall policy.
serial
The serial number of the firewall session on which the event happened.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
vd
The name of the virtual domain in which the action occurred. If no
virtual domains exist, this field always contains root.
src
The source IP address.
sport
The source port number.
src_port
The source port number.
src_int
The source interface. For example, internal.
dst
The destination IP address.
dport
The destination port number.
dst_port
The destination port number.
dst_int
The destination interface. For example, wan1.
service
This field contains any one of the following:
• http
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• im
• nntp
• https
• smtps
• imaps
• pop3s
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field
will always display N/A in FortiOS.
profile
The name of the profile that was used to detect and take action.
profilegroup
The group that the profile is part of. This field contains N/A if there is
no profile group configured. Profile groups are only available in
FortiOS Carrier.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
status
The type of action the FortiGate unit took, for example blocking the
email message from getting through.
This field contains any one of the following:
• exempted
• blocked
• detected
from
The sender’s email address.
to
The recipient’s email address.
tracker
The identification information that is associated with the rule or rules
that were used to identify the email message as spam. This field
appears only when the email message was blocked by the email filter
rules, and not by other filter methods. For example, if an email
message was blocked by URL filter, IP address filter and E-mail
checksum filter (these filters are checked off in the FortiGuard Email
Filter section of the Profile page for email filtering) this field displays.
dir
This field contains either tx or rx.
agent
This field is for FortiOS Carrier only. If the unit is not running FortiOS
Carrier, this field always contains N/A.
msg
The log message information. This is usually a sentence and explains
the activity and/or action taken.
20493
Message ID
20493
Log Subtype
Mass-MMS
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
An MM1 flood detection notice.
Fields
Field Description
policyid
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will
have an index number of zero.
custom
The log field that a user has created. This is referred to as a custom
log field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero
if the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique, it is only locally unique
within a given firewall policy.
serial
The serial number of the firewall session on which the event happened.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
vd
The name of the virtual domain in which the action occurred. If no
virtual domains exist, this field always contains root.
src
The source IP address.
sport
The source port number.
src_port
The source port number.
src_int
The source interface. For example, internal.
dst
The destination IP address.
dport
The destination port number.
dst_port
The destination port number.
dst_int
The destination interface. For example, wan1.
service
This field contains any one of the following:
• http
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• im
• nntp
• https
• smtps
• imaps
• pop3s
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field
will always display N/A in FortiOS.
profile
The name of the profile that was used to detect and take action.
profilegroup
The group that the profile is part of. This field contains N/A if there is
no profile group configured. Profile groups are only available in
FortiOS Carrier.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
status
The type of action the FortiGate unit took, for example blocking the
email message from getting through.
This field contains any one of the following:
• exempted
• blocked
• detected
from
The sender’s email address.
to
The recipient’s email address.
tracker
The identification information that is associated with the rule or rules
that were used to identify the email message as spam. This field
appears only when the email message was blocked by the email filter
rules, and not by other filter methods. For example, if an email
message was blocked by URL filter, IP address filter and E-mail
checksum filter (these filters are checked off in the FortiGuard Email
Filter section of the Profile page for email filtering) this field displays.
dir
This field contains either tx or rx.
agent
This field is for FortiOS Carrier only. If the unit is not running FortiOS
Carrier, this field always contains N/A.
msg
The log message information. This is usually a sentence and explains
the activity and/or action taken.
20494
Message ID
20494
Log Subtype
Mass-MMS
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
An MM4 flood detection warning.
Fields
Field Description
policyid
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will
have an index number of zero.
custom
The log field that a user has created. This is referred to as a custom
log field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero
if the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique, it is only locally unique
within a given firewall policy.
serial
The serial number of the firewall session on which the event happened.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
vd
The name of the virtual domain in which the action occurred. If no
virtual domains exist, this field always contains root.
src
The source IP address.
sport
The source port number.
src_port
The source port number.
src_int
The source interface. For example, internal.
dst
The destination IP address.
dport
The destination port number.
dst_port
The destination port number.
dst_int
The destination interface. For example, wan1.
service
This field contains any one of the following:
• http
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• im
• nntp
• https
• smtps
• imaps
• pop3s
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field
will always display N/A in FortiOS.
profile
The name of the profile that was used to detect and take action.
profilegroup
The group that the profile is part of. This field contains N/A if there is
no profile group configured. Profile groups are only available in
FortiOS Carrier.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
status
The type of action the FortiGate unit took, for example blocking the
email message from getting through.
This field contains any one of the following:
• exempted
• blocked
• detected
from
The sender’s email address.
to
The recipient’s email address.
tracker
The identification information that is associated with the rule or rules
that were used to identify the email message as spam. This field
appears only when the email message was blocked by the email filter
rules, and not by other filter methods. For example, if an email
message was blocked by URL filter, IP address filter and E-mail
checksum filter (these filters are checked off in the FortiGuard Email
Filter section of the Profile page for email filtering) this field displays.
msg
The log message information. This is usually a sentence and explains
the activity and/or action taken.
20495
Message ID
20495
Log Subtype
Mass-MMS
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
An MM4 flood detection notice.
Fields
Field Description
policyid
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will
have an index number of zero.
custom
The log field that a user has created. This is referred to as a custom
log field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero
if the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique, it is only locally unique
within a given firewall policy.
serial
The serial number of the firewall session on which the event happened.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
vd
The name of the virtual domain in which the action occurred. If no
virtual domains exist, this field always contains root.
src
The source IP address.
sport
The source port number.
src_port
The source port number.
src_int
The source interface. For example, internal.
dst
The destination IP address.
dport
The destination port number.
dst_port
The destination port number.
dst_int
The destination interface. For example, wan1.
service
This field contains any one of the following:
• http
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• im
• nntp
• https
• smtps
• imaps
• pop3s
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field
will always display N/A in FortiOS.
profile
The name of the profile that was used to detect and take action.
profilegroup
The group that the profile is part of. This field contains N/A if there is
no profile group configured. Profile groups are only available in
FortiOS Carrier.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
status
The type of action the FortiGate unit took, for example blocking the
email message from getting through.
This field contains any one of the following:
• exempted
• blocked
• detected
from
The sender’s email address.
to
The recipient’s email address.
tracker
The identification information that is associated with the rule or rules
that were used to identify the email message as spam. This field
appears only when the email message was blocked by the email filter
rules, and not by other filter methods. For example, if an email
message was blocked by URL filter, IP address filter and E-mail
checksum filter (these filters are checked off in the FortiGuard Email
Filter section of the Profile page for email filtering) this field displays.
msg
The log message information. This is usually a sentence and explains
the activity and/or action taken.
20496
Message ID
20496
Log Subtype
Mass-MMS
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
An MM1 duplicate detection warning.
Fields
Field Description
policyid
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will
have an index number of zero.
custom
The log field that a user has created. This is referred to as a custom
log field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero
if the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique, it is only locally unique
within a given firewall policy.
serial
The serial number of the firewall session on which the event happened.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
vd
The name of the virtual domain in which the action occurred. If no
virtual domains exist, this field always contains root.
src
The source IP address.
sport
The source port number.
src_port
The source port number.
src_int
The source interface. For example, internal.
dst
The destination IP address.
dport
The destination port number.
dst_port
The destination port number.
dst_int
The destination interface. For example, wan1.
service
This field contains any one of the following:
• http
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• im
• nntp
• https
• smtps
• imaps
• pop3s
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field
will always display N/A in FortiOS.
profile
The name of the profile that was used to detect and take action.
profilegroup
The group that the profile is part of. This field contains N/A if there is
no profile group configured. Profile groups are only available in
FortiOS Carrier.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
status
The type of action the FortiGate unit took, for example blocking the
email message from getting through.
This field contains any one of the following:
• exempted
• blocked
• detected
from
The sender’s email address.
to
The recipient’s email address.
tracker
The identification information that is associated with the rule or rules
that were used to identify the email message as spam. This field
appears only when the email message was blocked by the email filter
rules, and not by other filter methods. For example, if an email
message was blocked by URL filter, IP address filter and E-mail
checksum filter (these filters are checked off in the FortiGuard Email
Filter section of the Profile page for email filtering) this field displays.
dir
This field contains either tx or rx.
agent
This field is for FortiOS Carrier only. If the unit is not running FortiOS
Carrier, this field always contains N/A.
msg
The log message information. This is usually a sentence and explains
the activity and/or action taken.
20497
Message ID
20497
Log Subtype
Mass-MMS
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
An MM1 duplicate detection notice.
Fields
Field Description
policyid
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will
have an index number of zero.
custom
The log field that a user has created. This is referred to as a custom
log field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero
if the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique; it is only locally unique
within a given firewall policy.
serial
The serial number of the firewall session on which the event happened.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
vd
The name of the virtual domain in which the action occurred. If no
virtual domains exist, this field always contains root.
src
The source IP address.
sport
The source port number.
src_port
The source port number.
src_int
The source interface. For example, internal.
dst
The destination IP address.
dport
The destination port number.
dst_port
The destination port number.
dst_int
The destination interface. For example, wan1.
service
This field contains any one of the following:
• http
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• im
• nntp
• https
• smtps
• imaps
• pop3s
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field
will always display N/A in FortiOS.
profile
The name of the profile that was used to detect and take action.
profilegroup
The group that the profile is part of. This field contains N/A if there is
no profile group configured. Profile groups are only available in
FortiOS Carrier.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
status
The type of action the FortiGate unit took, for example blocking the
email message from getting through.
This field contains any one of the following:
• exempted
• blocked
• detected
from
The sender’s email address.
to
The recipient’s email address.
tracker
The identification information that is associated with the rule or rules
that were used to identify the email message as spam. This field
appears only when the email message was blocked by the email filter
rules, and not by other filter methods. For example, if an email
message was blocked by URL filter, IP address filter and E-mail
checksum filter (these filters are checked off in the FortiGuard Email
Filter section of the Profile page for email filtering), this field is displayed.
dir
This field contains either tx or rx.
agent
This is for FortiOS Carrier only. If the unit is not running FortiOS
Carrier, this field always contains N/A.
msg
The log message information. This is usually a sentence and explains
the activity and/or action taken.
20498
Message ID
20498
Log Subtype
Mass-MMS
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
An MM4 duplicate detection warning.
Fields
Field Description
policyid
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will
have an index number of zero.
custom
The log field that a user has created. This is referred to as a custom
log field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero
if the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique; it is only locally unique
within a given firewall policy.
serial
The serial number of the firewall session on which the event happened.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
vd
The name of the virtual domain in which the action occurred. If no
virtual domains exist, this field always contains root.
src
The source IP address.
sport
The source port number.
src_port
The source port number.
src_int
The source interface. For example, internal.
dst
The destination IP address.
dport
The destination port number.
dst_port
The destination port number.
dst_int
The destination interface. For example, wan1.
service
This field contains any one of the following:
• http
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• im
• nntp
• https
• smtps
• imaps
• pop3s
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field
will always display N/A in FortiOS.
profile
The name of the profile that was used to detect and take action.
profilegroup
The group that the profile is part of. This field contains N/A if there is
no profile group configured. Profile groups are only available in
FortiOS Carrier.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
status
The type of action the FortiGate unit took, for example blocking the
email message from getting through.
This field contains any one of the following:
• exempted
• blocked
• detected
from
The sender’s email address.
to
The recipient’s email address.
tracker
The identification information that is associated with the rule or rules
that were used to identify the email message as spam. This field
appears only when the email message was blocked by the email filter
rules, and not by other filter methods. For example, if an email
message was blocked by URL filter, IP address filter and E-mail
checksum filter (these filters are checked off in the FortiGuard Email
Filter section of the Profile page for email filtering), this field is displayed.
msg
The log message information. This is usually a sentence and explains
the activity and/or action taken.
20499
Message ID
20499
Log Subtype
Mass-MMS
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
An MM4 duplicate detection notice.
Fields
Field Description
policyid
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will
have an index number of zero.
custom
The log field that a user has created. This is referred to as a custom
log field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero
if the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique; it is only locally unique
within a given firewall policy.
serial
The serial number of the firewall session on which the event happened.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
vd
The name of the virtual domain in which the action occurred. If no
virtual domains exist, this field always contains root.
src
The source IP address.
sport
The source port number.
src_port
The source port number.
src_int
The source interface. For example, internal.
dst
The destination IP address.
dport
The destination port number.
dst_port
The destination port number.
dst_int
The destination interface. For example, wan1.
service
This field contains any one of the following:
• http
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• im
• nntp
• https
• smtps
• imaps
• pop3s
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field
will always display N/A in FortiOS.
profile
The name of the profile that was used to detect and take action.
profilegroup
The group that the profile is part of. This field contains N/A if there is
no profile group configured. Profile groups are only available in
FortiOS Carrier.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
status
The type of action the FortiGate unit took, for example blocking the
email message from getting through.
This field contains any one of the following:
• exempted
• blocked
• detected
from
The sender’s email address.
to
The recipient’s email address.
tracker
The identification information that is associated with the rule or rules
that were used to identify the email message as spam. This field
appears only when the email message was blocked by the email filter
rules, and not by other filter methods. For example, if an email
message was blocked by URL filter, IP address filter and E-mail
checksum filter (these filters are checked off in the FortiGuard Email
Filter section of the Profile page for email filtering), this field is displayed.
msg
The log message information. This is usually a sentence and explains
the activity and/or action taken.
20500
Message ID
20500
Log Subtype
msn-hotmail
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
An MSN Hotmail email message.
Fields
Field Description
policyid
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will
have an index number of zero.
custom
The log field that a user has created. This is referred to as a custom
log field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero
if the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique; it is only locally unique
within a given firewall policy.
serial
The serial number of the firewall session on which the event happened.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
vd
The name of the virtual domain in which the action occurred. If no
virtual domains exist, this field always contains root.
src
The source IP address.
sport
The source port number.
src_port
The source port number.
src_int
The source interface. For example, internal.
dst
The destination IP address.
dport
The destination port number.
dst_port
The destination port number.
dst_int
The destination interface. For example, wan1.
service
This field contains any one of the following:
• http
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• im
• nntp
• https
• smtps
• imaps
• pop3s
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field
will always display N/A in FortiOS.
profile
The name of the profile that was used to detect and take action.
profilegroup
The group that the profile is part of. This field contains N/A if there is
no profile group configured. Profile groups are only available in
FortiOS Carrier.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
status
The type of action the FortiGate unit took, for example blocking the
email message from getting through.
This field contains any one of the following:
• exempted
• blocked
• detected
from
The sender’s email address.
to
The recipient’s email address.
tracker
The identification information that is associated with the rule or rules
that were used to identify the email message as spam. This field
appears only when the email message was blocked by the email filter
rules, and not by other filter methods. For example, if an email
message was blocked by URL filter, IP address filter and E-mail
checksum filter (these filters are checked off in the FortiGuard Email
Filter section of the Profile page for email filtering), this field is displayed.
msg
The log message information. This is usually a sentence and explains
the activity and/or action taken.
subject
The subject line of the email message.
size
The email message’s size.
attachment
Indicates whether the email message includes an attachment or not.
This log field contains either yes, that an attachment is included, or no,
that an attachment is not included.
20501
Message ID
20501
Log Subtype
yahoo-hotmail
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
A Yahoo! email message.
Fields
Field Description
policyid
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will
have an index number of zero.
custom
The log field that a user has created. This is referred to as a custom
log field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero
if the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique; it is only locally unique
within a given firewall policy.
serial
The serial number of the firewall session on which the event happened.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
vd
The name of the virtual domain in which the action occurred. If no
virtual domains exist, this field always contains root.
src
The source IP address.
sport
The source port number.
src_port
The source port number.
src_int
The source interface. For example, internal.
dst
The destination IP address.
dport
The destination port number.
dst_port
The destination port number.
dst_int
The destination interface. For example, wan1.
service
This field contains any one of the following:
• http
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• im
• nntp
• https
• smtps
• imaps
• pop3s
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field
will always display N/A in FortiOS.
profile
The name of the profile that was used to detect and take action.
profilegroup
The group that the profile is part of. This field contains N/A if there is
no profile group configured. Profile groups are only available in
FortiOS Carrier.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
status
The type of action the FortiGate unit took, for example blocking the
email message from getting through.
This field contains any one of the following:
• exempted
• blocked
• detected
from
The sender’s email address.
to
The recipient’s email address.
tracker
The identification information that is associated with the rule or rules
that were used to identify the email message as spam. This field
appears only when the email message was blocked by the email filter
rules, and not by other filter methods. For example, if an email
message was blocked by URL filter, IP address filter and E-mail
checksum filter (these filters are checked off in the FortiGuard Email
Filter section of the Profile page for email filtering), this field is displayed.
msg
The log message information. This is usually a sentence and explains
the activity and/or action taken.
subject
The subject line of the email message.
size
The email message’s size.
attachment
Indicates whether the email message includes an attachment or not.
This log field contains either yes, that an attachment is included, or no,
that an attachment is not included.
20503
Message ID
20503
Log Subtype
smtp
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
An SMTP warning.
Fields
Field Description
policyid
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will
have an index number of zero.
custom
The log field that a user has created. This is referred to as a custom
log field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero
if the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique; it is only locally unique
within a given firewall policy.
serial
The serial number of the firewall session on which the event happened.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
vd
The name of the virtual domain in which the action occurred. If no
virtual domains exist, this field always contains root.
src
The source IP address.
sport
The source port number.
src_port
The source port number.
src_int
The source interface. For example, internal.
dst
The destination IP address.
dport
The destination port number.
dst_port
The destination port number.
dst_int
The destination interface. For example, wan1.
service
This field contains any one of the following:
• http
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• im
• nntp
• https
• smtps
• imaps
• pop3s
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field
will always display N/A in FortiOS.
profile
The name of the profile that was used to detect and take action.
profilegroup
The group that the profile is part of. This field contains N/A if there is
no profile group configured. Profile groups are only available in
FortiOS Carrier.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
status
The type of action the FortiGate unit took, for example blocking the
email message from getting through.
This field contains any one of the following:
• exempted
• blocked
• detected
from
The sender’s email address.
to
The recipient’s email address.
tracker
The identification information that is associated with the rule or rules
that were used to identify the email message as spam. This field
appears only when the email message was blocked by the email filter
rules, and not by other filter methods. For example, if an email
message was blocked by URL filter, IP address filter and E-mail
checksum filter (these filters are checked off in the FortiGuard Email
Filter section of the Profile page for email filtering), this field is displayed.
msg
The log message information. This is usually a sentence and explains
the activity and/or action taken.
subject
The subject line of the email message.
size
The email message’s size.
attachment
Indicates whether the email message includes an attachment or not.
This log field contains either yes, that an attachment is included, or no,
that an attachment is not included.
20504
Message ID
20504
Log Subtype
POP3
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
A POP3 warning.
Fields
Field Description
policyid
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will
have an index number of zero.
custom
The log field that a user has created. This is referred to as a custom
log field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero
if the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique; it is only locally unique
within a given firewall policy.
serial
The serial number of the firewall session on which the event happened.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
vd
The name of the virtual domain in which the action occurred. If no
virtual domains exist, this field always contains root.
src
The source IP address.
sport
The source port number.
src_port
The source port number.
src_int
The source interface. For example, internal.
dst
The destination IP address.
dport
The destination port number.
dst_port
The destination port number.
dst_int
The destination interface. For example, wan1.
service
This field contains any one of the following:
• http
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• im
• nntp
• https
• smtps
• imaps
• pop3s
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field
will always display N/A in FortiOS.
profile
The name of the profile that was used to detect and take action.
profilegroup
The group that the profile is part of. This field contains N/A if there is
no profile group configured. Profile groups are only available in
FortiOS Carrier.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
status
The type of action the FortiGate unit took, for example blocking the
email message from getting through.
This field contains any one of the following:
• exempted
• blocked
• detected
from
The sender’s email address.
to
The recipient’s email address.
tracker
The identification information that is associated with the rule or rules
that were used to identify the email message as spam. This field
appears only when the email message was blocked by the email filter
rules, and not by other filter methods. For example, if an email
message was blocked by URL filter, IP address filter and E-mail
checksum filter (these filters are checked off in the FortiGuard Email
Filter section of the Profile page for email filtering), this field is displayed.
msg
The log message information. This is usually a sentence and explains
the activity and/or action taken.
subject
The subject line of the email message.
size
The email message’s size.
attachment
Indicates whether the email message includes an attachment or not.
This log field contains either yes, that an attachment is included, or no,
that an attachment is not included.
20505
Message ID
20505
Log Subtype
IMAP
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
An IMAP notice.
Fields
Field Description
policyid
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will
have an index number of zero.
custom
The log field that a user has created. This is referred to as a custom
log field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero
if the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique; it is only locally unique
within a given firewall policy.
serial
The serial number of the firewall session on which the event happened.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
vd
The name of the virtual domain in which the action occurred. If no
virtual domains exist, this field always contains root.
src
The source IP address.
sport
The source port number.
src_port
The source port number.
src_int
The source interface. For example, internal.
dst
The destination IP address.
dport
The destination port number.
dst_port
The destination port number.
dst_int
The destination interface. For example, wan1.
service
This field contains any one of the following:
• http
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• im
• nntp
• https
• smtps
• imaps
• pop3s
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field
will always display N/A in FortiOS.
profile
The name of the profile that was used to detect and take action.
profilegroup
The group that the profile is part of. This field contains N/A if there is
no profile group configured. Profile groups are only available in
FortiOS Carrier.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
status
The type of action the FortiGate unit took, for example blocking the
email message from getting through.
This field contains any one of the following:
• exempted
• blocked
• detected
from
The sender’s email address.
to
The recipient’s email address.
tracker
The identification information that is associated with the rule or rules
that were used to identify the email message as spam. This field
appears only when the email message was blocked by the email filter
rules, and not by other filter methods. For example, if an email
message was blocked by URL filter, IP address filter and E-mail
checksum filter (these filters are checked off in the FortiGuard Email
Filter section of the Profile page for email filtering), this field is displayed.
msg
The log message information. This is usually a sentence and explains
the activity and/or action taken.
subject
The subject line of the email message.
size
The email message’s size.
attachment
Indicates whether the email message includes an attachment or not.
This log field contains either yes, that an attachment is included, or no,
that an attachment is not included.
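Added example (not part of the Fortinet reference): a Python check that validates email filter records against the values documented in the field tables above (service, status, dir, attachment, the paired port fields, the N/A placeholder) and counts blocked mail per sender. The space-separated key=value record layout with double-quoted values, the sample records, and all function names are assumptions made for this example.

```python
import shlex
from collections import Counter

# Enumerated values copied from the Email filter field tables in this reference.
ALLOWED = {
    "service": {"http", "smtp", "pop3", "imap", "ftp", "mm1", "mm3", "mm4",
                "mm7", "im", "nntp", "https", "smtps", "imaps", "pop3s"},
    "status": {"exempted", "blocked", "detected"},
    "dir": {"tx", "rx"},
    "attachment": {"yes", "no"},
}
# Fields documented as containing N/A outside FortiOS Carrier or when unset.
NA_FIELDS = ("carrier_ep", "agent", "profilegroup")
# Each port is documented under two field names that carry the same value.
PORT_PAIRS = (("sport", "src_port"), ("dport", "dst_port"))


def parse_line(line):
    """Split one record into a dict. Assumed layout: space-separated key=value
    pairs, with double quotes around values that contain spaces."""
    fields = {}
    for token in shlex.split(line):  # raises ValueError on an unclosed quote
        key, sep, value = token.partition("=")
        if not sep or not key:
            raise ValueError("not a key=value token: %r" % token)
        fields[key] = value
    return fields


def normalize(fields):
    """Map the documented N/A placeholder to None so it is never read as data."""
    rec = dict(fields)
    for name in NA_FIELDS:
        if rec.get(name, "").upper() == "N/A":
            rec[name] = None
    return rec


def validate(rec):
    """Return a list of deviations from the documented field descriptions."""
    problems = []
    for name, allowed in ALLOWED.items():
        if name in rec and rec[name] not in allowed:
            problems.append("%s=%r is not a documented value" % (name, rec[name]))
    for a, b in PORT_PAIRS:
        for name in (a, b):
            if name in rec and not (rec[name].isdecimal() and int(rec[name]) <= 65535):
                problems.append("%s=%r is not a port number" % (name, rec[name]))
        if a in rec and b in rec and rec[a] != rec[b]:
            problems.append("%s and %s disagree" % (a, b))
    return problems


def triage(lines):
    """Count blocked mail per sender, count records on automatically added
    policies (policyid 0), and collect records that fail parsing or validation."""
    blocked = Counter()
    auto_policy = 0
    rejected = {}
    for number, line in enumerate(lines, start=1):
        try:
            rec = normalize(parse_line(line))
        except ValueError as exc:
            rejected[number] = ["malformed record: %s" % exc]
            continue
        problems = validate(rec)
        if problems:
            rejected[number] = problems
            continue
        if rec.get("policyid") == "0":
            auto_policy += 1
        if rec.get("status") == "blocked":
            blocked[rec.get("from", "<no sender>")] += 1
    return {"blocked_by_sender": blocked, "auto_policy": auto_policy,
            "rejected": rejected}


# Constructed sample records (not captured from a device).
COMMON = "vd=root src=192.0.2.10 dst=198.51.100.25 dport=25 dst_port=25 carrier_ep=N/A "
SAMPLE = [
    COMMON + 'policyid=3 sport=51234 src_port=51234 service=smtp status=blocked dir=tx '
             'from="bulk@example.net" to="alice@example.com" attachment=no subject="Limited offer"',
    COMMON + 'policyid=3 sport=51240 src_port=51240 service=smtp status=blocked dir=tx '
             'from="bulk@example.net" to="carol@example.com" attachment=yes subject="Invoice"',
    COMMON + 'policyid=0 sport=51301 src_port=51301 service=smtp status=detected dir=rx '
             'from="bob@example.org" to="alice@example.com" attachment=no subject="Hello"',
    # Undocumented status and dir values: rejected rather than counted.
    COMMON + 'policyid=3 sport=51302 src_port=51302 service=smtp status=quarantined dir=up '
             'from="eve@example.org" to="alice@example.com"',
    # Unclosed quote: reported as malformed, not silently truncated.
    COMMON + 'policyid=3 service=smtp status=blocked from="bulk@example.net" subject="unterminated',
]

if __name__ == "__main__":
    result = triage(SAMPLE)
    print(dict(result["blocked_by_sender"]), result["auto_policy"])
    for number, problems in sorted(result["rejected"].items()):
        print(number, problems)
```

Rejected records are kept out of the per-sender counts, so a truncated or tampered line cannot inflate or hide a sender's total.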
Webfilter
Web filter log messages record URL activity as well as filter actions, such as a URL that was blocked because
it was found in the URL black list.
In FortiOS 4.0 MR3 and higher, web filtering log messages are located in the UTM log file. These log
messages can also be viewed in the web-based manager from Log&Report > Log & Archive Access > UTM.
12288
Message ID
12288
Log Subtype
Content
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
A web content banned word was found.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no
virtual domains exist, this field always contains root.
policyid
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will
have an index number of zero.
custom
The log field that a user has created. This is referred to as a custom
log field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays
zero if the firewall policy does not use an identity-based policy;
otherwise, it displays the number of the identity-based policy entry
that the traffic matched. This number is not globally unique; it is only
locally unique within a given firewall policy.
serial
The session number identification.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
src
The source IP address.
sport
The source port number.
src_port
The source port number.
src_int
The source interface. For example, internal.
dst
The destination IP address.
dport
The destination port number.
dst_port
The destination port number.
dst_int
The destination interface. For example, wan1.
service
This field contains any one of the following:
• http
• https
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• nntp
• im
• smtps
• pop3s
• imaps
hostname
The name of the website that was accessed.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field
will always display N/A in FortiOS.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
profilegroup
The group that the profile is part of. This field contains N/A if there is
no profile group configured. Profile groups are only available in
FortiOS Carrier.
profile
The name of the profile that was used to detect and take action.
req_type
The type of request, which can be one of the following:
• referral – if the HTTP transaction is requested from a parent web
site, such as selecting a link on a web page
• direct – a direct connection to a web page, such as typing in the
URL address manually.
url
The URL address.
status
This field contains any one of the following:
• blocked
• exempted
• allowed
• passthrough
• filtered
• DLP
agent
This field is for FortiOS Carrier only. If the unit is not running FortiOS
Carrier, this field always contains N/A.
from
The sender’s information.
to
The recipient’s information.
banword
The banned word that was detected.
msg
URL was blocked because it contained banned word(s).
12289
Message ID
12289
Log Subtype
Content
Severity
Warning
Firmware version
FortiOS Carrier 4.0 MR2
Meaning
A web content MMS banned word was found.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no
virtual domains exist, this field always contains root.
policyid
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will have
an index number of zero.
custom
The log field that a user has created. This is referred to as a custom log
field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero
if the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique; it is only locally unique
within a given firewall policy.
serial
The session number identification.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
src
The source IP address.
sport
The source port number.
src_port
The source port number.
src_int
The source interface. For example, internal.
dst
The destination IP address.
dport
The destination port number.
dst_port
The destination port number.
dst_int
The destination interface. For example, wan1.
service
This field contains any one of the following:
• http
• https
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• nntp
• im
• smtps
• pop3s
• imaps
hostname
The name of the website that was accessed.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field
will always display N/A in FortiOS.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
profilegroup
The group that the profile is part of. This field contains N/A if there is no
profile group configured. Profile groups are only available in FortiOS
Carrier.
profile
The name of the profile that was used to detect and take action.
req_type
The type of request, which can be one of the following:
• referral – if the HTTP transaction is requested from a parent web site,
such as selecting a link on a web page
• direct – a direct connection to a web page, such as typing in the URL
address manually.
url
The URL address.
status
This field contains any one of the following:
• blocked
• exempted
• allowed
• passthrough
• filtered
• DLP
dir
This field contains any one of the following:
• n/a
• TX
• RX
agent
This field is for FortiOS Carrier only. If the unit is not running FortiOS
Carrier, this field always contains N/A.
from
The sender’s information.
to
The recipient’s information.
banword
The banned word that was detected.
msg
Message was blocked because it contained a banned word.
12290
Message ID
12290
Log Subtype
Content
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
A web content exempt word was found.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no
virtual domains exist, this field always contains root.
policyid
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will
have an index number of zero.
custom
The log field that a user has created. This is referred to as a custom
log field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays
zero if the firewall policy does not use an identity-based policy;
otherwise, it displays the number of the identity-based policy entry
that the traffic matched. This number is not globally unique, it is only
locally unique within a given firewall policy.
serial
The session number identification.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
src
The source IP address.
sport
The source port number.
src_port
The source port number.
src_int
The source interface. For example, internal.
dst
The destination IP address.
dport
The destination port number.
dst_port
The destination port number.
dst_int
The destination interface. For example, wan1.
service
This field contains any one of the following:
• http
• https
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• nntp
• im
• smtps
• pop3s
• imaps
hostname
The name of the website that was accessed.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field
will always display N/A in FortiOS.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
profilegroup
The group that the profile is part of. This field contains N/A if there is
no profile group configured. Profile groups are only available in
FortiOS Carrier.
profile
The name of the profile that was used to detect and take action.
req_type
The type of request, which can be one of the following:
• referral – if the HTTP transaction is requested from a parent web
site, such as selecting a link on a web page
• direct – a direct connection to a web page, such as typing in the
URL address manually.
url
The URL address.
status
This field contains any one of the following:
• blocked
• exempted
• allowed
• passthrough
• filtered
• DLP
agent
This field is for FortiOS Carrier only. If the unit is not running FortiOS
Carrier, this field always contains N/A.
from
The sender’s information.
to
The recipient’s information.
banword
The banned word that was detected.
msg
URL was exempted because it contained exempt word(s).
12291
Message ID
12291
Log Subtype
Content
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
A web content MMS exempt word was found.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no
virtual domains exist, this field always contains root.
policyid
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will
have an index number of zero.
custom
The log field that a user has created. This is referred to as a custom
log field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays
zero if the firewall policy does not use an identity-based policy;
otherwise, it displays the number of the identity-based policy entry
that the traffic matched. This number is not globally unique, it is only
locally unique within a given firewall policy.
serial
The session number identification.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
src
The source IP address.
sport
The source port number.
src_port
The source port number.
src_int
The source interface. For example, internal.
dst
The destination IP address.
dport
The destination port number.
dst_port
The destination port number.
dst_int
The destination interface. For example, wan1.
service
This field contains any one of the following:
• http
• https
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• nntp
• im
• smtps
• pop3s
• imaps
hostname
The name of the website that was accessed.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field
will always display N/A in FortiOS.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
profilegroup
The group that the profile is part of. This field contains N/A if there is
no profile group configured. Profile groups are only available in
FortiOS Carrier.
profile
The name of the profile that was used to detect and take action.
req_type
The type of request, which can be one of the following:
• referral – if the HTTP transaction is requested from a parent web
site, such as selecting a link on a web page
• direct – a direct connection to a web page, such as typing in the
URL address manually.
url
The URL address.
status
This field contains any one of the following:
• blocked
• exempted
• allowed
• passthrough
• filtered
• DLP
dir
This field contains any one of the following:
• n/a
• TX
• RX
agent
This field is for FortiOS Carrier only. If the unit is not running FortiOS
Carrier, this field always contains N/A.
from
The sender’s information.
to
The recipient’s information.
banword
The banned word that was detected.
msg
Message was exempted because it contained an exempt word.
12305
Message ID
12305
Log Subtype
Content
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
A web content MMS banned word.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no
virtual domains exist, this field always contains root.
policyid
The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will
have an index number of zero.
custom
The log field that a user has created. This is referred to as a custom
log field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays
zero if the firewall policy does not use an identity-based policy;
otherwise, it displays the number of the identity-based policy entry
that the traffic matched. This number is not globally unique, it is only
locally unique within a given firewall policy.
serial
The session number identification.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
src
The source IP address.
sport
The source port number.
src_port
The source port number.
src_int
The source interface. For example, internal.
dst
The destination IP address.
dport
The destination port number.
dst_port
The destination port number.
dst_int
The destination interface. For example, wan1.
service
This field contains any one of the following:
• http
• https
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• nntp
• im
• smtps
• pop3s
• imaps
hostname
The name of the website that was accessed.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field
will always display N/A in FortiOS.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
profilegroup
The group that the profile is part of. This field contains N/A if there is
no profile group configured. Profile groups are only available in
FortiOS Carrier.
profile
The name of the profile that was used to detect and take action.
req_type
The type of request, which can be one of the following:
• referral – if the HTTP transaction is requested from a parent web
site, such as selecting a link on a web page
• direct – a direct connection to a web page, such as typing in the
URL address manually.
url
The URL address.
status
This field contains any one of the following:
• blocked
• exempted
• allowed
• passthrough
• filtered
• DLP
dir
This field contains any one of the following:
• n/a
• TX
• RX
agent
This field is for FortiOS Carrier only. If the unit is not running FortiOS
Carrier, this field always contains N/A.
from
The sender’s information.
to
The recipient’s information.
banword
The banned word that was detected.
msg
Message was logged because it contained a banned word.
12544
Message ID
12544
Log Subtype
URL Filter
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
The URL address was blocked because it was found in the URL filter list.
Fields
Field Description
urlfilter_idx
The index number that identifies the URL filter in the URL filter list.
urlfilter_list
The name of the URL filter list.
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
policyid
The ID number of the firewall policy that applies to the session or packet. Any
policy that is automatically added by the FortiGate will have an index number
of zero.
custom
The log field that a user has created. This is referred to as a custom log field
because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero if the
firewall policy does not use an identity-based policy; otherwise, it displays
the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall
policy.
serial
The session number identification.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
src
The source IP address.
sport
The source port number.
src_port
The source port number.
src_int
The source interface. For example, internal.
dst
The destination IP address.
dport
The destination port number.
dst_port
The destination port number.
dst_int
The destination interface. For example, wan1.
service
This field contains any one of the following:
• http
• https
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• nntp
• im
• smtps
• pop3s
• imaps
hostname
The name of the website that was accessed.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would display
MSISDN of the phone that sent the MMS message. This field will always
display N/A in FortiOS.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
profilegroup
The group that the profile is part of. This field contains N/A if there is no
profile group configured. Profile groups are only available in FortiOS Carrier.
profile
The name of the profile that was used to detect and take action.
status
This field contains any one of the following:
• blocked
• exempted
• allowed
• passthrough
• filtered
• DLP
req_type
The type of request, which can be one of the following:
• referral – if the HTTP transaction is requested from a parent web site, such
as selecting a link on a web page
• direct – a direct connection to a web page, such as typing in the URL
address manually.
url
The URL address.
msg
URL was blocked because it is in the URL filter list.
12545
Message ID
12545
Log Subtype
URL Filter
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
The URL address was exempted because it was found in the URL filter
list.
Fields
Field Description
urlfilter_idx
The index number that identifies the URL filter in the URL filter list.
urlfilter_list
The name of the URL filter list.
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
policyid
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
custom
The log field that a user has created. This is referred to as a custom log
field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero if
the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique, it is only locally unique
within a given firewall policy.
serial
The session number identification.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
src
The source IP address.
sport
The source port number.
src_port
The source port number.
src_int
The source interface. For example, internal.
dst
The destination IP address.
dport
The destination port number.
dst_port
The destination port number.
dst_int
The destination interface. For example, wan1.
service
This field contains any one of the following:
• http
• https
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• nntp
• im
• smtps
• pop3s
• imaps
hostname
The name of the website that was accessed.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field will
always display N/A in FortiOS.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
profilegroup
The group that the profile is part of. This field contains N/A if there is no
profile group configured. Profile groups are only available in FortiOS
Carrier.
profile
The name of the profile that was used to detect and take action.
status
This field contains any one of the following:
• blocked
• exempted
• allowed
• passthrough
• filtered
• DLP
req_type
The type of request, which can be one of the following:
• referral – if the HTTP transaction is requested from a parent web site,
such as selecting a link on a web page
• direct – a direct connection to a web page, such as typing in the URL
address manually.
url
The URL address.
msg
URL was exempted because it is in the URL filter list.
12546
Message ID
12546
Log Subtype
URL Filter
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
The URL address was allowed because it was found in the URL filter list.
Fields
Field Description
urlfilter_idx
The index number that identifies the URL filter in the URL filter list.
urlfilter_list
The name of the URL filter list.
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
policyid
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
custom
The log field that a user has created. This is referred to as a custom log
field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero if
the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique, it is only locally unique
within a given firewall policy.
serial
The session number identification.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
src
The source IP address.
sport
The source port number.
src_port
The source port number.
src_int
The source interface. For example, internal.
dst
The destination IP address.
dport
The destination port number.
dst_port
The destination port number.
dst_int
The destination interface. For example, wan1.
service
This field contains any one of the following:
• http
• https
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• nntp
• im
• smtps
• pop3s
• imaps
hostname
The name of the website that was accessed.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field will
always display N/A in FortiOS.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
profilegroup
The group that the profile is part of. This field contains N/A if there is no
profile group configured. Profile groups are only available in FortiOS
Carrier.
profile
The name of the profile that was used to detect and take action.
status
This field contains any one of the following:
• blocked
• exempted
• allowed
• passthrough
• filtered
• DLP
req_type
The type of request, which can be one of the following:
• referral – if the HTTP transaction is requested from a parent web site,
such as selecting a link on a web page
• direct – a direct connection to a web page, such as typing in the URL
address manually.
url
The URL address.
msg
URL was allowed because it is in the URL filter list.
12547
Message ID
12547
Log Subtype
URL Filter
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The request contained an invalid domain name.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
policyid
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
custom
The log field that a user has created. This is referred to as a custom log
field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero if
the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique, it is only locally unique
within a given firewall policy.
serial
The session number identification.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
src
The source IP address.
sport
The source port number.
src_port
The source port number.
src_int
The source interface. For example, internal.
dst
The destination IP address.
dport
The destination port number.
dst_port
The destination port number.
dst_int
The destination interface. For example, wan1.
service
This field contains any one of the following:
• http
• https
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• nntp
• im
• smtps
• pop3s
• imaps
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field will
always display N/A in FortiOS.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
profilegroup
The group that the profile is part of. This field contains N/A if there is no
profile group configured. Profile groups are only available in FortiOS
Carrier.
profile
The name of the profile that was used to detect and take action.
status
This field contains any one of the following:
• blocked
• exempted
• allowed
• passthrough
• filtered
• DLP
req_type
The type of request, which can be one of the following:
• referral – if the HTTP transaction is requested from a parent web site,
such as selecting a link on a web page
• direct – a direct connection to a web page, such as typing in the URL
address manually.
msg
The HTTP request contained an invalid domain name.
12548
Message ID
12548
Log Subtype
URL Filter
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
An HTTP certificate request contained an invalid domain name.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
policyid
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
custom
The log field that a user has created. This is referred to as a custom log
field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero if
the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique, it is only locally unique
within a given firewall policy.
serial
The session number identification.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
src
The source IP address.
sport
The source port number.
src_port
The source port number.
src_int
The source interface. For example, internal.
dst
The destination IP address.
dport
The destination port number.
dst_port
The destination port number.
dst_int
The destination interface. For example, wan1.
service
This field contains any one of the following:
• http
• https
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• nntp
• im
• smtps
• pop3s
• imaps
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field will
always display N/A in FortiOS.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
profilegroup
The group that the profile is part of. This field contains N/A if there is no
profile group configured. Profile groups are only available in FortiOS
Carrier.
profile
The name of the profile that was used to detect and take action.
status
This field contains any one of the following:
• blocked
• exempted
• allowed
• passthrough
• filtered
• DLP
req_type
The type of request, which can be one of the following:
• referral – if the HTTP transaction is requested from a parent web site,
such as selecting a link on a web page
• direct – a direct connection to a web page, such as typing in the URL
address manually.
msg
The certificate for the HTTPS session contained an invalid domain name.
12549
Message ID
12549
Log Subtype
URL Filter
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
An HTTP request contained an invalid name so the session has been
filtered by IP only.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
policyid
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
custom
The log field that a user has created. This is referred to as a custom log
field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero if
the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique, it is only locally unique
within a given firewall policy.
serial
The session number identification.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
src
The source IP address.
sport
The source port number.
src_port
The source port number.
src_int
The source interface. For example, internal.
dst
The destination IP address.
dport
The destination port number.
dst_port
The destination port number.
dst_int
The destination interface. For example, wan1.
service
This field contains any one of the following:
• http
• https
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• nntp
• im
• smtps
• pop3s
• imaps
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field will
always display N/A in FortiOS.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
profilegroup
The group that the profile is part of. This field contains N/A if there is no
profile group configured. Profile groups are only available in FortiOS
Carrier.
profile
The name of the profile that was used to detect and take action.
status
This field contains any one of the following:
• blocked
• exempted
• allowed
• passthrough
• filtered
• DLP
req_type
The type of request, which can be one of the following:
• referral – if the HTTP transaction is requested from a parent web site,
such as selecting a link on a web page
• direct – a direct connection to a web page, such as typing in the URL
address manually.
msg
The HTTP request contained an invalid domain name. The session has
been filtered by IP only.
12550
Message ID
12550
Log Subtype
URL Filter
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
An HTTPS request contained an invalid name so the session has been
filtered by IP only.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
policyid
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
custom
The log field that a user has created. This is referred to as a custom log
field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero if
the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique, it is only locally unique
within a given firewall policy.
serial
The session number identification.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
src
The source IP address.
sport
The source port number.
src_port
The source port number.
src_int
The source interface. For example, internal.
dst
The destination IP address.
dport
The destination port number.
dst_port
The destination port number.
dst_int
The destination interface. For example, wan1.
service
This field contains any one of the following:
• http
• https
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• nntp
• im
• smtps
• pop3s
• imaps
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field will
always display N/A in FortiOS.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
profilegroup
The group that the profile is part of. This field contains N/A if there is no
profile group configured. Profile groups are only available in FortiOS
Carrier.
profile
The name of the profile that was used to detect and take action.
status
This field contains any one of the following:
• blocked
• exempted
• allowed
• passthrough
• filtered
• DLP
req_type
The type of request, which can be one of the following:
• referral – if the HTTP transaction is requested from a parent web site,
such as selecting a link on a web page
• direct – a direct connection to a web page, such as typing in the URL
address manually.
msg
The certificate for the HTTPS session contained an invalid domain name.
The session has been filtered by IP only.
12551
Message ID
12551
Log Subtype
URL Filter
Severity
Critical
Firmware version
FortiOS 4.0 MR3
Meaning
There are insufficient resources.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
error
The webfilter error information.
msg
Insufficient resources.
12552
Message ID
12552
Log Subtype
URL Filter
Severity
Critical
Firmware version
FortiOS 4.0 MR3
Meaning
Getting the host name failed.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
hostname
The name of the website that was accessed.
error
The webfilter error information.
msg
gethostbyname() failed.
12553
Message ID
12553
Log Subtype
URL Filter
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
A server certificate validation failed.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
policyid
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
custom
The log field that a user has created. This is referred to as a custom log
field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero if
the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique, it is only locally unique
within a given firewall policy.
serial
The session number identification.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
src
The source IP address.
sport
The source port number.
src_port
The source port number.
src_int
The source interface. For example, internal.
dst
The destination IP address.
dport
The destination port number.
dst_port
The destination port number.
dst_int
The destination interface. For example, wan1.
service
This field contains any one of the following:
• http
• https
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• nntp
• im
• smtps
• pop3s
• imaps
msg
The server certificate validation failed.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
profilegroup
The group that the profile is part of. This field contains N/A if there is no
profile group configured. Profile groups are only available in FortiOS
Carrier.
profile
The name of the profile that was used to detect and take action.
12554
Message ID
12554
Log Subtype
URL Filter
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The SSL session was blocked because its identification number was not
known.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
policyid
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
custom
The log field that a user has created. This is referred to as a custom log
field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero if
the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique, it is only locally unique
within a given firewall policy.
serial
The session number identification.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
src
The source IP address.
sport
The source port number.
src_port
The source port number.
src_int
The source interface. For example, internal.
dst
The destination IP address.
dport
The destination port number.
dst_port
The destination port number.
dst_int
The destination interface. For example, wan1.
service
This field contains any one of the following:
• http
• https
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• nntp
• im
• smtps
• pop3s
• imaps
status
This field contains any one of the following:
• blocked
• exempted
• allowed
• passthrough
• filtered
• DLP
msg
The SSL session was blocked because the session ID was unknown.
12555
Message ID
12555
Log Subtype
URL Filter
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The SSL session was blocked, either because the server certificate was
missing or because the server certificate was invalid.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
policyid
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
custom
The log field that a user has created. This is referred to as a custom log
field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero if
the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique, it is only locally unique
within a given firewall policy.
serial
The session number identification.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
src
The source IP address.
sport
The source port number.
src_port
The source port number.
src_int
The source interface. For example, internal.
dst
The destination IP address.
dport
The destination port number.
dst_port
The destination port number.
dst_int
The destination interface. For example, wan1.
service
This field contains any one of the following:
• http
• https
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• nntp
• im
• smtps
• pop3s
• imaps
status
This field contains any one of the following:
• blocked
• exempted
• allowed
• passthrough
• filtered
• DLP
msg
The SSL session was blocked because the server certificate was
missing or invalid.
12556
Message ID
12556
Log Subtype
URL Filter
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The SSL session was ignored, either because the server certificate was
missing, or the server certificate was invalid.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
policyid
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
custom
The log field that a user has created. This is referred to as a custom log
field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero if
the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique, it is only locally unique
within a given firewall policy.
serial
The session number identification.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
src
The source IP address.
sport
The source port number.
src_port
The source port number.
src_int
The source interface. For example, internal.
dst
The destination IP address.
dport
The destination port number.
dst_port
The destination port number.
dst_int
The destination interface. For example, wan1.
service
This field contains any one of the following:
• http
• https
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• nntp
• im
• smtps
• pop3s
• imaps
status
This field contains any one of the following:
• blocked
• exempted
• allowed
• passthrough
• filtered
• DLP
msg
The SSL session was blocked because the server certificate was
missing or invalid.
12557
Message ID
12557
Log Subtype
URL Filter
Severity
Critical
Firmware version
FortiOS 4.0 MR3
Meaning
The FortiGuard Analysis and Management Service is not active. You
must enable this service, after subscribing to the service, in System >
Maintenance > FortiGuard.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
msg
FortiGate is enabled in the protection profile but the FortiGuard service is
not enabled.
12558
Message ID
12558
Log Subtype
URL Filter
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
A rating error occurred.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
user
The name of the user creating the traffic.
src
The source IP address.
sport
The source port number.
src_port
The source port number.
dst
The destination IP address.
dport
The destination port number.
dst_port
The destination port number.
url_type
This field contains any one of the following:
• http
• https
• ftp
• telnet
• mail
hostname
The name of the website that was accessed.
status
This field contains any one of the following:
• blocked
• exempted
• allowed
• passthrough
• filtered
• DLP
error
The webfilter error information.
url
The URL address.
msg
Policy allows URLs when a rating error occurs.
12559
Message ID
12559
Log Subtype
URL Filter
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
A URL was passed because it was in the URL filter list.
Fields
Field Description
urlfilter_idx
The index number that identifies the URL filter in the URL filter list.
urlfilter_list
The name of the URL filter list.
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
policyid
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
custom
The log field that a user has created. This is referred to as a custom log
field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero if
the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique, it is only locally unique
within a given firewall policy.
serial
The session number identification.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
src
The source IP address.
sport
The source port number.
src_port
The source port number.
src_int
The source interface. For example, internal.
dst
The destination IP address.
dport
The destination port number.
dst_port
The destination port number.
dst_int
The destination interface. For example, wan1.
service
This field contains any one of the following:
• http
• https
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• nntp
• im
• smtps
• pop3s
• imaps
hostname
The name of the website that was accessed.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field will
always display N/A in FortiOS.
profiletype
The type of profile that was used, for example Antivirus_Profile.
profilegroup
The group that the profile is part of. This field contains N/A if there is no
profile group configured. Profile groups are only available in FortiOS
Carrier.
profile
The name of the profile that was used to detect and take action.
status
This field contains any one of the following:
• blocked
• exempted
• allowed
• passthrough
• filtered
• DLP
req_type
The type of request, which can be one of the following:
• referral – if the HTTP transaction is requested from a parent web site,
such as selecting a link on a web page
• direct – a direct connection to a web page, such as typing in the URL
address manually.
url
The URL address.
msg
URL was passed because it is in the URL filter list.
13056
Message ID
13056
Log Subtype
ftgd_blk
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The URL belongs to a blocked category within the firewall policy.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
policyid
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
custom
The log field that a user has created. This is referred to as a custom log
field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero if
the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique, it is only locally unique
within a given firewall policy.
serial
The session number identification.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
src
The source IP address.
sport
The source port number.
src_port
The source port number.
src_int
The source interface. For example, internal.
dst
The destination IP address.
dport
The destination port number.
dst_port
The destination port number.
dst_int
The destination interface. For example, wan1.
service
This field contains any one of the following:
• http
• https
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• nntp
• im
• smtps
• pop3s
• imaps
hostname
The name of the website that was accessed.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field will
always display N/A in FortiOS.
profiletype
The type of profile that was used, for example Antivirus_Profile.
profilegroup
The group that the profile is part of. This field contains N/A if there is no
profile group configured. Profile groups are only available in FortiOS
Carrier.
profile
The name of the profile that was used to detect and take action.
status
This field contains any one of the following:
• blocked
• exempted
• allowed
• passthrough
• filtered
• DLP
req_type
The type of request, which can be one of the following:
• referral – if the HTTP transaction is requested from a parent web site,
such as selecting a link on a web page
• direct – a direct connection to a web page, such as typing in the URL
address manually.
url
The URL address.
msg
URL belongs to a denied category in policy.
method
This field contains either ip or domain.
class
The class the URL belongs to.
class_desc
The class description that the URL belongs to.
cat
The category that the URL belongs to.
cat_desc
The category description that the URL belongs to.
13312
Message ID
13312
Log Subtype
ftgd_allow
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The URL belongs to an allowed category within the firewall policy.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
policyid
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
custom
The log field that a user has created. This is referred to as a custom log
field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero if
the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique, it is only locally unique
within a given firewall policy.
serial
The session number identification.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
src
The source IP address.
sport
The source port number.
src_port
The source port number.
src_int
The source interface. For example, internal.
dst
The destination IP address.
dport
The destination port number.
dst_port
The destination port number.
dst_int
The destination interface. For example, wan1.
service
This field contains any one of the following:
• http
• https
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• nntp
• im
• smtps
• pop3s
• imaps
hostname
The name of the website that was accessed.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field will
always display N/A in FortiOS.
profiletype
The type of profile that was used, for example Antivirus_Profile.
profilegroup
The group that the profile is part of. This field contains N/A if there is no
profile group configured. Profile groups are only available in FortiOS
Carrier.
profile
The name of the profile that was used to detect and take action.
status
This field contains any one of the following:
• blocked
• exempted
• allowed
• passthrough
• filtered
• DLP
req_type
The type of request, which can be one of the following:
• referral – if the HTTP transaction is requested from a parent web site,
such as selecting a link on a web page
• direct – a direct connection to a web page, such as typing in the URL
address manually.
url
The URL address.
msg
URL belongs to an allowed category in policy.
method
This field contains either ip or domain.
class
The class the URL belongs to.
class_desc
The class description that the URL belongs to.
cat
The category that the URL belongs to.
cat_desc
The category description that the URL belongs to.
13313
Message ID
13313
Log Subtype
ftgd_allow
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The URL belongs to an override rule.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
policyid
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
custom
The log field that a user has created. This is referred to as a custom log
field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero if
the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique, it is only locally unique
within a given firewall policy.
serial
The session number identification.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
src
The source IP address.
sport
The source port number.
src_port
The source port number.
src_int
The source interface. For example, internal.
dst
The destination IP address.
dport
The destination port number.
dst_port
The destination port number.
dst_int
The destination interface. For example, wan1.
service
This field contains any one of the following:
• http
• https
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• nntp
• im
• smtps
• pop3s
• imaps
hostname
The name of the website that was accessed.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field will
always display N/A in FortiOS.
profiletype
The type of profile that was used, for example Antivirus_Profile.
profilegroup
The group that the profile is part of. This field contains N/A if there is no
profile group configured. Profile groups are only available in FortiOS
Carrier.
profile
The name of the profile that was used to detect and take action.
status
This field contains any one of the following:
• blocked
• exempted
• allowed
• passthrough
• filtered
• DLP
req_type
The type of request, which can be one of the following:
• referral – if the HTTP transaction is requested from a parent web site,
such as selecting a link on a web page
• direct – a direct connection to a web page, such as typing in the URL
address manually.
url
The URL address.
msg
URL belongs to an override rule.
method
This field contains either ip or domain.
class
The class the URL belongs to.
class_desc
The class description that the URL belongs to.
cat
The category that the URL belongs to.
cat_desc
The category description that the URL belongs to.
mode
This field contains rule.
rule_type
This field contains any one of the following:
• directory
• domain
• rating
rule_data
The rule data information.
ovrd_tbl
The override table information.
ovrd_id
The override identification number.
13314
Message ID
13314
Log Subtype
ftgd_allow
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
The URL belongs to an override rule.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
policyid
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
custom
The log field that a user has created. This is referred to as a custom log
field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero if
the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique, it is only locally unique
within a given firewall policy.
serial
The session number identification.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
src
The source IP address.
sport
The source port number.
src_port
The source port number.
src_int
The source interface. For example, internal.
dst
The destination IP address.
dport
The destination port number.
dst_port
The destination port number.
dst_int
The destination interface. For example, wan1.
service
This field contains any one of the following:
• http
• https
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• nntp
• im
• smtps
• pop3s
• imaps
hostname
The name of the website that was accessed.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field will
always display N/A in FortiOS.
profiletype
The type of profile that was used, for example Antivirus_Profile.
profilegroup
The group that the profile is part of. This field contains N/A if there is no
profile group configured. Profile groups are only available in FortiOS
Carrier.
profile
The name of the profile that was used to detect and take action.
status
This field contains any one of the following:
• blocked
• exempted
• allowed
• passthrough
• filtered
• DLP
req_type
The type of request, which can be one of the following:
• referral – if the HTTP transaction is requested from a parent web site,
such as selecting a link on a web page
• direct – a direct connection to a web page, such as typing in the URL
address manually.
url
The URL address.
msg
URL belongs to an override rule.
method
This field contains either ip or domain.
class
The class the URL belongs to.
class_desc
The class description that the URL belongs to.
cat
The category that the URL belongs to.
cat_desc
The category description that the URL belongs to.
mode
This field contains offsite.
rule_type
This field contains any one of the following:
• directory
• domain
• rating
rule_data
The rule data information.
ovrd_tbl
The override table information.
ovrd_id
The override identification number.
12800
Message ID
12800
Log Subtype
ftgd_err
Severity
Error
Firmware version
FortiOS 4.0 MR3
Meaning
A FortiGuard Web Filter error.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
policyid
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
custom
The log field that a user has created. This is referred to as a custom log
field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero if
the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique, it is only locally unique
within a given firewall policy.
serial
The session number identification.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
src
The source IP address.
sport
The source port number.
src_port
The source port number.
src_int
The source interface. For example, internal.
dst
The destination IP address.
dport
The destination port number.
dst_port
The destination port number.
dst_int
The destination interface. For example, wan1.
service
This field contains any one of the following:
• http
• https
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• nntp
• im
• smtps
• pop3s
• imaps
• ftp (ftp-over-http)
hostname
The name of the website that was accessed.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field will
always display N/A in FortiOS.
profiletype
The type of profile that was used, for example Antivirus_Profile.
profilegroup
The group that the profile is part of. This field contains N/A if there is no
profile group configured. Profile groups are only available in FortiOS
Carrier.
profile
The name of the profile that was used to detect and take action.
status
This field contains any one of the following:
• blocked
• exempted
• allowed
• passthrough
• filtered
• DLP
req_type
The type of request, which can be one of the following:
• referral – if the HTTP transaction is requested from a parent web site,
such as selecting a link on a web page
• direct – a direct connection to a web page, such as typing in the URL
address manually.
url
The URL address.
sent
The total number of bytes sent.
rcvd
The total number of bytes received.
msg
A rating error occurs.
error
The web filter error information.
12801
Message ID
12801
Log Subtype
ftgd_err
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
A FortiGuard Web Filter error.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
policyid
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
custom
The log field that a user has created. This is referred to as a custom log
field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero if
the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique, it is only locally unique
within a given firewall policy.
serial
The session number identification.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
src
The source IP address.
sport
The source port number.
src_port
The source port number.
src_int
The source interface. For example, internal.
dst
The destination IP address.
dport
The destination port number.
dst_port
The destination port number.
dst_int
The destination interface. For example, wan1.
service
This field contains any one of the following:
• http
• https
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• nntp
• im
• smtps
• pop3s
• imaps
• ftp (ftp-over-http)
hostname
The name of the website that was accessed.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field will
always display N/A in FortiOS.
profiletype
The type of profile that was used, for example Antivirus_Profile.
profilegroup
The group that the profile is part of. This field contains N/A if there is no
profile group configured. Profile groups are only available in FortiOS
Carrier.
profile
The name of the profile that was used to detect and take action.
status
This field contains any one of the following:
• blocked
• exempted
• allowed
• passthrough
• filtered
• DLP
req_type
The type of request, which can be one of the following:
• referral – if the HTTP transaction is requested from a parent web site,
such as selecting a link on a web page
• direct – a direct connection to a web page, such as typing in the URL
address manually.
url
The URL address.
sent
The total number of bytes sent.
rcvd
The total number of bytes received.
msg
A rating error occurs.
error
The web filter error information.
13601
Message ID
13601
Log Subtype
cookiefilter
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
A FortiGuard web filter cookie log message.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
policyid
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
custom
The log field that a user has created. This is referred to as a custom log
field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero if
the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique, it is only locally unique
within a given firewall policy.
serial
The session number identification.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
src
The source IP address.
sport
The source port number.
src_port
The source port number.
src_int
The source interface. For example, internal.
dst
The destination IP address.
dport
The destination port number.
dst_port
The destination port number.
dst_int
The destination interface. For example, wan1.
service
This field contains any one of the following:
• http
• https
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• nntp
• im
• smtps
• pop3s
• imaps
• ftp (ftp-over-http)
hostname
The name of the website that was accessed.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field will
always display N/A in FortiOS.
profiletype
The type of profile that was used, for example Antivirus_Profile.
profilegroup
The group that the profile is part of. This field contains N/A if there is no
profile group configured. Profile groups are only available in FortiOS
Carrier.
profile
The name of the profile that was used to detect and take action.
status
This field contains any one of the following:
• blocked
• exempted
• allowed
• passthrough
• filtered
• DLP
req_type
The type of request, which can be one of the following:
• referral – if the HTTP transaction is requested from a parent web site,
such as selecting a link on a web page
• direct – a direct connection to a web page, such as typing in the URL
address manually.
url
The URL address.
sent
The total number of bytes sent.
rcvd
The total number of bytes received.
msg
The cookie was removed entirely.
count
The number of times the same event was detected within a short period
of time.
filter_type
The script filter type. This field contains any one of the following:
• n/a
• jscript
• javascript
• vbscript
• unknown
13602
Message ID
13602
Log Subtype
cookiefilter
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
A web reference filter log message.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
policyid
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
custom
The log field that a user has created. This is referred to as a custom log
field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero if
the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique; it is only locally unique
within a given firewall policy.
serial
The session number identification.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
src
The source IP address.
sport
The source port number.
src_port
The source port number.
src_int
The source interface. For example, internal.
dst
The destination IP address.
dport
The destination port number.
dst_port
The destination port number.
dst_int
The destination interface. For example, wan1.
service
This field contains any one of the following:
• http
• https
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• nntp
• im
• smtps
• pop3s
• imaps
• ftp (ftp-over-http)
hostname
The name of the website that was accessed.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field will
always display N/A in FortiOS.
profiletype
The type of profile that was used, for example Antivirus_Profile.
profilegroup
The group that the profile is part of. This field contains N/A if there is no
profile group configured. Profile groups are only available in FortiOS
Carrier.
profile
The name of the profile that was used to detect and take action.
status
This field contains any one of the following:
• blocked
• exempted
• allowed
• passthrough
• filtered
• DLP
req_type
The type of request, which can be one of the following:
• referral – if the HTTP transaction is requested from a parent web site,
such as selecting a link on a web page
• direct – a direct connection to a web page, such as typing in the URL
address manually.
url
The URL address.
sent
The total number of bytes sent.
rcvd
The total number of bytes received.
msg
Reference was removed from request.
count
The number of times the same event was detected within a short period
of time.
filter_type
The script filter type. This field contains any one of the following:
• n/a
• jscript
• javascript
• vbscript
• unknown
13568
Message ID
13568
Log Subtype
activexfilter
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
An ActiveX script was removed.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
policyid
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
custom
The log field that a user has created. This is referred to as a custom log
field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero if
the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique; it is only locally unique
within a given firewall policy.
serial
The session number identification.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
src
The source IP address.
sport
The source port number.
src_port
The source port number.
src_int
The source interface. For example, internal.
dst
The destination IP address.
dport
The destination port number.
dst_port
The destination port number.
dst_int
The destination interface. For example, wan1.
service
This field contains any one of the following:
• http
• https
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• nntp
• im
• smtps
• pop3s
• imaps
• ftp (ftp-over-http)
hostname
The name of the website that was accessed.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field will
always display N/A in FortiOS.
profiletype
The type of profile that was used, for example Antivirus_Profile.
profilegroup
The group that the profile is part of. This field contains N/A if there is no
profile group configured. Profile groups are only available in FortiOS
Carrier.
profile
The name of the profile that was used to detect and take action.
status
This field contains any one of the following:
• blocked
• exempted
• allowed
• passthrough
• filtered
• DLP
req_type
The type of request, which can be one of the following:
• referral – if the HTTP transaction is requested from a parent web site,
such as selecting a link on a web page
• direct – a direct connection to a web page, such as typing in the URL
address manually.
url
The URL address.
msg
activex script was removed
count
The number of times the same event was detected within a short period
of time.
13573
Message ID
13573
Log Subtype
cookiefilter
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
A cookie was removed.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
policyid
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
custom
The log field that a user has created. This is referred to as a custom log
field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero if
the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique; it is only locally unique
within a given firewall policy.
serial
The session number identification.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
src
The source IP address.
sport
The source port number.
src_port
The source port number.
src_int
The source interface. For example, internal.
dst
The destination IP address.
dport
The destination port number.
dst_port
The destination port number.
dst_int
The destination interface. For example, wan1.
service
This field contains any one of the following:
• http
• https
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• nntp
• im
• smtps
• pop3s
• imaps
• ftp (ftp-over-http)
hostname
The name of the website that was accessed.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field will
always display N/A in FortiOS.
profiletype
The type of profile that was used, for example Antivirus_Profile.
profilegroup
The group that the profile is part of. This field contains N/A if there is no
profile group configured. Profile groups are only available in FortiOS
Carrier.
profile
The name of the profile that was used to detect and take action.
status
This field contains any one of the following:
• blocked
• exempted
• allowed
• passthrough
• filtered
• DLP
req_type
The type of request, which can be one of the following:
• referral – if the HTTP transaction is requested from a parent web site,
such as selecting a link on a web page
• direct – a direct connection to a web page, such as typing in the URL
address manually.
url
The URL address.
msg
cookie was removed
13584
Message ID
13584
Log Subtype
appletfilter
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
A Java applet was removed.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
policyid
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
custom
The log field that a user has created. This is referred to as a custom log
field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero if
the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique; it is only locally unique
within a given firewall policy.
serial
The session number identification.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
src
The source IP address.
sport
The source port number.
src_port
The source port number.
src_int
The source interface. For example, internal.
dst
The destination IP address.
dport
The destination port number.
dst_port
The destination port number.
dst_int
The destination interface. For example, wan1.
service
This field contains any one of the following:
• http
• https
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• nntp
• im
• smtps
• pop3s
• imaps
• ftp (ftp-over-http)
hostname
The name of the website that was accessed.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field will
always display N/A in FortiOS.
profiletype
The type of profile that was used, for example Antivirus_Profile.
profilegroup
The group that the profile is part of. This field contains N/A if there is no
profile group configured. Profile groups are only available in FortiOS
Carrier.
profile
The name of the profile that was used to detect and take action.
status
This field contains any one of the following:
• blocked
• exempted
• allowed
• passthrough
• filtered
• DLP
req_type
The type of request, which can be one of the following:
• referral – if the HTTP transaction is requested from a parent web site,
such as selecting a link on a web page
• direct – a direct connection to a web page, such as typing in the URL
address manually.
url
The URL address.
msg
java applet was removed
count
The number of times the same event was detected within a short period
of time.
13315
Message ID
13315
Log Subtype
ftgd_quota_counting
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
A FortiGuard web filter category quota counting log message.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
policyid
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
custom
The log field that a user has created. This is referred to as a custom log
field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero if
the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique; it is only locally unique
within a given firewall policy.
serial
The session number identification.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
src
The source IP address.
sport
The source port number.
src_port
The source port number.
src_int
The source interface. For example, internal.
dst
The destination IP address.
dport
The destination port number.
dst_port
The destination port number.
dst_int
The destination interface. For example, wan1.
service
This field contains any one of the following:
• http
• https
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• nntp
• im
• smtps
• pop3s
• imaps
• ftp (ftp-over-http)
hostname
The name of the website that was accessed.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field will
always display N/A in FortiOS.
profiletype
The type of profile that was used, for example Antivirus_Profile.
profilegroup
The group that the profile is part of. This field contains N/A if there is no
profile group configured. Profile groups are only available in FortiOS
Carrier.
profile
The name of the profile that was used to detect and take action.
status
This field contains any one of the following:
• blocked
• exempted
• allowed
• passthrough
• filtered
• DLP
req_type
The type of request, which can be one of the following:
• referral – if the HTTP transaction is requested from a parent web site,
such as selecting a link on a web page
• direct – a direct connection to a web page, such as typing in the URL
address manually.
url
The URL address.
msg
Webfilter quota has begun counting
method
This field contains either ip or domain.
class
The class the URL belongs to.
class_desc
The class description that the URL belongs to.
cat
The category that the URL belongs to.
cat_desc
The category description that the URL belongs to.
quota_used
The quota time used by the user, in seconds.
quota_max
The maximum quota time that was allowed, in seconds.
13316
Message ID
13316
Log Subtype
ftgd_quota_expired
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
A FortiGuard web filter category quota expired log message.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
policyid
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
custom
The log field that a user has created. This is referred to as a custom log
field because the name can be anything, for example, hq.
identidx
The identity-based policy identification number. This field displays zero if
the firewall policy does not use an identity-based policy; otherwise, it
displays the number of the identity-based policy entry that the traffic
matched. This number is not globally unique; it is only locally unique
within a given firewall policy.
serial
The session number identification.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
src
The source IP address.
sport
The source port number.
src_port
The source port number.
src_int
The source interface. For example, internal.
dst
The destination IP address.
dport
The destination port number.
dst_port
The destination port number.
dst_int
The destination interface. For example, wan1.
service
This field contains any one of the following:
• http
• https
• smtp
• pop3
• imap
• ftp
• mm1
• mm3
• mm4
• mm7
• nntp
• im
• smtps
• pop3s
• imaps
• ftp (ftps-over-http)
hostname
The name of the website that was accessed.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would
display MSISDN of the phone that sent the MMS message. This field will
always display N/A in FortiOS.
profiletype
The type of profile that was used, for example Antivirus_Profile.
profilegroup
The group that the profile is part of. This field contains N/A if there is no
profile group configured. Profile groups are only available in FortiOS
Carrier.
profile
The name of the profile that was used to detect and take action.
status
This field contains any one of the following:
• blocked
• exempted
• allowed
• passthrough
• filtered
• DLP
req_type
The type of request, which can be one of the following:
• referral – if the HTTP transaction is requested from a parent web site,
such as selecting a link on a web page
• direct – a direct connection to a web page, such as typing in the URL
address manually.
url
The URL address.
msg
Webfilter quota for category has expired
method
This field contains either ip or domain.
class
The class the URL belongs to.
class_desc
The class description that the URL belongs to.
cat
The category that the URL belongs to.
cat_desc
The category description that the URL belongs to.
quota_used
The quota time used by the user, in seconds.
quota_max
The maximum quota time that was allowed, in seconds.
12802
Message ID
12802
Log Subtype
ftgd_quota
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
The daily FortiGuard quota status.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
quota
Indicates whether the quota was exceeded or not. This field contains
either no or yes.
quota_used
The quota time used, in seconds.
quota_max
The maximum quota time that is allowed, in seconds.
cat_desc
The category description.
user
The name of the user.
profile
The name of the profile that was used to detect and take action.
Netscan logs
Netscan logs record network scanning activities that were performed by the FortiGate unit.
4096
4097
4098
4099
4100
4101
4102
4103
4104
4105
4096
Message ID
4096
Log Subtype
Vulnerability
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
A network scan was performed.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field contains root.
action
This field contains any one of the following:
• scan
• host-detection
• vuln-detection
• service-detection
• os-scan
• port-detection
• vuln-count
start
The GMT start time, indicating when the scan began.
end
The GMT end time, indicating when the scan stopped.
status
The status of the scan. This field contains any one of the following:
• start
• stop
• pause
• resume
• complete
engine
The version number of the netscan engine.
plugin
The version number of the netscan plugin.
4097
Message ID
4097
Log Subtype
Discovery
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
A network scan was performed.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field contains root.
action
This field contains any one of the following:
• scan
• host-detection
• vuln-detection
• service-detection
• os-scan
• port-detection
• vuln-count
start
The GMT start time, indicating when the scan began.
end
The GMT end time, indicating when the scan stopped.
engine
The version number of the netscan engine.
plugin
The version number of the netscan plugin.
4098
Message ID
4098
Log Subtype
Vulnerability
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
A network scan vulnerability was detected.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field contains root.
action
This field contains any one of the following:
• scan
• host-detection
• vuln-detection
• service-detection
• os-scan
• port-detection
• vuln-count
ip
The host IP address.
vuln
The name of the detected vulnerability.
vuln_cat
The category of the detected vulnerability.
vuln_id
The identification number of the detected vulnerability.
vuln_ref
The link that redirects you to the vulnerability listed in FortiGuard.
severity
The severity level of the detected vulnerability. This field contains any one of
the following:
• critical
• high
• medium
• low
• info
proto
The protocol that was used, which is either TCP or UDP.
port
The port number.
4099
Message ID
4099
Log Subtype
Discovery
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
A network scan was performed.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field contains root.
action
This field contains any one of the following:
• scan
• host-detection
• vuln-detection
• service-detection
• os-scan
• port-detection
• vuln-count
ip
The host’s IP address.
os
The name of the operating system.
os_family
The name of the operating system’s family.
os_gen
The operating system’s generation.
os_vender
The name of the vendor for that operating system. For example, Microsoft.
4100
Message ID
4100
Log Subtype
Discovery
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
A network scan was performed.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field contains root.
action
This field contains any one of the following:
• scan
• host-detection
• vuln-detection
• service-detection
• os-scan
• port-detection
• vuln-count
ip
The host’s IP address.
service
The name of the detected service.
proto
This field can be either tcp or udp, depending on the protocol that was used.
port
The port number.
4101
Message ID
4101
Log Subtype
Vulnerability
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
A network scan notification.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field contains root.
action
This field contains any one of the following:
• scan
• host-detection
• vuln-detection
• service-detection
• os-scan
• port-detection
• vuln-count
msg
The log message information. This is usually a sentence and explains the
activity and/or action taken.
4102
Message ID
4102
Log Subtype
Discovery
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
A network scan was performed.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field contains root.
action
This field contains any one of the following:
• scan
• host-detection
• vuln-detection
• service-detection
• os-scan
• port-detection
• vuln-count
message
The log message information. This is usually a sentence and explains the
activity and/or action taken.
4103
Message ID
4103
Log Subtype
Vulnerability
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
The number of vulnerabilities that netscan detected.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field contains root.
action
This field contains any one of the following:
• scan
• host-detection
• vuln-detection
• service-detection
• os-scan
• port-detection
• vuln-count
ip
The host’s IP address.
vuln_count
The total number of vulnerabilities.
4104
Message ID
4104
Log Subtype
Discovery
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
A netscan host was detected.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field contains root.
action
This field contains any one of the following:
• scan
• host-detection
• vuln-detection
• service-detection
• os-scan
• port-detection
• vuln-count
ip
The host’s IP address.
method
The discovery method that was used. This field contains any one of the
following:
• ARP
• ICMP
• TCP
• UDP
asset_id
The asset definition for this host.
asset_name
The asset definition name for this host.
vuln_count
The total number of vulnerabilities.
4105
Message ID
4105
Log Subtype
Discovery
Severity
Notification
Firmware version
FortiOS 4.0 MR3
Meaning
A netscan port was detected.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field contains root.
action
This field contains any one of the following:
• scan
• host-detection
• vuln-detection
• service-detection
• os-scan
• port-detection
• vuln-count
ip
The host’s IP address.
proto
This field can be either tcp or udp, depending on the protocol that was used.
port
The port number.
DLP archives
DLP archive log messages are log messages that are sent to the FortiAnalyzer unit, FortiGate hard disk, or
FortiGuard Analysis server. These log messages include email, FTP activities, IM events, VoIP events, and
web filter events. You can configure your FortiGate unit to send archives to a FortiGuard Analysis server if
you have subscribed to the FortiGuard Analysis and Management Service.
32768
32777
32776
32794
32770
32795
32772
32796
32774
32797
32769
32798
32782
32800
32783
32778
32784
32779
32785
32780
32786
32781
32787
32771
32788
32773
32789
32775
32790
32791
32792
32793
32768
Message ID
32768
Log Subtype
HTTP
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
The HTTP log archive.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
clogver
The content log version number.
epoch
The time period in seconds.
eventid
The event identification number or serial number.
cstatus
The status of the content log. This field contains any one of the following:
• clean
• infected
• heuristic
• banned_word
• blocked
• exempt
• oversize
• carrier_endpoint_filter
• mass_mms
• dlp
• fragmented
• spam
• im_summary
• im_message
• im_file_request
• im_file_accept
• im_file_cancel
• im_video
• im_photo_share_request
• im_voice
• im_photo_share_cancel
• im_photo_share_accept
• im_photo_xref
• im_photo_share_stop
• error
• voip
infection
This field contains any one of the following:
• block
• fileexempt
• file intercept
• mms block
• carrier end point filter
• mms flood
• mms duplicate
• virus
• virusrm
• heuristic
• html script
• script filter
• banned word
• exempt word
• oversize
• virus
• heuristic
• worm
• mime block
• fragmented
• exempt
• ip blacklist
• dnsbl
• FortiGuard - Antispam ip blacklist
• helo
• emailblacklist
• mimeheader
• dns
• FortiGuard - AntiSpam ase block
• banned word
• ipwhitelist
• emailwhitelist
• fewhitelist
• headerwhitelist
• dlp
• dlpban
• pass
• mms content checksum
virus
The name of the virus that was detected.
SN
The session number of the log message.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would display
MSISDN of the phone that sent the MMS message. This field will always
display N/A in FortiOS.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
profile
The name of the profile that was used to detect and take action.
profilegroup
The group that the profile is part of. This field contains N/A if there is no
profile group configured. Profile groups are only available in FortiOS Carrier.
client
The internal IP address of the FortiGate unit.
server
The IP address of the server.
rcvd
The total number of bytes transferred on server side.
sent
The total number of bytes transferred on client side.
dlp_sensor
The name of the DLP sensor that was used to detect and take action. For
example, the default sensor Content_Archive.
method
The HTTP/HTTPS command.
hostname
The HTTP/HTTPS host name.
url
The HTTP/HTTPS URL address.
cat
The HTTP/HTTPS category.
cat_desc
The HTTP/HTTPS description of the category.
32776
Message ID
32776
Log Subtype
FTP
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
The FTP log archive.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
clogver
The content log version number.
epoch
The time period in seconds.
eventid
The event identification number or serial number.
cstatus
The status of the content log. This field contains any one of the following:
• clean
• infected
• heuristic
• banned_word
• blocked
• exempt
• oversize
• carrier_endpoint_filter
• mass_mms
• dlp
• fragmented
• spam
• im_summary
• im_message
• im_file_request
• im_file_accept
• im_file_cancel
• im_video
• im_photo_share_request
• im_voice
• im_photo_share_cancel
• im_photo_share_accept
• im_photo_xref
• im_photo_share_stop
• error
• voip
infection
This field contains any one of the following:
• block
• fileexempt
• file intercept
• mms block
• carrier end point filter
• mms flood
• mms duplicate
• virus
• virusrm
• heuristic
• html script
• script filter
• banned word
• exempt word
• oversize
• virus
• heuristic
• worm
• mime block
• fragmented
• exempt
• ip blacklist
• dnsbl
• FortiGuard - Antispam ip blacklist
• helo
• emailblacklist
• mimeheader
• dns
• FortiGuard - AntiSpam ase block
• banned word
• ipwhitelist
• emailwhitelist
• fewhitelist
• headerwhitelist
• dlp
• dlpban
• pass
• mms content checksum
virus
The name of the virus detected.
SN
The session number of the log message.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would display
MSISDN of the phone that sent the MMS message. This field will always
display N/A in FortiOS.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
profile
The name of the profile that was used to detect and take action.
profilegroup
The group that the profile is part of. This field contains N/A if there is no
profile group configured. Profile groups are only available in FortiOS
Carrier.
client
The internal IP address of the FortiGate unit.
server
The IP address of the server.
rcvd
The total number of bytes transferred on server side.
sent
The total number of bytes transferred on client side.
dlp_sensor
The name of the DLP sensor that was used to detect and take action. For
example, the default sensor Content_Archive.
ftpcmd
This field contains any one of the following:
• NONE
• USER
• PASS
• ACCT
• STOR
• RETR
• QUIT
file
The name of the file that was uploaded to the server.
32770
Message ID
32770
Log Subtype
SMTP
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
The SMTP log archive
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
clogver
The content log version number.
epoch
The time period in seconds.
eventid
The event identification number or serial number.
cstatus
The status of the content log. This field contains any one of the following:
• clean
• infected
• heuristic
• banned_word
• blocked
• exempt
• oversize
• carrier_endpoint_filter
• mass_mms
• dlp
• fragmented
• spam
• im_summary
• im_message
• im_file_request
• im_file_accept
• im_file_cancel
• im_video
• im_photo_share_request
• im_voice
• im_photo_share_cancel
• im_photo_share_accept
• im_photo_xref
• im_photo_share_stop
• error
• voip
infection
This field contains any one of the following:
• block
• fileexempt
• file intercept
• mms block
• carrier end point filter
• mms flood
• mms duplicate
• virus
• virusrm
• heuristic
• html script
• script filter
• banned word
• exempt word
• oversize
• virus
• heuristic
• worm
• mime block
• fragmented
• exempt
• ip blacklist
• dnsbl
• FortiGuard - Antispam ip blacklist
• helo
• emailblacklist
• mimeheader
• dns
• FortiGuard - AntiSpam ase block
• banned word
• ipwhitelist
• emailwhitelist
• fewhitelist
• headerwhitelist
• dlp
• dlpban
• pass
• mms content checksum
virus
The name of the virus detected.
SN
The session number of the log message.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would display
MSISDN of the phone that sent the MMS message. This field will always
display N/A in FortiOS.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
profile
The name of the profile that was used to detect and take action.
profilegroup
The group that the profile is part of. This field contains N/A if there is no
profile group configured. Profile groups are only available in FortiOS Carrier.
client
The internal IP address of the FortiGate unit.
server
The IP address of the server.
rcvd
The total number of bytes transferred on server side.
sent
The total number of bytes transferred on client side.
dlp_sensor
The name of the DLP sensor that was used to detect and take action. For
example, the default sensor Content_Archive.
to
The recipient’s email address.
from
The sender’s email address.
subject
The subject line of the email message.
attachment
The number of attachments that are present within the email. If there are no
attachments, zero displays.
32772
Message ID
32772
Log Subtype
POP3
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
The POP3 log archive.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
clogver
The content log version number.
epoch
The time period in seconds.
eventid
The event identification number or serial number.
cstatus
The status of the content log. This field contains any one of the following:
• clean
• infected
• heuristic
• banned_word
• blocked
• exempt
• oversize
• carrier_endpoint_filter
• mass_mms
• dlp
• fragmented
• spam
• im_summary
• im_message
• im_file_request
• im_file_accept
• im_file_cancel
• im_video
• im_photo_share_request
• im_voice
• im_photo_share_cancel
• im_photo_share_accept
• im_photo_xref
• im_photo_share_stop
• error
• voip
infection
This field contains any one of the following:
• block
• fileexempt
• file intercept
• mms block
• carrier end point filter
• mms flood
• mms duplicate
• virus
• virusrm
• heuristic
• html script
• script filter
• banned word
• exempt word
• oversize
• virus
• heuristic
• worm
• mime block
• fragmented
• exempt
• ip blacklist
• dnsbl
• FortiGuard - Antispam ip blacklist
• helo
• emailblacklist
• mimeheader
• dns
• FortiGuard - AntiSpam ase block
• banned word
• ipwhitelist
• emailwhitelist
• fewhitelist
• headerwhitelist
• dlp
• dlpban
• pass
• mms content checksum
virus
The name of the virus detected.
SN
The session number of the log message.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would display
MSISDN of the phone that sent the MMS message. This field will always
display N/A in FortiOS.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
profile
The name of the profile that was used to detect and take action.
profilegroup
The group that the profile is part of. This field contains N/A if there is no
profile group configured. Profile groups are only available in FortiOS Carrier.
client
The internal IP address of the FortiGate unit.
server
The IP address of the server.
rcvd
The total number of bytes transferred on server side.
sent
The total number of bytes transferred on client side.
dlp_sensor
The name of the DLP sensor that was used to detect and take action. For
example, the default sensor Content_Archive.
to
The recipient’s email address.
from
The sender’s email address.
subject
The subject line of the email message.
attachment
The number of attachments that are present within the email. If there are no
attachments, zero displays.
32774
Message ID
32774
Log Subtype
IMAP
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
The IMAP content archive
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
clogver
The content log version number.
epoch
The time period in seconds.
eventid
The event identification number or serial number.
cstatus
The status of the content log. This field contains any one of the following:
• clean
• infected
• heuristic
• banned_word
• blocked
• exempt
• oversize
• carrier_endpoint_filter
• mass_mms
• dlp
• fragmented
• spam
• im_summary
• im_message
• im_file_request
• im_file_accept
• im_file_cancel
• im_video
• im_photo_share_request
• im_voice
• im_photo_share_cancel
• im_photo_share_accept
• im_photo_xref
• im_photo_share_stop
• error
• voip
infection
This field contains any one of the following:
• block
• fileexempt
• file intercept
• mms block
• carrier end point filter
• mms flood
• mms duplicate
• virus
• virusrm
• heuristic
• html script
• script filter
• banned word
• exempt word
• oversize
• virus
• heuristic
• worm
• mime block
• fragmented
• exempt
• ip blacklist
• dnsbl
• FortiGuard - Antispam ip blacklist
• helo
• emailblacklist
• mimeheader
• dns
• FortiGuard - AntiSpam ase block
• banned word
• ipwhitelist
• emailwhitelist
• fewhitelist
• headerwhitelist
• dlp
• dlpban
• pass
• mms content checksum
virus
The name of the virus detected.
SN
The session number of the log message.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would display
MSISDN of the phone that sent the MMS message. This field will always
display N/A in FortiOS.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
profile
The name of the profile that was used to detect and take action.
profilegroup
The group that the profile is part of. This field contains N/A if there is no
profile group configured. Profile groups are only available in FortiOS Carrier.
client
The internal IP address of the FortiGate unit.
server
The IP address of the server.
rcvd
The total number of bytes transferred on server side.
sent
The total number of bytes transferred on client side.
dlp_sensor
The name of the DLP sensor that was used to detect and take action. For
example, the default sensor Content_Archive.
to
The recipient’s email address.
from
The sender’s email address.
subject
The subject line of the email.
attachment
The number of attachments that are present within the email. If there are no
attachments, zero displays.
32769
Message ID
32769
Log Subtype
HTTPS
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
The HTTPS log archive.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
clogver
The content log version number.
epoch
The time period in seconds.
eventid
The event identification number or serial number.
cstatus
The status of the content log. This field contains any one of the following:
• clean
• infected
• heuristic
• banned_word
• blocked
• exempt
• oversize
• carrier_endpoint_filter
• mass_mms
• dlp
• fragmented
• spam
• im_summary
• im_message
• im_file_request
• im_file_accept
• im_file_cancel
• im_video
• im_photo_share_request
• im_voice
• im_photo_share_cancel
• im_photo_share_accept
• im_photo_xref
• im_photo_share_stop
• error
• voip
infection
This field contains any one of the following:
• block
• fileexempt
• file intercept
• mms block
• carrier end point filter
• mms flood
• mms duplicate
• virus
• virusrm
• heuristic
• html script
• script filter
• banned word
• exempt word
• oversize
• virus
• heuristic
• worm
• mime block
• fragmented
• exempt
• ip blacklist
• dnsbl
• FortiGuard - Antispam ip blacklist
• helo
• emailblacklist
• mimeheader
• dns
• FortiGuard - AntiSpam ase block
• banned word
• ipwhitelist
• emailwhitelist
• fewhitelist
• headerwhitelist
• dlp
• dlpban
• pass
• mms content checksum
virus
The name of the virus detected.
SN
The session number of the log message.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would display
MSISDN of the phone that sent the MMS message. This field will always
display N/A in FortiOS.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
profile
The name of the profile that was used to detect and take action.
profilegroup
The group that the profile is part of. This field contains N/A if there is no
profile group configured. Profile groups are only available in FortiOS Carrier.
client
The internal IP address of the FortiGate unit.
server
The IP address of the server.
rcvd
The total number of bytes transferred on server side.
sent
The total number of bytes transferred on client side.
dlp_sensor
The name of the DLP sensor that was used to detect and take action. For
example, the default sensor Content_Archive.
method
The HTTP/HTTPS command.
hostname
The HTTP/HTTPS host name.
url
The HTTP/HTTPS URL address.
cat
The HTTP/HTTPS category.
cat_desc
The HTTP/HTTPS description of the category.
32782
Message ID
32782
Log Subtype
im-all
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
The IM chat summary log archive.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
clogver
The content log version number.
epoch
The time period in seconds.
eventid
The event identification number or serial number.
cstatus
The status of the content log. This field contains any one of the following:
• clean
• infected
• heuristic
• banned_word
• blocked
• exempt
• oversize
• carrier_endpoint_filter
• mass_mms
• dlp
• fragmented
• spam
• im_summary
• im_message
• im_file_request
• im_file_accept
• im_file_cancel
• im_video
• im_photo_share_request
• im_voice
• im_photo_share_cancel
• im_photo_share_accept
• im_photo_xref
• im_photo_share_stop
• error
• voip
infection
This field contains any one of the following:
• block
• fileexempt
• file intercept
• mms block
• carrier end point filter
• mms flood
• mms duplicate
• virus
• virusrm
• heuristic
• html script
• script filter
• banned word
• exempt word
• oversize
• virus
• heuristic
• worm
• mime block
• fragmented
• exempt
• ip blacklist
• dnsbl
• FortiGuard - Antispam ip blacklist
• helo
• emailblacklist
• mimeheader
• dns
• FortiGuard - AntiSpam ase block
• banned word
• ipwhitelist
• emailwhitelist
• fewhitelist
• headerwhitelist
• dlp
• dlpban
• pass
• mms content checksum
SN
The session number of the log message.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
profilegroup
The group that the profile is part of. This field contains N/A if there is no
profile group configured. Profile groups are only available in FortiOS Carrier.
profile
The name of the profile that was used to detect and take action.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would display
MSISDN of the phone that sent the MMS message. This field will always
display N/A in FortiOS.
profile
The name of the profile that was used to detect and take action.
profilegroup
The group that the profile is part of. This field contains N/A if there is no
profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
policyid
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
identidx
The identity-based policy identification number. This field displays zero if the
firewall policy does not use an identity-based policy; otherwise, it displays
the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall
policy.
proto
The protocol number that applies to the session or packet. This is the
protocol number in the packet header that identifies the next level protocol.
Protocol numbers are assigned by the Internet Assigned Numbers Authority
(IANA).
kind
This field contains any one of the following:
• summary
• chat
• file
• photo
• photo-xref
• audio
• oversize
• fileblock
• fileexempt
• virus
• dlp
• call-block
• call-info
• call
• register
• unregister
laddr
The local IP address.
raddr
The remote IP address.
local
The local user.
remote
The remote user.
messages
The number of chat messages.
start-date
The local start date.
end-date
The local end date.
32783
Message ID
32783
Log Subtype
im-all
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
The IM chat message log archive.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
clogver
The content log version number.
epoch
The time period in seconds.
eventid
The event identification number or serial number.
cstatus
The status of the content log. This field contains any one of the following:
• clean
• infected
• heuristic
• banned_word
• blocked
• exempt
• oversize
• carrier_endpoint_filter
• mass_mms
• dlp
• fragmented
• spam
• im_summary
• im_message
• im_file_request
• im_file_accept
• im_file_cancel
• im_video
• im_photo_share_request
• im_voice
• im_photo_share_cancel
• im_photo_share_accept
• im_photo_xref
• im_photo_share_stop
• error
• voip
infection
This field contains any one of the following:
• block
• fileexempt
• file intercept
• mms block
• carrier end point filter
• mms flood
• mms duplicate
• virus
• virusrm
• heuristic
• html script
• script filter
• banned word
• exempt word
• oversize
• virus
• heuristic
• worm
• mime block
• fragmented
• exempt
• ip blacklist
• dnsbl
• FortiGuard - Antispam ip blacklist
• helo
• emailblacklist
• mimeheader
• dns
• FortiGuard - AntiSpam ase block
• banned word
• ipwhitelist
• emailwhitelist
• fewhitelist
• headerwhitelist
• dlp
• dlpban
• pass
• mms content checksum
SN
The session number of the log message.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
profilegroup
The group that the profile is a part of. This field contains N/A if there is no
profile group configured. Profile groups are available only in FortiOS Carrier.
profile
The name of the profile that was used to detect and take action.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would display
MSISDN of the phone that sent the MMS message. This field will always
display N/A in FortiOS.
profile
The name of the profile that was used to detect and take action.
profilegroup
The group that the profile is a part of. This field contains N/A if there is no
profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
policyid
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
identidx
The identity-based policy identification number. This field displays zero if the
firewall policy does not use an identity-based policy; otherwise, it displays
the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall
policy.
proto
The protocol number that applies to the session or packet. This is the
protocol number in the packet header that identifies the next level protocol.
Protocol numbers are assigned by the Internet Assigned Numbers Authority
(IANA).
kind
This field contains any one of the following:
• summary
• chat
• file
• photo
• photo-xref
• audio
• oversize
• fileblock
• fileexempt
• virus
• dlp
• call-block
• call-info
• call
• register
• unregister
• video
laddr
The local IP address.
raddr
The remote IP address.
local
The local user.
remote
The remote user.
action
This field contains any one of the following:
• permit
• block
• monitor
• kickout
• encrypt-kickout
• cm-reject
• exempt
• ban
• ban-im-user
• log-only
dir
The direction of the traffic. This field contains either outbound or inbound.
messages
The number of chat messages.
content
The content of the IM chat message.
32784
Message ID
32784
Log Subtype
im-all
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
An IM file transfer log archive.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
clogver
The content log version number.
epoch
The time period in seconds.
eventid
The event identification number or serial number.
cstatus
The status of the content log. This field contains any one of the following:
• clean
• infected
• heuristic
• banned_word
• blocked
• exempt
• oversize
• carrier_endpoint_filter
• mass_mms
• dlp
• fragmented
• spam
• im_summary
• im_message
• im_file_request
• im_file_accept
• im_file_cancel
• im_video
• im_photo_share_request
• im_voice
• im_photo_share_cancel
• im_photo_share_accept
• im_photo_xref
• im_photo_share_stop
• error
• voip
infection
This field contains any one of the following:
• block
• fileexempt
• file intercept
• mms block
• carrier end point filter
• mms flood
• mms duplicate
• virus
• virusrm
• heuristic
• html script
• script filter
• banned word
• exempt word
• oversize
• virus
• heuristic
• worm
• mime block
• fragmented
• exempt
• ip blacklist
• dnsbl
• FortiGuard - Antispam ip blacklist
• helo
• emailblacklist
• mimeheader
• dns
• FortiGuard - AntiSpam ase block
• banned word
• ipwhitelist
• emailwhitelist
• fewhitelist
• headerwhitelist
• dlp
• dlpban
• pass
• mms content checksum
SN
The session number of the log message.
profiletype
The type of profile that was used, for example Antivirus_Profile.
profilegroup
The group that the profile is part of. This field contains N/A if there is no
profile group configured. Profile groups are only available in FortiOS Carrier.
profile
The name of the profile that was used to detect and take action.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would display
MSISDN of the phone that sent the MMS message. This field will always
display N/A in FortiOS.
profile
The name of the profile that was used to detect and take action.
profilegroup
The group that the profile is part of. This field contains N/A if there is no
profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype
The type of profile that was used, for example Antivirus_Profile.
policyid
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
identidx
The identity-based policy identification number. This field displays zero if the
firewall policy does not use an identity-based policy; otherwise, it displays
the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall
policy.
proto
The protocol number that applies to the session or packet. This is the
protocol number in the packet header that identifies the next level protocol.
Protocol numbers are assigned by the Internet Assigned Numbers Authority
(IANA).
kind
This field contains any one of the following:
• summary
• chat
• file
• photo
• photo-xref
• audio
• oversize
• fileblock
• fileexempt
• virus
• dlp
• call-block
• call-info
• call
• register
• unregister
• video
laddr
The local IP address.
raddr
The remote IP address.
local
The local user.
remote
The remote user.
action
This field contains any one of the following:
• permit
• block
• monitor
• kickout
• encrypt-kickout
• cm-reject
• exempt
• ban
• ban-im-user
• log-only
dir
The direction of the traffic. This field contains either outbound or inbound.
status
The IM status.
filename
The name of the file that was transferred.
filesize
The size of the file that was transferred.
message
The number of chat messages.
32785
Message ID
32785
Log Subtype
im-all
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
An IM photo sharing log archive.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
clogver
The content log version number.
epoch
The time period in seconds.
eventid
The event identification number or serial number.
cstatus
The status of the content log. This field contains any one of the following:
• clean
• infected
• heuristic
• banned_word
• blocked
• exempt
• oversize
• carrier_endpoint_filter
• mass_mms
• dlp
• fragmented
• spam
• im_summary
• im_message
• im_file_request
• im_file_accept
• im_file_cancel
• im_video
• im_photo_share_request
• im_voice
• im_photo_share_cancel
• im_photo_share_accept
• im_photo_xref
• im_photo_share_stop
• error
• voip
infection
This field contains any one of the following:
• block
• fileexempt
• file intercept
• mms block
• carrier end point filter
• mms flood
• mms duplicate
• virus
• virusrm
• heuristic
• html script
• script filter
• banned word
• exempt word
• oversize
• virus
• heuristic
• worm
• mime block
• fragmented
• exempt
• ip blacklist
• dnsbl
• FortiGuard - Antispam ip blacklist
• helo
• emailblacklist
• mimeheader
• dns
• FortiGuard - AntiSpam ase block
• banned word
• ipwhitelist
• emailwhitelist
• fewhitelist
• headerwhitelist
• dlp
• dlpban
• pass
• mms content checksum
SN
The session number of the log message.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
profilegroup
The group that the profile is part of. This field contains N/A if there is no
profile group configured. Profile groups are only available in FortiOS Carrier.
profile
The name of the profile that was used to detect and take action.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would display
MSISDN of the phone that sent the MMS message. This field will always
display N/A in FortiOS.
profile
The name of the profile that was used to detect and take action.
profilegroup
The group that the profile is part of. This field contains N/A if there is no
profile group configured.
profiletype
The type of profile that was used, for example Antivirus_Profile.
policyid
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
identidx
The identity-based policy identification number. This field displays zero if the
firewall policy does not use an identity-based policy; otherwise, it displays
the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall
policy.
proto
The protocol number that applies to the session or packet. This is the
protocol number in the packet header that identifies the next level protocol.
Protocol numbers are assigned by the Internet Assigned Numbers Authority
(IANA).
kind
This field contains any one of the following:
• summary
• chat
• file
• photo
• photo-xref
• audio
• oversize
• fileblock
• fileexempt
• virus
• dlp
• call-block
• call-info
• call
• register
• unregister
• video
laddr
The local IP address.
raddr
The remote IP address.
local
The local user.
remote
The remote user.
action
This field contains any one of the following:
• permit
• block
• monitor
• kickout
• encrypt-kickout
• cm-reject
• exempt
• ban
• ban-im-user
• log-only
dir
The direction of the traffic. This field contains either outbound or inbound.
status
The IM status.
32786
Message ID
32786
Log Subtype
im-all
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
An IM photo transfer log archive.
Fields
Field Description
vd
The name of the virtual domain where the action occurred in. If no virtual
domains exist, this field always contains root.
clogver
The content log version number.
epoch
The time period in seconds.
eventid
The event identification number or serial number.
cstatus
The status of the content log. This field contains any one of the following:
• clean
• infected
• heuristic
• banned_word
• blocked
• exempt
• oversize
• carrier_endpoint_filter
• mass_mms
• dlp
• fragmented
• spam
• im_summary
• im_message
• im_file_request
• im_file_accept
• im_file_cancel
• im_video
• im_photo_share_request
• im_voice
• im_photo_share_cancel
• im_photo_share_accept
• im_photo_xref
• im_photo_share_stop
• error
• voip
infection
This field contains any one of the following:
• block
• fileexempt
• file intercept
• mms block
• carrier end point filter
• mms flood
• mms duplicate
• virus
• virusrm
• heuristic
• html script
• script filter
• banned word
• exempt word
• oversize
• virus
• heuristic
• worm
• mime block
• fragmented
• exempt
• ip blacklist
• dnsbl
• FortiGuard - Antispam ip blacklist
• helo
• emailblacklist
• mimeheader
• dns
• FortiGuard - AntiSpam ase block
• banned word
• ipwhitelist
• emailwhitelist
• fewhitelist
• headerwhitelist
• dlp
• dlpban
• pass
• mms content checksum
SN
The session number of the log message.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
profilegroup
The group that the profile is part of. This field contains N/A if there is no
profile group configured. Profile groups are only available in FortiOS Carrier.
profile
The name of the profile that was used to detect and take action.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would display
MSISDN of the phone that sent the MMS message. This field will always
display N/A in FortiOS.
profile
The name of the profile that was used to detect and take action.
profilegroup
The group that the profile is part of. This field contains N/A if there is no
profile group configured.
profiletype
The type of profile that was used, for example Antivirus_Profile.
policyid
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
identidx
The identity-based policy identification number. This field displays zero if the
firewall policy does not use an identity-based policy; otherwise, it displays
the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall
policy.
proto
The protocol number that applies to the session or packet. This is the
protocol number in the packet header that identifies the next level protocol.
Protocol numbers are assigned by the Internet Assigned Number Authority
(IANA).
kind
This field contains any one of the following:
• summary
• chat
• file
• photo
• photo-xref
• audio
• oversize
• fileblock
• fileexempt
• virus
• dlp
• call-block
• call-info
• call
• register
• unregister
• video
laddr
The local IP address.
raddr
The remote IP address.
local
The local user.
remote
The remote user.
dir
The direction of the traffic. This field contains either outbound or inbound.
conn-mode
The mode information.
32787
Message ID
32787
Log Subtype
im-all
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
An IM voice chat log archive.
Fields
Field Description
vd
The name of the virtual domain where the action occurred. If no virtual
domains exist, this field always contains root.
clogver
The content log version number.
epoch
The time period in seconds.
eventid
The event identification number or serial number.
cstatus
The status of the content log. This field contains any one of the following:
• clean
• infected
• heuristic
• banned_word
• blocked
• exempt
• oversize
• carrier_endpoint_filter
• mass_mms
• dlp
• fragmented
• spam
• im_summary
• im_message
• im_file_request
• im_file_accept
• im_file_cancel
• im_video
• im_photo_share_request
• im_voice
• im_photo_share_cancel
• im_photo_share_accept
• im_photo_xref
• im_photo_share_stop
• error
• voip
infection
This field contains any one of the following:
• block
• fileexempt
• file intercept
• mms block
• carrier end point filter
• mms flood
• mms duplicate
• virus
• virusrm
• heuristic
• html script
• script filter
• banned word
• exempt word
• oversize
• virus
• heuristic
• worm
• mime block
• fragmented
• exempt
• ip blacklist
• dnsbl
• FortiGuard - Antispam ip blacklist
• helo
• emailblacklist
• mimeheader
• dns
• FortiGuard - AntiSpam ase • banned word
block
• ipwhitelist
• emailwhitelist
• fewhitelist
• headerwhitelist
• dlp
• dlpban
• pass
• mms content checksum
SN
The session number of the log message.
profiletype
The type of profile that was used, for example Antivirus_Profile.
profilegroup
The group that the profile is part of. This field contains N/A if there is no
profile group configured. Profile groups are only available in FortiOS Carrier.
profile
The name of the profile that was used to detect and take action.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would display
MSISDN of the phone that sent the MMS message. This field will always
display N/A in FortiOS.
profile
The name of the profile that was used to detect and take action.
profilegroup
The group that the profile is part of. This field contains N/A if there is no
profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype
The type of profile that was used, for example Antivirus_Profile.
policyid
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
identidx
The identity-based policy identification number. This field displays zero if the
firewall policy does not use an identity-based policy; otherwise, it displays
the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall
policy.
proto
The protocol number that applies to the session or packet. This is the
protocol number in the packet header that identifies the next level protocol.
Protocol numbers are assigned by the Internet Assigned Number Authority
(IANA).
kind
This field contains any one of the following:
• summary
• chat
• file
• photo
• photo-xref
• audio
• oversize
• fileblock
• fileexempt
• virus
• dlp
• call-block
• call-info
• call
• register
• unregister
• video
laddr
The local IP address.
raddr
The remote IP address.
local
The local user.
remote
The remote user.
action
This field contains any one of the following:
• permit
• block
• monitor
• kickout
• encrypt-kickout
• cm-reject
• exempt
• ban
• ban-im-user
• log-only
dir
The direction of the traffic. This field contains either outbound or inbound.
status
The IM status.
32788
Message ID
32788
Log Subtype
im-all
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
An IM virus log archive.
Fields
Field Description
vd
The name of the virtual domain where the action occurred. If no virtual
domains exist, this field always contains root.
clogver
The content log version number.
epoch
The time period in seconds.
eventid
The event identification number or serial number.
cstatus
The status of the content log. This field contains any one of the following:
• clean
• infected
• heuristic
• banned_word
• blocked
• exempt
• oversize
• carrier_endpoint_filter
• mass_mms
• dlp
• fragmented
• spam
• im_summary
• im_message
• im_file_request
• im_file_accept
• im_file_cancel
• im_video
• im_photo_share_request
• im_voice
• im_photo_share_cancel
• im_photo_share_accept
• im_photo_xref
• im_photo_share_stop
• error
• voip
infection
This field contains any one of the following:
• block
• fileexempt
• file intercept
• mms block
• carrier end point filter
• mms flood
• mms duplicate
• virus
• virusrm
• heuristic
• html script
• script filter
• banned word
• exempt word
• oversize
• virus
• heuristic
• worm
• mime block
• fragmented
• exempt
• ip blacklist
• dnsbl
• FortiGuard - Antispam ip blacklist
• helo
• emailblacklist
• mimeheader
• dns
• FortiGuard - AntiSpam ase • banned word
block
• ipwhitelist
• emailwhitelist
• fewhitelist
• headerwhitelist
• dlp
• dlpban
• pass
• mms content checksum
SN
The session number of the log message.
profiletype
The type of profile that was used, for example Antivirus_Profile.
profilegroup
The group that the profile is part of. This field contains N/A if there is no
profile group configured. Profile groups are only available in FortiOS Carrier.
profile
The name of the profile that was used to detect and take action.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would display
MSISDN of the phone that sent the MMS message. This field will always
display N/A in FortiOS.
profile
The name of the profile that was used to detect and take action.
profilegroup
The group that the profile is part of. This field contains N/A if there is no
profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype
The type of profile that was used, for example Antivirus_Profile.
policyid
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
identidx
The identity-based policy identification number. This field displays zero if the
firewall policy does not use an identity-based policy; otherwise, it displays
the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall
policy.
proto
The protocol number that applies to the session or packet. This is the
protocol number in the packet header that identifies the next level protocol.
Protocol numbers are assigned by the Internet Assigned Number Authority
(IANA).
kind
This field contains any one of the following:
• summary
• chat
• file
• photo
• photo-xref
• audio
• oversize
• fileblock
• fileexempt
• virus
• dlp
• call-block
• call-info
• call
• register
• unregister
• video
laddr
The local IP address.
raddr
The remote IP address.
local
The local user.
remote
The remote user.
action
This field contains any one of the following:
• permit
• block
• monitor
• kickout
• encrypt-kickout
• cm-reject
• exempt
• ban
• ban-im-user
• log-only
dir
The direction of the traffic. This field contains either outbound or inbound.
filename
The name of the file that was transferred.
virus
The name of the virus detected.
heuristic
The information regarding heuristics.
32789
Message ID
32789
Log Subtype
im-all
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
An IM file oversize log archive.
Fields
Field Description
vd
The name of the virtual domain where the action occurred. If no virtual
domains exist, this field always contains root.
clogver
The content log version number.
epoch
The time period in seconds.
eventid
The event identification number or serial number.
cstatus
The status of the content log. This field contains any one of the following:
• clean
• infected
• heuristic
• banned_word
• blocked
• exempt
• oversize
• carrier_endpoint_filter
• mass_mms
• dlp
• fragmented
• spam
• im_summary
• im_message
• im_file_request
• im_file_accept
• im_file_cancel
• im_video
• im_photo_share_request
• im_voice
• im_photo_share_cancel
• im_photo_share_accept
• im_photo_xref
• im_photo_share_stop
• error
• voip
infection
This field contains any one of the following:
• block
• fileexempt
• file intercept
• mms block
• carrier end point filter
• mms flood
• mms duplicate
• virus
• virusrm
• heuristic
• html script
• script filter
• banned word
• exempt word
• oversize
• virus
• heuristic
• worm
• mime block
• fragmented
• exempt
• ip blacklist
• dnsbl
• FortiGuard - Antispam ip blacklist
• helo
• emailblacklist
• mimeheader
• dns
• FortiGuard - AntiSpam ase • banned word
block
• ipwhitelist
• emailwhitelist
• fewhitelist
• headerwhitelist
• dlp
• dlpban
• pass
• mms content checksum
SN
The session number of the log message.
profiletype
The type of profile that was used, for example Antivirus_Profile.
profilegroup
The group that the profile is part of. This field contains N/A if there is no
profile group configured. Profile groups are only available in FortiOS Carrier.
profile
The name of the profile that was used to detect and take action.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would display
MSISDN of the phone that sent the MMS message. This field will always
display N/A in FortiOS.
profile
The name of the profile that was used to detect and take action.
profilegroup
The group that the profile is part of. This field contains N/A if there is no
profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype
The type of profile that was used, for example Antivirus_Profile.
policyid
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
identidx
The identity-based policy identification number. This field displays zero if the
firewall policy does not use an identity-based policy; otherwise, it displays
the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall
policy.
proto
The protocol number that applies to the session or packet. This is the
protocol number in the packet header that identifies the next level protocol.
Protocol numbers are assigned by the Internet Assigned Number Authority
(IANA).
kind
This field contains any one of the following:
• summary
• chat
• file
• photo
• photo-xref
• audio
• oversize
• fileblock
• fileexempt
• virus
• dlp
• call-block
• call-info
• call
• register
• unregister
• video
laddr
The local IP address.
raddr
The remote IP address.
local
The local user.
remote
The remote user.
action
This field contains any one of the following:
• permit
• block
• monitor
• kickout
• encrypt-kickout
• cm-reject
• exempt
• ban
• ban-im-user
• log-only
dir
The direction of the traffic. This field contains either outbound or inbound.
filename
The name of the file that was transferred.
32790
Message ID
32790
Log Subtype
im-all
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
An IM file block log archive.
Fields
Field Description
vd
The name of the virtual domain where the action occurred. If no virtual
domains exist, this field always contains root.
clogver
The content log version number.
epoch
The time period in seconds.
eventid
The event identification number or serial number.
cstatus
The status of the content log. This field contains any one of the following:
• clean
• infected
• heuristic
• banned_word
• blocked
• exempt
• oversize
• carrier_endpoint_filter
• mass_mms
• dlp
• fragmented
• spam
• im_summary
• im_message
• im_file_request
• im_file_accept
• im_file_cancel
• im_video
• im_photo_share_request
• im_voice
• im_photo_share_cancel
• im_photo_share_accept
• im_photo_xref
• im_photo_share_stop
• error
• voip
infection
This field contains any one of the following:
• block
• fileexempt
• file intercept
• mms block
• carrier end point filter
• mms flood
• mms duplicate
• virus
• virusrm
• heuristic
• html script
• script filter
• banned word
• exempt word
• oversize
• virus
• heuristic
• worm
• mime block
• fragmented
• exempt
• ip blacklist
• dnsbl
• FortiGuard - Antispam ip blacklist
• helo
• emailblacklist
• mimeheader
• dns
• FortiGuard - AntiSpam ase • banned word
block
• ipwhitelist
• emailwhitelist
• fewhitelist
• headerwhitelist
• dlp
• dlpban
• pass
• mms content checksum
SN
The session number of the log message.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
profilegroup
The group that the profile is part of. This field contains N/A if there is no
profile group configured. Profile groups are only available in FortiOS Carrier.
profile
The name of the profile that was used to detect and take action.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would display
MSISDN of the phone that sent the MMS message. This field will always
display N/A in FortiOS.
profile
The name of the profile that was used to detect and take action.
profilegroup
The group that the profile is part of. This field contains N/A if there is no
profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype
The type of profile that was used, for example Antivirus_Profile.
policyid
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
identidx
The identity-based policy identification number. This field displays zero if the
firewall policy does not use an identity-based policy; otherwise, it displays
the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall
policy.
proto
The protocol number that applies to the session or packet. This is the
protocol number in the packet header that identifies the next level protocol.
Protocol numbers are assigned by the Internet Assigned Number Authority
(IANA).
kind
This field contains any one of the following:
• summary
• chat
• file
• photo
• photo-xref
• audio
• oversize
• fileblock
• fileexempt
• virus
• dlp
• call-block
• call-info
• call
• register
• unregister
• video
laddr
The local IP address.
raddr
The remote IP address.
local
The local user.
remote
The remote user.
action
This field contains any one of the following:
• permit
• block
• monitor
• kickout
• encrypt-kickout
• cm-reject
• exempt
• ban
• ban-im-user
• log-only
dir
The direction of the traffic. This field contains either outbound or inbound.
filename
The name of the file that was transferred.
32791
Message ID
32791
Log Subtype
im-all
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
An IM file exempt log archive.
Fields
Field Description
vd
The name of the virtual domain where the action occurred. If no virtual
domains exist, this field always contains root.
clogver
The content log version number.
epoch
The time period in seconds.
eventid
The event identification number or serial number.
cstatus
The status of the content log. This field contains any one of the following:
• clean
• infected
• heuristic
• banned_word
• blocked
• exempt
• oversize
• carrier_endpoint_filter
• mass_mms
• dlp
• fragmented
• spam
• im_summary
• im_message
• im_file_request
• im_file_accept
• im_file_cancel
• im_video
• im_photo_share_request
• im_voice
• im_photo_share_cancel
• im_photo_share_accept
• im_photo_xref
• im_photo_share_stop
• error
• voip
SN
The session number of the log message.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
profilegroup
The group that the profile is part of. This field contains N/A if there is no
profile group configured. Profile groups are only available in FortiOS Carrier.
profile
The name of the profile that was used to detect and take action.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would display
MSISDN of the phone that sent the MMS message. This field will always
display N/A in FortiOS.
profile
The name of the profile that was used to detect and take action.
profilegroup
The group that the profile is part of. This field contains N/A if there is no
profile group configured.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
policyid
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
identidx
The identity-based policy identification number. This field displays zero if the
firewall policy does not use an identity-based policy; otherwise, it displays
the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall
policy.
proto
The protocol number that applies to the session or packet. This is the
protocol number in the packet header that identifies the next level protocol.
Protocol numbers are assigned by the Internet Assigned Number Authority
(IANA).
kind
This field contains any one of the following:
• summary
• chat
• file
• photo
• photo-xref
• audio
• oversize
• fileblock
• fileexempt
• virus
• dlp
• call-block
• call-info
• call
• register
• unregister
• video
laddr
The local IP address.
raddr
The remote IP address.
local
The local user.
remote
The remote user.
action
This field contains any one of the following:
• permit
• block
• monitor
• kickout
• encrypt-kickout
• cm-reject
• exempt
• ban
• ban-im-user
• log-only
dir
The direction of the traffic. This field contains either outbound or inbound.
filename
The name of the file that was transferred.
32792
Message ID
32792
Log Subtype
im-all
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
An IM DLP information log archive.
Fields
Field Description
vd
The name of the virtual domain where the action occurred. If no virtual
domains exist, this field always contains root.
clogver
The content log version number.
epoch
The time period in seconds.
eventid
The event identification number or serial number.
cstatus
The status of the content log. This field contains any one of the following:
• clean
• infected
• heuristic
• banned_word
• blocked
• exempt
• oversize
• carrier_endpoint_filter
• mass_mms
• dlp
• fragmented
• spam
• im_summary
• im_message
• im_file_request
• im_file_accept
• im_file_cancel
• im_video
• im_photo_share_request
• im_voice
• im_photo_share_cancel
• im_photo_share_accept
• im_photo_xref
• im_photo_share_stop
• error
• voip
SN
The session number of the log message.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
profilegroup
The group that the profile is part of. This field contains N/A if there is no
profile group configured. Profile groups are only available in FortiOS Carrier.
profile
The name of the profile that was used to detect and take action.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would display
MSISDN of the phone that sent the MMS message. This field will always
display N/A in FortiOS.
profile
The name of the profile that was used to detect and take action.
profilegroup
The group that the profile is part of. This field contains N/A if there is no
profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
policyid
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
identidx
The identity-based policy identification number. This field displays zero if the
firewall policy does not use an identity-based policy; otherwise, it displays
the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall
policy.
proto
The protocol number that applies to the session or packet. This is the
protocol number in the packet header that identifies the next level protocol.
Protocol numbers are assigned by the Internet Assigned Number Authority
(IANA).
kind
This field contains any one of the following:
• summary
• chat
• file
• photo
• photo-xref
• audio
• oversize
• fileblock
• fileexempt
• virus
• dlp
• call-block
• call-info
• call
• register
• unregister
• video
laddr
The local IP address.
raddr
The remote IP address.
local
The local user.
remote
The remote user.
action
This field contains any one of the following:
• permit
• block
• monitor
• kickout
• encrypt-kickout
• cm-reject
• exempt
• ban
• ban-im-user
• log-only
dir
The direction of the traffic. This field contains either outbound or inbound.
filename
The name of the file that was transferred.
filesize
The size of the file that was transferred.
32793
Message ID
32793
Log Subtype
im-all
Severity
Warning
Firmware version
FortiOS 4.0 MR3
Meaning
An IM DLP warning log archive.
Fields
Field Description
vd
The name of the virtual domain where the action occurred. If no virtual
domains exist, this field always contains root.
clogver
The content log version number.
epoch
The time period in seconds.
eventid
The event identification number or serial number.
cstatus
The status of the content log. This field contains any one of the following:
• clean
• infected
• heuristic
• banned_word
• blocked
• exempt
• oversize
• carrier_endpoint_filter
• mass_mms
• dlp
• fragmented
• spam
• im_summary
• im_message
• im_file_request
• im_file_accept
• im_file_cancel
• im_video
• im_photo_share_request
• im_voice
• im_photo_share_cancel
• im_photo_share_accept
• im_photo_xref
• im_photo_share_stop
• error
• voip
SN
The session number of the log message.
profiletype
The type of profile that was used, for example Antivirus_Profile.
profilegroup
The group that the profile is part of. This field contains N/A if there is no
profile group configured. Profile groups are only available in FortiOS Carrier.
profile
The name of the profile that was used to detect and take action.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would display
MSISDN of the phone that sent the MMS message. This field will always
display N/A in FortiOS.
profile
The name of the profile that was used to detect and take action.
profilegroup
The group that the profile is part of. This field contains N/A if there is no
profile group configured. Profile groups are only available in FortiOS Carrier.
profiletype
The type of profile that was used, for example Antivirus_Profile.
policyid
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
identidx
The identity-based policy identification number. This field displays zero if the
firewall policy does not use an identity-based policy; otherwise, it displays
the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall
policy.
proto
The protocol number that applies to the session or packet. This is the
protocol number in the packet header that identifies the next level protocol.
Protocol numbers are assigned by the Internet Assigned Number Authority
(IANA).
kind
This field contains any one of the following:
• summary
• chat
• file
• photo
• photo-xref
• audio
• oversize
• fileblock
• fileexempt
• virus
• dlp
• call-block
• call-info
• call
• register
• unregister
• video
laddr
The local IP address.
raddr
The remote IP address.
local
The local user.
remote
The remote user.
action
This field contains any one of the following:
• permit
• block
• monitor
• kickout
• encrypt-kickout
• cm-reject
• exempt
• ban
• ban-im-user
• log-only
dir
The direction of the traffic. This field contains either outbound or inbound.
filename
The name of the file that was transferred.
filesize
The size of the file that was transferred.
32777
Message ID
32777
Log Subtype
NNTP
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
An NNTP log archive.
Fields
Field Description
vd
The name of the virtual domain where the action occurred. If no virtual
domains exist, this field always contains root.
clogver
The content log version number.
epoch
The time period in seconds.
eventid
The event identification number or serial number.
cstatus
The status of the content log. This field contains any one of the following:
• clean
• infected
• heuristic
• banned_word
• blocked
• exempt
• oversize
• carrier_endpoint_filter
• mass_mms
• dlp
• fragmented
• spam
• im_summary
• im_message
• im_file_request
• im_file_accept
• im_file_cancel
• im_video
• im_photo_share_request
• im_voice
• im_photo_share_cancel
• im_photo_share_accept
• im_photo_xref
• im_photo_share_stop
• error
• voip
infection
The type of infection. This field contains any one of the following:
• block
• fileexempt
• file intercept
• mms block
• carrier end point filter
• mms flood
• mms duplicate
• virus
• virusrm
• heuristic
• html script
• script filter
• banned word
• exempt word
• oversize
• virus
• heuristic
• worm
• mime block
• fragmented
• exempt
• ip blacklist
• dnsbl
• FortiGuard - Antispam ip blacklist
• helo
• emailblacklist
• mimeheader
• dns
• FortiGuard - AntiSpam ase • banned word
block
• ipwhitelist
• emailwhitelist
• fewhitelist
• headerwhitelist
• dlp
• dlpban
• pass
• mms content checksum
virus
The name of the virus that was detected.
SN
The session number of the log message.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would display
MSISDN of the phone that sent the MMS message. This field will always
display N/A in FortiOS.
profiletype
The type of profile that was used, for example Antivirus_Profile.
profile
The name of the profile that was used to detect and take action.
profilegroup
The group that the profile is a part of. This field contains N/A if there is no
profile group configured. Profile groups are only available in FortiOS Carrier.
client
The internal IP address of the FortiGate unit.
server
The IP address of the server.
rcvd
The total number of bytes transferred on server side.
sent
The total number of bytes transferred on client side.
32794
Message ID
32794
Log Subtype
VOIP
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
A VoIP SIP log archive.
Fields
Field Description
vd
The name of the virtual domain where the action occurred. If no virtual
domains exist, this field always contains root.
clogver
The content log version number.
epoch
The time period in seconds.
eventid
The event identification number or serial number.
cstatus
The status of the content log. This field contains any one of the following:
• clean
• infected
• heuristic
• banned_word
• blocked
• exempt
• oversize
• carrier_endpoint_filter
• mass_mms
• dlp
• fragmented
• spam
• im_summary
• im_message
• im_file_request
• im_file_accept
• im_file_cancel
• im_video
• im_photo_share_request
• im_voice
• im_photo_share_cancel
• im_photo_share_accept
• im_photo_xref
• im_photo_share_stop
• error
• voip
SN
The session number of the log message.
profile
The name of the profile applied to the firewall policy and used during the
detection process.
profiletype
The type of profile that was used, for example Antivirus_Profile.
profilegroup
The group that the profile is a part of. This field contains N/A if there is no
profile group configured. Profile groups are only available in FortiOS Carrier.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
carrier_ep
The carrier endpoint identification number. This field contains N/A unless
FortiOS Carrier is running on the unit.
profile
The name of the profile that was used to detect and take action.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
profilegroup
The group that the profile is a part of. This field contains N/A if there is no
profile group configured. Profile groups are only available in FortiOS Carrier.
identidx
The identity-based policy identification number. This field displays zero if the
firewall policy does not use an identity-based policy; otherwise, it displays
the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall
policy.
proto
The protocol number that applies to the session or packet. This is the
protocol number in the packet header that identifies the next level protocol.
Protocol numbers are assigned by the Internet Assigned Numbers Authority
(IANA).
kind
This field contains any one of the following:
• summary
• chat
• file
• photo
• photo-xref
• audio
• oversize
• fileblock
• fileexempt
• virus
• dlp
• call-block
• call-info
• call
• register
• unregister
• video
action
This field contains any one of the following:
• permit
• block
• monitor
• kickout
• encrypt-kickout
• cm-reject
• exempt
• ban
• ban-im-user
• log-only
status
The IM status.
src
The source IP address.
dst
The destination IP address.
src_port
The source port number.
dst_port
The destination port number.
dir
The direction of the traffic. This field contains either outbound or inbound.
duration
This represents the value in seconds.
from
The sender’s email address.
to
The recipient’s email address.
32795
Message ID
32795
Log Subtype
VOIP
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
A VOIP SCCP register log archive.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
clogver
The content log version number.
epoch
The time period in seconds.
eventid
The event identification number or serial number.
cstatus
The status of the content log. This field contains any one of the following:
• clean
• infected
• heuristic
• banned_word
• blocked
• exempt
• oversize
• carrier_endpoint_filter
• mass_mms
• dlp
• fragmented
• spam
• im_summary
• im_message
• im_file_request
• im_file_accept
• im_file_cancel
• im_video
• im_photo_share_request
• im_voice
• im_photo_share_cancel
• im_photo_share_accept
• im_photo_xref
• im_photo_share_stop
• error
• voip
SN
The session number of the log message.
profile
The name of the profile applied to the firewall policy and used during the
detection process.
profiletype
The type of profile that was used, for example Antivirus_Profile.
profilegroup
The group that the profile is a part of. This field contains N/A if there is no
profile group configured. Profile groups are only available in FortiOS Carrier.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would display
the MSISDN of the phone that sent the MMS message. This field will always
display N/A in FortiOS.
profile
The name of the profile that was used to detect and take action.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
profilegroup
The group that the profile is a part of. This field contains N/A if there is no
profile group configured. Profile groups are only available in FortiOS Carrier.
policyid
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
identidx
The identity-based policy identification number. This field displays zero if the
firewall policy does not use an identity-based policy; otherwise, it displays
the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall
policy.
proto
The protocol number that applies to the session or packet. This is the
protocol number in the packet header that identifies the next level protocol.
Protocol numbers are assigned by the Internet Assigned Numbers Authority
(IANA).
kind
This field contains any one of the following:
• summary
• chat
• file
• photo
• photo-xref
• audio
• oversize
• fileblock
• fileexempt
• virus
• dlp
• call-block
• call-info
• call
• register
• unregister
• video
action
This field contains any one of the following:
• permit
• block
• monitor
• kickout
• encrypt-kickout
• cm-reject
• exempt
• ban
• ban-im-user
• log-only
status
The IM status.
phone
The phone number.
src
The source IP address.
from
The sender’s information.
to
The receiver’s information.
32796
Message ID
32796
Log Subtype
VOIP
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
A VOIP SCCP unregister log archive.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
clogver
The content log version number.
epoch
The time period in seconds.
eventid
The event identification number or serial number.
cstatus
The status of the content log. This field contains any one of the following:
• clean
• infected
• heuristic
• banned_word
• blocked
• exempt
• oversize
• carrier_endpoint_filter
• mass_mms
• dlp
• fragmented
• spam
• im_summary
• im_message
• im_file_request
• im_file_accept
• im_file_cancel
• im_video
• im_photo_share_request
• im_voice
• im_photo_share_cancel
• im_photo_share_accept
• im_photo_xref
• im_photo_share_stop
• error
• voip
SN
The session number of the log message.
profile
The name of the profile applied to the firewall policy and used during the
detection process.
profiletype
The type of profile that was used, for example Antivirus_Profile.
profilegroup
The group that the profile is a part of. This field contains N/A if there is no
profile group configured. Profile groups are only available in FortiOS Carrier.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would display
the MSISDN of the phone that sent the MMS message. This field will always
display N/A in FortiOS.
profile
The name of the profile that was used to detect and take action.
profiletype
The type of profile that was used, for example, Antivirus_Profile.
profilegroup
The group that the profile is a part of. This field contains N/A if there is no
profile group configured. Profile groups are only available in FortiOS Carrier.
policyid
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
identidx
The identity-based policy identification number. This field displays zero if the
firewall policy does not use an identity-based policy; otherwise, it displays
the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall
policy.
proto
The protocol number that applies to the session or packet. This is the
protocol number in the packet header that identifies the next level protocol.
Protocol numbers are assigned by the Internet Assigned Numbers Authority
(IANA).
kind
This field contains any one of the following:
• summary
• chat
• file
• photo
• photo-xref
• audio
• oversize
• fileblock
• fileexempt
• virus
• dlp
• call-block
• call-info
• call
• register
• unregister
• video
action
This field contains any one of the following:
• permit
• block
• monitor
• kickout
• encrypt-kickout
• cm-reject
• exempt
• ban
• ban-im-user
• log-only
status
The IM status.
phone
The phone information.
src
The source IP address.
reason
The information about why the trigger occurred.
32797
Message ID
32797
Log Subtype
VOIP
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
A VOIP SCCP call block log archive.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
clogver
The content log version number.
epoch
The time period in seconds.
eventid
The event identification number or serial number.
cstatus
The status of the content log. This field contains any one of the following:
• clean
• infected
• heuristic
• banned_word
• blocked
• exempt
• oversize
• carrier_endpoint_filter
• mass_mms
• dlp
• fragmented
• spam
• im_summary
• im_message
• im_file_request
• im_file_accept
• im_file_cancel
• im_video
• im_photo_share_request
• im_voice
• im_photo_share_cancel
• im_photo_share_accept
• im_photo_xref
• im_photo_share_stop
• error
• voip
SN
The session number of the log message.
profile
The name of the profile that was used to detect and take action.
profiletype
The type of profile that was used, for example Antivirus_Profile.
profilegroup
The group that the profile is a part of. This field contains N/A if there is no
profile group configured. Profile groups are only available in FortiOS Carrier.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would display
the MSISDN of the phone that sent the MMS message. This field will always
display N/A in FortiOS.
profile
The name of the profile that was used to detect and take action.
profiletype
The type of profile that was used, for example Antivirus_Profile.
profilegroup
The group that the profile is a part of. This field contains N/A if there is no
profile group configured. Profile groups are only available in FortiOS Carrier.
policyid
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
identidx
The identity-based policy identification number. This field displays zero if the
firewall policy does not use an identity-based policy; otherwise, it displays
the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall
policy.
proto
The protocol number that applies to the session or packet. This is the
protocol number in the packet header that identifies the next level protocol.
Protocol numbers are assigned by the Internet Assigned Numbers Authority
(IANA).
kind
This field contains any one of the following:
• summary
• chat
• file
• photo
• photo-xref
• audio
• oversize
• fileblock
• fileexempt
• virus
• dlp
• call-block
• call-info
• call
• register
• unregister
• video
action
This field contains any one of the following:
• permit
• block
• monitor
• kickout
• encrypt-kickout
• cm-reject
• exempt
• ban
• ban-im-user
• log-only
status
The IM status.
phone
The phone information.
src
The source IP address.
reason
The reason why the trigger occurred.
from
The sender’s information.
to
The receiver’s information.
32798
Message ID
32798
Log Subtype
VOIP
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
A VOIP SCCP call information log archive.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual
domains exist, this field always contains root.
clogver
The content log version number.
epoch
The time period in seconds.
eventid
The event identification number or serial number.
cstatus
The status of the content log. This field contains any one of the following:
• clean
• infected
• heuristic
• banned_word
• blocked
• exempt
• oversize
• carrier_endpoint_filter
• mass_mms
• dlp
• fragmented
• spam
• im_summary
• im_message
• im_file_request
• im_file_accept
• im_file_cancel
• im_video
• im_photo_share_request
• im_voice
• im_photo_share_cancel
• im_photo_share_accept
• im_photo_xref
• im_photo_share_stop
• error
• voip
SN
The session number of the log message.
profile
The name of the profile that was used to detect and take action.
profiletype
The type of profile that was used, for example Antivirus_Profile.
profilegroup
The group that the profile is a part of. This field contains N/A if there is no
profile group configured.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would display
the MSISDN of the phone that sent the MMS message. This field will always
display N/A in FortiOS.
profile
The name of the profile that was used to detect and take action.
profiletype
The type of profile that was used, for example Antivirus_Profile.
profilegroup
The group that the profile is a part of. This field contains N/A if there is no
profile group configured.
policyid
The ID number of the firewall policy that applies to the session or packet.
Any policy that is automatically added by the FortiGate will have an index
number of zero.
identidx
The identity-based policy identification number. This field displays zero if the
firewall policy does not use an identity-based policy; otherwise, it displays
the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall
policy.
proto
The protocol number that applies to the session or packet. This is the
protocol number in the packet header that identifies the next level protocol.
Protocol numbers are assigned by the Internet Assigned Numbers Authority
(IANA).
kind
This field contains any one of the following:
• summary
• chat
• file
• photo
• photo-xref
• audio
• oversize
• fileblock
• fileexempt
• virus
• dlp
• call-block
• call-info
• call
• register
• unregister
• video
action
This field contains any one of the following:
• permit
• block
• monitor
• kickout
• encrypt-kickout
• cm-reject
• exempt
• ban
• ban-im-user
• log-only
status
The IM status.
phone
The phone information.
src
The source IP address.
dst
The destination IP address.
src_port
The source port number.
dst_port
The destination port number.
duration
This represents the value in seconds.
from
The sender’s information.
to
The recipient’s information.
32800
Message ID
32800
Log Subtype
VOIP
Severity
Information
Firmware version
FortiOS 4.0 MR3
Meaning
A VOIP SIP fuzzing log archive.
Fields
Field Description
vd
The name of the virtual domain in which the action occurred. If no virtual domains
exist, this field always contains root.
clogver
The content log version number.
epoch
The time period in seconds.
eventid
The event identification number or serial number.
cstatus
The status of the content log. This field contains any one of the following:
• clean
• infected
• heuristic
• banned_word
• blocked
• exempt
• oversize
• carrier_endpoint_filter
• mass_mms
• dlp
• fragmented
• spam
• im_summary
• im_message
• im_file_request
• im_file_accept
• im_file_cancel
• im_video
• im_photo_share_request
• im_voice
• im_photo_share_cancel
• im_photo_share_accept
• im_photo_xref
• im_photo_share_stop
• error
• voip
SN
The session number of the log message.
profile
The name of the profile that was used to detect and take action.
profiletype
The type of profile that was used, for example Antivirus_Profile.
profilegroup
The group that the profile is a part of. This field contains N/A if there is no profile
group configured. Profile groups are only available in FortiOS Carrier.
user
The name of the user creating the traffic.
group
The name of the group creating the traffic.
carrier_ep
The FortiOS Carrier end-point identification. For example, it would display the MSISDN of
the phone that sent the MMS message. This field will always display N/A in FortiOS.
profile
The name of the profile that was used to detect and take action.
profiletype
The type of profile that was used, for example Antivirus_Profile.
profilegroup
The group that the profile is a part of. This field contains N/A if there is no profile
group configured. Profile groups are only available in FortiOS Carrier.
policyid
The ID number of the firewall policy that applies to the session or packet. Any policy
that is automatically added by the FortiGate will have an index number of zero.
identidx
The identity-based policy identification number. This field displays zero if the firewall
policy does not use an identity-based policy; otherwise, it displays the number of the
identity-based policy entry that the traffic matched. This number is not globally
unique; it is only locally unique within a given firewall policy.
proto
The protocol number that applies to the session or packet. This is the protocol
number in the packet header that identifies the next level protocol. Protocol numbers
are assigned by the Internet Assigned Numbers Authority (IANA).
kind
This field contains any one of the following:
• summary
• chat
• file
• photo
• photo-xref
• audio
• oversize
• fileblock
• fileexempt
• virus
• dlp
• call-block
• call-info
• call
• register
• unregister
• video
action
This field contains any one of the following:
• permit
• block
• monitor
• kickout
• encrypt-kickout
• cm-reject
• exempt
• ban
• ban-im-user
• log-only
status
The IM status.
src
The source IP address.
dst
The destination IP address.
src_port
The source port number.
dst_port
The destination port number.
dir
The direction of the traffic. This field contains either outbound or inbound.
duration
This represents the value in seconds.
message_type
This field contains either request or response.
request_name
The request name.
malform_desc
The description of the malformed header. This field contains any one of the following:
• unexpected-character
• invalid-quoting-character
• trailing-bytes
• header-line-oversize
• msg-body-oversize
• domain-name-oversize
• domain-label-oversize
• syntax-malformed
• duplicated-sip-header
• space-violation
• invalid-ipv4-address
• invalid-ipv6-address
• invalid-port
• invalid-fqdn
• no-matching-double-quote
• empty-quoted-string
• invalid-<user_info>
• invalid-escape-encoding-in-<userinfo>
• invalid-escape-encoding-in-uriparameter
• invalid-escape-encoding-in-uri-header
• invalid-escape-encoding-in<reason-phrase>
• port-expected
• port-not-allowed
• domain-name-invalid
• <gen-value>-expected
• invalid-<gen-value>
• invalid-<quoted-string>-in-<genvalue>
• ip4-address-expected
• ipv6-address-expected
• uri-expected
• invalid-transport-uri-parameter
• invalid-user-uri-parameter
• invalid-method-uri-parameter
• invalid-ttl-uri-parameter
• invalid-uri-parameter-pname
• invalid-uri-parameter-value
• uri-parameter-repeat
• invalid-uri-header-name
• invalid-uri-header-value
• invalid-uri-header-name-value-pair
• invalid-quoted-string-in-displayname
• left-angle-braket-is-mandatory
• right-angle-bracket-not-found
• invalid-status-code
• no-METHOD-on-request-time
• uri-parameters-not-allowed-by-RFC
• unknown-scheme
• whitespace-expected
• LWS-expected
• invalid-<SIP-Version>-on-request-line
• invalid-<protocol-name>
• invalid-<protocol-version>
• invalid-<transport>
• no-SLASH-after-<protocol_name>
• no-SLASH-after-<protocol-version>
• header-parameter-expected
• invalid-ttl-parameter
• invalid-maddr-parameter
• invalid-received-parameter
• invalid-branch-parameter
• invalid-rport-parameter
• via-parameter-repeat
• <seq>-number-expected
• <method>-expected
• <method>-does-not-match-therequest-line
• <response-num>-expected
• <CSeq-num>-expected
• <Method>-expected-after-<CSeq-num>
• expires-header-repeated
• <delta-seconds>-expected
• invalid-max-forwards
• token-expected
• invalid-expires-parameter
• invalid-q-parameter
• <generic-param>-with-invalid-<gen-value>
• <m-type>-expected
• SLASH-expected-after-<m-type>
• <m-subtype>-expected
• <m-attribute>-expected-after-SEMI
• boundary-parameter-appears-more-thanonce
• EQUAL-expected-after-<mattribute>
• invalid-<quoted-string>-in-<m-value>
• invalid-<m-value>
• multipart-Content-Type-has-no-boundary
• digits-expected
• IN-expected
• IP-expected
• IP4-or-IP6-expected
• IPv4-or-IPv6-address-expected
• line-order-error
• z-line-not-allowed-on-media-level
• <time>-expected
• <typed-time>-expected
• r-line-not-allowed-on-media-level
• <repeat-interval>-expected
• <bwtype>-expected
• colon-expected
• <bandwidth>-expected
• t-line-not-allowed-on-media-level
• invalid-<start-time>
• invalid-<stop-time>
• too-many-i-lines
• <text>-expected
• too-many-c-lines
• too-many-v-line
• v-line-not-allowed-on-media-level
• too