0% found this document useful (0 votes)

245 views643 pages

Log Message Reference 510

Uploaded by

shashi505286

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

245 views643 pages

Log Message Reference 510

Uploaded by

shashi505286

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 643

FortiGate Log Message Reference

v5.0 Patch Release 10

FortiGate Log Message Reference - FortiOS 5.0.10
March 13, 2015
01-510-112804-20150313
Copyright© 2015 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and
FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in the U.S. and
other jurisdictions, and other Fortinet names herein may also be registered and/or common law
trademarks of Fortinet. All other product or company names may be trademarks of their
respective owners. Performance and other metrics contained herein were attained in internal
lab tests under ideal conditions, and actual performance and other results may vary.
Network variables, different network environments and other conditions may affect
performance results. Nothing herein represents any binding commitment by Fortinet, and
Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet
enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser
that expressly warrants that the identified product will perform according to certain
expressly-identified performance metrics and, in such event, only the specific
performance metrics expressly identified in such binding written contract shall be binding on
Fortinet. For absolute clarity, any such warranty will be limited to performance in the same
ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any
commitment related to future deliverables, features or development, and circumstances may
change such that any forward-looking statements herein are not accurate. Fortinet disclaims in
full any covenants, representations, and guarantees pursuant hereto, whether express or
implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this
publication without notice, and the most current version of the publication shall be applicable.

Technical Documentation docs.fortinet.com

Knowledge Base kb.fortinet.com
Customer Service & Support support.fortinet.com
Training Services training.fortinet.com
FortiGuard fortiguard.com
Document Feedback [email protected]
Change Log

Date Change Description

2013-03-20 Initial Release.

2013-09-27 Patch 4 Release.

2014-04-01 Patch 6 Release. Added Variable Event Logs Addendum.

2015-01-16 Patch 9 Release. Complete corrections of all terminology.

2015-03-13 Patch 10 Release. Added new Variable Event Logs.

Page 3
Log Field Name Changes in FortiOS 5.0

4.3 5 4.3 5
app_cat appcat pri level
app_list applist profile_group profilegroup
app_type apptype profile_type profiletype
asset_id assetid quota_exceeded quotaexceeded
asset_name assetname quota_max quotamax
attack_id attackid quota_used quotaused
attack_name attackname rcvd rcvdbyte
carrier_ep carrierep rcvd_pkt rcvdpkt
cat_desc catdesc rem_ip remip
class_desc classdesc rem_port remport
conn-mode connmode remote_ip remip
content_type contenttype req_type reqtype
dec_spi decspi request_name requestname
dir direction rule_data ruledata
dir_disp dirdisp rule_type ruletype
dlp_sensor dlpsensor sent sentbyte
dst dstip sent_pkt sentpkt
dst_country dstcountry shaper_drop_rcvd shaperdroprcvdbyte
dst_int dstintf shaper_drop_sent shaperdropsentbyte
dst_port dstport shaper_rcvd_name shaperrcvdname
enc_spi encspi shaper_sent_name shapersentname
end-date enddate src srcip
esp_auth espauth src_country srccountry
esp_transform esptransform src_int srcintf
filter_type filtertype src_port srcport
icmp_code icmpcode start-date startdate
icmp_id icmpid tran_disp trandisp
icmp_type icmptype tran_ip tranip
incident_serialno incidentserialno tran_port tranport
lan_in lanin tran_sip transip
lan_out lanout tran_sport transport
loc_ip locip url_type urltype
loc_port locport urlfilter_idx urlfilteridx
local_ip locip urlfilter_list urlfilterlist
log_id logid voip_proto voipproto
malform_data malformdata vpn_tunnel vpntunnel
malform_desc malformdesc vpn_type vpntype
message msg vuln_cat vulncat
message_type messagetype vuln_cnt vulncnt
os_family osfamily vuln_id vulnid
os_gen osgen vuln_ref vulnref
os_vendor osvendor wan_in wanin
out_intf outintf wan_out wanout
ovrd_id ovrdid wanopt_app_type wanoptapptype
ovrd_tbl ovrdtbl xauth_group xauthgroup
perip_drop shaperperipdropbyte xauth_user xauthuser
perip_name shaperperipname

Page 4
Log Subtype Name Changes in FortiOS 5.0
4.3 subtypes 5.0 subtypes
traffic allowed forward/local/multicast
webcache-traffic, wanopt-traffic, explicit-proxy-traffic forward
failed-conn, violation, other forward

event ipsec, sslvpn-user, sslvpn-admin, sslvpn-session vpn

ha, gtp, nac-quarantine, config, notification, perf-

historical, forticlient, mms-stats, amc-intf-bypass, system
admin, ldb-monitor, pattern

dns, dhcp, l2tp/pptp/pppoe router

auth, radius user
wireless wireless
wad wad
voip moved to voip logs section

virus infected infected

filename filename
oversize oversized
scanerror scanerror
----- analytics
----- switchproto

webfilter content content

urlfilter urlfilter
ftgd_blk ftgd_blk
ftgd_allow ftgd_allow
ftgd_err ftgd_err
activexfilter activexfilter
cookiefilter cookiefilter
appletfilter appletfilter
ftgd_quota_counting ftgd_quota_counting
ftgd_quota ftgd_quota
----- ftgd_quota_expired
----- webfilter_command_block

ips signature signature

anomaly anomaly
emailfilter msn-hotmail msn
yahoo-mail yahoo
smtp smtp
pop3 pop3
imap imap
carrier-endpoint-filter endpointfilter
mass-mms mms
----- google
----- mapi

Page 5
netscan discovery discovery
vulnerability vulnerability

dlp dlp dlp

----- dlp-docsource

app-ctrl app-ctrl-all app-ctrl-all

content http http

ftp ftp
smtp smtp
pop3 pop3
imap imap
https https
im-all im-all
nntp nntp
voip voip
mm1 mm1
mm3 mm3
mm4 mm4
mm7 mm7
smtps smtps
pop3s pop3s
imaps imaps

voip ----- voip

Page 6
Page 7
Traffic
2
Message ID: 000002
Message Description: allowed message
Type (type): traffic
Subtype (subtype): forward
Level/Severity: notice

Log field Meaning

type traffic

subtype forward

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

status The status of the traffic.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

trandisp Whether the packet is source NAT translated (snat) or destination NAT translated (dnat), both (snat+dnat) or neither
(noop).

srcip The source IP.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

dstip The destination IP.

dstname The destination name. This can be a name or an IP address.

dstcountry Destination country.

srccountry Source country.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

tranip The translated IP in NAT mode. For Transparent mode, it is zero.

tranport The translated port number in NAT mode. For Transparent mode, it is zero.

transip The translated source IP in NAT mode. For Transparent mode, it is zero.

transport The translated source port number in NAT mode. For Transparent mode, it is zero.

service The service where the event or activity occurred.

proto The protocol number that applies to the session or packet. This is the protocol number in the packet header that
identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Number Authority (IANA).

duration Time value in seconds.

Page 8
policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched.
This number is not globally unique, it is only locally unique within a given firewall policy.

sentbyte The number of sent bytes related to the log message.

rcvdbyte The number of received bytes related to the log message.

shaperdropsentbyte Shaper dropped sent bytes.

shaperdroprcvdbyte Shaper dropped received bytes.

shaperperipdropbyte PerIP dropped bytes.

shapersentname The name of the traffic shaper sending the bytes.

shaperrcvdname The name of the traffic shaper receiving the bytes.

shaperperipname The perIP shaper name.

sentpkt The number of sent packets related to the log message.

rcvdpkt The number of received packets related to the log message.

vpn The name of the VPN tunnel used by the traffic.

vpntype The type of VPN tunnel that the traffic is flowing through. This field can be any one of the following: ipsec-static,
ipsec-dynamic, ipsec-ddns, sslvpn.

vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstintf The destination interface.

sessionid Session ID.

appid Application ID.

app The name of the application that triggered the action within the control list. For example, SSL.

appcat The application category that the application is associated with.

applist The name of the application control list that was used to detect and take action.

appact Application action.

user User name.

group The group name.

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

crscore Client Reputation score.

craction Client Reputation action.

Page 9
3
Message ID: 000003
Message Description: violation message
Type (type): traffic
Subtype (subtype): invalid
Level/Severity: warning

Log field Meaning

type traffic

subtype invalid

level warning

date The date at which the log was recorded.

time The time at which the log was recorded.

status The status of the traffic.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip The source IP.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

dstip The destination IP.

dstname The destination name. This can be a name or an IP address.

dstcountry Destination country.

srccountry Source country.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

service The service where the event or activity occurred.

duration Time value in seconds.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

sentbyte The number of sent bytes related to the log message.

rcvdbyte The number of received bytes related to the log message.

shaperdropsentbyte Shaper dropped sent bytes.

shaperdroprcvdbyte Shaper dropped received bytes.

shaperperipdropbyte PerIP dropped bytes.

Page 10
shapersentname The name of the traffic shaper sending the bytes.

shaperrcvdname The name of the traffic shaper receiving the bytes.

shaperperipname The perIP shaper name.

sentpkt The number of sent packets related to the log message.

rcvdpkt The number of received packets related to the log message.

vpn The name of the VPN tunnel used by the traffic.

vpntype The type of VPN tunnel that the traffic is flowing through. This field can be any one of the following: ipsec-static,
ipsec-dynamic, ipsec-ddns, sslvpn.

vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstintf The destination interface.

sessionid Session ID.

appid Application ID.

app The name of the application that triggered the action within the control list. For example, SSL.

appcat The application category that the application is associated with.

applist The name of the application control list that was used to detect and take action.

appact Application action.

user User name.

group The group name.

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

crscore Client Reputation score.

craction Client Reputation action.

Page 11
4
Message ID: 000004
Message Description: other message
Type (type): traffic
Subtype (subtype): invalid
Level/Severity: notice

Log field Meaning

type traffic

subtype invalid

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

status The status of the traffic.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip The source IP.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

dstip The destination IP.

dstname The destination name. This can be a name or an IP address.

dstcountry Destination country.

srccountry Source country.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

tranip The translated IP in NAT mode. For Transparent mode, it is zero.

tranport The translated port number in NAT mode. For Transparent mode, it is zero.

transip The translated source IP in NAT mode. For Transparent mode, it is zero.

transport The translated source port number in NAT mode. For Transparent mode, it is zero.

service The service where the event or activity occurred.

duration Time value in seconds.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

sentbyte The number of sent bytes related to the log message.

Page 12
rcvdbyte The number of received bytes related to the log message.

shaperdropsentbyte Shaper dropped sent bytes.

shaperdroprcvdbyte Shaper dropped received bytes.

shaperperipdropbyte PerIP dropped bytes.

shapersentname The name of the traffic shaper sending the bytes.

shaperrcvdname The name of the traffic shaper receiving the bytes.

shaperperipname The perIP shaper name.

sentpkt The number of sent packets related to the log message.

rcvdpkt The number of received packets related to the log message.

vpn The name of the VPN tunnel used by the traffic.

vpntype The type of VPN tunnel that the traffic is flowing through. This field can be any one of the following: ipsec-static,
ipsec-dynamic, ipsec-ddns, sslvpn.

vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstintf The destination interface.

sessionid Session ID.

appid Application ID.

app The name of the application that triggered the action within the control list. For example, SSL.

appcat The application category that the application is associated with.

applist The name of the application control list that was used to detect and take action.

appact Application action.

user User name.

group The group name.

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

crscore Client Reputation score.

craction Client Reputation action.

Page 13
5
Message ID: 000005
Message Description: allowed icmp message
Type (type): traffic
Subtype (subtype): invalid
Level/Severity: notice

Log field Meaning

type traffic

subtype invalid

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

status The status of the traffic.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

trandisp Whether the packet is source NAT translated (snat) or destination NAT translated (dnat), both (snat+dnat) or neither
(noop).

srcip The source IP.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

dstip The destination IP.

dstname The destination name. This can be a name or an IP address.

dstcountry Destination country.

srccountry Source country.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

tranip The translated IP in NAT mode. For Transparent mode, it is zero.

tranport The translated port number in NAT mode. For Transparent mode, it is zero.

transip The translated source IP in NAT mode. For Transparent mode, it is zero.

transport The translated source port number in NAT mode. For Transparent mode, it is zero.

service The service where the event or activity occurred.

duration Time value in seconds.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

Page 14
sentbyte The number of sent bytes related to the log message.

rcvdbyte The number of received bytes related to the log message.

shaperdropsentbyte Shaper dropped sent bytes.

shaperdroprcvdbyte Shaper dropped received bytes.

shaperperipdropbyte PerIP dropped bytes.

shapersentname The name of the traffic shaper sending the bytes.

shaperrcvdname The name of the traffic shaper receiving the bytes.

shaperperipname The perIP shaper name.

sentpkt The number of sent packets related to the log message.

rcvdpkt The number of received packets related to the log message.

vpn The name of the VPN tunnel used by the traffic.

vpntype The type of VPN tunnel that the traffic is flowing through. This field can be any one of the following: ipsec-static,
ipsec-dynamic, ipsec-ddns, sslvpn.

vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstintf The destination interface.

sessionid Session ID.

appid Application ID.

app The name of the application that triggered the action within the control list. For example, SSL.

appcat The application category that the application is associated with.

applist The name of the application control list that was used to detect and take action.

appact Application action.

user User name.

group The group name.

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

crscore Client Reputation score.

craction Client Reputation action.

Page 15
6
Message ID: 000006
Message Description: deny internal icmp message
Type (type): traffic
Subtype (subtype): invalid
Level/Severity: warning

Log field Meaning

type traffic

subtype invalid

level warning

date The date at which the log was recorded.

time The time at which the log was recorded.

status The status of the traffic.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip The source IP.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

dstip The destination IP.

dstname The destination name. This can be a name or an IP address.

dstcountry Destination country.

srccountry Source country.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

service The service where the event or activity occurred.

duration Time value in seconds.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

sentbyte The number of sent bytes related to the log message.

rcvdbyte The number of received bytes related to the log message.

shaperdropsentbyte Shaper dropped sent bytes.

shaperdroprcvdbyte Shaper dropped received bytes.

shaperperipdropbyte PerIP dropped bytes.

Page 16
shapersentname The name of the traffic shaper sending the bytes.

shaperrcvdname The name of the traffic shaper receiving the bytes.

shaperperipname The perIP shaper name.

sentpkt The number of sent packets related to the log message.

rcvdpkt The number of received packets related to the log message.

vpn The name of the VPN tunnel used by the traffic.

vpntype The type of VPN tunnel that the traffic is flowing through. This field can be any one of the following: ipsec-static,
ipsec-dynamic, ipsec-ddns, sslvpn.

vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstintf The destination interface.

sessionid Session ID.

appid Application ID.

app The name of the application that triggered the action within the control list. For example, SSL.

appcat The application category that the application is associated with.

applist The name of the application control list that was used to detect and take action.

appact Application action.

user User name.

group The group name.

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

crscore Client Reputation score.

craction Client Reputation action.

Page 17
7
Message ID: 000007
Message Description: deny external icmp message
Type (type): traffic
Subtype (subtype): invalid
Level/Severity: warning

Log field Meaning

type traffic

subtype invalid

level warning

date The date at which the log was recorded.

time The time at which the log was recorded.

status The status of the traffic.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip The source IP.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

dstip The destination IP.

dstname The destination name. This can be a name or an IP address.

dstcountry Destination country.

srccountry Source country.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

service The service where the event or activity occurred.

duration Time value in seconds.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

sentbyte The number of sent bytes related to the log message.

rcvdbyte The number of received bytes related to the log message.

shaperdropsentbyte Shaper dropped sent bytes.

shaperdroprcvdbyte Shaper dropped received bytes.

shaperperipdropbyte PerIP dropped bytes.

Page 18
shapersentname The name of the traffic shaper sending the bytes.

shaperrcvdname The name of the traffic shaper receiving the bytes.

shaperperipname The perIP shaper name.

sentpkt The number of sent packets related to the log message.

rcvdpkt The number of received packets related to the log message.

vpn The name of the VPN tunnel used by the traffic.

vpntype The type of VPN tunnel that the traffic is flowing through. This field can be any one of the following: ipsec-static,
ipsec-dynamic, ipsec-ddns, sslvpn.

vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstintf The destination interface.

sessionid Session ID.

appid Application ID.

app The name of the application that triggered the action within the control list. For example, SSL.

appcat The application category that the application is associated with.

applist The name of the application control list that was used to detect and take action.

appact Application action.

user User name.

group The group name.

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

crscore Client Reputation score.

craction Client Reputation action.

Page 19
8
Message ID: 000008
Message Description: WAN optimization traffic
Type (type): traffic
Subtype (subtype): forward
Level/Severity: notice

Log field Meaning

type traffic

subtype forward

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip The source IP.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

dstip The destination IP.

dstname The destination name. This can be a name or an IP address.

dstcountry Destination country.

srccountry Source country.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

wanoptapptype WANOpt app type. One of: web-cache, cifs, tcp, ftp, mapi, http, web-proxy, ftp-proxy.

duration Time value in seconds.

policyid The ID number of the firewall policy that applies to the session or packet.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

wanin WAN in.

wanout WAN out.

lanin LAN in.

lanout LAN out.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstintf The destination interface.

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

Page 20
unauthusersource Method used to detect username.

Page 21
9
Message ID: 000009
Message Description: webcache traffic
Type (type): traffic
Subtype (subtype): forward
Level/Severity: notice

Log field Meaning

type traffic

subtype forward

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip The source IP.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

dstip The destination IP.

dstname The destination name. This can be a name or an IP address.

dstcountry Destination country.

srccountry Source country.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

wanoptapptype WANOpt app type. One of: web-cache, cifs, tcp, ftp, mapi, http, web-proxy, ftp-proxy.

duration Time value in seconds.

policyid The ID number of the firewall policy that applies to the session or packet.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

wanin WAN in.

wanout WAN out.

lanin LAN in.

lanout LAN out.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstintf The destination interface.

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

Page 22
unauthusersource Method used to detect username.

Page 23
10
Message ID: 000010
Message Description: explicit proxy traffic
Type (type): traffic
Subtype (subtype): forward
Level/Severity: notice

Log field Meaning

type traffic

subtype forward

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip The source IP.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

dstip The destination IP.

dstname The destination name. This can be a name or an IP address.

dstcountry Destination country.

srccountry Source country.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

wanoptapptype WANOpt app type. One of: web-cache, cifs, tcp, ftp, mapi, http, web-proxy, ftp-proxy.

duration Time value in seconds.

policyid The ID number of the firewall policy that applies to the session or packet.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

wanin WAN in.

wanout WAN out.

lanin LAN in.

lanout LAN out.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstintf The destination interface.

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

Page 24
unauthusersource Method used to detect username.

Page 25
11
Message ID: 000011
Message Description: failed connection attempts
Type (type): traffic
Subtype (subtype): invalid
Level/Severity: warning

Log field Meaning

type traffic

subtype invalid

level warning

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip The source IP.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

dstip The destination IP.

dstname The destination name. This can be a name or an IP address.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

duration Time value in seconds.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstintf The destination interface.

sessionid Session ID.

user User name.

group The group name.

crscore Client Reputation score.

craction Client Reputation action.

Page 26
12
Message ID: 000012
Message Description: multicast allowed message
Type (type): traffic
Subtype (subtype): multicast
Level/Severity: notice

Log field Meaning

type traffic

subtype multicast

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

status The status of the traffic.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

trandisp Whether the packet is source NAT translated (snat) or destination NAT translated (dnat), both (snat+dnat) or neither
(noop).

srcip The source IP.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

dstip The destination IP.

dstname The destination name. This can be a name or an IP address.

dstcountry Destination country.

srccountry Source country.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

tranip The translated IP in NAT mode. For Transparent mode, it is zero.

tranport The translated port number in NAT mode. For Transparent mode, it is zero.

transip The translated source IP in NAT mode. For Transparent mode, it is zero.

transport The translated source port number in NAT mode. For Transparent mode, it is zero.

service The service where the event or activity occurred.

duration Time value in seconds.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

Page 27
sentbyte The number of sent bytes related to the log message.

rcvdbyte The number of received bytes related to the log message.

shaperdropsentbyte Shaper dropped sent bytes.

shaperdroprcvdbyte Shaper dropped received bytes.

shaperperipdropbyte PerIP dropped bytes.

shapersentname The name of the traffic shaper sending the bytes.

shaperrcvdname The name of the traffic shaper receiving the bytes.

shaperperipname The perIP shaper name.

sentpkt The number of sent packets related to the log message.

rcvdpkt The number of received packets related to the log message.

vpn The name of the VPN tunnel used by the traffic.

vpntype The type of VPN tunnel that the traffic is flowing through. This field can be any one of the following: ipsec-static,
ipsec-dynamic, ipsec-ddns, sslvpn.

vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstintf The destination interface.

sessionid Session ID.

appid Application ID.

app The name of the application that triggered the action within the control list. For example, SSL.

appcat The application category that the application is associated with.

applist The name of the application control list that was used to detect and take action.

appact Application action.

user User name.

group The group name.

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

crscore Client Reputation score.

craction Client Reputation action.

Page 28
13
Message ID: 000013
Message Description: traffic forward message
Type (type): traffic
Subtype (subtype): forward
Level/Severity: notice

Log field Meaning

type traffic

subtype forward

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

status The status of the traffic.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

trandisp Whether the packet is source NAT translated (snat) or destination NAT translated (dnat), both (snat+dnat) or neither
(noop).

srcip The source IP.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

dstip The destination IP.

dstname The destination name. This can be a name or an IP address.

dstcountry Destination country.

srccountry Source country.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

tranip The translated IP in NAT mode. For Transparent mode, it is zero.

tranport The translated port number in NAT mode. For Transparent mode, it is zero.

transip The translated source IP in NAT mode. For Transparent mode, it is zero.

transport The translated source port number in NAT mode. For Transparent mode, it is zero.

service The service where the event or activity occurred.

duration Time value in seconds.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

Page 29
sentbyte The number of sent bytes related to the log message.

rcvdbyte The number of received bytes related to the log message.

shaperdropsentbyte Shaper dropped sent bytes.

shaperdroprcvdbyte Shaper dropped received bytes.

shaperperipdropbyte PerIP dropped bytes.

shapersentname The name of the traffic shaper sending the bytes.

shaperrcvdname The name of the traffic shaper receiving the bytes.

shaperperipname The perIP shaper name.

sentpkt The number of sent packets related to the log message.

rcvdpkt The number of received packets related to the log message.

vpn The name of the VPN tunnel used by the traffic.

vpntype The type of VPN tunnel that the traffic is flowing through. This field can be any one of the following: ipsec-static,
ipsec-dynamic, ipsec-ddns, sslvpn.

vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstintf The destination interface.

sessionid Session ID.

appid Application ID.

app The name of the application that triggered the action within the control list. For example, SSL.

appcat The application category that the application is associated with.

applist The name of the application control list that was used to detect and take action.

appact Application action.

user User name.

group The group name.

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

utmaction The UTM action taken by the system.

filename The name of the file that was transferred.

virus The name of the virus detected.

attack ATTACK

hostname The hostname information.

catdesc The category description.

sender SENDER

recipient RECIPIENT

mailcount MAILCOUNT

Page 30
spamcount SPAMCOUNT

dlprule DLP rule.

utmevent The type of UTM event taking place.

utmseverity UTM severity.

sha256 SHA256 hash.

analyticssubmit Whether analytics were submitted or not. Can be false or true.

crscore Client Reputation score.

craction Client Reputation action.

Page 31
14
Message ID: 000014
Message Description: traffic local message
Type (type): traffic
Subtype (subtype): local
Level/Severity: notice

Log field Meaning

type traffic

subtype local

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

status The status of the traffic.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

trandisp Whether the packet is source NAT translated (snat) or destination NAT translated (dnat), both (snat+dnat) or neither
(noop).

srcip The source IP.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

dstip The destination IP.

dstname The destination name. This can be a name or an IP address.

dstcountry Destination country.

srccountry Source country.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

tranip The translated IP in NAT mode. For Transparent mode, it is zero.

tranport The translated port number in NAT mode. For Transparent mode, it is zero.

transip The translated source IP in NAT mode. For Transparent mode, it is zero.

transport The translated source port number in NAT mode. For Transparent mode, it is zero.

service The service where the event or activity occurred.

duration Time value in seconds.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

Page 32
sentbyte The number of sent bytes related to the log message.

rcvdbyte The number of received bytes related to the log message.

shaperdropsentbyte Shaper dropped sent bytes.

shaperdroprcvdbyte Shaper dropped received bytes.

shaperperipdropbyte PerIP dropped bytes.

shapersentname The name of the traffic shaper sending the bytes.

shaperrcvdname The name of the traffic shaper receiving the bytes.

shaperperipname The perIP shaper name.

sentpkt The number of sent packets related to the log message.

rcvdpkt The number of received packets related to the log message.

vpn The name of the VPN tunnel used by the traffic.

vpntype The type of VPN tunnel that the traffic is flowing through. This field can be any one of the following: ipsec-static,
ipsec-dynamic, ipsec-ddns, sslvpn.

vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstintf The destination interface.

sessionid Session ID.

appid Application ID.

app The name of the application that triggered the action within the control list. For example, SSL.

appcat The application category that the application is associated with.

applist The name of the application control list that was used to detect and take action.

appact Application action.

user User name.

group The group name.

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

crscore Client Reputation score.

craction Client Reputation action.

Page 33
15
Message ID: 000015
Message Description: start forward message
Type (type): traffic
Subtype (subtype): forward
Level/Severity: notice

Log field Meaning

type traffic

subtype forward

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

status The status of the traffic.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

trandisp Whether the packet is source NAT translated (snat) or destination NAT translated (dnat), both (snat+dnat) or neither
(noop).

srcip The source IP.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

dstip The destination IP.

dstname The destination name. This can be a name or an IP address.

dstcountry Destination country.

srccountry Source country.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

tranip The translated IP in NAT mode. For Transparent mode, it is zero.

tranport The translated port number in NAT mode. For Transparent mode, it is zero.

transip The translated source IP in NAT mode. For Transparent mode, it is zero.

transport The translated source port number in NAT mode. For Transparent mode, it is zero.

service The service where the event or activity occurred.

duration Time value in seconds.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

Page 34
sentbyte The number of sent bytes related to the log message.

rcvdbyte The number of received bytes related to the log message.

shaperdropsentbyte Shaper dropped sent bytes.

shaperdroprcvdbyte Shaper dropped received bytes.

shaperperipdropbyte PerIP dropped bytes.

shapersentname The name of the traffic shaper sending the bytes.

shaperrcvdname The name of the traffic shaper receiving the bytes.

shaperperipname The perIP shaper name.

sentpkt The number of sent packets related to the log message.

rcvdpkt The number of received packets related to the log message.

vpn The name of the VPN tunnel used by the traffic.

vpntype The type of VPN tunnel that the traffic is flowing through. This field can be any one of the following: ipsec-static,
ipsec-dynamic, ipsec-ddns, sslvpn.

vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstintf The destination interface.

sessionid Session ID.

appid Application ID.

app The name of the application that triggered the action within the control list. For example, SSL.

appcat The application category that the application is associated with.

applist The name of the application control list that was used to detect and take action.

appact Application action.

user User name.

group The group name.

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

crscore Client Reputation score.

craction Client Reputation action.

Page 35
16
Message ID: 000016
Message Description: start local message
Type (type): traffic
Subtype (subtype): local
Level/Severity: notice

Log field Meaning

type traffic

subtype local

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

status The status of the traffic.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip The source IP.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

dstip The destination IP.

dstname The destination name. This can be a name or an IP address.

dstcountry Destination country.

srccountry Source country.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

tranip The translated IP in NAT mode. For Transparent mode, it is zero.

tranport The translated port number in NAT mode. For Transparent mode, it is zero.

transip The translated source IP in NAT mode. For Transparent mode, it is zero.

transport The translated source port number in NAT mode. For Transparent mode, it is zero.

service The service where the event or activity occurred.

duration Time value in seconds.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

sentbyte The number of sent bytes related to the log message.

Page 36
rcvdbyte The number of received bytes related to the log message.

shaperdropsentbyte Shaper dropped sent bytes.

shaperdroprcvdbyte Shaper dropped received bytes.

shaperperipdropbyte PerIP dropped bytes.

shapersentname The name of the traffic shaper sending the bytes.

shaperrcvdname The name of the traffic shaper receiving the bytes.

shaperperipname The perIP shaper name.

sentpkt The number of sent packets related to the log message.

rcvdpkt The number of received packets related to the log message.

vpn The name of the VPN tunnel used by the traffic.

vpntype The type of VPN tunnel that the traffic is flowing through. This field can be any one of the following: ipsec-static,
ipsec-dynamic, ipsec-ddns, sslvpn.

vpntunnel The name of the VPN tunnel that was used. For example, ssl_vpn1.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstintf The destination interface.

sessionid Session ID.

appid Application ID.

app The name of the application that triggered the action within the control list. For example, SSL.

appcat The application category that the application is associated with.

applist The name of the application control list that was used to detect and take action.

appact Application action.

user User name.

group The group name.

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

crscore Client Reputation score.

craction Client Reputation action.

Page 37
Netscan
4096
Message ID: 004096
Message Description: Network scan performed
Type (type): utm
Subtype (subtype): netscan
Event Type (eventtype): vulnerability
Level/Severity: notice

Log field Meaning

type utm

subtype netscan

eventtype vulnerability

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action The nature of the netscan event. Scan, vuln-detection, host-detection, os-scan, port-detection, service-detection, vuln-count.

start GMT epoch time the scan started.

end GMT epoch time the scan ended.

status Scan status: start, stop, pause, resume, complete.

engine Version of the netscan engine.

plugin Version of the netscan plugin.

Page 38
4097
Message ID: 004097
Message Description: Network scan performed
Type (type): utm
Subtype (subtype): netscan
Event Type (eventtype): discovery
Level/Severity: notice

Log field Meaning

type utm

subtype netscan

eventtype discovery

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action The nature of the netscan event. Scan, vuln-detection, host-detection, os-scan, port-detection, service-detection, vuln-count.

start GMT epoch time the scan started.

end GMT epoch time the scan ended.

status Scan status: start, stop, pause, resume, complete.

engine Version of the netscan engine.

plugin Version of the netscan plugin.

Page 39
4098
Message ID: 004098
Message Description: Netscan vulnerability detected
Type (type): utm
Subtype (subtype): netscan
Event Type (eventtype): vulnerability
Level/Severity: notice

Log field Meaning

type utm

subtype netscan

eventtype vulnerability

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action The nature of the netscan event. Scan, vuln-detection, host-detection, os-scan, port-detection, service-detection, vuln-count.

dstip The destination IP.

vuln Name of the detected vulnerability.

vulncat Category of the detected vulnerability.

vulnid ID of the detected vulnerability.

vulnref Reference to the detected vulnerability in FortiGuard.

severity The priority level of the attack log. Can be info, low, medium, high, or critical.

vulnscore NIST score of the detected vulnerability.

proto Protocol. Either TCP or UDP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

Page 40
4099
Message ID: 004099
Message Description: Netscan OS detected
Type (type): utm
Subtype (subtype): netscan
Event Type (eventtype): discovery
Level/Severity: notice

Log field Meaning

type utm

subtype netscan

eventtype discovery

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action The nature of the netscan event. Scan, vuln-detection, host-detection, os-scan, port-detection, service-detection, vuln-count.

dstip The destination IP.

os Operating system name.

osfamily OS family.

osgen OS generation.

osvendor OS vendor.

Page 41
4100
Message ID: 004100
Message Description: Netscan service detected
Type (type): utm
Subtype (subtype): netscan
Event Type (eventtype): discovery
Level/Severity: notice

Log field Meaning

type utm

subtype netscan

eventtype discovery

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action The nature of the netscan event. Scan, vuln-detection, host-detection, os-scan, port-detection, service-detection, vuln-count.

dstip The destination IP.

service The service where the event or activity occurred.

proto Protocol. Either TCP or UDP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

Page 42
4101
Message ID: 004101
Message Description: Notification message
Type (type): utm
Subtype (subtype): netscan
Event Type (eventtype): vulnerability
Level/Severity: notice

Log field Meaning

type utm

subtype netscan

eventtype vulnerability

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action The nature of the netscan event. Scan, vuln-detection, host-detection, os-scan, port-detection, service-detection, vuln-count.

Page 43
4102
Message ID: 004102
Message Description: Notification message
Type (type): utm
Subtype (subtype): netscan
Event Type (eventtype): discovery
Level/Severity: notice

Log field Meaning

type utm

subtype netscan

eventtype discovery

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action The nature of the netscan event. Scan, vuln-detection, host-detection, os-scan, port-detection, service-detection, vuln-count.

Page 44
4103
Message ID: 004103
Message Description: Netscan number of vulnerabilities detected
Type (type): utm
Subtype (subtype): netscan
Event Type (eventtype): vulnerability
Level/Severity: notice

Log field Meaning

type utm

subtype netscan

eventtype vulnerability

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action The nature of the netscan event. Scan, vuln-detection, host-detection, os-scan, port-detection, service-detection, vuln-count.

dstip The destination IP.

vulncnt Vulnerability count.

Page 45
4104
Message ID: 004104
Message Description: Netscan host detected
Type (type): utm
Subtype (subtype): netscan
Event Type (eventtype): discovery
Level/Severity: notice

Log field Meaning

type utm

subtype netscan

eventtype discovery

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action The nature of the netscan event. Scan, vuln-detection, host-detection, os-scan, port-detection, service-detection, vuln-count.

dstip The destination IP.

method The method information.

assetid Asset ID for this host.

assetname Asset definition for this host.

Page 46
4105
Message ID: 004105
Message Description: Netscan port detected
Type (type): utm
Subtype (subtype): netscan
Event Type (eventtype): discovery
Level/Severity: notice

Log field Meaning

type utm

subtype netscan

eventtype discovery

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action The nature of the netscan event. Scan, vuln-detection, host-detection, os-scan, port-detection, service-detection, vuln-count.

dstip The destination IP.

proto Protocol. Either TCP or UDP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

Page 47
Virus
8192
Message ID: 008192
Message Description: virus infected block
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): infected
Level/Severity: warning

Log field Meaning

type utm

subtype virus

eventtype infected

level warning

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status The status of the virus or packet: blocked, passthrough, monitored, analytics.

service The service where the event or activity occurred.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

direction Message direction. One of: N/A, TX, or RX.

file The name of the file.

checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same
checksum, the FortiGate unit assumes that they have the same content.

Page 48
quarskip Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern
block), oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).

virus The name of the virus detected.

dtype Dtype.

ref URL of the FortiGuard IPS database entry for the attack.

url The URL address.

profile The name of the profile that was used to detect and take action.

profiletype The type of profile responsible for the UTM action taken.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

agent Agent.

from Source identifier.

to Destination identifier.

sha256 SHA256 hash.

analyticssubmit Whether analytics were submitted or not. Can be false or true.

msg "File is infected."

Page 49
8193
Message ID: 008193
Message Description: virus infected pass
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): infected
Level/Severity: notice

Log field Meaning

type utm

subtype virus

eventtype infected

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status The status of the virus or packet: blocked, passthrough, monitored, analytics.

service The service where the event or activity occurred.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

direction Message direction. One of: N/A, TX, or RX.

file The name of the file.

checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same
checksum, the FortiGate unit assumes that they have the same content.

quarskip Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern
block), oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).

virus The name of the virus detected.

dtype Dtype.

Page 50
ref URL of the FortiGuard IPS database entry for the attack.

url The URL address.

profile The name of the profile that was used to detect and take action.

profiletype The type of profile responsible for the UTM action taken.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

agent Agent.

from Source identifier.

to Destination identifier.

sha256 SHA256 hash.

analyticssubmit Whether analytics were submitted or not. Can be false or true.

msg "File is infected."

Page 51
8194
Message ID: 008194
Message Description: virus infected mime block
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): infected
Level/Severity: warning

Log field Meaning

type utm

subtype virus

eventtype infected

level warning

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status The status of the virus or packet: blocked, passthrough, monitored, analytics.

service The service where the event or activity occurred.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

direction Message direction. One of: N/A, TX, or RX.

file The name of the file.

checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same
checksum, the FortiGate unit assumes that they have the same content.

virus The name of the virus detected.

dtype Dtype.

Page 52
ref URL of the FortiGuard IPS database entry for the attack.

url The URL address.

profile The name of the profile that was used to detect and take action.

profiletype The type of profile responsible for the UTM action taken.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

agent Agent.

from Source identifier.

to Destination identifier.

sha256 SHA256 hash.

analyticssubmit Whether analytics were submitted or not. Can be false or true.

msg "File is infected."

Page 53
8195
Message ID: 008195
Message Description: virus infected mime pass
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): infected
Level/Severity: notice

Log field Meaning

type utm

subtype virus

eventtype infected

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status The status of the virus or packet: blocked, passthrough, monitored, analytics.

service The service where the event or activity occurred.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

direction Message direction. One of: N/A, TX, or RX.

file The name of the file.

checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same
checksum, the FortiGate unit assumes that they have the same content.

virus The name of the virus detected.

dtype Dtype.

Page 54
ref URL of the FortiGuard IPS database entry for the attack.

url The URL address.

profile The name of the profile that was used to detect and take action.

profiletype The type of profile responsible for the UTM action taken.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

agent Agent.

from Source identifier.

to Destination identifier.

sha256 SHA256 hash.

analyticssubmit Whether analytics were submitted or not. Can be false or true.

msg "File submitted to FortiGuard Analytics."

Page 55
8196
Message ID: 008196
Message Description: virus infected worm block
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): infected
Level/Severity: warning

Log field Meaning

type utm

subtype virus

eventtype infected

level warning

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status The status of the virus or packet: blocked, passthrough, monitored, analytics.

service The service where the event or activity occurred.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

virus The name of the virus detected.

dtype Dtype.

url The URL address.

profile The name of the profile that was used to detect and take action.

profiletype The type of profile responsible for the UTM action taken.

user User name.

group The group name.

Page 56
msg "Worm detected."

Page 57
8197
Message ID: 008197
Message Description: virus infected worm monitor
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): infected
Level/Severity: notice

Log field Meaning

type utm

subtype virus

eventtype infected

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status The status of the virus or packet: blocked, passthrough, monitored, analytics.

service The service where the event or activity occurred.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

virus The name of the virus detected.

dtype Dtype.

url The URL address.

profile The name of the profile that was used to detect and take action.

profiletype The type of profile responsible for the UTM action taken.

user User name.

group The group name.

Page 58
msg "Worm detected."

Page 59
8198
Message ID: 008198
Message Description: virus infected worm mime block
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): infected
Level/Severity: warning

Log field Meaning

type utm

subtype virus

eventtype infected

level warning

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status The status of the virus or packet: blocked, passthrough, monitored, analytics.

service The service where the event or activity occurred.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

virus The name of the virus detected.

dtype Dtype.

url The URL address.

profile The name of the profile that was used to detect and take action.

profiletype The type of profile responsible for the UTM action taken.

user User name.

group The group name.

Page 60
from Source identifier.

to Destination identifier.

msg "Worm detected."

Page 61
8199
Message ID: 008199
Message Description: virus infected worm mime monitor
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): infected
Level/Severity: notice

Log field Meaning

type utm

subtype virus

eventtype infected

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status The status of the virus or packet: blocked, passthrough, monitored, analytics.

service The service where the event or activity occurred.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

virus The name of the virus detected.

dtype Dtype.

url The URL address.

profile The name of the profile that was used to detect and take action.

profiletype The type of profile responsible for the UTM action taken.

user User name.

group The group name.

Page 62
from Source identifier.

to Destination identifier.

msg "Worm detected."

Page 63
8448
Message ID: 008448
Message Description: virus blocked (warning)
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): filename
Level/Severity: warning

Log field Meaning

type utm

subtype virus

eventtype filename

level warning

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status The status of the virus or packet: blocked, passthrough, monitored, analytics.

service The service where the event or activity occurred.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

direction Message direction. One of: N/A, TX, or RX.

filefilter The filter used to identify the affected file.

filetype The filetype of the affected file.

file The name of the file.

checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the
FortiGate unit assumes that they have the same content.

quarskip Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern block),
oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).

Page 64
url The URL address.

profile The name of the profile that was used to detect and take action.

profiletype The type of profile responsible for the UTM action taken.

user User name.

group The group name.

agent Agent.

from Source identifier.

to Destination identifier.

msg "File is blocked."

Page 65
8449
Message ID: 008449
Message Description: virus blocked (notice)
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): filename
Level/Severity: notice

Log field Meaning

type utm

subtype virus

eventtype filename

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status The status of the virus or packet: blocked, passthrough, monitored, analytics.

service The service where the event or activity occurred.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

direction Message direction. One of: N/A, TX, or RX.

filefilter The filter used to identify the affected file.

filetype The filetype of the affected file.

file The name of the file.

checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the
FortiGate unit assumes that they have the same content.

quarskip Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern block),
oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).

Page 66
url The URL address.

profile The name of the profile that was used to detect and take action.

profiletype The type of profile responsible for the UTM action taken.

user User name.

group The group name.

agent Agent.

from Source identifier.

to Destination identifier.

msg "File is blocked."

Page 67
8450
Message ID: 008450
Message Description: virus blocked mime (warning)
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): filename
Level/Severity: warning

Log field Meaning

type utm

subtype virus

eventtype filename

level warning

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status The status of the virus or packet: blocked, passthrough, monitored, analytics.

service The service where the event or activity occurred.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

direction Message direction. One of: N/A, TX, or RX.

filefilter The filter used to identify the affected file.

filetype The filetype of the affected file.

file The name of the file.

checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the
FortiGate unit assumes that they have the same content.

quarskip Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern block),
oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).

Page 68
url The URL address.

profile The name of the profile that was used to detect and take action.

profiletype The type of profile responsible for the UTM action taken.

user User name.

group The group name.

agent Agent.

from Source identifier.

to Destination identifier.

msg "File is blocked."

Page 69
8451
Message ID: 008451
Message Description: virus blocked mime (notice)
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): filename
Level/Severity: notice

Log field Meaning

type utm

subtype virus

eventtype filename

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status The status of the virus or packet: blocked, passthrough, monitored, analytics.

service The service where the event or activity occurred.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

direction Message direction. One of: N/A, TX, or RX.

filefilter The filter used to identify the affected file.

filetype The filetype of the affected file.

file The name of the file.

checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the
FortiGate unit assumes that they have the same content.

quarskip Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern block),
oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).

Page 70
url The URL address.

profile The name of the profile that was used to detect and take action.

profiletype The type of profile responsible for the UTM action taken.

user User name.

group The group name.

agent Agent.

from Source identifier.

to Destination identifier.

msg "File is blocked."

Page 71
8452
Message ID: 008452
Message Description: virus blocked command
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): filename
Level/Severity: warning

Log field Meaning

type utm

subtype virus

eventtype filename

level warning

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status The status of the virus or packet: blocked, passthrough, monitored, analytics.

service The service where the event or activity occurred.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

url The URL address.

user User name.

group The group name.

command Command information.

agent Agent.

profiletype The type of profile responsible for the UTM action taken.

profile The name of the profile that was used to detect and take action.

Page 72
msg "Command blocked."

Page 73
8453
Message ID: 008453
Message Description: virus intercepted
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): filename
Level/Severity: notice

Log field Meaning

type utm

subtype virus

eventtype filename

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status The status of the virus or packet: blocked, passthrough, monitored, analytics.

service The service where the event or activity occurred.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

direction Message direction. One of: N/A, TX, or RX.

filefilter The filter used to identify the affected file.

filetype The filetype of the affected file.

file The name of the file.

checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the
FortiGate unit assumes that they have the same content.

quarskip Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern block),
oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).

Page 74
url The URL address.

profile The name of the profile that was used to detect and take action.

profiletype The type of profile responsible for the UTM action taken.

user User name.

group The group name.

agent Agent.

from Source identifier.

to Destination identifier.

msg "File is intercepted."

Page 75
8454
Message ID: 008454
Message Description: virus intercepted mime
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): filename
Level/Severity: notice

Log field Meaning

type utm

subtype virus

eventtype filename

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status The status of the virus or packet: blocked, passthrough, monitored, analytics.

service The service where the event or activity occurred.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

direction Message direction. One of: N/A, TX, or RX.

filefilter The filter used to identify the affected file.

filetype The filetype of the affected file.

file The name of the file.

checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the
FortiGate unit assumes that they have the same content.

quarskip Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern block),
oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).

Page 76
virus The name of the virus detected.

dtype Dtype.

url The URL address.

profile The name of the profile that was used to detect and take action.

profiletype The type of profile responsible for the UTM action taken.

user User name.

group The group name.

agent Agent.

from Source identifier.

to Destination identifier.

msg "File is intercepted."

Page 77
8455
Message ID: 008455
Message Description: virus exempted
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): filename
Level/Severity: notice

Log field Meaning

type utm

subtype virus

eventtype filename

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status The status of the virus or packet: blocked, passthrough, monitored, analytics.

service The service where the event or activity occurred.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

direction Message direction. One of: N/A, TX, or RX.

filefilter The filter used to identify the affected file.

filetype The filetype of the affected file.

file The name of the file.

url The URL address.

profile The name of the profile that was used to detect and take action.

profiletype The type of profile responsible for the UTM action taken.

Page 78
user User name.

group The group name.

agent Agent.

from Source identifier.

to Destination identifier.

msg "File has been exempted."

Page 79
8456
Message ID: 008456
Message Description: virus exempted mime
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): filename
Level/Severity: notice

Log field Meaning

type utm

subtype virus

eventtype filename

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status The status of the virus or packet: blocked, passthrough, monitored, analytics.

service The service where the event or activity occurred.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

direction Message direction. One of: N/A, TX, or RX.

filefilter The filter used to identify the affected file.

filetype The filetype of the affected file.

file The name of the file.

url The URL address.

profile The name of the profile that was used to detect and take action.

profiletype The type of profile responsible for the UTM action taken.

Page 80
user User name.

group The group name.

agent Agent.

from Source identifier.

to Destination identifier.

msg "File has been exempted."

Page 81
8457
Message ID: 008457
Message Description: mms content checksum
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): infected
Level/Severity: warning

Log field Meaning

type utm

subtype virus

eventtype infected

level warning

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status The status of the virus or packet: blocked, passthrough, monitored, analytics.

service The service where the event or activity occurred.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

direction Message direction. One of: N/A, TX, or RX.

checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the
FortiGate unit assumes that they have the same content.

url The URL address.

profile The name of the profile that was used to detect and take action.

profiletype The type of profile responsible for the UTM action taken.

user User name.

Page 82
group The group name.

agent Agent.

from Source identifier.

to Destination identifier.

msg "Blocked by MMS content checksum."

Page 83
8458
Message ID: 008458
Message Description: mms content checksum
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): infected
Level/Severity: warning

Log field Meaning

type utm

subtype virus

eventtype infected

level warning

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status The status of the virus or packet: blocked, passthrough, monitored, analytics.

service The service where the event or activity occurred.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

direction Message direction. One of: N/A, TX, or RX.

checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the
FortiGate unit assumes that they have the same content.

file The name of the file.

url The URL address.

profile The name of the profile that was used to detect and take action.

profiletype The type of profile responsible for the UTM action taken.

Page 84
user User name.

group The group name.

agent Agent.

from Source identifier.

to Destination identifier.

msg "Matched by MMS content checksum."

Page 85
8704
Message ID: 008704
Message Description: oversized block
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): oversize
Level/Severity: warning

Log field Meaning

type utm

subtype virus

eventtype oversize

level warning

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status The status of the virus or packet: blocked, passthrough, monitored, analytics.

service The service where the event or activity occurred.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

file The name of the file.

url The URL address.

profile The name of the profile that was used to detect and take action.

profiletype The type of profile responsible for the UTM action taken.

user User name.

group The group name.

agent Agent.

Page 86
from Source identifier.

to Destination identifier.

msg "Size limit exceeded."

Page 87
8705
Message ID: 008705
Message Description: oversized pass
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): oversize
Level/Severity: notice

Log field Meaning

type utm

subtype virus

eventtype oversize

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status The status of the virus or packet: blocked, passthrough, monitored, analytics.

service The service where the event or activity occurred.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

file The name of the file.

url The URL address.

profile The name of the profile that was used to detect and take action.

profiletype The type of profile responsible for the UTM action taken.

user User name.

group The group name.

agent Agent.

Page 88
from Source identifier.

to Destination identifier.

msg "Size limit exceeded."

Page 89
8706
Message ID: 008706
Message Description: oversized mime block
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): oversize
Level/Severity: warning

Log field Meaning

type utm

subtype virus

eventtype oversize

level warning

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status The status of the virus or packet: blocked, passthrough, monitored, analytics.

service The service where the event or activity occurred.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

file The name of the file.

url The URL address.

profile The name of the profile that was used to detect and take action.

profiletype The type of profile responsible for the UTM action taken.

user User name.

group The group name.

from Source identifier.

Page 90
to Destination identifier.

msg "Size limit exceeded."

Page 91
8707
Message ID: 008707
Message Description: oversized mime pass
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): oversize
Level/Severity: notice

Log field Meaning

type utm

subtype virus

eventtype oversize

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status The status of the virus or packet: blocked, passthrough, monitored, analytics.

service The service where the event or activity occurred.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

file The name of the file.

url The URL address.

profile The name of the profile that was used to detect and take action.

profiletype The type of profile responsible for the UTM action taken.

user User name.

group The group name.

from Source identifier.

Page 92
to Destination identifier.

msg "Size limit exceeded."

Page 93
8720
Message ID: 008720
Message Description: switching protocols block
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): switchproto
Level/Severity: warning

Log field Meaning

type utm

subtype virus

eventtype switchproto

level warning

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status The status of the virus or packet: blocked, passthrough, monitored, analytics.

service The service where the event or activity occurred.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

url The URL address.

profile The name of the profile that was used to detect and take action.

profiletype The type of profile responsible for the UTM action taken.

user User name.

group The group name.

from Source identifier.

to Destination identifier.

Page 94
agent Agent.

switchproto Protocol change information.

msg "Switching protocols request."

Page 95
8721
Message ID: 008721
Message Description: switching protocols bypass
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): switchproto
Level/Severity: notice

Log field Meaning

type utm

subtype virus

eventtype switchproto

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status The status of the virus or packet: blocked, passthrough, monitored, analytics.

service The service where the event or activity occurred.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

url The URL address.

profile The name of the profile that was used to detect and take action.

profiletype The type of profile responsible for the UTM action taken.

user User name.

group The group name.

from Source identifier.

to Destination identifier.

Page 96
agent Agent.

switchproto Protocol change information.

msg "Switching protocols request."

Page 97
8960
Message ID: 008960
Message Description: uncompressed nested limit reached
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): scanerror
Level/Severity: notice

Log field Meaning

type utm

subtype virus

eventtype scanerror

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status The status of the virus or packet: blocked, passthrough, monitored, analytics.

service The service where the event or activity occurred.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

direction Message direction. One of: N/A, TX, or RX.

file The name of the file.

checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same
checksum, the FortiGate unit assumes that they have the same content.

virus The name of the virus detected.

dtype Dtype.

Page 98
ref URL of the FortiGuard IPS database entry for the attack.

url The URL address.

profile The name of the profile that was used to detect and take action.

profiletype The type of profile responsible for the UTM action taken.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

agent Agent.

from Source identifier.

to Destination identifier.

sha256 SHA256 hash.

analyticssubmit Whether analytics were submitted or not. Can be false or true.

msg "File reached uncompressed nested limit."

Page 99
8961
Message ID: 008961
Message Description: uncompressed size limit reached
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): scanerror
Level/Severity: notice

Log field Meaning

type utm

subtype virus

eventtype scanerror

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status The status of the virus or packet: blocked, passthrough, monitored, analytics.

service The service where the event or activity occurred.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

direction Message direction. One of: N/A, TX, or RX.

file The name of the file.

checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same
checksum, the FortiGate unit assumes that they have the same content.

virus The name of the virus detected.

dtype Dtype.

Page 100
ref URL of the FortiGuard IPS database entry for the attack.

url The URL address.

profile The name of the profile that was used to detect and take action.

profiletype The type of profile responsible for the UTM action taken.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

agent Agent.

from Source identifier.

to Destination identifier.

sha256 SHA256 hash.

analyticssubmit Whether analytics were submitted or not. Can be false or true.

msg "File reached uncompressed size limit."

Page 101
8962
Message ID: 008962
Message Description: archive is encrypted
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): scanerror
Level/Severity: warning

Log field Meaning

type utm

subtype virus

eventtype scanerror

level warning

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status The status of the virus or packet: blocked, passthrough, monitored, analytics.

service The service where the event or activity occurred.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

direction Message direction. One of: N/A, TX, or RX.

file The name of the file.

checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same
checksum, the FortiGate unit assumes that they have the same content.

virus The name of the virus detected.

dtype Dtype.

Page 102
ref URL of the FortiGuard IPS database entry for the attack.

url The URL address.

profile The name of the profile that was used to detect and take action.

profiletype The type of profile responsible for the UTM action taken.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

agent Agent.

from Source identifier.

to Destination identifier.

sha256 SHA256 hash.

analyticssubmit Whether analytics were submitted or not. Can be false or true.

msg "Encrypted archive."

Page 103
8963
Message ID: 008963
Message Description: archive is encrypted
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): scanerror
Level/Severity: notice

Log field Meaning

type utm

subtype virus

eventtype scanerror

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status The status of the virus or packet: blocked, passthrough, monitored, analytics.

service The service where the event or activity occurred.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

direction Message direction. One of: N/A, TX, or RX.

file The name of the file.

checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same
checksum, the FortiGate unit assumes that they have the same content.

virus The name of the virus detected.

dtype Dtype.

Page 104
ref URL of the FortiGuard IPS database entry for the attack.

url The URL address.

profile The name of the profile that was used to detect and take action.

profiletype The type of profile responsible for the UTM action taken.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

agent Agent.

from Source identifier.

to Destination identifier.

sha256 SHA256 hash.

analyticssubmit Whether analytics were submitted or not. Can be false or true.

msg "Encrypted archive."

Page 105
8964
Message ID: 008964
Message Description: archive is corrupted
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): scanerror
Level/Severity: warning

Log field Meaning

type utm

subtype virus

eventtype scanerror

level warning

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status The status of the virus or packet: blocked, passthrough, monitored, analytics.

service The service where the event or activity occurred.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

direction Message direction. One of: N/A, TX, or RX.

file The name of the file.

checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same
checksum, the FortiGate unit assumes that they have the same content.

virus The name of the virus detected.

dtype Dtype.

Page 106
ref URL of the FortiGuard IPS database entry for the attack.

url The URL address.

profile The name of the profile that was used to detect and take action.

profiletype The type of profile responsible for the UTM action taken.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

agent Agent.

from Source identifier.

to Destination identifier.

sha256 SHA256 hash.

analyticssubmit Whether analytics were submitted or not. Can be false or true.

msg "Corrupted archive."

Page 107
8965
Message ID: 008965
Message Description: archive is corrupted
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): scanerror
Level/Severity: notice

Log field Meaning

type utm

subtype virus

eventtype scanerror

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status The status of the virus or packet: blocked, passthrough, monitored, analytics.

service The service where the event or activity occurred.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

direction Message direction. One of: N/A, TX, or RX.

file The name of the file.

checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same
checksum, the FortiGate unit assumes that they have the same content.

virus The name of the virus detected.

dtype Dtype.

Page 108
ref URL of the FortiGuard IPS database entry for the attack.

url The URL address.

profile The name of the profile that was used to detect and take action.

profiletype The type of profile responsible for the UTM action taken.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

agent Agent.

from Source identifier.

to Destination identifier.

sha256 SHA256 hash.

analyticssubmit Whether analytics were submitted or not. Can be false or true.

msg "Corrupted archive."

Page 109
8966
Message ID: 008966
Message Description: multipart archive
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): scanerror
Level/Severity: warning

Log field Meaning

type utm

subtype virus

eventtype scanerror

level warning

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status The status of the virus or packet: blocked, passthrough, monitored, analytics.

service The service where the event or activity occurred.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

direction Message direction. One of: N/A, TX, or RX.

file The name of the file.

checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same
checksum, the FortiGate unit assumes that they have the same content.

virus The name of the virus detected.

dtype Dtype.

Page 110
ref URL of the FortiGuard IPS database entry for the attack.

url The URL address.

profile The name of the profile that was used to detect and take action.

profiletype The type of profile responsible for the UTM action taken.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

agent Agent.

from Source identifier.

to Destination identifier.

sha256 SHA256 hash.

analyticssubmit Whether analytics were submitted or not. Can be false or true.

msg "Multipart archive."

Page 111
8967
Message ID: 008967
Message Description: multipart archive
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): scanerror
Level/Severity: notice

Log field Meaning

type utm

subtype virus

eventtype scanerror

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status The status of the virus or packet: blocked, passthrough, monitored, analytics.

service The service where the event or activity occurred.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

direction Message direction. One of: N/A, TX, or RX.

file The name of the file.

checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same
checksum, the FortiGate unit assumes that they have the same content.

virus The name of the virus detected.

dtype Dtype.

Page 112
ref URL of the FortiGuard IPS database entry for the attack.

url The URL address.

profile The name of the profile that was used to detect and take action.

profiletype The type of profile responsible for the UTM action taken.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

agent Agent.

from Source identifier.

to Destination identifier.

sha256 SHA256 hash.

analyticssubmit Whether analytics were submitted or not. Can be false or true.

msg "Multipart archive."

Page 113
8968
Message ID: 008968
Message Description: nested archive
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): scanerror
Level/Severity: warning

Log field Meaning

type utm

subtype virus

eventtype scanerror

level warning

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status The status of the virus or packet: blocked, passthrough, monitored, analytics.

service The service where the event or activity occurred.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

direction Message direction. One of: N/A, TX, or RX.

file The name of the file.

checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same
checksum, the FortiGate unit assumes that they have the same content.

virus The name of the virus detected.

dtype Dtype.

Page 114
ref URL of the FortiGuard IPS database entry for the attack.

url The URL address.

profile The name of the profile that was used to detect and take action.

profiletype The type of profile responsible for the UTM action taken.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

agent Agent.

from Source identifier.

to Destination identifier.

sha256 SHA256 hash.

analyticssubmit Whether analytics were submitted or not. Can be false or true.

msg "Nested archive."

Page 115
8969
Message ID: 008969
Message Description: nested archive
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): scanerror
Level/Severity: notice

Log field Meaning

type utm

subtype virus

eventtype scanerror

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status The status of the virus or packet: blocked, passthrough, monitored, analytics.

service The service where the event or activity occurred.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

direction Message direction. One of: N/A, TX, or RX.

file The name of the file.

checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same
checksum, the FortiGate unit assumes that they have the same content.

virus The name of the virus detected.

dtype Dtype.

Page 116
ref URL of the FortiGuard IPS database entry for the attack.

url The URL address.

profile The name of the profile that was used to detect and take action.

profiletype The type of profile responsible for the UTM action taken.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

agent Agent.

from Source identifier.

to Destination identifier.

sha256 SHA256 hash.

analyticssubmit Whether analytics were submitted or not. Can be false or true.

msg "Nested archive."

Page 117
8970
Message ID: 008970
Message Description: archive is oversized
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): scanerror
Level/Severity: warning

Log field Meaning

type utm

subtype virus

eventtype scanerror

level warning

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status The status of the virus or packet: blocked, passthrough, monitored, analytics.

service The service where the event or activity occurred.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

direction Message direction. One of: N/A, TX, or RX.

file The name of the file.

checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same
checksum, the FortiGate unit assumes that they have the same content.

virus The name of the virus detected.

dtype Dtype.

Page 118
ref URL of the FortiGuard IPS database entry for the attack.

url The URL address.

profile The name of the profile that was used to detect and take action.

profiletype The type of profile responsible for the UTM action taken.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

agent Agent.

from Source identifier.

to Destination identifier.

sha256 SHA256 hash.

analyticssubmit Whether analytics were submitted or not. Can be false or true.

msg "Oversized archive."

Page 119
8971
Message ID: 008971
Message Description: archive is oversized
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): scanerror
Level/Severity: notice

Log field Meaning

type utm

subtype virus

eventtype scanerror

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status The status of the virus or packet: blocked, passthrough, monitored, analytics.

service The service where the event or activity occurred.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

direction Message direction. One of: N/A, TX, or RX.

file The name of the file.

checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same
checksum, the FortiGate unit assumes that they have the same content.

virus The name of the virus detected.

dtype Dtype.

Page 120
ref URL of the FortiGuard IPS database entry for the attack.

url The URL address.

profile The name of the profile that was used to detect and take action.

profiletype The type of profile responsible for the UTM action taken.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

agent Agent.

from Source identifier.

to Destination identifier.

sha256 SHA256 hash.

analyticssubmit Whether analytics were submitted or not. Can be false or true.

msg "Oversized archive."

Page 121
8972
Message ID: 008972
Message Description: unhandled archive type
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): scanerror
Level/Severity: warning

Log field Meaning

type utm

subtype virus

eventtype scanerror

level warning

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status The status of the virus or packet: blocked, passthrough, monitored, analytics.

service The service where the event or activity occurred.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

direction Message direction. One of: N/A, TX, or RX.

file The name of the file.

checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same
checksum, the FortiGate unit assumes that they have the same content.

virus The name of the virus detected.

dtype Dtype.

Page 122
ref URL of the FortiGuard IPS database entry for the attack.

url The URL address.

profile The name of the profile that was used to detect and take action.

profiletype The type of profile responsible for the UTM action taken.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

agent Agent.

from Source identifier.

to Destination identifier.

sha256 SHA256 hash.

analyticssubmit Whether analytics were submitted or not. Can be false or true.

msg "Unhandled archive."

Page 123
8973
Message ID: 008973
Message Description: unhandled archive type
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): scanerror
Level/Severity: notice

Log field Meaning

type utm

subtype virus

eventtype scanerror

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status The status of the virus or packet: blocked, passthrough, monitored, analytics.

service The service where the event or activity occurred.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

direction Message direction. One of: N/A, TX, or RX.

file The name of the file.

checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same
checksum, the FortiGate unit assumes that they have the same content.

virus The name of the virus detected.

dtype Dtype.

Page 124
ref URL of the FortiGuard IPS database entry for the attack.

url The URL address.

profile The name of the profile that was used to detect and take action.

profiletype The type of profile responsible for the UTM action taken.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

agent Agent.

from Source identifier.

to Destination identifier.

sha256 SHA256 hash.

analyticssubmit Whether analytics were submitted or not. Can be false or true.

msg "Unhandled archive."

Page 125
9233
Message ID: 009233
Message Description: FortiGuard analytics
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): analytics
Level/Severity: notice

Log field Meaning

type utm

subtype virus

eventtype analytics

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status The status of the virus or packet: blocked, passthrough, monitored, analytics.

service The service where the event or activity occurred.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

direction Message direction. One of: N/A, TX, or RX.

file The name of the file.

checksum The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same
checksum, the FortiGate unit assumes that they have the same content.

virus The name of the virus detected.

dtype Dtype.

Page 126
ref URL of the FortiGuard IPS database entry for the attack.

url The URL address.

profile The name of the profile that was used to detect and take action.

profiletype The type of profile responsible for the UTM action taken.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

agent Agent.

from Source identifier.

to Destination identifier.

sha256 SHA256 hash.

analyticssubmit Whether analytics were submitted or not. Can be false or true.

msg

Page 127
Webfilter
12288
Message ID: 012288
Message Description: Web content banned word
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): content
Level/Severity: warning

Log field Meaning

type utm

subtype webfilter

eventtype content

level warning

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

initiator The initiator name.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

Page 128
dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

service The service where the event or activity occurred.

hostname The hostname information.

profiletype The type of profile responsible for the UTM action taken.

profile The name of the profile that was used to detect and take action.

reqtype The request type, either direct or referral.

url The URL address.

sentbyte The number of sent bytes related to the log message.

rcvdbyte The number of received bytes related to the log message.

status The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.

agent Agent.

from Source identifier.

to Destination identifier.

banword Banned word flagged in the message.

msg "URL was blocked because it contained banned word(s)."

Page 129
12289
Message ID: 012289
Message Description: Web content MMS banned word
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): content
Level/Severity: warning

Log field Meaning

type utm

subtype webfilter

eventtype content

level warning

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

initiator The initiator name.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

service The service where the event or activity occurred.

Page 130
hostname The hostname information.

profiletype The type of profile responsible for the UTM action taken.

profile The name of the profile that was used to detect and take action.

reqtype The request type, either direct or referral.

url The URL address.

sentbyte The number of sent bytes related to the log message.

rcvdbyte The number of received bytes related to the log message.

status The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.

direction Message direction. One of: N/A, TX, or RX.

agent Agent.

from Source identifier.

to Destination identifier.

banword Banned word flagged in the message.

msg "Message was blocked because it contained banned word(s)."

Page 131
12290
Message ID: 012290
Message Description: Web content exempt word
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): content
Level/Severity: notice

Log field Meaning

type utm

subtype webfilter

eventtype content

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

initiator The initiator name.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

service The service where the event or activity occurred.

Page 132
hostname The hostname information.

profiletype The type of profile responsible for the UTM action taken.

profile The name of the profile that was used to detect and take action.

reqtype The request type, either direct or referral.

url The URL address.

sentbyte The number of sent bytes related to the log message.

rcvdbyte The number of received bytes related to the log message.

status The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.

agent Agent.

from Source identifier.

to Destination identifier.

banword Banned word flagged in the message.

msg "URL was exempted because it contained exempt word(s)."

Page 133
12291
Message ID: 012291
Message Description: Web content MMS exempt word
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): content
Level/Severity: notice

Log field Meaning

type utm

subtype webfilter

eventtype content

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

initiator The initiator name.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

service The service where the event or activity occurred.

Page 134
hostname The hostname information.

profiletype The type of profile responsible for the UTM action taken.

profile The name of the profile that was used to detect and take action.

reqtype The request type, either direct or referral.

url The URL address.

sentbyte The number of sent bytes related to the log message.

rcvdbyte The number of received bytes related to the log message.

status The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.

direction Message direction. One of: N/A, TX, or RX.

agent Agent.

from Source identifier.

to Destination identifier.

banword Banned word flagged in the message.

msg "Message was exempted because it contained exempt word(s)."

Page 135
12292
Message ID: 012292
Message Description: Web search key word
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): content
Level/Severity: notice

Log field Meaning

type utm

subtype webfilter

eventtype content

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

initiator The initiator name.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

service The service where the event or activity occurred.

Page 136
hostname The hostname information.

profiletype The type of profile responsible for the UTM action taken.

profile The name of the profile that was used to detect and take action.

reqtype The request type, either direct or referral.

url The URL address.

sentbyte The number of sent bytes related to the log message.

rcvdbyte The number of received bytes related to the log message.

status The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.

agent Agent.

from Source identifier.

to Destination identifier.

keyword Flagged or searched keyword.

msg "Message contained a key word in the profile list."

Page 137
12293
Message ID: 012293
Message Description: Web search
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): content
Level/Severity: notice

Log field Meaning

type utm

subtype webfilter

eventtype content

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

initiator The initiator name.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

service The service where the event or activity occurred.

Page 138
hostname The hostname information.

profiletype The type of profile responsible for the UTM action taken.

profile The name of the profile that was used to detect and take action.

reqtype The request type, either direct or referral.

url The URL address.

sentbyte The number of sent bytes related to the log message.

rcvdbyte The number of received bytes related to the log message.

status The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.

agent Agent.

from Source identifier.

to Destination identifier.

keyword Flagged or searched keyword.

msg "Search phrase detected."

Page 139
12305
Message ID: 012305
Message Description: Web content MMS banned word
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): content
Level/Severity: notice

Log field Meaning

type utm

subtype webfilter

eventtype content

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

initiator The initiator name.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

service The service where the event or activity occurred.

Page 140
hostname The hostname information.

profiletype The type of profile responsible for the UTM action taken.

profile The name of the profile that was used to detect and take action.

reqtype The request type, either direct or referral.

url The URL address.

sentbyte The number of sent bytes related to the log message.

rcvdbyte The number of received bytes related to the log message.

status The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.

direction Message direction. One of: N/A, TX, or RX.

agent Agent.

from Source identifier.

to Destination identifier.

banword Banned word flagged in the message.

msg "Message was logged because it contained a banned word."

Page 141
12544
Message ID: 012544
Message Description: URL filter block
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): urlfilter
Level/Severity: warning

Log field Meaning

type utm

subtype webfilter

eventtype urlfilter

level warning

date The date at which the log was recorded.

time The time at which the log was recorded.

urlfilteridx URL filter index.

urlfilterlist URL filter list name.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

initiator The initiator name.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

Page 142
dstintf The destination interface.

service The service where the event or activity occurred.

hostname The hostname information.

profiletype The type of profile responsible for the UTM action taken.

profile The name of the profile that was used to detect and take action.

status The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.

reqtype The request type, either direct or referral.

url The URL address.

sentbyte The number of sent bytes related to the log message.

rcvdbyte The number of received bytes related to the log message.

msg "URL was blocked because it is in the URL filter list."

Page 143
12545
Message ID: 012545
Message Description: URL filter exempt
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): urlfilter
Level/Severity: information

Log field Meaning

type utm

subtype webfilter

eventtype urlfilter

level information

date The date at which the log was recorded.

time The time at which the log was recorded.

urlfilteridx URL filter index.

urlfilterlist URL filter list name.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

initiator The initiator name.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

Page 144
dstintf The destination interface.

service The service where the event or activity occurred.

hostname The hostname information.

profiletype The type of profile responsible for the UTM action taken.

profile The name of the profile that was used to detect and take action.

status The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.

reqtype The request type, either direct or referral.

url The URL address.

sentbyte The number of sent bytes related to the log message.

rcvdbyte The number of received bytes related to the log message.

msg "URL was exempted because it is in the URL filter list."

Page 145
12546
Message ID: 012546
Message Description: URL filter allow
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): urlfilter
Level/Severity: information

Log field Meaning

type utm

subtype webfilter

eventtype urlfilter

level information

date The date at which the log was recorded.

time The time at which the log was recorded.

urlfilteridx URL filter index.

urlfilterlist URL filter list name.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

initiator The initiator name.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

Page 146
dstintf The destination interface.

service The service where the event or activity occurred.

hostname The hostname information.

profiletype The type of profile responsible for the UTM action taken.

profile The name of the profile that was used to detect and take action.

status The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.

reqtype The request type, either direct or referral.

url The URL address.

sentbyte The number of sent bytes related to the log message.

rcvdbyte The number of received bytes related to the log message.

msg "URL was allowed because it is in the URL filter list."

Page 147
12547
Message ID: 012547
Message Description: URL filter invalid hostname (Block/HTTP)
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): urlfilter
Level/Severity: notice

Log field Meaning

type utm

subtype webfilter

eventtype urlfilter

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

user User name.

group The group name.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

service The service where the event or activity occurred.

profiletype The type of profile responsible for the UTM action taken.

profile The name of the profile that was used to detect and take action.

hostname The hostname information.

status The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.

reqtype The request type, either direct or referral.

sentbyte The number of sent bytes related to the log message.

Page 148
rcvdbyte The number of received bytes related to the log message.

msg "The HTTP request contained an invalid domain name."

Page 149
12548
Message ID: 012548
Message Description: URL filter invalid hostname (Block/HTTPS)
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): urlfilter
Level/Severity: notice

Log field Meaning

type utm

subtype webfilter

eventtype urlfilter

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

user User name.

group The group name.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

service The service where the event or activity occurred.

profiletype The type of profile responsible for the UTM action taken.

profile The name of the profile that was used to detect and take action.

hostname The hostname information.

status The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.

reqtype The request type, either direct or referral.

sentbyte The number of sent bytes related to the log message.

Page 150
rcvdbyte The number of received bytes related to the log message.

msg "The certificate for the HTTPS session contained an invalid domain name."

Page 151
12549
Message ID: 012549
Message Description: URL filter invalid hostname (Filter/HTTP)
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): urlfilter
Level/Severity: information

Log field Meaning

type utm

subtype webfilter

eventtype urlfilter

level information

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

user User name.

group The group name.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

service The service where the event or activity occurred.

profiletype The type of profile responsible for the UTM action taken.

profile The name of the profile that was used to detect and take action.

hostname The hostname information.

status The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.

reqtype The request type, either direct or referral.

sentbyte The number of sent bytes related to the log message.

Page 152
rcvdbyte The number of received bytes related to the log message.

msg "The HTTP request contained an invalid domain name. The session has been filtered by IP only."

Page 153
12550
Message ID: 012550
Message Description: URL filter invalid hostname (Filter/HTTPS)
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): urlfilter
Level/Severity: information

Log field Meaning

type utm

subtype webfilter

eventtype urlfilter

level information

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

user User name.

group The group name.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

service The service where the event or activity occurred.

profiletype The type of profile responsible for the UTM action taken.

profile The name of the profile that was used to detect and take action.

hostname The hostname information.

status The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.

reqtype The request type, either direct or referral.

sentbyte The number of sent bytes related to the log message.

Page 154
rcvdbyte The number of received bytes related to the log message.

msg "The certificate for this HTTPS session contained an invalid domain name. The session has been filtered by IP only."

Page 155
12553
Message ID: 012553
Message Description: Server certificate validation failed
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): urlfilter
Level/Severity: notice

Log field Meaning

type utm

subtype webfilter

eventtype urlfilter

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

user User name.

group The group name.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

service The service where the event or activity occurred.

profiletype The type of profile responsible for the UTM action taken.

profile The name of the profile that was used to detect and take action.

sentbyte The number of sent bytes related to the log message.

rcvdbyte The number of received bytes related to the log message.

msg "The server certificate validation failed."

Page 156
12554
Message ID: 012554
Message Description: Unknown SSL session ID
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): urlfilter
Level/Severity: notice

Log field Meaning

type utm

subtype webfilter

eventtype urlfilter

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

user User name.

group The group name.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

profiletype The type of profile responsible for the UTM action taken.

profile The name of the profile that was used to detect and take action.

service The service where the event or activity occurred.

status The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.

sentbyte The number of sent bytes related to the log message.

rcvdbyte The number of received bytes related to the log message.

msg "The SSL session was blocked because the session ID was unknown."

Page 157
12555
Message ID: 012555
Message Description: SSL session blocked due to invalid/missing server certificate
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): urlfilter
Level/Severity: notice

Log field Meaning

type utm

subtype webfilter

eventtype urlfilter

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

user User name.

group The group name.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

profiletype The type of profile responsible for the UTM action taken.

profile The name of the profile that was used to detect and take action.

service The service where the event or activity occurred.

status The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.

sentbyte The number of sent bytes related to the log message.

rcvdbyte The number of received bytes related to the log message.

msg "The SSL session was blocked because the server certificate was missing or invalid."

Page 158
12556
Message ID: 012556
Message Description: SSL session ignored due to invalid/missing server certificate
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): urlfilter
Level/Severity: notice

Log field Meaning

type utm

subtype webfilter

eventtype urlfilter

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

user User name.

group The group name.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

profiletype The type of profile responsible for the UTM action taken.

profile The name of the profile that was used to detect and take action.

service The service where the event or activity occurred.

status The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.

sentbyte The number of sent bytes related to the log message.

rcvdbyte The number of received bytes related to the log message.

msg "The SSL session was ignored because the server certificate was missing or invalid."

Page 159
12557
Message ID: 012557
Message Description: FortiGuard service inactive
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): urlfilter
Level/Severity: critical

Log field Meaning

type utm

subtype webfilter

eventtype urlfilter

level critical

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

msg "FortiGuard is enabled in the protection profile but the FortiGuard service is not enabled."

Page 160
12558
Message ID: 012558
Message Description: Rating error occurs
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): urlfilter
Level/Severity: information

Log field Meaning

type utm

subtype webfilter

eventtype urlfilter

level information

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

user User name.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

urltype URL type. One of: HTTP, HTTPS, FTP, Telnet, mail, phishing.

hostname The hostname information.

status The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.

error Error.

url The URL address.

msg "Policy allows URLs when a rating error occurs."

Page 161
12559
Message ID: 012559
Message Description: URL filter pass
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): urlfilter
Level/Severity: information

Log field Meaning

type utm

subtype webfilter

eventtype urlfilter

level information

date The date at which the log was recorded.

time The time at which the log was recorded.

urlfilteridx URL filter index.

urlfilterlist URL filter list name.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

initiator The initiator name.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

Page 162
dstintf The destination interface.

service The service where the event or activity occurred.

hostname The hostname information.

profiletype The type of profile responsible for the UTM action taken.

profile The name of the profile that was used to detect and take action.

status The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.

reqtype The request type, either direct or referral.

url The URL address.

sentbyte The number of sent bytes related to the log message.

rcvdbyte The number of received bytes related to the log message.

msg "URL was passed because it is in the URL filter list."

Page 163
12800
Message ID: 012800
Message Description: FortiGuard webfilter error
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): ftgd_err
Level/Severity: error

Log field Meaning

type utm

subtype webfilter

eventtype ftgd_err

level error

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

initiator The initiator name.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

service The service where the event or activity occurred.

Page 164
hostname The hostname information.

profiletype The type of profile responsible for the UTM action taken.

profile The name of the profile that was used to detect and take action.

status The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.

reqtype The request type, either direct or referral.

url The URL address.

sentbyte The number of sent bytes related to the log message.

rcvdbyte The number of received bytes related to the log message.

error Error.

msg "A rating error occurred."

Page 165
12801
Message ID: 012801
Message Description: FortiGuard webfilter error
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): ftgd_err
Level/Severity: warning

Log field Meaning

type utm

subtype webfilter

eventtype ftgd_err

level warning

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

initiator The initiator name.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

service The service where the event or activity occurred.

Page 166
hostname The hostname information.

profiletype The type of profile responsible for the UTM action taken.

profile The name of the profile that was used to detect and take action.

status The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.

reqtype The request type, either direct or referral.

url The URL address.

sentbyte The number of sent bytes related to the log message.

rcvdbyte The number of received bytes related to the log message.

error Error.

msg "A rating error occurred."

Page 167
12802
Message ID: 012802
Message Description: Daily fortiguard quota status
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): ftgd_quota
Level/Severity: information

Log field Meaning

type utm

subtype webfilter

eventtype ftgd_quota

level information

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

quotaexceeded Quota exceeded: yes or no.

quotatype The quota type, either: time or traffic.

quotaused Quota time used (in seconds).

quotamax Maximum quota time allowed (in seconds).

catdesc The category description.

user User name.

profile The name of the profile that was used to detect and take action.

Page 168
13056
Message ID: 013056
Message Description: FortiGuard webfilter category block
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): ftgd_blk
Level/Severity: warning

Log field Meaning

type utm

subtype webfilter

eventtype ftgd_blk

level warning

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

initiator The initiator name.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

service The service where the event or activity occurred.

Page 169
hostname The hostname information.

profiletype The type of profile responsible for the UTM action taken.

profile The name of the profile that was used to detect and take action.

status The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.

reqtype The request type, either direct or referral.

url The URL address.

sentbyte The number of sent bytes related to the log message.

rcvdbyte The number of received bytes related to the log message.

method The method information.

class The class.

classdesc The class description.

cat The category.

catdesc The category description.

Log field Meaning

type utm

subtype webfilter

eventtype ftgd_blk

level warning

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

initiator The initiator name.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

service The service where the event or activity occurred.

Page 171
hostname The hostname information.

profiletype The type of profile responsible for the UTM action taken.

profile The name of the profile that was used to detect and take action.

status The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.

reqtype The request type, either direct or referral.

url The URL address.

sentbyte The number of sent bytes related to the log message.

rcvdbyte The number of received bytes related to the log message.

method The method information.

class The class.

classdesc The class description.

cat The category.

catdesc The category description.

Log field Meaning

type utm

subtype webfilter

eventtype ftgd_allow

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

initiator The initiator name.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

service The service where the event or activity occurred.

Page 173
hostname The hostname information.

profiletype The type of profile responsible for the UTM action taken.

profile The name of the profile that was used to detect and take action.

status The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.

reqtype The request type, either direct or referral.

url The URL address.

sentbyte The number of sent bytes related to the log message.

rcvdbyte The number of received bytes related to the log message.

method The method information.

class The class.

classdesc The class description.

cat The category.

catdesc The category description.

Log field Meaning

type utm

subtype webfilter

eventtype ftgd_allow

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

initiator The initiator name.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

service The service where the event or activity occurred.

Page 175
hostname The hostname information.

profiletype The type of profile responsible for the UTM action taken.

profile The name of the profile that was used to detect and take action.

status The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.

reqtype The request type, either direct or referral.

url The URL address.

sentbyte The number of sent bytes related to the log message.

rcvdbyte The number of received bytes related to the log message.

method The method information.

class The class.

classdesc The class description.

cat The category.

catdesc The category description.

mode Mode.

ruletype Rule type. One of: Directory, domain, rating, unhandled.

ruledata Rule data.

ovrdtbl Override table name.

ovrdid Override ID.

msg "URL belongs to an override rule."

Page 176
13314
Message ID: 013314
Message Description: FortiGuard webfilter allow
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): ftgd_allow
Level/Severity: information

Log field Meaning

type utm

subtype webfilter

eventtype ftgd_allow

level information

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

initiator The initiator name.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

service The service where the event or activity occurred.

Page 177
hostname The hostname information.

profiletype The type of profile responsible for the UTM action taken.

profile The name of the profile that was used to detect and take action.

status The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.

reqtype The request type, either direct or referral.

url The URL address.

sentbyte The number of sent bytes related to the log message.

rcvdbyte The number of received bytes related to the log message.

method The method information.

class The class.

classdesc The class description.

cat The category.

catdesc The category description.

mode Mode.

ruletype Rule type. One of: Directory, domain, rating, unhandled.

ruledata Rule data.

ovrdtbl Override table name.

ovrdid Override ID.

msg "URL belongs to an override rule."

Page 178
13315
Message ID: 013315
Message Description: FortiGuard webfilter category quota counting
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): ftgd_quota_counting
Level/Severity: notice

Log field Meaning

type utm

subtype webfilter

eventtype ftgd_quota_counting

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

initiator The initiator name.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

service The service where the event or activity occurred.

Page 179
hostname The hostname information.

profiletype The type of profile responsible for the UTM action taken.

profile The name of the profile that was used to detect and take action.

status The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.

reqtype The request type, either direct or referral.

url The URL address.

sentbyte The number of sent bytes related to the log message.

rcvdbyte The number of received bytes related to the log message.

method The method information.

class The class.

classdesc The class description.

cat The category.

catdesc The category description.

quotatype The quota type, either: time or traffic.

quotaused Quota time used (in seconds).

quotamax Maximum quota time allowed (in seconds).

msg "Webfilter quota has begun counting."

Page 180
13316
Message ID: 013316
Message Description: FortiGuard webfilter category quota expired
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): urlfilter
Level/Severity: warning

Log field Meaning

type utm

subtype webfilter

eventtype urlfilter

level warning

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

initiator The initiator name.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

service The service where the event or activity occurred.

Page 181
hostname The hostname information.

profiletype The type of profile responsible for the UTM action taken.

profile The name of the profile that was used to detect and take action.

status The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.

reqtype The request type, either direct or referral.

url The URL address.

sentbyte The number of sent bytes related to the log message.

rcvdbyte The number of received bytes related to the log message.

method The method information.

class The class.

classdesc The class description.

cat The category.

catdesc The category description.

quotatype The quota type, either: time or traffic.

quotaused Quota time used (in seconds).

quotamax Maximum quota time allowed (in seconds).

Log field Meaning

type utm

subtype webfilter

eventtype urlfilter

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

initiator The initiator name.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

service The service where the event or activity occurred.

Page 183
hostname The hostname information.

profiletype The type of profile responsible for the UTM action taken.

profile The name of the profile that was used to detect and take action.

status The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.

reqtype The request type, either direct or referral.

url The URL address.

sentbyte The number of sent bytes related to the log message.

rcvdbyte The number of received bytes related to the log message.

method The method information.

class The class.

classdesc The class description.

cat The category.

catdesc The category description.

msg "URL has been visited."

Page 184
13568
Message ID: 013568
Message Description: Web script filter ActiveX
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): activexfilter
Level/Severity: notice

Log field Meaning

type utm

subtype webfilter

eventtype activexfilter

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

initiator The initiator name.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

service The service where the event or activity occurred.

Page 185
hostname The hostname information.

profiletype The type of profile responsible for the UTM action taken.

profile The name of the profile that was used to detect and take action.

status The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.

reqtype The request type, either direct or referral.

url The URL address.

sentbyte The number of sent bytes related to the log message.

rcvdbyte The number of received bytes related to the log message.

count Number of packets.

msg "ActiveX script was removed."

Page 186
13573
Message ID: 013573
Message Description: Web script filter cookie
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): cookiefilter
Level/Severity: notice

Log field Meaning

type utm

subtype webfilter

eventtype cookiefilter

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

initiator The initiator name.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

service The service where the event or activity occurred.

Page 187
hostname The hostname information.

profiletype The type of profile responsible for the UTM action taken.

profile The name of the profile that was used to detect and take action.

status The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.

reqtype The request type, either direct or referral.

url The URL address.

sentbyte The number of sent bytes related to the log message.

rcvdbyte The number of received bytes related to the log message.

msg "Cookie was removed."

Page 188
13584
Message ID: 013584
Message Description: Web script filter applet
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): appletfilter
Level/Severity: notice

Log field Meaning

type utm

subtype webfilter

eventtype appletfilter

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

initiator The initiator name.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

service The service where the event or activity occurred.

Page 189
hostname The hostname information.

profiletype The type of profile responsible for the UTM action taken.

profile The name of the profile that was used to detect and take action.

status The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.

reqtype The request type, either direct or referral.

url The URL address.

sentbyte The number of sent bytes related to the log message.

rcvdbyte The number of received bytes related to the log message.

count Number of packets.

msg "Java applet was removed."

Page 190
13601
Message ID: 013601
Message Description: Web cookie filter
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): cookiefilter
Level/Severity: notice

Log field Meaning

type utm

subtype webfilter

eventtype cookiefilter

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

initiator The initiator name.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

service The service where the event or activity occurred.

Page 191
hostname The hostname information.

profiletype The type of profile responsible for the UTM action taken.

profile The name of the profile that was used to detect and take action.

status The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.

reqtype The request type, either direct or referral.

url The URL address.

sentbyte The number of sent bytes related to the log message.

rcvdbyte The number of received bytes related to the log message.

count Number of packets.

filtertype The script filter type. Can be: N/A, jscript, javascript, vbscript, or unknown.

msg "Cookie was removed entirely."

Page 192
13602
Message ID: 013602
Message Description: Web referer filter
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): cookiefilter
Level/Severity: notice

Log field Meaning

type utm

subtype webfilter

eventtype cookiefilter

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

initiator The initiator name.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

service The service where the event or activity occurred.

Page 193
hostname The hostname information.

profiletype The type of profile responsible for the UTM action taken.

profile The name of the profile that was used to detect and take action.

status The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.

reqtype The request type, either direct or referral.

url The URL address.

sentbyte The number of sent bytes related to the log message.

rcvdbyte The number of received bytes related to the log message.

count Number of packets.

filtertype The script filter type. Can be: N/A, jscript, javascript, vbscript, or unknown.

msg "Referer was removed from request."

Page 194
13603
Message ID: 013603
Message Description: Command blocked
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): webfilter_command_block
Level/Severity: warning

Log field Meaning

type utm

subtype webfilter

eventtype webfilter_command_block

level warning

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

initiator The initiator name.

user User name.

group The group name.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

profiletype The type of profile responsible for the UTM action taken.

profile The name of the profile that was used to detect and take action.

hostname The hostname information.

status The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.

service The service where the event or activity occurred.

reqtype The request type, either direct or referral.

Page 195
msg "Command blocked."

Page 196
13616
Message ID: 013616
Message Description: Content type blocked
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): content
Level/Severity: warning

Log field Meaning

type utm

subtype webfilter

eventtype content

level warning

date The date at which the log was recorded.

time The time at which the log was recorded.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

initiator The initiator name.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

service The service where the event or activity occurred.

Page 197
hostname The hostname information.

profiletype The type of profile responsible for the UTM action taken.

profile The name of the profile that was used to detect and take action.

reqtype The request type, either direct or referral.

url The URL address.

sentbyte The number of sent bytes related to the log message.

rcvdbyte The number of received bytes related to the log message.

status The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.

agent Agent.

from Source identifier.

to Destination identifier.

contenttype Content type.

msg "Blocked by HTTP Header Content Type."

Page 198
IPS
16384
Message ID: 016384
Message Description: attack signature (tcp/udp)
Type (type): utm
Subtype (subtype): ips
Event Type (eventtype): signature
Level/Severity: alert

Log field Meaning

type utm

subtype ips

eventtype signature

level alert

date The date at which the log was recorded.

time The time at which the log was recorded.

severity The priority level of the attack log. Can be info, low, medium, high, or critical.

srcip The source IP.

dstip The destination IP.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstintf The destination interface.

policyid The ID number of the firewall policy that applies to the session or packet.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

custom Custom field.

sessionid Session ID.

status The status of the packet that was flagged as part of an attack. Can be detected, dropped, or reset.

service The service where the event or activity occurred.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

count Number of packets.

attackname Attack name.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

Page 199
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

attackid The identification number of the attack log message.

sensor Sensor.

ref URL of the FortiGuard IPS database entry for the attack.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

incidentserialno Incident serial number.

Page 200
16385
Message ID: 016385
Message Description: attack signature (icmp)
Type (type): utm
Subtype (subtype): ips
Event Type (eventtype): signature
Level/Severity: alert

Log field Meaning

type utm

subtype ips

eventtype signature

level alert

date The date at which the log was recorded.

time The time at which the log was recorded.

severity The priority level of the attack log. Can be info, low, medium, high, or critical.

srcip The source IP.

dstip The destination IP.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstintf The destination interface.

policyid The ID number of the firewall policy that applies to the session or packet.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

custom Custom field.

sessionid Session ID.

status The status of the packet that was flagged as part of an attack. Can be detected, dropped, or reset.

service The service where the event or activity occurred.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

count Number of packets.

attackname Attack name.

icmpid The source port of the ICMP message.

icmptype The type of ICMP message.

icmpcode The destination port of the ICMP message.

attackid The identification number of the attack log message.

Page 201
sensor Sensor.

ref URL of the FortiGuard IPS database entry for the attack.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

incidentserialno Incident serial number.

Page 202
16386
Message ID: 016386
Message Description: attack signature (others)
Type (type): utm
Subtype (subtype): ips
Event Type (eventtype): signature
Level/Severity: alert

Log field Meaning

type utm

subtype ips

eventtype signature

level alert

date The date at which the log was recorded.

time The time at which the log was recorded.

severity The priority level of the attack log. Can be info, low, medium, high, or critical.

srcip The source IP.

dstip The destination IP.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstintf The destination interface.

policyid The ID number of the firewall policy that applies to the session or packet.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

custom Custom field.

sessionid Session ID.

status The status of the packet that was flagged as part of an attack. Can be detected, dropped, or reset.

service The service where the event or activity occurred.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

count Number of packets.

attackname Attack name.

attackid The identification number of the attack log message.

sensor Sensor.

ref URL of the FortiGuard IPS database entry for the attack.

user User name.

Page 203
group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

incidentserialno Incident serial number.

Page 204
18432
Message ID: 018432
Message Description: attack anomaly (tcp/udp)
Type (type): utm
Subtype (subtype): ips
Event Type (eventtype): anomaly
Level/Severity: alert

Log field Meaning

type utm

subtype ips

eventtype anomaly

level alert

date The date at which the log was recorded.

time The time at which the log was recorded.

severity The priority level of the attack log. Can be info, low, medium, high, or critical.

srcip The source IP.

dstip The destination IP.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstintf The destination interface.

policyid The ID number of the firewall policy that applies to the session or packet.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

custom Custom field.

sessionid Session ID.

status The status of the packet that was flagged as part of an attack. Can be detected, dropped, or reset.

service The service where the event or activity occurred.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

count Number of packets.

attackname Attack name.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

attackid The identification number of the attack log message.

sensor Sensor.

Page 205
ref URL of the FortiGuard IPS database entry for the attack.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

incidentserialno Incident serial number.

Page 206
18433
Message ID: 018433
Message Description: attack anomaly (icmp)
Type (type): utm
Subtype (subtype): ips
Event Type (eventtype): anomaly
Level/Severity: alert

Log field Meaning

type utm

subtype ips

eventtype anomaly

level alert

date The date at which the log was recorded.

time The time at which the log was recorded.

severity The priority level of the attack log. Can be info, low, medium, high, or critical.

srcip The source IP.

dstip The destination IP.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstintf The destination interface.

policyid The ID number of the firewall policy that applies to the session or packet.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

custom Custom field.

sessionid Session ID.

status The status of the packet that was flagged as part of an attack. Can be detected, dropped, or reset.

service The service where the event or activity occurred.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

count Number of packets.

attackname Attack name.

icmpid The source port of the ICMP message.

icmptype The type of ICMP message.

icmpcode The destination port of the ICMP message.

attackid The identification number of the attack log message.

Page 207
sensor Sensor.

ref URL of the FortiGuard IPS database entry for the attack.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

incidentserialno Incident serial number.

Page 208
18434
Message ID: 018434
Message Description: attack anomaly (others)
Type (type): utm
Subtype (subtype): ips
Event Type (eventtype): anomaly
Level/Severity: alert

Log field Meaning

type utm

subtype ips

eventtype anomaly

level alert

date The date at which the log was recorded.

time The time at which the log was recorded.

severity The priority level of the attack log. Can be info, low, medium, high, or critical.

srcip The source IP.

dstip The destination IP.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstintf The destination interface.

policyid The ID number of the firewall policy that applies to the session or packet.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

custom Custom field.

sessionid Session ID.

status The status of the packet that was flagged as part of an attack. Can be detected, dropped, or reset.

service The service where the event or activity occurred.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

count Number of packets.

attackname Attack name.

attackid The identification number of the attack log message.

sensor Sensor.

ref URL of the FortiGuard IPS database entry for the attack.

user User name.

Page 209
group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

incidentserialno Incident serial number.

Page 210
Spam
20480
Message ID: 020480
Message Description: antispam smtp (warning)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): smtp
Level/Severity: notice

Log field Meaning

type utm

subtype spam

eventtype smtp

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

Page 211
dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

service The service where the event or activity occurred.

profile The name of the profile that was used to detect and take action.

profiletype The type of profile responsible for the UTM action taken.

status The status of the email message. One of: exempted, blocked, or detected.

from Source identifier.

to Destination identifier.

tracker Tracker ID.

sentbyte The number of sent bytes related to the log message.

rcvdbyte The number of received bytes related to the log message.

Page 212
20481
Message ID: 020481
Message Description: antispam smtp (warning)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): smtp
Level/Severity: notice

Log field Meaning

type utm

subtype spam

eventtype smtp

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

service The service where the event or activity occurred.

profile The name of the profile that was used to detect and take action.

Page 213
profiletype The type of profile responsible for the UTM action taken.

status The status of the email message. One of: exempted, blocked, or detected.

from Source identifier.

to Destination identifier.

tracker Tracker ID.

sentbyte The number of sent bytes related to the log message.

rcvdbyte The number of received bytes related to the log message.

banword Banned word flagged in the message.

subject Subject.

Page 214
20482
Message ID: 020482
Message Description: antispam pop3 (warning)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): pop3
Level/Severity: notice

Log field Meaning

type utm

subtype spam

eventtype pop3

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

service The service where the event or activity occurred.

profile The name of the profile that was used to detect and take action.

Page 215
profiletype The type of profile responsible for the UTM action taken.

status The status of the email message. One of: exempted, blocked, or detected.

from Source identifier.

to Destination identifier.

tracker Tracker ID.

sentbyte The number of sent bytes related to the log message.

rcvdbyte The number of received bytes related to the log message.

Page 216
20483
Message ID: 020483
Message Description: antispam pop3 (warning)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): pop3
Level/Severity: notice

Log field Meaning

type utm

subtype spam

eventtype pop3

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

service The service where the event or activity occurred.

profile The name of the profile that was used to detect and take action.

Page 217
profiletype The type of profile responsible for the UTM action taken.

status The status of the email message. One of: exempted, blocked, or detected.

from Source identifier.

to Destination identifier.

tracker Tracker ID.

sentbyte The number of sent bytes related to the log message.

rcvdbyte The number of received bytes related to the log message.

banword Banned word flagged in the message.

Page 218
20484
Message ID: 020484
Message Description: antispam imap (notice)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): imap
Level/Severity: notice

Log field Meaning

type utm

subtype spam

eventtype imap

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

service The service where the event or activity occurred.

profile The name of the profile that was used to detect and take action.

Page 219
profiletype The type of profile responsible for the UTM action taken.

status The status of the email message. One of: exempted, blocked, or detected.

from Source identifier.

to Destination identifier.

tracker Tracker ID.

sentbyte The number of sent bytes related to the log message.

rcvdbyte The number of received bytes related to the log message.

Page 220
20485
Message ID: 020485
Message Description: antispam endpoint filter (warning)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): endpointfilter
Level/Severity: warning

Log field Meaning

type utm

subtype spam

eventtype endpointfilter

level warning

date The date at which the log was recorded.

time The time at which the log was recorded.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

service The service where the event or activity occurred.

profile The name of the profile that was used to detect and take action.

Page 221
profiletype The type of profile responsible for the UTM action taken.

status The status of the email message. One of: exempted, blocked, or detected.

from Source identifier.

to Destination identifier.

tracker Tracker ID.

sentbyte The number of sent bytes related to the log message.

rcvdbyte The number of received bytes related to the log message.

Page 222
20486
Message ID: 020486
Message Description: antispam endpoint filter (notice)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): endpointfilter
Level/Severity: notice

Log field Meaning

type utm

subtype spam

eventtype endpointfilter

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

service The service where the event or activity occurred.

profile The name of the profile that was used to detect and take action.

Page 223
profiletype The type of profile responsible for the UTM action taken.

status The status of the email message. One of: exempted, blocked, or detected.

from Source identifier.

to Destination identifier.

tracker Tracker ID.

sentbyte The number of sent bytes related to the log message.

rcvdbyte The number of received bytes related to the log message.

Page 224
20487
Message ID: 020487
Message Description: antispam endpoint filter (mm7 warning)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): endpointfilter
Level/Severity: warning

Log field Meaning

type utm

subtype spam

eventtype endpointfilter

level warning

date The date at which the log was recorded.

time The time at which the log was recorded.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

service The service where the event or activity occurred.

profile The name of the profile that was used to detect and take action.

Page 225
profiletype The type of profile responsible for the UTM action taken.

status The status of the email message. One of: exempted, blocked, or detected.

from Source identifier.

to Destination identifier.

tracker Tracker ID.

sentbyte The number of sent bytes related to the log message.

rcvdbyte The number of received bytes related to the log message.

agent Agent.

Page 226
20488
Message ID: 020488
Message Description: antispam endpoint filter (mm7 notice)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): endpointfilter
Level/Severity: notice

Log field Meaning

type utm

subtype spam

eventtype endpointfilter

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

service The service where the event or activity occurred.

profile The name of the profile that was used to detect and take action.

Page 227
profiletype The type of profile responsible for the UTM action taken.

status The status of the email message. One of: exempted, blocked, or detected.

from Source identifier.

to Destination identifier.

tracker Tracker ID.

sentbyte The number of sent bytes related to the log message.

rcvdbyte The number of received bytes related to the log message.

agent Agent.

Page 228
20489
Message ID: 020489
Message Description: antispam endpoint filter (mm1 warning)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): endpointfilter
Level/Severity: warning

Log field Meaning

type utm

subtype spam

eventtype endpointfilter

level warning

date The date at which the log was recorded.

time The time at which the log was recorded.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

service The service where the event or activity occurred.

profile The name of the profile that was used to detect and take action.

Page 229
profiletype The type of profile responsible for the UTM action taken.

status The status of the email message. One of: exempted, blocked, or detected.

from Source identifier.

to Destination identifier.

tracker Tracker ID.

sentbyte The number of sent bytes related to the log message.

rcvdbyte The number of received bytes related to the log message.

direction The direction of the message. Either tx or rx.

agent Agent.

Page 230
20490
Message ID: 020490
Message Description: antispam endpoint filter (mm1 notice)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): endpointfilter
Level/Severity: notice

Log field Meaning

type utm

subtype spam

eventtype endpointfilter

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

service The service where the event or activity occurred.

profile The name of the profile that was used to detect and take action.

Page 231
profiletype The type of profile responsible for the UTM action taken.

status The status of the email message. One of: exempted, blocked, or detected.

from Source identifier.

to Destination identifier.

tracker Tracker ID.

sentbyte The number of sent bytes related to the log message.

rcvdbyte The number of received bytes related to the log message.

direction The direction of the message. Either tx or rx.

agent Agent.

Page 232
20491
Message ID: 020491
Message Description: antispam imap banned-word (notice)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): imap
Level/Severity: notice

Log field Meaning

type utm

subtype spam

eventtype imap

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

service The service where the event or activity occurred.

profile The name of the profile that was used to detect and take action.

Page 233
profiletype The type of profile responsible for the UTM action taken.

status The status of the email message. One of: exempted, blocked, or detected.

from Source identifier.

to Destination identifier.

tracker Tracker ID.

sentbyte The number of sent bytes related to the log message.

rcvdbyte The number of received bytes related to the log message.

banword Banned word flagged in the message.

subject Subject.

Page 234
20492
Message ID: 020492
Message Description: antispam MM1 flood detection (warning)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): mms
Level/Severity: warning

Log field Meaning

type utm

subtype spam

eventtype mms

level warning

date The date at which the log was recorded.

time The time at which the log was recorded.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

service The service where the event or activity occurred.

profile The name of the profile that was used to detect and take action.

Page 235
profiletype The type of profile responsible for the UTM action taken.

status The status of the email message. One of: exempted, blocked, or detected.

from Source identifier.

to Destination identifier.

tracker Tracker ID.

sentbyte The number of sent bytes related to the log message.

rcvdbyte The number of received bytes related to the log message.

direction The direction of the message. Either tx or rx.

agent Agent.

Page 236
20493
Message ID: 020493
Message Description: antispam MM1 flood detection (notice)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): mms
Level/Severity: notice

Log field Meaning

type utm

subtype spam

eventtype mms

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

service The service where the event or activity occurred.

profile The name of the profile that was used to detect and take action.

Page 237
profiletype The type of profile responsible for the UTM action taken.

status The status of the email message. One of: exempted, blocked, or detected.

from Source identifier.

to Destination identifier.

tracker Tracker ID.

sentbyte The number of sent bytes related to the log message.

rcvdbyte The number of received bytes related to the log message.

direction The direction of the message. Either tx or rx.

agent Agent.

Page 238
20494
Message ID: 020494
Message Description: antispam MM4 flood detection (warning)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): mms
Level/Severity: warning

Log field Meaning

type utm

subtype spam

eventtype mms

level warning

date The date at which the log was recorded.

time The time at which the log was recorded.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

service The service where the event or activity occurred.

profile The name of the profile that was used to detect and take action.

Page 239
profiletype The type of profile responsible for the UTM action taken.

status The status of the email message. One of: exempted, blocked, or detected.

from Source identifier.

to Destination identifier.

tracker Tracker ID.

sentbyte The number of sent bytes related to the log message.

rcvdbyte The number of received bytes related to the log message.

Page 240
20495
Message ID: 020495
Message Description: antispam MM4 flood detection (notice)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): mms
Level/Severity: notice

Log field Meaning

type utm

subtype spam

eventtype mms

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

service The service where the event or activity occurred.

profile The name of the profile that was used to detect and take action.

Page 241
profiletype The type of profile responsible for the UTM action taken.

status The status of the email message. One of: exempted, blocked, or detected.

from Source identifier.

to Destination identifier.

tracker Tracker ID.

sentbyte The number of sent bytes related to the log message.

rcvdbyte The number of received bytes related to the log message.

Page 242
20496
Message ID: 020496
Message Description: antispam MM1 duplicate detection (warning)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): mms
Level/Severity: warning

Log field Meaning

type utm

subtype spam

eventtype mms

level warning

date The date at which the log was recorded.

time The time at which the log was recorded.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

service The service where the event or activity occurred.

profile The name of the profile that was used to detect and take action.

Page 243
profiletype The type of profile responsible for the UTM action taken.

status The status of the email message. One of: exempted, blocked, or detected.

from Source identifier.

to Destination identifier.

tracker Tracker ID.

sentbyte The number of sent bytes related to the log message.

rcvdbyte The number of received bytes related to the log message.

direction The direction of the traffic: incoming, outgoing, or N/A.

agent Agent.

Page 244
20497
Message ID: 020497
Message Description: antispam MM1 duplicate detection (notice)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): mms
Level/Severity: notice

Log field Meaning

type utm

subtype spam

eventtype mms

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

service The service where the event or activity occurred.

profile The name of the profile that was used to detect and take action.

Page 245
profiletype The type of profile responsible for the UTM action taken.

status The status of the email message. One of: exempted, blocked, or detected.

from Source identifier.

to Destination identifier.

tracker Tracker ID.

sentbyte The number of sent bytes related to the log message.

rcvdbyte The number of received bytes related to the log message.

direction The direction of the traffic: incoming, outgoing, or N/A.

agent Agent.

Page 246
20498
Message ID: 020498
Message Description: antispam MM4 duplicate detection (warning)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): mms
Level/Severity: warning

Log field Meaning

type utm

subtype spam

eventtype mms

level warning

date The date at which the log was recorded.

time The time at which the log was recorded.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

service The service where the event or activity occurred.

profile The name of the profile that was used to detect and take action.

Page 247
profiletype The type of profile responsible for the UTM action taken.

status The status of the email message. One of: exempted, blocked, or detected.

from Source identifier.

to Destination identifier.

tracker Tracker ID.

sentbyte The number of sent bytes related to the log message.

rcvdbyte The number of received bytes related to the log message.

Page 248
20499
Message ID: 020499
Message Description: antispam MM4 duplicate detection (notice)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): mms
Level/Severity: notice

Log field Meaning

type utm

subtype spam

eventtype mms

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

service The service where the event or activity occurred.

profile The name of the profile that was used to detect and take action.

Page 249
profiletype The type of profile responsible for the UTM action taken.

status The status of the email message. One of: exempted, blocked, or detected.

from Source identifier.

to Destination identifier.

tracker Tracker ID.

sentbyte The number of sent bytes related to the log message.

rcvdbyte The number of received bytes related to the log message.

Page 250
20500
Message ID: 020500
Message Description: antispam msn hotmail (notice)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): msn
Level/Severity: information

Log field Meaning

type utm

subtype spam

eventtype msn

level information

date The date at which the log was recorded.

time The time at which the log was recorded.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

service The service where the event or activity occurred.

profile The name of the profile that was used to detect and take action.

Page 251
profiletype The type of profile responsible for the UTM action taken.

status The status of the email message. One of: exempted, blocked, or detected.

from Source identifier.

to Destination identifier.

tracker Tracker ID.

sentbyte The number of sent bytes related to the log message.

rcvdbyte The number of received bytes related to the log message.

subject Subject.

size The size of the message/attachments.

cc Alternate destination addresses.

attachment Email attachment.

Page 252
20501
Message ID: 020501
Message Description: antispam yahoo mail (notice)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): yahoo
Level/Severity: information

Log field Meaning

type utm

subtype spam

eventtype yahoo

level information

date The date at which the log was recorded.

time The time at which the log was recorded.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

service The service where the event or activity occurred.

profile The name of the profile that was used to detect and take action.

Page 253
profiletype The type of profile responsible for the UTM action taken.

status The status of the email message. One of: exempted, blocked, or detected.

from Source identifier.

to Destination identifier.

tracker Tracker ID.

sentbyte The number of sent bytes related to the log message.

rcvdbyte The number of received bytes related to the log message.

subject Subject.

size The size of the message/attachments.

cc Alternate destination addresses.

attachment Email attachment.

Page 254
20502
Message ID: 020502
Message Description: antispam gmail (notice)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): google
Level/Severity: information

Log field Meaning

type utm

subtype spam

eventtype google

level information

date The date at which the log was recorded.

time The time at which the log was recorded.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

service The service where the event or activity occurred.

profile The name of the profile that was used to detect and take action.

Page 255
profiletype The type of profile responsible for the UTM action taken.

status The status of the email message. One of: exempted, blocked, or detected.

from Source identifier.

to Destination identifier.

tracker Tracker ID.

sentbyte The number of sent bytes related to the log message.

rcvdbyte The number of received bytes related to the log message.

subject Subject.

size The size of the message/attachments.

cc Alternate destination addresses.

attachment Email attachment.

Page 256
20503
Message ID: 020503
Message Description: antispam smtp general (info)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): smtp
Level/Severity: information

Log field Meaning

type utm

subtype spam

eventtype smtp

level information

date The date at which the log was recorded.

time The time at which the log was recorded.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

service The service where the event or activity occurred.

profile The name of the profile that was used to detect and take action.

Page 257
profiletype The type of profile responsible for the UTM action taken.

status The status of the email message. One of: exempted, blocked, or detected.

from Source identifier.

to Destination identifier.

tracker Tracker ID.

sentbyte The number of sent bytes related to the log message.

rcvdbyte The number of received bytes related to the log message.

banword Banned word flagged in the message.

subject Subject.

size The size of the message/attachments.

cc Alternate destination addresses.

attachment Email attachment.

Page 258
20504
Message ID: 020504
Message Description: antispam pop3 general (info)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): pop3
Level/Severity: information

Log field Meaning

type utm

subtype spam

eventtype pop3

level information

date The date at which the log was recorded.

time The time at which the log was recorded.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

service The service where the event or activity occurred.

profile The name of the profile that was used to detect and take action.

Page 259
profiletype The type of profile responsible for the UTM action taken.

status The status of the email message. One of: exempted, blocked, or detected.

from Source identifier.

to Destination identifier.

tracker Tracker ID.

sentbyte The number of sent bytes related to the log message.

rcvdbyte The number of received bytes related to the log message.

banword Banned word flagged in the message.

subject Subject.

size The size of the message/attachments.

cc Alternate destination addresses.

attachment Email attachment.

Page 260
20505
Message ID: 020505
Message Description: antispam imap general (info)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): imap
Level/Severity: information

Log field Meaning

type utm

subtype spam

eventtype imap

level information

date The date at which the log was recorded.

time The time at which the log was recorded.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

service The service where the event or activity occurred.

profile The name of the profile that was used to detect and take action.

Page 261
profiletype The type of profile responsible for the UTM action taken.

status The status of the email message. One of: exempted, blocked, or detected.

from Source identifier.

to Destination identifier.

tracker Tracker ID.

sentbyte The number of sent bytes related to the log message.

rcvdbyte The number of received bytes related to the log message.

banword Banned word flagged in the message.

subject Subject.

size The size of the message/attachments.

cc Alternate destination addresses.

attachment Email attachment.

Page 262
20506
Message ID: 020506
Message Description: antispam mapi (warning)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): mapi
Level/Severity: information

Log field Meaning

type utm

subtype spam

eventtype mapi

level information

date The date at which the log was recorded.

time The time at which the log was recorded.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

service The service where the event or activity occurred.

profile The name of the profile that was used to detect and take action.

Page 263
profiletype The type of profile responsible for the UTM action taken.

status The status of the email message. One of: exempted, blocked, or detected.

from Source identifier.

to Destination identifier.

tracker Tracker ID.

sentbyte The number of sent bytes related to the log message.

rcvdbyte The number of received bytes related to the log message.

subject Subject.

size The size of the message/attachments.

Page 264
20507
Message ID: 020507
Message Description: antispam mapi (warning)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): mapi
Level/Severity: notice

Log field Meaning

type utm

subtype spam

eventtype mapi

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

service The service where the event or activity occurred.

profile The name of the profile that was used to detect and take action.

Page 265
profiletype The type of profile responsible for the UTM action taken.

status The status of the email message. One of: exempted, blocked, or detected.

from Source identifier.

to Destination identifier.

tracker Tracker ID.

sentbyte The number of sent bytes related to the log message.

rcvdbyte The number of received bytes related to the log message.

banword Banned word flagged in the message.

Page 266
20508
Message ID: 020508
Message Description: antispam mapi (warning)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): mapi
Level/Severity: notice

Log field Meaning

type utm

subtype spam

eventtype mapi

level notice

date The date at which the log was recorded.

time The time at which the log was recorded.

policyid The ID number of the firewall policy that applies to the session or packet.

custom Custom field.

indentidx The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid Session ID.

user User name.

group The group name.

srcname The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname Name of the device's OS.

osversion Version number (if available) of the device's OS.

unauthuser Unauthenticated user name.

unauthusersource Method used to detect username.

vd The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip The source IP.

srcport The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip The destination IP.

dstport The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf The destination interface.

service The service where the event or activity occurred.

profile The name of the profile that was used to detect and take action.

Page 267
profiletype The type of profile responsible for the UTM action taken.

status The status of the email message. One of: exempted, blocked, or detected.

from Source identifier.

to Destination identifier.

tracker Tracker ID.

sentbyte The number of sent bytes related to the log message.

rcvdbyte The number of received bytes related to the log message.

subject Subject.

size The size of the message/attachments.

Page 268
Addendum: Variable Event Logs

All logs below are in the category: Event.

These log messages were not documented in the previous versions of the 5.0 Log Message
Reference due to their variable structure not fitting the format. They will be documented here
instead. This issue is specific to 5.0, and future versions of the LMR will not require an
addendum.
The Format column lists the log fields present in that log message. [s] represents a string of text
or characters. [n] represents a number or value.

ID Severity Subtype Macro Format Description

20001 information system LOG_ID_CLIENT_ client [s] is disassociated paed log

DISASSOCIATED

20002 notice system LOG_ID_DOMAIN_ user=system ui=system The domain name in alert
UNRESOLVABLE action=[s] status=failure e-mail.s sender is not
msg="Can't resolve the IP resolvable
address of [s]"

20003 notice system LOG_ID_MAIL_SENT_FAIL user=system ui=system The alert e-mail send failed
action=alert-email
status=failure count=[n]
msg="Failed to send alert
email from [s] to ([s])"

20004 unknown system LOG_ID_POLICY_TOO_BIG user="[s]" ui=[s] Policy is too big

status=failure msg="Policy
[n] is too big for system, it's
installed partially."

20005 information system LOG_ID_PPP_LINK_UP msg="modem: PPP link is modemd log

up"

20006 information system LOG_ID_PPP_LINK_DOWN msg="modem: PPP link is modemd log

down"

20007 critical system 20007 service=kernel Socket is exhausted

status=failure proto=[n]
src=[n].[n].[n].[n] src_
port=[n] nat=[n].[n].[n].[n]
dst=[n].[n].[n].[n] dst_
port=[n] msg="NAT port is
exhausted."

20011 information system LOG_ID_CLIENT_NEW_ Accepted association from paed log

ASSOCIATION [s]

20012 information system LOG_ID_CLIENT_WPA_1X Client [s] does 1X paed log

20013 information system LOG_ID_CLIENT_WPA_SSN Client [s] does WPA paed log

Page 594
ID Severity Subtype Macro Format Description

20014 warning system LOG_ID_TEST user="admin" test

action="login"
status="success"
msg="user admin logged
into the fw - [n]"

20015 information system LOG_ID_IEEE802_NEW_ action=authentication wpad log

STATION status=start msg="Client
does 801.1x"

20016 information system LOG_ID_MODEM_EXCEED_ msg="modem: Redial limit modemd log

REDIAL_COUNT exceeded... giving up"

20017 information system LOG_ID_MODEM_FAIL_TO_ msg="modem: unable to modemd log

OPEN open modem device -
check hardware"

20018 critical system LOG_ID_GW_GRP_STATE_ interface="[s]" gw_ Gateway group state is

CHANGED group=[n] status=[s] gw_ changed
status=[s] msg="The status
of [s] for gateway group [n]
is [s]"

20019 critical system LOG_ID_ROUTE_INFO_ interface="[s]" status=[s] Routing information is changed

CHANGED msg="[s]" because the gateway is
up/down

20021 information system LOG_ID_MAIL_RESENT user=system ui=system The alert e-mail resend
action=alert-email
status=success count=[n]
msg="Resending alert
e-mail with [n] pending
alert(s) from [s] to ([s])"

20025 notice system LOG_ID_REPORTD_ msg="Report generation Reporting Complete

REPORT_SUCCESS succeeded for layout:[s]."
file="[s]" filesize=[n]
datarange="[s]"
reporttype="[s]"
processtime=[n]

20026 error system LOG_ID_REPORTD_ msg="[s]" Reporting Failure

REPORT_FAILURE

20027 warning system LOG_ID_REPORT_DEL_OLD_ msg="Delete old report db Delete old report db records
REC records" datarange="[s]"

20031 critical system LOG_ID_RAD_OUT_OF_MEM msg="Interface [s] Out of ravdv_iface_set_config() finds a

memory in [s]:[s]:[n]" pointer pointing to a wrong
address

20032 critical system LOG_ID_RAD_NOT_FOUND msg="Interface [s] not ravdv_iface_same_config()

found in [s]:[s]:[n]" cannot find the corresponding
interface by name

20033 information system LOG_ID_RAD_MOBILE_IPV6 msg="using Mobile IPv6 An interface uses Mobile IPv6
extensions" extensions

Page 595
ID Severity Subtype Macro Format Description

20034 critical system LOG_ID_RAD_IPV6_OUT_ msg="MinRtrAdvInterval for MinRtrAdvInterval using Mobile

OF_RANGE [s] must be between [n] and Ipv6 extension is out of range
[n]"

20035 critical system LOG_ID_RAD_MIN_OUT_OF_ msg="MinRtrAdvInterval MinRtrAdvInterval is out of

RANGE must be between [n] and [n] range
for [s]"

20036 critical system LOG_ID_RAD_MAX_OUT_ msg="MaxRtrAdvInterval MaxRtrAdvInterval using

OF_RANGE for [s] must be between [n] Mobile Ipv6 extension is out of
and [n]" range

20037 critical system LOG_ID_RAD_MAX_ADV_ msg="MaxRtrAdvInterval MaxRtrAdvInterval is out of

OUT_OF_RANGE must be between [n] and [n] range
for [s]"

20038 critical system LOG_ID_RAD_MTU_OUT_ msg="AdvLinkMTU must AdvLinkMTU is out of range

OF_RANGE be zero or between [n] and
[n] for [s]"

20039 critical system LOG_ID_RAD_MTU_TOO_ msg="AdvLinkMTU must AdvLinkMTU is too small

SMALL be zero or greater than [n]
for [s]"

20040 critical system LOG_ID_RAD_TIME_TOO_ msg="AdvReachableTime AdvReachableTimeis too small

SMALL must be less than [n] for [s]"

20041 critical system LOG_ID_RAD_HOP_OUT_ msg="AdvCurHopLimit AdvCurHopLimit in Router

OF_RANGE must not be greater than [n] Advertisement packet is too
for [s]" big

20042 critical system LOG_ID_RAD_DFT_HOP_ msg="AdvDefaultLifetime AdvCurHopLimit in Router

OUT_OF_RANGE for [s] must be zero or Advertisement packet is out of
between [n] and [n]" range

20043 critical system LOG_ID_RAD_AGENT_OUT_ msg="HomeAgentLifetime HomeAgentLifetime in Router

OF_RANGE must be between [n] and [n] Advertisement packet is out of
for [s]" range

20044 critical system LOG_ID_RAD_AGENT_FLAG_ msg="AdvHomeAgentFlag AdvHomeAgentFlag

NOT_SET must be set with HomeAgentLifetime in Router
HomeAgentInfo" Advertisement packet must be
set with HomeAgentInfo

20045 critical system LOG_ID_RAD_PREFIX_TOO_ msg="invalid prefix length prefix length is too long
LONG for [s]"

20046 critical system LOG_ID_RAD_PREF_TIME_ msg="AdvValidLifetime AdvValidLifetime is less than

TOO_SMALL must be greater than AdvPreferredLifetime
AdvPreferredLifetime for
[s]"

20047 critical system LOG_ID_RAD_FAIL_IPV6_ msg="can't create IPv6 router advertisement

SOCKET socket(AF_INET6): [s]" daemon (radvd) failed to create
an IPv6 socket

20048 critical system LOG_ID_RAD_FAIL_OPT_ msg="setsockopt(IPV6_ Radvd failed to set IPV6_

IPV6_PKTINFO PKTINFO): [s]" PKTINFO option

Page 596
ID Severity Subtype Macro Format Description

20049 critical system LOG_ID_RAD_FAIL_OPT_ msg="setsockopt(IPV6_ Radvd failed to set IPV6_

IPV6_CHECKSUM CHECKSUM): [s]" CHECKSUM option

20050 critical system LOG_ID_RAD_FAIL_OPT_ msg="setsockopt(IPV6_ Radvd failed to set IPV6_

IPV6_UNICAST_HOPS UNICAST_HOPS): [s]" UNICAST_HOPS option

20051 critical system LOG_ID_RAD_FAIL_OPT_ msg="setsockopt(IPV6_ Radvd failed to set IPV6_

IPV6_MULTICAST_HOPS MULTICAST_HOPS): [s]" MULTICAST_HOPS option

20052 critical system LOG_ID_RAD_FAIL_OPT_ msg="setsockopt(IPV6_ Radvd failed to set IPV6_

IPV6_HOPLIMIT HOPLIMIT): [s]" HOPLIMIT option

20053 critical system LOG_ID_RAD_FAIL_OPT_ msg="setsockopt(ICMPV6_ Radvd failed to set ICMPV6_

IPPROTO_ICMPV6 FILTER): [s]" FILTER option

20054 information system LOG_ID_RAD_EXIT_BY_ msg="radvd receive radvd has received a signal,
SIGNAL signal=[n]" and is going to exit

20055 critical system LOG_ID_RAD_FAIL_CMDB_ msg="Can not create query Radvd cannot create query to
QUERY to interface at [s]:[s]:[n]!" interface by using cmf_query_
create()

20056 critical system LOG_ID_RAD_FAIL_CMDB_ msg="Internal error in cmf_ Radvd occurs an internal error
FOR_EACH query_for_each()!" when it uses cmf_query_for_
each()

20057 critical system LOG_ID_RAD_FAIL_FIND_ msg="Interface [s]:[n] not Radvd failed to find a virtual
VIRT_INTF found in the list!" interface by interface index

20058 information system LOG_ID_RAD_UNLOAD_INTF msg="Interface [s]:[n] Radvd reloads a specific

unloaded!" interface

20059 warning system LOG_ID_RAD_NO_PKT_INFO msg="received packet with Radvd received a packet with
no pkt_info!" no pkt_info

20060 warning system LOG_ID_RAD_INV_ICMPV6_ msg="received icmpv6 Radvd received an icmpv6

LEN packet with invalid length: packet with invalid length
[n]"

20061 critical system LOG_ID_RAD_INV_ICMPV6_ msg="icmpv6 filter failed" Radvd received an unwanted
TYPE type of icmpv6 packet

20062 warning system LOG_ID_RAD_INV_ICMPV6_ msg="received icmpv6 RA Radvd received icmpv6 RA

RA_LEN packet with invalid length: packet with invalid length
[n]"

20063 warning system LOG_ID_RAD_ICMPV6_NO_ msg="received icmpv6 RA Radvd received icmpv6 RA

SRC_ADDR packet with non-linklocal packet with non-linklocal
source address" source address

20064 warning system LOG_ID_RAD_INV_ICMPV6_ msg="received icmpv6 RS Radvd received icmpv6 RS

RS_LEN packet with invalid length: packet with invalid length
[n]"

20065 warning system LOG_ID_RAD_INV_ICMPV6_ msg="received icmpv6 Radvd received icmpv6 RS/RA
CODE RS/RA packet with invalid packet with invalid code
code: [n]"

Page 597
ID Severity Subtype Macro Format Description

20066 warning system LOG_ID_RAD_INV_ICMPV6_ msg="received RS or RA Radvd received icmpv6 RS/RA

HOP with invalid hoplimit [n] from packet with wrong hoplimit
[s]"

20067 warning system LOG_ID_RAD_MISMATCH_ msg="our AdvCurHopLimit AdvCurHopLimit on our

HOP on [s] doesn't agree with interface does not agree with a
[s]" remote site

20068 warning system LOG_ID_RAD_MISMATCH_ msg="our AdvManagedFlag on our

MGR_FLAG AdvManagedFlag on [s] interface does not agree with a
doesn't agree with [s]" remote site

20069 warning system LOG_ID_RAD_MISMATCH_ msg="our AdvOtherConfigFlag on our

OTH_FLAG AdvOtherConfigFlag on [s] interface does not agree with a
doesn't agree with [s]" remote site

20070 warning system LOG_ID_RAD_MISMATCH_ msg="our AdvReachableTime on our

TIME AdvReachableTime on [s] interface does not agree with a
doesn't agree with [s]" remote site

20071 warning system LOG_ID_RAD_MISMATCH_ msg="our AdvRetransTimer AdvRetransTimer on our

TIMER on [s] doesn't agree with interface does not agree with a
[s]" remote site

20072 critical system LOG_ID_RAD_EXTRA_DATA msg="trailing garbage in Radvd finds extra data in RA
RA on [s] from [s]" packet

20073 critical system LOG_ID_RAD_NO_OPT_DATA msg="zero length option in Radvd finds a RA packet with
RA on [s] from [s]" no option data

20074 critical system LOG_ID_RAD_INV_OPT_LEN msg="option length greater option length is greater than
than total length in RA on total length in RA packet
[s] from [s]"

20075 warning system LOG_ID_RAD_MISMATCH_ msg="our AdvLinkMTU on AdvLinkMTU on our interface

MTU [s] doesn't agree with [s]" does not agree with a remote
site

20077 warning system LOG_ID_RAD_MISMATCH_ msg="our AdvPreferredLifetime on our

PREF_TIME AdvPreferredLifetime on [s] interface does not agree with a
for [s] doesn't agree with remote site
[s]"

20078 critical system LOG_ID_RAD_INV_OPT msg="invalid option [n] in Radvd finds an invalid option in
RA on [s] from [s]" RA packet from a remote site

20079 information system LOG_ID_RAD_READY msg="radvd started" Radvd daemon is ready to

serve

20080 critical system LOG_ID_RAD_FAIL_TO_RCV msg="recvmsg: [s]" Recvmsg() in radvd failed

20081 critical system LOG_ID_RAD_INV_HOP msg="received a bogus Radvd received a packet with a
IPV6_HOPLIMIT from the wrong IPV6_HOPLIMIT
kernel! len=[n], data=[n]"

20082 critical system LOG_ID_RAD_INV_PKTINFO msg="received a bogus Radvd received a packet with a
IPV6_PKTINFO from the wrong IPV6_PKTINFO
kernel! len=[n], index=[n]"

Page 598
ID Severity Subtype Macro Format Description

20083 warning system LOG_ID_RAD_FAIL_TO_ msg="problem checking Radvd failed to check whether
CHECK all-routers membership on we've joined the all-routers
[s]" multicast group

20084 warning system LOG_ID_RAD_FAIL_TO_ msg="sendmsg: [s]" sendmsg () in radvd failed

SEND

20085 information system 20085 status="clash" proto=[n] session clash

msg="session clash"[s]

20086 unknown system 20086 msg="==[s] xh0(sp_[n], xh0 crashed

fmc[n]) crashed, master is
fmc[n]=="

20090 notice | system LOG_ID_INTF_LINK_STA_ intf=[s] status=[s] Interface link status changed
information CHG msg="interface [s] link
status is [s]"

20101 warning system LOG_ID_WEB_LIC_EXPIRE msg="FortiGuard web FortiGuard web filtering license
filtering license will expire in expiring
[n] day(s)"

20102 warning system LOG_ID_SPAM_LIC_EXPIRE msg="FortiGuard FortiGuard anti-spam license

anti-spam license will expiring
expire in [n] day(s)"

20103 warning system LOG_ID_AV_LIC_EXPIRE msg="FortiGuard AV FortiGuard AV update license

update license will expire in expiring
[n] day(s)"

20104 warning system LOG_ID_IPS_LIC_EXPIRE msg="FortiGuard IPS FortiGuard IPS update license
update license will expire in expiring
[n] day(s)"

20105 warning system LOG_ID_LOG_UPLOAD_SKIP ui=[s] action=upload Log uploading

error="Daily volume
exceeded" msg="Log
upload to FortiCloud
skipped (Daily volume
exceeded)."

20107 warning system LOG_ID_LOG_UPLOAD_ERR action=upload error="[s]" uploading error

user="[s]" server=[s]
port=[n] msg="Log upload
to [s] error on vdom [s]"

20108 notice system LOG_ID_LOG_UPLOAD_ action=upload upload status

DONE status=completed
user="[s]" server=[s]
port=[n] msg="Log upload
to [s] completed on vdom
[s]"

20110 notice system LOG_ID_HPAPI_ESPD_ msg="hp_api: Connection hp_api log

START to ESPd has been
initialized"

20111 warning system LOG_ID_HPAPI_ESPD_ msg="hp_api: Connection hp_api log

RESET to ESPd has been reset,
exiting"

Page 599
ID Severity Subtype Macro Format Description

20113 error system LOG_ID_IPSA_DOWNLOAD_ msg="Fail to download IPSA error

FAIL IPSA DB!"

20114 error system LOG_ID_IPSA_SELFTEST_ msg="IPSA self test failed, IPSA error
FAIL disable IPSA!"

20115 error system LOG_ID_IPSA_STATUSUPD_ msg="Fail to update IPSA IPSA error

FAIL driver status!"

20200 notice system LOG_ID_FIPS_SELF_TEST user="[s]" ui=[s] running self-test

action=self-test
msg="Administrator [s]
initiates the [s] self-test
from [s]"

20201 notice system LOG_ID_FIPS_SELF_ALL_ user="[s]" ui=[s] running self-test

TEST action=self-test
msg="Administrator [s]
initiates all self-tests from
[s]"

20202 warning system LOG_ID_DISK_FORMAT_ msg="Partitioning or Error in partitioning or

ERROR formatting error ([s], [s]) formatting
partition=[n] format=[n]
label=[s]"

20203 information system LOG_ID_DAEMON_ action=daemon-shutdown daemon shutdown

SHUTDOWN daemon=[s] pid=[n]
msg="[s] shut down"

20204 information system LOG_ID_DAEMON_START action=daemon-startup daemon started

daemon=[s] pid=[n]
msg="[s] has started"

20205 critical system LOG_ID_DISK_FORMAT_REQ user="[s]" ui=[s] format disk

action=format-disk
msg="User [s] requested to
format [s] disk from [s]"

20206 warning system LOG_ID_DISK_SCAN_REQ user="[s]" ui=[s] scan disk

action=scan-disk
msg="User [s] requested to
scan [s] disk from [s]"

20300 unknown system LOG_ID_BGP_NB_STAT_CHG msg="BGP: bgp neighbor status change

%%BGP-5-ADJCHANGE:
neighbor [s] [s] [s]"

22000 warning system LOG_ID_INV_PKT_LEN msg="Packet length does Packet length does not match
not match that specified in that specified in the request
the request header." header.

22001 warning system LOG_ID_UNSUPPORTED_ msg="Protocol version-[n] Unsupported protocol version

PROT_VER is not supported"

22002 warning system LOG_ID_INV_REQ_TYPE msg="Request type [n] is Other request than http, https,
not supported." ftp, mail and av is not
supported

Page 600
ID Severity Subtype Macro Format Description

22003 warning system LOG_ID_FAIL_SET_SIG_ sigaction([n])failed: [s] failed to set up a signal handler
HANDLER

22004 warning system LOG_ID_FAIL_CREATE_ Socket() failed: [s] failed to create a socket
SOCKET

22005 warning system LOG_ID_FAIL_CREATE_ failed to create a [s]/udp failed to create a udp socket to
SOCKET_RETRY socket to receive URL receive URL request
request: [s]

22006 warning system LOG_ID_FAIL_REG_CMDB_ msg="Failed to register for Failed to register for cmdb
EVENT cmdb events." events

22009 warning system LOG_ID_FAIL_FIND_AV_ name=[s] status=failure failed to find av profile by ID

PROFILE msg="failed to find its AV
protection profile"

22010 error system LOG_ID_SENDTO_FAIL process="[s]" reason="[s]" safe_sendto() failed

msg="failed to send urlfilter
packet"

22011 unknown system 22011 service=kernel Kernel enters conserve mode

conserve=on free="[n]
pages" red="[n] pages"
msg="Kernel enters
conserve mode"

22012 unknown system 22012 service=kernel Kernel leaves conserve mode

conserve=exit free="[n]
pages" green="[n] pages"
msg="Kernel leaves
conserve mode"

22013 alert system 22013 action=pba-block-exhaust Alert ippool pba block exhaust
saddr=[n].[n].[n].[n]
poolname="[s]" msg="Pba
ippool port-block has been
exhausted"

22014 alert | system 22014 action=pba-natip-exhaust Alert ippool pba natip exhaust
notice saddr=[n].[n].[n].[n]
poolname="[s]" msg="Pba
ippool natip has been
exhausted"

22015 notice system LOG_ID_EXCEED_VD_RES_ service=kernel msg="[s] Exceed vdom resource limit
LIMIT vdom([n]) limit. count=[n]
limit=[n]"

22016 notice system 22016 action=pba-close Deallocate ippool pba

saddr=[n].[n].[n].[n]
nat=[n].[n].[n].[n]
portbegin=[n] portend=[n]
poolname="[s]"
duration=[n] msg="Pba
ippool close"

22020 warning system LOG_ID_FAIL_CREATE_HA_ msg="Socket() failed: [s]" Failed to create a ha_socket
SOCKET

Page 601
ID Severity Subtype Macro Format Description

22021 warning system LOG_ID_FAIL_CREATE_HA_ msg="Failed to create a Failed to create a udp socket
SOCKET_RETRY udp socket to relay URL to relay URL requests
requests: [s]"

22100 warning system LOG_ID_QUAR_DROP_ count=[n] duration=[n] Quarantine dropped transfer

TRAN_JOB limit=[n] used=[n] fams_ jobs
pause=[n] action=transfer
status=drop reason=[s]
msg="In the past [n]
seconds, [n] files were
dropped by quard."

22101 warning system LOG_ID_QUAR_DROP_TLL_ count=[n] action=transfer Quarantine dropped transfer

JOB status=drop jobs
reason=poor-network-cond
ition msg="[n] files were
dropped by quard to [s]: [n]
reached max retries, [n]
reached TTL."

22102 critical system LOG_ID_LOG_DISK_FAILURE msg="Log disk failure is Erroneous SMART status
imminent, logs should be
backed up"

22104 critical system 22104 action=power-supply-monit Power supply restore

or status=restore unit=[s]
msg="Power supply [s]
restore"

22105 critical system LOG_ID_POWER_FAILURE action=power-supply-monit Power supply failure

or status=failure unit=[s]
msg="Power supply [s] [s]"

22106 warning | system LOG_ID_POWER_ action=ipmc-sensor-monito IPMC sensor failure

information OPTIONAL_NOT_DETECTED r status=failure msg="[s]"

22107 warning system LOG_ID_VOLT_ANOM action=ipmc-sensor-monito IPMC sensor failure

r status=failure msg="[s]"

22108 warning system LOG_ID_FAN_ANOM action=ipmc-sensor-monito IPMC sensor failure

r status=failure msg="[s]"

22110 critical system LOG_ID_SPARE_BLOCK_ msg="Available spare Available spare blocks is low
LOW blocks of boot device are
getting low (remaining [n])."

22200 warning system LOG_ID_AUTO_UPT_CERT user=system Certificate will be auto-update

action=certificate-update
status=warning cert=[s]
msg="CA certificate [s] will
auto-update in [n] days."

22201 warning system LOG_ID_AUTO_GEN_CERT user=system Certificate will be

action=certificate-regenerat auto-regenerate
e status=warning cert=[s]
msg="Local certificate [s]
will auto-regenerate in [n]
days."

Page 602
ID Severity Subtype Macro Format Description

22202 error system LOG_ID_AUTO_UPT_CERT_ user=system Certificate failed to

FAIL action=certificate-update auto-update
status=failure cert=[s]
msg="[s]"

22203 error system LOG_ID_AUTO_GEN_CERT_ user=system Certificate failed to

FAIL action=certificate-regenerat auto-regenerate
e status=failure cert=[s]
msg="[s]"

22700 critical system LOG_ID_IPS_FAIL_OPEN msg="IPS session scan IPS fail open
resumed, exit fail open
mode."

22800 critical system LOG_ID_SCAN_SERV_FAIL service=[s] mode=[s] Scan services session fail
msg="The system has [s] mode
session fail mode"

22801 critical system LOG_ID_SCAN_LEAVE_ service=[s] conserve=exit Scan services exited conserve
CONSERVE_MODE total=[n] free=[n] mode
entermargin=[n]
exitmargin=[n] msg="The
system exited conserve
mode"

22802 critical system LOG_ID_SYS_ENTER_ service=[s] sysconserve=on System services entered

CONSERVE_MODE total=[n] free=[n] conserve mode
entermargin=[n]
exitmargin=[n] msg="The
system has entered system
conserve mode"

22803 critical system LOG_ID_SYS_LEAVE_ service=[s] System exited conserve mode

CONSERVE_MODE sysconserve=exit total=[n]
free=[n] entermargin=[n]
exitmargin=[n] msg="The
system exited system
conserve mode"

22804 critical system LOG_ID_LIC_STATUS_CHG service=license status=[s] License Status Change

msg="License status
changed to [s]"

22805 warning system LOG_ID_FAIL_TO_VALIDATE_ service=license License Status Warning

LIC status=warning
msg="License could not be
validated for over 4 hours"

22806 warning system LOG_ID_DUP_LIC service=license License Status Duplicate

status=warning Warning
msg="Detected duplicate
license in use"

22810 critical system LOG_ID_SCAN_ENTER_ service=[s] conserve=on Scan services entered

CONSERVE_MODE total=[n] free=[n] conserve mode
entermargin=[n]
exitmargin=[n] msg="The
system has entered
conserve mode"

Page 603
ID Severity Subtype Macro Format Description

22900 notice system LOG_ID_CAPUTP_SESSION msg="[s]" action=[s] caputp-session

src=[n].[n].[n].[n]

22901 notice system LOG_ID_FAZ_CON action=connect FortiAnalyzer Connection

status=success
msg="Connected to
FortiAnalyzer [s]"

22902 notice system LOG_ID_FAZ_DISCON action=disconnect FortiAnalyzer Disconnection

status=success
reason="[s]"
msg="Disconnected from
FortiAnalyzer [s]"

22903 critical system LOG_ID_FAZ_CON_ERR action=connect FortiAnalyzer Connection

status=failure reason="[s]"
msg="Failed to connect
FortiAnalyzer [s]"

22910 notice system LOG_ID_EVENT_SLA_ [s]="[n]" [s]="[s]" [s]="ping" SLA Probe information
PROBE_PING [s]="[s]" msg="SLA Probe
event: change state from [s]
to [s]"

22911 notice system LOG_ID_EVENT_SLA_ [s]="[n]" [s]="[s]" [s]="[s]" SLA Probe information
PROBE_HTTPGET [s]="http-get" [s]="[s]"
msg="SLA Probe event:
change state from [s] to [s]"

22916 notice system LOG_ID_FDS_STATUS status=[s] msg="FortiGuard FortiGuard Message Service

Message Service server is status
[s]"

22917 notice system LOG_ID_FDS_SMS_QUOTA user=system msg="SMS SMS quota used up

quota is used up."

23101 unknown vpn LOG_ID_IPSEC_TUNNEL_UP action=[s] tunnel_id=[n] VPN event log message
[s]tunneltype=[s] remote_
ip=[s] tunnel_ip=[s]
user="[s]" group="[s]"
[s][s][s][s]msg="[s] [s]"

23102 unknown vpn LOG_ID_IPSEC_TUNNEL_ action=[s] tunnel_id=[n] VPN event log message
DOWN [s]tunneltype=[s] remote_
ip=[s] tunnel_ip=[s]
user="[s]" group="[s]"
[s][s][s][s]msg="[s] [s]"

23103 unknown vpn LOG_ID_IPSEC_TUNNEL_ action=[s] tunnel_id=[n] VPN event log message
STAT [s]tunneltype=[s] remote_
ip=[s] tunnel_ip=[s]
user="[s]" group="[s]"
[s][s][s][s]msg="[s] [s]"

26001 information router LOG_ID_DHCP_MSG interface="[s]" dhcp_ DHCP request and response
| unknown msg="[s]" dir=[s] log
mac=[s]:[s]:[s]:[s]:[s]:[s]
ip=[n].[n].[n].[n] lease=[n]
hostname="[s]" msg="[s]"

Page 604
ID Severity Subtype Macro Format Description

26002 error router LOG_ID_DHCP_NO_SHARE_ interface="[s]" No shared No shared network found

NET network for network [s] ([s])

26003 information router LOG_ID_DHCP_STAT interface="[s]" total=[n] DHCP Statistics

used=[n] msg="[s]"

26004 error router LOG_ID_DHCP_MULT_SUB_ interface="[s]" Address Address range spans multiple
NET range [s] to [s], netmask [s] subnets
spans [s]!

26005 error router LOG_ID_DHCP_INV_ADDR_ interface="[s]" Address Address range doesn't belong
RANGE range [s] to [s] not on net to the net
[s]/[s]!

29001 unknown router LOG_ID_PPPD_MSG user="[s]" Pppd log message

local=[n].[n].[n].[n]
remote=[n].[n].[n].[n]
assigned=[n].[n].[n].[n]
stat="[s]" msg="[s]"

29002 notice | router LOG_ID_PPPD_AUTH_SUC user="[s]" PPPD authentication success

debug local=[n].[n].[n].[n] log message
remote=[n].[n].[n].[n]
assigned=[n].[n].[n].[n]
action=auth_success
msg="User '[s]' using [s]
with authentication protocol
[s], [s]"

29003 notice router LOG_ID_PPPD_AUTH_FAIL local=[n].[n].[n].[n] PPPD authentication failure log

remote=[n].[n].[n].[n] message
assigned=[n].[n].[n].[n]
action=auth_failed msg="[s]
is trying to connect using [s]
with authentication protocol
[s], failed"

29009 notice router LOG_ID_PPPOE_STATUS_ gateway=[n].[n].[n].[n] PPPoE status report

REPORT assigned=[n].[n].[n].[n]
msg="PPPoE status report"

29011 error router LOG_ID_PPPD_FAIL_TO_ Can't execute [s]: [s] pppd cannot execute a
EXEC program

29012 unknown router LOG_ID_PPP_OPT_ERR [s] ppp has received wrong

options

29013 notice router LOG_ID_PPPD_START msg="pppd is started" pppd is started

29014 information router LOG_ID_PPPD_EXIT msg="pppd is exiting" pppd is exiting

29015 error router LOG_ID_PPP_RCV_BAD_ Peer IP is the same as an ppp has received bad options
PEER_IP interface IP[s].
IP([n].[n].[n].[n])

29016 error router LOG_ID_PPP_RCV_BAD_ Local IP is the same as an ppp has received bad options
LOCAL_IP interface IP[s].
IP([n].[n].[n].[n])

Page 605
ID Severity Subtype Macro Format Description

29017 unknown router LOG_ID_PPP_OPT_NOTIF [s] ppp has received wrong

options

29020 notice router LOG_ID_WIRELESS_SET_ wireless set command [s] [s]

FAIL failed

32001 information system LOG_ID_ADMIN_LOGIN_ user="[s]" ui=[s] Admin logged in successfully

SUCC action=login
status=success
reason=none profile="[s]"
msg="Administrator [s]
logged in successfully from
[s]"

32002 alert system LOG_ID_ADMIN_LOGIN_FAIL user=test ui=cli Failed admin login attempt
action=login status=failed
reason=test msg="Alarm
testing"

32003 information system LOG_ID_ADMIN_LOGOUT user="[s]" ui=[s] Admin logged out

action=logout
status=success
duration=[n] [s]reason=[s]
msg="Administrator [s] [s]
[s]"

32004 emergency system LOG_ID_ALARM_TEST_FAIL action=error-mode alarm testing

reason=self-test
msg="Alarm testing"

32005 information system 32005 user="[s]" Admin overrided vdom

action=vdom-override successfully
status=success
reason=none
msg="Administrator [s]
vdom overridden to [s]"

32006 information system LOG_ID_ADMIN_ENTER_ user="[s]" ui=[s] A super admin has entered to
VDOM action=vdom-switch this vdom
reason=none msg="User [s]
has entered the virtual
domain [s]"

32007 information system LOG_ID_ADMIN_LEFT_VDOM user="[s]" ui=[s] A super admin has left the
action=vdom-switch current vdom
reason=none msg="User [s]
has left the virtual domain
[s]"

32008 warning system LOG_ID_VIEW_LOG_FAIL user="[s]" ui=[s] msg="User Failed to view log
[s] failed to access the [s]
logs from [s]"

32009 information system LOG_ID_SYSTEM_START msg="Fortigate started[s]" System started

32010 emergency system LOG_ID_DISK_LOG_FULL msg="[s] is [n]% Log full

| full.System will stop [s]
information logging."
| unknown

Page 606
ID Severity Subtype Macro Format Description

32011 notice system LOG_ID_LOG_ROLL action=roll-log Log rotation

reason=file-size log=[s]
msg="Disk log has rolled."

32012 information system LOG_ID_FIPS_LEAVE_ERR_ action=exit-error-mode CC exiting error mode

MOD msg="System exiting out of
error mode."

32014 warning system LOG_ID_CS_LIC_EXPIRE msg="FortiGuard customer FortiGuard customer support

support license will expire license expiring
in [n] day(s)"

32015 warning system LOG_ID_DISK_LOG_USAGE msg="Log disk is [n]% full" Log full

32018 emergency system LOG_ID_FIPS_ENTER_ERR_ action=error-mode FIPS error mode

MOD reason=[s] msg="System
enters error-mode due to
[s]"

32020 warning system LOG_ID_SSH_CORRPUT_ ui=https msg="Corrupted Corrupted MAC detected

MAC MAC packet detected"

32021 alert system LOG_ID_ADMIN_LOGIN_ ui=[s] action=login Admin login disabled

DISABLE status=failed
reason=exceed_limit
msg="Login disabled from
IP [s] for [n] seconds
because of [n] bad
attempts"

32022 notice system LOG_ID_VDOM_ENABLED user="[s]" ui=[s] msg="User vdom enabled

[s] enabled virtual domain
[s] from [s]"

32023 warning | system LOG_ID_MEM_LOG_FULL msg="Memory log is [n]% Log full

information full"

32024 notice system LOG_ID_ADMIN_PASSWD_ user="[s]" Admin password expiry

EXPIRE action=admin-password
status=expired
msg="Password of
administrator [s] has
expired."

32026 critical system LOG_ID_STORE_CONF_FAIL Cannot store config due to Cannot store config due to first
first line error: require first line error
line in file [s] from process
[n]

32027 notice system LOG_ID_VIEW_LOG_SUCC user="[s]" ui=[s] log=[s] User displayed disk logs
msg="User [s] has viewed
the disk logs from [s]"

32028 information system LOG_ID_LOG_DEL_DIR msg="System deleted Log full

directory [s]."

32029 information system LOG_ID_LOG_DEL_FILE action=delete Log deleted

msg="System deleted log
file [s]"

Page 607
ID Severity Subtype Macro Format Description

32030 notice system LOG_ID_SEND_FDS_STAT user="[s]" ui=[s] send fds stats

action=send-fds-stats
msg="User [s] requested to
send FDS statistics from
[s]"

32035 notice system LOG_ID_VDOM_DISABLED user="[s]" ui=[s] msg="User vdom disabled

[s] disabled virtual domain
[s] from [s]"

32045 warning system LOG_ID_MGR_LIC_EXPIRE msg="FortiGuard FortiGuard management

management service service license expiring
license will expire in [n]
day(s)"

32048 warning system LOG_ID_SCHEDULE_EXPIRE msg="onetime schedule [s] onetime schedule expiring
will expire in [n] day(s)"

32051 notice system LOG_ID_LOG_UPLOAD ui=[s] action=upload Log uploading

status=start msg="Start
uploading disk logs to [s]
from vdom [s]."

32086 warning system LOG_ID_ENTER_ user=[s] ui=lcd action=[s] System has been changed to
TRANSPARENT status=success transparent mode LCD via LCD
msg="System has been
changed to transparent
mode LCD via LCD"

32087 warning system LOG_ID_ENTER_NAT user=[s] ui=lcd action=[s] System has been changed to
status=success NAT mode LCD via LCD
msg="System has been
changed to NAT mode LCD
via LCD"

32095 warning system LOG_ID_GUI_CHG_SUB_ user="[s]" ui=[s] action=[s] A user has performed an action
MODULE status=[s] msg="[s] by user to the firewall via GUI. The
[s] via [s]" action can be one of the
followings: reboot, shutdown,
reload, backup, factory_reset,
restore, upgrade,switch_mode,
download, upload, clear_mlog,
del_log, update, downgrade,
del_session, bootup

32096 warning system LOG_ID_GUI_DOWNLOAD_ user="[s]" ui=[s] action=[s] A user has downloaded a
LOG status=[s] hash=[s] file=[s] logging file from the firewall via
msg="[s] by user [s] via [s]" GUI

32100 warning system LOG_ID_FORTI_TOKEN_ user="[s]" action=token_ FortiToken synchronization

SYNC sync msg="User [s]
synchronized his/her
FortiToken"

32101 notice system LOG_ID_LCD_CHG_CONF user="[s]" ui=[s] msg="[s] Administrator has changed
by [s]" configuration from LCD

Page 608
ID Severity Subtype Macro Format Description

32102 unknown system LOG_ID_CHG_CONFIG user="[s]" ui=[s] A user has changed the
module="[s]" configuration
submodule="[s]" msg="[s]
made a change from [s]:[s]"

32103 notice system LOG_ID_NEW_FIRMWARE user=system New firmware is available from

action=firmware FortiGuard
status=new msg="New
firmware is available from
FortiGuard"

32120 notice system LOG_ID_RPT_ADD_DATASET user="[s]" ui=[s] name="[s]" Report Dataset is added
msg="User [s] added a
report dataset [s] from [s]"

32122 notice system LOG_ID_RPT_DEL_DATASET user="[s]" ui=[s] name="[s]" A report dataset is deleted
msg="User [s] delete a
report dataset [s] from [s]"

32123 notice system LOG_ID_RPT_ADD_LAYOUT_ user="[s]" ui=[s] name="[n]" Report Summary entries is
ITEM msg="User [s] added a added
report summary entry [n]
from [s]"

32124 notice system LOG_ID_RPT_DEL_LAYOUT_ user="[s]" ui=[s] name="[n]" A report summary entries is
ITEM msg="User [s] delete a deleted
report summary entry [n]
from [s]"

32125 notice system LOG_ID_RPT_ADD_CHART user="[s]" ui=[s] name="[s]" Report Chart widget is added
msg="User [s] added a
report chart widget [s] from
[s]"

32126 notice system LOG_ID_RPT_DEL_CHART user="[s]" ui=[s] name="[s]" A report chart widget is deleted
msg="User [s] delete a
report chart widget [s] from
[s]"

32129 notice system LOG_ID_ADD_GUEST user="[s]" ui=[s] name="[s]" A new guest user is added
status=[s] msg="User [s]
added guest user [s] from
[s]"

32130 notice system LOG_ID_CHG_USER user="[s]" ui=[s] name="[s]" A local user's setting is
old_status=[s] new_ changed
status=[s] passwd=[s]
msg="User [s] changed
local user [s] setting from
[s]"

32131 notice system LOG_ID_DEL_GUEST user="[s]" ui=[s] name="[s]" A guest user is deleted
status=[s] msg="User [s]
deleted guest user [s] from
[s]"

32132 notice system LOG_ID_ADD_USER user="[s]" ui=[s] name="[s]" A new local user is added
status=[s] msg="User [s]
added local user [s] from
[s]"

Page 609
ID Severity Subtype Macro Format Description

32138 critical system LOG_ID_REBOOT device is rebooted

32139 critical | system LOG_ID_UPD_SIGN_DB user="[s]" ui=[s] Update src-vis object.

warning | action=update msg="User
notice [s] requested a geoip object
update from [s]"

32140 notice system 32140 user="[s]" ui=[s] ntp server status change
field=date-time msg="The
[s] ntp server, [s]([s]), is
determined [s] at [s]"

32142 alert | error system LOG_ID_BACKUP_CONF action=backup backup configuration

| warning | status=success
notice msg="Configuration
backed up to flash disk
after system upgrading"

32143 critical system 32143 user="[s]" ui="[s]" update image

action=update-image
msg="User [s] loaded a
wrong layout image from
[s]."

32148 notice system LOG_ID_GET_CRL user="[s]" ui=[s] get CRL

action=crl-update crl=[s]
msg="User [s] requested a
CRL update from [s]"

32149 notice system LOG_ID_COMMAND_FAIL user="[s]" ui=[s] ret=[n] command failure

msg="Command failed:'[s]'
Return code [n]: [s]"

32151 notice system LOG_ID_ADD_IP6_LOCAL_ [s] A new ipv6 firewall local in

POL policy is added

32152 notice system LOG_ID_CHG_IP6_LOCAL_ [s] A ipv6 firewall local in policy's

POL setting is changed

32153 notice system LOG_ID_DEL_IP6_LOCAL_ [s] A ipv6 firewall local in policy is

POL deleted

32155 notice system LOG_ID_ACT_FTOKEN_REQ user="[s]" ui=[s] Activate FortiToken

action=fortitoken-activate
serialno=[s] msg="User [s]
has requested to activate
FortiToken [s]."

32156 notice system LOG_ID_ACT_FTOKEN_ action=fortitoken-activate Activate FortiToken

SUCC serialno=[s] status=success
msg="Activation of
FortiToken [s] succeeded."

32157 notice system LOG_ID_SYNC_FTOKEN_ user="[s]" ui=[s] Synchronize FortiToken

SUCC action=fortitoken-synchroni
ze serialno=[s]
status=success
msg="Administrator [s]
resynchronized FortiToken
[s] successfully."

Page 610
ID Severity Subtype Macro Format Description

32158 notice system LOG_ID_SYNC_FTOKEN_ user="[s]" ui=[s] Synchronize FortiToken

FAIL action=fortitoken-synchroni
ze serialno=[s] status=failed
msg="Administrator [s]
failed to resynchronize
FortiToken [s], because [s]."

32159 notice system LOG_ID_ACT_FTOKEN_FAIL action=fortitoken-activate Activate FortiToken

serialno=[s] status=failed
msg="Activation of
FortiToken [s] failed,
because [s]."

32168 notice system LOG_ID_REACH_VDOM_ user="[s]" ui=[s] adding new entry failed
LIMIT msg="Adding new entry
failed: vdom property limit
has been reached when
user [s] adds [s].[s] from [s]"

32170 alert system LOG_ID_ALARM_MSG action=alarm alarmid=[n] alarm

groupid=[n] msg="[s]"

32171 alert system LOG_ID_ALARM_ACK user="[s]" ui=[s] alarm ack

action=alarm-ack
alarmid=[n] acktime="[s]"
msg="[s]"

32172 notice system LOG_ID_ADD_IP4_LOCAL_ [s] A new firewall local in policy is

POL added

32173 notice system LOG_ID_CHG_IP4_LOCAL_ [s] A firewall local in policy's

POL setting is changed

32174 notice system LOG_ID_DEL_IP4_LOCAL_ [s] A firewall local in policy is

POL deleted

32188 warning system LOG_ID_SSL_PROXY_CA_ msg="SSL Proxy CA [s]

INIT_FAIL initialization failed"

32200 critical system LOG_ID_SHUTDOWN user="[s]" ui=[s] shutdown device

action=shutdown
msg="User [s] shutdown
the device from [s].[s]"

32201 critical system LOG_ID_LOAD_IMG_SUCC user="[s]" ui=[s] loaded an image

action=loaded-image
msg="User [s] loaded the
image from [s], the new
image does not support CC
mode."

32202 critical system LOG_ID_RESTORE_IMG user="[s]" ui=[s] restore the image

action=restore-image
msg="User [s] restored the
image from [s] ([s],build[s]
-> [s],build[s])"

Page 611
ID Severity Subtype Macro Format Description

32203 critical | system LOG_ID_RESTORE_CONF user="[s]" ui=[s] restore the configuration

warning | action=restore-configuratio
notice n msg="User [s] restored
the configuration from [s]"

32204 critical | system LOG_ID_RESTORE_FGD_ user="[s]" ui=[s] action=[s] restore the fortiguard service
notice SVR msg="User [s] restored [s]
file from [s]"

32205 critical | system LOG_ID_RESTORE_VDOM_ user="[s]" ui=[s] action=[s] restore VM license

notice LIC msg="User [s] restored [s]
file from [s]"

32206 warning system LOG_ID_RESTORE_SCRIPT user="system" restore script

action=restore-script
msg="System restored
script [s] from management
station"

32207 warning system LOG_ID_RETRIEVE_CONF_ user="[s]" ui=[s] retrieve configuration list failure
LIST action=retrieve-[s]
msg="User [s] failed to
retrieve the [s] list from
management station"

32208 critical system LOG_ID_IMP_PKCS12_CERT user="[s]" ui=[s] import the pkcs12 certificate
action=import-certificate
msg="User [s] imported the
certificate from [s]"

32209 critical | system LOG_ID_RESTORE_USR_ user="[s]" ui=[s] restore the user-defined IPS
notice DEF_IPS action=restore-ips-signatur signatures
e status=success
msg="Administrator [s]
restored the user-defined
IPS signatures from [s]"

32210 notice system LOG_ID_BACKUP_IMG user="[s]" ui=[s] backup image

action=backup
status=success
msg="Firmware image
backed up to flash disk for
system [s]"

32211 notice system LOG_ID_UPLOAD_REVISION user="[s]" ui=[s] upload revision

action=upload
status=success msg="User
[s] upload the [s] from [s] to
flash disk"

32212 notice system LOG_ID_DEL_REVISION action=delete revision DB deletion

status=success
msg="[s]:[n] has been
deleted from revision data
base"

Page 612
ID Severity Subtype Macro Format Description

32213 warning system LOG_ID_RESTORE_ user="system" restore template

TEMPLATE action=restore-cfg
msg="System restored [s]
file [s] from management
station"

32214 warning system LOG_ID_RESTORE_FILE user="system" restore failure

action=restore-[s]
msg="System failed to
restore [s] file [s] from
management station"

32215 critical system LOG_ID_UPT_IMG user="[s]" ui="[s]" update image

action=update-image
msg="User [s] loaded a
wrong image from [s]."

32217 warning | system LOG_ID_UPD_IPS user="[s]" ui="[s]" An user has updated the IPS
notice action=update msg="User package by SCP
[s] has updated IPS
package by SCP"

32218 warning system LOG_ID_UPD_DLP user="[s]" An user failed to update the

ui="Fortimanager" DLP fingerprint database by
action=update msg="User SCP
[s] failed to update DLP
fingerprint database by
SCP"

32219 warning system LOG_ID_BACKUP_OUTPUT user="[s]" ui="[s]" An user has backed up the
action=backup msg="User result of standardized error
[s] backed up the result of output by SCP
batch mode commands by
SCP"

32220 warning system LOG_ID_BACKUP_ user="[s]" ui="[s]" An user has backed up the
COMMAND action=backup msg="User result of batch mode
[s] backed up the result of commands by SCP
batch mode commands by
SCP"

32221 warning system LOG_ID_UPD_VDOM_LIC user="[s]" ui="[s]" An user has installed the VM
action=update msg="User license by SCP
[s] has installed VM license
by SCP"

32222 notice system LOG_ID_GLB_SETTING_CHG user="[s]" ui=[s] global setting change

field=virtual-domain
action=[s] msg="User [s]
changed global setting from
[s]"

32223 error | system LOG_ID_BACKUP_USER_ user="[s]" ui=[s] backup the user-defined IPS
notice DEF_IPS action=backup signatures failure
status=failure
msg="Administrator [s]
failed to back up the
user-defined IPS signatures
from [s]"

Page 613
ID Severity Subtype Macro Format Description

32224 notice system LOG_ID_BACKUP_LOG user="[s]" ui=[s] backup log

action=backup msg="User
[s] backed up [s] log from
[s]"

32225 notice system LOG_ID_DEL_ALL_REVISION action=delete revision DB clearance

status=success
msg="[s]:revision data base
corruption detected, reset."

32226 critical system LOG_ID_LOAD_IMG_FAIL user="[s]" ui=[s] loaded an image

action=loaded-image
status=failure msg="User
[s] loaded a wrong image
from [s]."

32240 critical system LOG_ID_SYS_USB_MODE action=reboot System is operating in USB

status=success mode
msg="System is rebooted
and operating in USB mode
with configurations loaded
from USB (read-only)"

32252 critical system LOG_ID_FACTORY_RESET user="[s]" ui=[s] factory reset

action=factory-reset
msg="User [s] reset to the
factory settings from [s]"

32253 critical system LOG_ID_FORMAT_RAID user="[s]" ui=[s] config raid

action=format-rebuild-level
msg="User [s] formatted
the RAID disk from [s]"

32254 critical system LOG_ID_ENABLE_RAID user="[s]" ui=[s] config raid

action=enable-raid
msg="User [s] enabled
RAID from [s]"

32255 critical system LOG_ID_DISABLE_RAID user="[s]" ui=[s] config raid

action=disable-raid
msg="User [s] disabled
RAID from [s]"

32300 notice system LOG_ID_UPLOAD_RPT_IMG user="[s]" ui=[s] status=[s] upload the report image file
action=upload-report-imag
e reason="[s]" msg="User
'[s]' [s] upload the report
image file '[s]' from [s]([s])"

32301 notice system LOG_ID_ADD_VDOM user="[s]" ui=[s] Vdom is added

action=add-vdom
msg="Virtual domain [s] is
added"

32302 notice system LOG_ID_DEL_VDOM user="[s]" ui=[s] Vdom is deleted

action=del-vdom
msg="Virtual domain [s] is
deleted"

Page 614
ID Severity Subtype Macro Format Description

32340 critical system LOG_ID_LOG_DISK_UNAVAIL msg="Log disk is Log disk is unavailable

unavailable"

32341 notice system LOG_ID_LOG_DISK_ msg="Disk log status disk log status changed
DEFAULT_DISABLED changed to disabled in
upgrade process."

32400 alert system LOG_ID_CONF_CHG user="[s]" ui=[s] config changed

msg="Configuration is
changed in the admin
session"

32545 critical system LOG_ID_SYS_RESTART user=none ui=none System restart

action=reboot
msg="System will reboot
due to scheduled daily
restart."

32546 warning system LOG_ID_APPLICATION_ action=crash msg="Pid: [s], Application crash

CRASH application: [s], Firmware:
[s], Signal [n] received,
Backtrace:[s]"

35001 notice system LOG_ID_HA_SYNC_VIRDB msg="HA slave sync HA slave sync virdb
virdb([s]) [s]"

35002 notice system LOG_ID_HA_SYNC_ETDB msg="HA slave sync HA slave sync etdb
etdb([s]) [s]"

35003 notice system LOG_ID_HA_SYNC_EXDB msg="HA slave sync HA slave sync exdb
exdb([s]) [s]"

35004 notice system LOG_ID_HA_SYNC_FLDB msg="HA slave sync HA slave sync fldb
fldb([s]) [s]"

35005 notice system LOG_ID_HA_SYNC_IPS msg="HA slave sync ids([s]) HA slave sync ids package
package [s]"

35007 notice system LOG_ID_HA_SYNC_AV msg="HA slave sync AV([s]) HA slave sync AV package
package [s]"

35008 notice system LOG_ID_HA_SYNC_VCM msg="HA slave sync HA slave sync VCM package
VCM([s]) package [s]"

35009 notice system LOG_ID_HA_SYNC_CID msg="HA slave sync HA slave sync CID package
CID([s]) package [s]"

35010 error system LOG_ID_HA_SYNC_FAIL msg="HA slave sync failed HA slave sync failed
in [n] turns"

36880 warning system LOG_ID_EVENT_SYSTEM_ msg="Number of detected user device data store limit
MAC_HOST_STORE_LIMIT user devices exceeds limit
that can be persistently
stored. Detected [n]; can
save [n]."

Page 615
ID Severity Subtype Macro Format Description

37124 error vpn MESGID_NEG_I_P1_ERROR msg="IPsec phase 1 error" IPsec phase 1 error log
action=[s] remip=[s]
locip=[s] remport=[n]
locport=[n] outintf=[s]
cookies="[s]" user="[s]"
group="[s]" xauthuser="[s]"
xauthgroup="[s]"
vpntunnel="[s]" status=[s]
error_reason="[s]" peer_
notif="[s]"

37125 error vpn MESGID_NEG_I_P2_ERROR msg="IPsec phase 2 error" IPsec phase 2 error log
action=[s] remip=[s]
locip=[s] remport=[n]
locport=[n] outintf=[s]
cookies="[s]" user="[s]"
group="[s]" xauthuser="[s]"
xauthgroup="[s]"
vpntunnel="[s]" status=[s]
error_reason="[s]"

37126 error vpn MESGID_NEG_NO_STATE_ msg="IPsec no state error" IPsec no state error log
ERROR action=[s] remip=[s]
locip=[s] remport=[n]
locport=[n] outintf=[s]
cookies="[s]" user="[s]"
group="[s]" xauthuser="[s]"
xauthgroup="[s]"
vpntunnel="[s]" status=[s]
error_reason="[s]"

37133 notice vpn MESGID_INSTALL_SA msg="install IPsec SA" install IPsec SA log
action=[s] remip=[s]
locip=[s] remport=[n]
locport=[n] outintf=[s]
cookies="[s]" user="[s]"
group="[s]" xauthuser="[s]"
xauthgroup="[s]"
vpntunnel="[s]" role=[s] in_
spi="[s]" out_spi="[s]"

37134 notice vpn MESGID_DELETE_P1_SA msg="delete IPsec phase 1 delete IPsec phase 1 SA log
SA" action=[s] remip=[s]
locip=[s] remport=[n]
locport=[n] outintf=[s]
cookies="[s]" user="[s]"
group="[s]" xauthuser="[s]"
xauthgroup="[s]"
vpntunnel="[s]"

37135 notice vpn MESGID_DELETE_P2_SA msg="delete IPsec phase 2 delete IPsec phase 2 SA log
SA" action=[s] remip=[s]
locip=[s] remport=[n]
locport=[n] outintf=[s]
cookies="[s]" user="[s]"
group="[s]" xauthuser="[s]"
xauthgroup="[s]"
vpntunnel="[s]" enc_
spi="[s]" dec_spi="[s]"

Page 616
ID Severity Subtype Macro Format Description

37136 error vpn MESGID_DPD_FAILURE msg="IPsec DPD failure" IPsec DPD failure log
action=[s] remip=[s]
locip=[s] remport=[n]
locport=[n] outintf=[s]
cookies="[s]" user="[s]"
group="[s]" xauthuser="[s]"
xauthgroup="[s]"
vpntunnel="[s]" status=[s]

37137 error vpn MESGID_CONN_FAILURE msg="IPsec connection IPsec connection failure log
failure" action=[s] remip=[s]
locip=[s] remport=[n]
locport=[n] outintf=[s]
cookies="[s]" user="[s]"
group="[s]" xauthuser="[s]"
xauthgroup="[s]"
vpntunnel="[s]" status=[s]

37138 notice vpn MESGID_CONN_UPDOWN msg="IPsec connection IPsec connection status

status change" action=[s] change log
remip=[s] locip=[s]
remport=[n] locport=[n]
outintf=[s] cookies="[s]"
user="[s]" group="[s]"
xauthuser="[s]"
xauthgroup="[s]"
vpntunnel="[s]" tunnelip=[s]
tunnelid=[n]
tunneltype="ipsec"
duration=[n] sent=[n]
rcvd=[n] nextstat=[n]
tunnel="[s]"

37139 notice vpn MESGID_P2_UPDOWN msg="IPsec phase 2 status IPsec phase 2 status change
change" action=[s] log
remip=[s] locip=[s]
remport=[n] locport=[n]
outintf=[s] cookies="[s]"
user="[s]" group="[s]"
xauthuser="[s]"
xauthgroup="[s]"
vpntunnel="[s]" phase2_
name=[s]

37140 notice vpn MESGID_AUTO_IPSEC msg="auto-ipsec status auto-ipsec status log

change" action=[s]
remip=[s] locip=[s]
remport=[n] locport=[n]
outintf=[s] cookies="[s]"
user="[s]" group="[s]"
xauthuser="[s]"
xauthgroup="[s]"
vpntunnel="[s]" status=[s]
reason="[s]"

Page 617
ID Severity Subtype Macro Format Description

37141 notice vpn MESGID_CONN_STATS msg="IPsec tunnel IPsec tunnel statistics log
statistics" action=[s]
remip=[s] locip=[s]
remport=[n] locport=[n]
outintf=[s] cookies="[s]"
user="[s]" group="[s]"
xauthuser="[s]"
xauthgroup="[s]"
vpntunnel="[s]" tunnelip=[s]
tunnelid=[n]
tunneltype="[s]"
duration=[n] sent=[n]
rcvd=[n] nextstat=[n]
tunnel="[s]"

37188 error vpn MESGID_NEG_I_P1_ERROR_ msg="IPsec phase 1 error" IPsec phase 1 error log
IKEV2 action=[s] remip=[s]
locip=[s] remport=[n]
locport=[n] outintf=[s]
cookies="[s]" user="[s]"
group="[s]" vpntunnel="[s]"
status=[s] error_
reason="[s]"

37189 error vpn MESGID_NEG_I_P2_ERROR_ msg="IPsec phase 2 error" IPsec phase 2 error log
IKEV2 action=[s] remip=[s]
locip=[s] remport=[n]
locport=[n] outintf=[s]
cookies="[s]" user="[s]"
group="[s]" vpntunnel="[s]"
status=[s] error_
reason="[s]"

37190 error vpn MESGID_NEG_NO_STATE_ msg="IPsec no state error" IPsec no state error log
ERROR_IKEV2 action=[s] remip=[s]
locip=[s] remport=[n]
locport=[n] outintf=[s]
cookies="[s]" user="[s]"
group="[s]" vpntunnel="[s]"
status=[s] error_
reason="[s]"

37197 notice vpn MESGID_INSTALL_SA_IKEV2 msg="install IPsec SA" install IPsec SA log
action=[s] remip=[s]
locip=[s] remport=[n]
locport=[n] outintf=[s]
cookies="[s]" user="[s]"
group="[s]" vpntunnel="[s]"
role=[s] in_spi="[s]" out_
spi="[s]"

37198 notice vpn MESGID_DELETE_P1_SA_ msg="delete IPsec phase 1 delete IPsec phase 1 SA log
IKEV2 SA" action=[s] remip=[s]
locip=[s] remport=[n]
locport=[n] outintf=[s]
cookies="[s]" user="[s]"
group="[s]" vpntunnel="[s]"

Page 618
ID Severity Subtype Macro Format Description

37199 notice vpn MESGID_DELETE_P2_SA_ msg="delete IPsec phase 2 delete IPsec phase 2 SA log
IKEV2 SA" action=[s] remip=[s]
locip=[s] remport=[n]
locport=[n] outintf=[s]
cookies="[s]" user="[s]"
group="[s]" vpntunnel="[s]"
enc_spi="[s]" dec_spi="[s]"

37200 error vpn MESGID_DPD_FAILURE_ msg="IPsec DPD failure" IPsec DPD failure log
IKEV2 action=[s] remip=[s]
locip=[s] remport=[n]
locport=[n] outintf=[s]
cookies="[s]" user="[s]"
group="[s]" vpntunnel="[s]"
status=[s]

37201 error vpn MESGID_CONN_FAILURE_ msg="IPsec connection IPsec connection failure log
IKEV2 failure" action=[s] remip=[s]
locip=[s] remport=[n]
locport=[n] outintf=[s]
cookies="[s]" user="[s]"
group="[s]" vpntunnel="[s]"
status=[s]

37202 notice vpn MESGID_CONN_UPDOWN_ msg="IPsec connection IPsec connection status

IKEV2 status change" action=[s] change log
remip=[s] locip=[s]
remport=[n] locport=[n]
outintf=[s] cookies="[s]"
user="[s]" group="[s]"
vpntunnel="[s]" tunnelip=[s]
tunnelid=[n]
tunneltype="ipsec"
duration=[n] sent=[n]
rcvd=[n] nextstat=[n]
tunnel="[s]"

37203 notice vpn MESGID_P2_UPDOWN_ msg="IPsec phase 2 status IPsec phase 2 status change
IKEV2 change" action=[s] log
remip=[s] locip=[s]
remport=[n] locport=[n]
outintf=[s] cookies="[s]"
user="[s]" group="[s]"
vpntunnel="[s]" phase2_
name="[s]"

37204 notice vpn MESGID_CONN_STATS_ msg="IPsec tunnel IPsec tunnel statistics log
IKEV2 statistics" action=[s]
remip=[s] locip=[s]
remport=[n] locport=[n]
outintf=[s] cookies="[s]"
user="[s]" group="[s]"
vpntunnel="[s]" tunnelip=[s]
tunnelid=[n]
tunneltype="[s]"
duration=[n] sent=[n]
rcvd=[n] nextstat=[n]
tunnel="[s]"

Page 619
ID Severity Subtype Macro Format Description

37888 notice system MESGID_HA_GROUP_ msg="HA group is deleted" HA group delete log
DELETE ha_group=[n]

37889 notice system MESGID_VC_DELETE msg="Virtual cluster is Virtual cluster delete log
deleted" vcluster=[n]

37890 notice system MESGID_VC_MOVE_VDOM msg="Virtual cluster's Virtual cluster move vdom log
vdom is moved" from_
vcluster=[n] to_vcluster=[n]
vdname="[s]"

37891 notice system MESGID_VC_ADD_VDOM msg="Virtual cluster's Virtual cluster add vdom log
vdom is added" to_
vcluster=[n] vdname="[s]"

37892 notice system MESGID_VC_MOVE_MEMB_ Virtual cluster move member

STATE state log

37893 notice system MESGID_VC_DETECT_ msg="Virtual cluster Virtual cluster detect member
MEMB_DEAD detected member dead" dead log
vcluster=[n] ha_group=[n]
sn="[s]"

37894 notice system MESGID_VC_DETECT_ msg="Virtual cluster Virtual cluster detect member
MEMB_JOIN detected member join" join log
vcluster=[n] ha_group=[n]
sn="[s]"

37895 notice system MESGID_VC_ADD_HADEV msg="Virtual cluster add Virtual cluster add HA
HA device" vcluster=[n] device(interface) log
devintfname="[s]"

37896 notice system MESGID_VC_DEL_HADEV msg="Virtual cluster delete Virtual cluster delete HA
HA device(interface)" device(interface) log
vcluster=[n]
devintfname="[s]"

37897 notice system MESGID_HADEV_READY msg="HA device(interface) HA device(interface) ready log

ready" ha_role=[s]
devintfname="[s]"

37898 warning system MESGID_HADEV_FAIL msg="HA device(interface) HA device(interface) fail log

fail" ha_role=[s]
devintfname="[s]"

37899 notice system MESGID_HADEV_PEERINFO msg="HA device(interface) HA device(interface) peerinfo

peerinfo" ha_role=[s] log
devintfname="[s]"

37900 notice system MESGID_HBDEV_DELETE msg="Heartbeat Heartbeat device(interface)

device(interface) delete" delete log
devintfname="[s]"

37901 critical system MESGID_HBDEV_DOWN msg="Heartbeat Heartbeat device(interface)

device(interface) down" ha_ down log
role=[s] hbdn_reason="[s]"
devintfname="[s]"

Page 620
ID Severity Subtype Macro Format Description

37902 information system MESGID_HBDEV_UP msg="Heartbeat Heartbeat device(interface) up

device(interface) up" ha_ log
role=[s] devintfname="[s]"

37903 information system MESGID_SYNC_STATUS msg="The sync status with The sync status with the
the master" sync_type=[s] master log
sync_status="[s]"

37904 information system MESGID_HA_ACTIVITY msg="HA activity report" HA activity report log
ip=[s] ha-prio=[n]
activity="[s]"

38010 alert user LOG_ID_FIPS_ENCRY_FAIL user="[s]" ui=[s] Encryption failed

action=encryption
cipher=aes-128-cbc
status=failed msg="EVP
encryption failed"

38011 alert user LOG_ID_FIPS_DECRY_FAIL user="[s]" ui=[s] Decryption failed

action=decryption
cipher=aes-128-cbc
status=failed msg="EVP
decryption failed"

38012 notice user LOG_ID_ENTROPY_TOKEN user=system Seeding from entropy token

action=seeding
msg="Seeding PRNG from
entropy token"

38031 notice user LOG_ID_FSSO_LOGON user="[s]" src=[n].[n].[n].[n] authentication information

server="[s]"
action=FSSO-polling-logon
status=success
reason="[s]"
msg="FSSO-polling-logon
event from [s]: user [s]
logged on [n].[n].[n].[n]"

38032 notice user LOG_ID_FSSO_LOGOFF user="[s]" src=[n].[n].[n].[n] authentication information

server="[s]"
action=FSSO-polling-logoff
status=success
reason="[s]"
msg="FSSO-polling-logoff
event from [s]: user [s]
logged off [n].[n].[n].[n]"

38033 notice user LOG_ID_FSSO_SVR_STATUS user="[s]" server="[s]" authentication information

action=FSSO-polling-AD-s
erver
msg="FSSO-polling-AD-se
rver status changes: [s] ->
[s]"

Page 621
ID Severity Subtype Macro Format Description

38400 notice system LOGID_EVENT_NOTIF_ user="[s]" from="[s]" The system successfully sent a
SEND_SUCC to="[s]" service="[s]" notification message log
proto=[s] dst=[s] dport=[n]
nf_type=[s] virus="[s]"
profile="[s]"
profiletype="[s]"
profilegroup="[s]" count=[n]
duration=[n]
msg="Successfuly sent a
notification message."

38401 warning system LOGID_EVENT_NOTIF_ user="[s]" from="[s]" The system was unable to
SEND_FAIL to="[s]" service="[s]" send a notification message
proto=[s] dst=[s] dport=[n] log
nf_type=[s] virus="[s]"
profile="[s]"
profiletype="[s]"
profilegroup="[s]" count=[n]
duration=[n] msg="Unable
to send notification
message." sess_
duration=[n]

38402 notice system LOGID_EVENT_NOTIF_DNS_ hostname="[s]" The system was unable to

FAIL service="[s]" profile="[s]" resolve an MMSC hostname
profiletype="[s]" profile_ log
vd="[s]" msg="Unable to
resolve hostname."

38403 notice system LOGID_EVENT_NOTIF_ msg="[s] ([s])" Insufficient resource

INSUFFICIENT_RESOURCE

38404 notice system LOGID_EVENT_NOTIF_ hostname="[s]" msg="[s]" Unable to resolve FortiGuard

HOSTNAME_ERROR hostname

38405 notice system LOGID_NOTIF_CODE_ user="[s]" send activation code

SENDTO_SMS_PHONE action=send-activation-cod
e msg="Send token [s]
activation code [s] to [s]"

38406 notice system LOGID_NOTIF_CODE_ user="[s]" send activation code

SENDTO_SMS_TO action=send-activation-cod
e msg="Send token [s]
activation code [s] to [s]"

38407 notice system LOGID_NOTIF_CODE_ user="[s]" send activation code

SENDTO_EMAIL action=send-activation-cod
e msg="Send token [s]
activation code [s] to [s]"

38408 information system LOGID_EVENT_OFTP_SSL_ dst=[n].[n].[n].[n] dstport=[n] SSL connection established.

CONNECTED action=connect
status=success msg="SSL
connection to [n].[n].[n].[n]
is successfully
established."

Page 622
ID Severity Subtype Macro Format Description

38409 information system LOGID_EVENT_OFTP_SSL_ dst=[n].[n].[n].[n] dstport=[n] SSL connection closed.

DISCONNECTED action=disconnect
status=success msg="SSL
connection to [n].[n].[n].[n]
is successfully closed."

38410 information system LOGID_EVENT_OFTP_SSL_ dst=[n].[n].[n].[n] dstport=[n] SSL connection failure.

FAILED reason="[s]([n])"
action=connect
status=failure msg="SSL
read to [n].[n].[n].[n] has
failed."

38656 notice user LOGID_EVENT_RAD_RPT_ count=[n] duration=[n] RADIUS

PROTO_ERROR msg="[s]" protocol/profile/context error,
missing stop
packet,accounting or other
report log

38657 notice user LOGID_EVENT_RAD_RPT_ count=[n] duration=[n] RADIUS

PROF_NOT_FOUND msg="[s]" protocol/profile/context error,
missing stop
packet,accounting or other
report log

38658 notice user LOGID_EVENT_RAD_RPT_ count=[n] duration=[n] RADIUS

CTX_NOT_FOUND msg="[s]" protocol/profile/context error,
missing stop
packet,accounting or other
report log

38659 notice user LOGID_EVENT_RAD_RPT_ count=[n] duration=[n] RADIUS

ACCT_STOP_MISSED msg="[s]" protocol/profile/context error,
missing stop
packet,accounting or other
report log

38660 notice user LOGID_EVENT_RAD_RPT_ count=[n] duration=[n] RADIUS

ACCT_EVENT msg="[s]" protocol/profile/context error,
missing stop
packet,accounting or other
report log

38661 notice user LOGID_EVENT_RAD_RPT_ count=[n] duration=[n] RADIUS

OTHER msg="[s]" protocol/profile/context error,
missing stop
packet,accounting or other
report log

38662 notice user LOGID_EVENT_RAD_STAT_ carrier_ep="[s]" ip=[s] rsso_ RADIUS protocol errors
PROTO_ERROR key="[s]" msg="[s]" acct_ occurred log
stat=[s] reason="[s]"

38663 notice user LOGID_EVENT_RAD_STAT_ carrier_ep="[s]" ip=[s] rsso_ RADIUS start or interim-update
PROF_NOT_FOUND key="[s]" msg="[s]" acct_ packet receivedwith missing or
stat=[s] reason="[s]" invalid profile specified

38664 notice user LOGID_EVENT_RAD_STAT_ carrier_ep="[s]" ip=[s] rsso_ RADIUS no context found for
CTX_NOT_FOUND key="[s]" msg="[s]" user

Page 623
ID Severity Subtype Macro Format Description

38665 notice user LOGID_EVENT_RAD_STAT_ carrier_ep="[s]" ip=[s] rsso_ RADIUS stop packet was
ACCT_STOP_MISSED key="[s]" msg="[s]" acct_ missed
stat=[s] reason="[s]"

38666 notice user LOGID_EVENT_RAD_STAT_ carrier_ep="[s]" ip=[s] rsso_ RADIUS accounting event
ACCT_EVENT key="[s]" msg="[s]" acct_
stat=[s] reason="[s]"

38667 notice user LOGID_EVENT_RAD_STAT_ carrier_ep="[s]" ip=[s] rsso_ RADIUS other dynamic profile
OTHER key="[s]" msg="[s]" acct_ event
stat=[s] reason="[s]"
count=[n]

39424 unknown vpn LOG_ID_EVENT_SSL_VPN_ action="[s]" SSL user event log

USER_TUNNEL_UP tunneltype="[s]" tunnel_
id=[n] remote_ip=[s] tunnel_
ip=[s] user="[s]" group="[s]"
[s][s][s] reason="[s]"
msg="[s]"

39425 unknown vpn LOG_ID_EVENT_SSL_VPN_ action="[s]" SSL user event log

USER_TUNNEL_DOWN tunneltype="[s]" tunnel_
id=[n] remote_ip=[s] tunnel_
ip=[s] user="[s]" group="[s]"
[s][s][s] reason="[s]"
duration=[n] sent=[n]
rcvd=[n] msg="[s]"

39426 unknown vpn LOG_ID_EVENT_SSL_VPN_ action="[s]" SSL user event log

USER_SSL_LOGIN_FAIL tunneltype="[s]" tunnel_
id=[n] remote_ip=[s] tunnel_
ip=[s] user="[s]" group="[s]"
[s][s][s] reason="[s]"
msg="[s]"

39936 unknown vpn LOG_ID_EVENT_SSL_VPN_ action="[s]" SSL user event log

SESSION_WEB_TUNNEL_ tunneltype="[s]" tunnel_
STATS id=[n] remote_ip=[s] tunnel_
ip=[s] user="[s]" group="[s]"
[s][s][s] next_stats=[n]
duration=[n] sent=[n]
rcvd=[n] msg="[s]"

39937 unknown vpn LOG_ID_EVENT_SSL_VPN_ action="[s]" SSL user event log

SESSION_WEBAPP_DENY tunneltype="[s]" tunnel_
id=[n] remote_ip=[s] tunnel_
ip=[s] user="[s]" group="[s]"
[s][s][s] app-type="[s]"
msg="[s]"

39938 unknown vpn LOG_ID_EVENT_SSL_VPN_ action="[s]" SSL user event log

SESSION_WEBAPP_PASS tunneltype="[s]" tunnel_
id=[n] remote_ip=[s] tunnel_
ip=[s] user="[s]" group="[s]"
[s][s][s] app-type="[s]"
msg="[s]"

Page 624
ID Severity Subtype Macro Format Description

39939 unknown vpn LOG_ID_EVENT_SSL_VPN_ action="[s]" SSL user event log

SESSION_WEBAPP_ tunneltype="[s]" tunnel_
TIMEOUT id=[n] remote_ip=[s] tunnel_
ip=[s] user="[s]" group="[s]"
[s][s][s] app-type="[s]"
msg="[s]"

39940 unknown vpn LOG_ID_EVENT_SSL_VPN_ action="[s]" SSL user event log

SESSION_WEBAPP_CLOSE tunneltype="[s]" tunnel_
id=[n] remote_ip=[s] tunnel_
ip=[s] user="[s]" group="[s]"
[s][s][s] app-type="[s]"
msg="[s]"

39941 unknown vpn LOG_ID_EVENT_SSL_VPN_ action="[s]" SSL user event log

SESSION_SYS_BUSY tunneltype="[s]" tunnel_
id=[n] remote_ip=[s] tunnel_
ip=[s] user="[s]" group="[s]"
[s][s][s] reason="[s]"
msg="[s]"

39942 unknown vpn LOG_ID_EVENT_SSL_VPN_ action="[s]" SSL user event log

SESSION_CERT_OK tunneltype="[s]" tunnel_
id=[n] remote_ip=[s] tunnel_
ip=[s] user="[s]" group="[s]"
[s][s][s] reason="[s]"
msg="[s]"

39943 unknown vpn LOG_ID_EVENT_SSL_VPN_ action="[s]" SSL user event log

SESSION_NEW_CON tunneltype="[s]" tunnel_
id=[n] remote_ip=[s] tunnel_
ip=[s] user="[s]" group="[s]"
[s][s][s] reason="[s]"
msg="[s]"

39944 unknown vpn LOG_ID_EVENT_SSL_VPN_ action="[s]" SSL user event log

SESSION_ALERT tunneltype="[s]" tunnel_
id=[n] remote_ip=[s] tunnel_
ip=[s] user="[s]" group="[s]"
[s][s][s] alert="[s]"
desc="[s]" msg="[s]"

39945 unknown vpn LOG_ID_EVENT_SSL_VPN_ action="[s]" SSL user event log

SESSION_EXIT_FAIL tunneltype="[s]" tunnel_
id=[n] remote_ip=[s] tunnel_
ip=[s] user="[s]" group="[s]"
[s][s][s] reason="[s]"
msg="[s]"

39946 unknown vpn LOG_ID_EVENT_SSL_VPN_ action="[s]" SSL user event log

SESSION_EXIT_ERR tunneltype="[s]" tunnel_
id=[n] remote_ip=[s] tunnel_
ip=[s] user="[s]" group="[s]"
[s][s][s] reason="[s]"
msg="[s]"

Page 625
ID Severity Subtype Macro Format Description

39947 unknown vpn LOG_ID_EVENT_SSL_VPN_ action="[s]" SSL user event log

SESSION_TUNNEL_UP tunneltype="[s]" tunnel_
id=[n] remote_ip=[s] tunnel_
ip=[s] user="[s]" group="[s]"
[s][s][s] reason="[s]"
msg="[s]"

39948 unknown vpn LOG_ID_EVENT_SSL_VPN_ action="[s]" SSL user event log

SESSION_TUNNEL_DOWN tunneltype="[s]" tunnel_
id=[n] remote_ip=[s] tunnel_
ip=[s] user="[s]" group="[s]"
[s][s][s] reason="[s]"
duration=[n] sent=[n]
rcvd=[n] msg="[s]"

39949 unknown vpn LOG_ID_EVENT_SSL_VPN_ action="[s]" SSL user event log

SESSION_TUNNEL_STATS tunneltype="[s]" tunnel_
id=[n] remote_ip=[s] tunnel_
ip=[s] user="[s]" group="[s]"
[s][s][s] next_stats=[n]
duration=[n] sent=[n]
rcvd=[n] msg="[s]"

39950 unknown vpn LOG_ID_EVENT_SSL_VPN_ action="[s]" SSL user event log

SESSION_TUNNEL_ tunneltype="[s]" tunnel_
UNKNOWNTAG id=[n] remote_ip=[s] tunnel_
ip=[s] user="[s]" group="[s]"
[s][s][s] reason="[s]"
msg="[s]"

39951 unknown vpn LOG_ID_EVENT_SSL_VPN_ action="[s]" SSL user event log

SESSION_TUNNEL_ERROR tunneltype="[s]" tunnel_
id=[n] remote_ip=[s] tunnel_
ip=[s] user="[s]" group="[s]"
[s][s][s] reason="[s]"
msg="[s]"

39952 unknown vpn LOG_ID_EVENT_SSL_VPN_ action="[s]" SSL user event log

SESSION_ENTER_ tunneltype="[s]" tunnel_
CONSERVE_MODE id=[n] remote_ip=[s] tunnel_
ip=[s] user="[s]" group="[s]"
[s][s][s] reason="[s]"
msg="[s]"

39953 unknown vpn LOG_ID_EVENT_SSL_VPN_ action="[s]" SSL user event log

SESSION_LEAVE_ tunneltype="[s]" tunnel_
CONSERVE_MODE id=[n] remote_ip=[s] tunnel_
ip=[s] user="[s]" group="[s]"
[s][s][s] reason="[s]"
msg="[s]"

40001 unknown vpn LOG_ID_PPTP_TUNNEL_UP action=[s] tunnel_id=[n] VPN event log message
[s]tunneltype=[s] remote_
ip=[s] tunnel_ip=[s]
user="[s]" group="[s]"
[s][s][s][s]msg="[s] [s]"

Page 626
ID Severity Subtype Macro Format Description

40002 unknown vpn LOG_ID_PPTP_TUNNEL_ action=[s] tunnel_id=[n] VPN event log message
DOWN [s]tunneltype=[s] remote_
ip=[s] tunnel_ip=[s]
user="[s]" group="[s]"
[s][s][s][s]msg="[s] [s]"

40003 unknown vpn LOG_ID_PPTP_TUNNEL_ action=[s] tunnel_id=[n] VPN event log message
STAT [s]tunneltype=[s] remote_
ip=[s] tunnel_ip=[s]
user="[s]" group="[s]"
[s][s][s][s]msg="[s] [s]"

40014 warning vpn LOG_ID_PPTP_REACH_ status=failure The maximum number of PPTP

MAX_CON action=connect connections has been reached
msg="PPTP: the maximum
number of connections has
been reached. No more
clients can connect."

40016 warning vpn LOG_ID_L2TPD_SVR_ action=disconnect L2TPD disconnection

DISCON status=success
reason="interface not
found" msg="L2TPD
closed all client
connections in vdom '[s]'
because failed to find
interface by device index"

40017 warning vpn LOG_ID_L2TPD_CLIENT_ action=connect L2TP client connection

CON_FAIL status=failure reason="no
ip available" msg="No IP
addresses left to assign in
virtual domain: [s]"

40019 information vpn LOG_ID_L2TPD_CLIENT_ action=disconnect L2TP client disconnection

DISCON status=success
msg="Client [n].[n].[n].[n]
control connection (id [n])
finished"

40021 debug vpn LOG_ID_PPTP_NOT_CONIG status=failure pptp is not configured (in this
action=connect virtual domain)
msg="PPTP: connection
request in unconfigured
virtual domain: [s]"

40022 warning vpn LOG_ID_PPTP_NO_IP_AVAIL status=failure No ip available

action=connect
msg="PPTP: No IP
addresses left to assign in
virtual domain: [s]"

40024 warning vpn LOG_ID_PPTP_OUT_MEM status=failure action=start Not enough memory

msg="failed to expand pptp
config list due to not
enough memory"

Page 627
ID Severity Subtype Macro Format Description

40034 notice vpn LOG_ID_PPTP_START action=start PPTPD start

status=success
msg="PPTPD started
successfully"

40035 error vpn LOG_ID_PPTP_START_FAIL action=start status=failure PPTPD start

reason="failed to create
socket" msg="PPTPD
failed to start because
failed to create socket"

40036 notice vpn LOG_ID_PPTP_EXIT action=exit status=success PPTPD exit

msg="PPTPD exited
successfully"

40037 information vpn LOG_ID_PPTPD_SVR_ action=disconnect PPTPD disconnect

DISCON status=success
reason="PPTP setting is
changed" msg="PPTPD
closed all client
connections in vdom '[s]'
because PPTP setting was
changed"

40038 information vpn LOG_ID_PPTPD_CLIENT_ action=connect PPTPD client connection

CON status=success
msg="Client [n].[n].[n].[n]
control connection started"

40039 information vpn LOG_ID_PPTPD_CLIENT_ action=disconnect PPTPD client disconnection

DISCON status=success
msg="Client [n].[n].[n].[n]
control connection
finished"

40101 unknown vpn LOG_ID_L2TP_TUNNEL_UP action=[s] tunnel_id=[n] VPN event log message
[s]tunneltype=[s] remote_
ip=[s] tunnel_ip=[s]
user="[s]" group="[s]"
[s][s][s][s]msg="[s] [s]"

40102 unknown vpn LOG_ID_L2TP_TUNNEL_ action=[s] tunnel_id=[n] VPN event log message
DOWN [s]tunneltype=[s] remote_
ip=[s] tunnel_ip=[s]
user="[s]" group="[s]"
[s][s][s][s]msg="[s] [s]"

40103 unknown vpn LOG_ID_L2TP_TUNNEL_ action=[s] tunnel_id=[n] VPN event log message
STAT [s]tunneltype=[s] remote_
ip=[s] tunnel_ip=[s]
user="[s]" group="[s]"
[s][s][s][s]msg="[s] [s]"

40114 notice vpn LOG_ID_L2TPD_START action=start L2TPD starting

status=success
msg="L2TPD started
successfully"

Page 628
ID Severity Subtype Macro Format Description

40115 notice vpn LOG_ID_L2TPD_EXIT action=exit status=success L2TPD exiting

msg="L2TPD exited
successfully"

40118 information vpn LOG_ID_L2TPD_CLIENT_ action=connect L2TP client connection

CON status=success
msg="Client [s] control
connection started (id [n]),
assigned ip [n].[n].[n].[n]"

40704 notice system LOG_ID_EVENT_SYS_PERF action="perf-stats" cpu=[n] system performace log

mem=[n] totalsession=[n]
msg="Performance
statistics"

40960 notice wad LOGID_EVENT_WAD_ fwserver_name="[s]" addr_ Web proxy forward server error
WEBPROXY_FWD_SRV_ type=[s] ip=[s] fqdn="[s]"
ERROR port=[n] msg="[s]"

41000 notice system LOG_ID_UPD_FGT_SUCC [s] msg="Fortigate [s] Administrator has updated
[s][s][s] [s][s][s] [s][s][s] fortigate successfully
[s][s][s] [s][s][s] [s][s][s]
[s][s][s] [s][s][s] from [s]"

41001 critical system LOG_ID_UPD_FGT_FAIL [s] msg="Fortigate [s] Administrator has failed to
failed" update fortigate

41002 notice system LOG_ID_UPD_SRC_VIS status=update src-vis=yes Administrator has updated

msg="FortiGate updated src-vis plugin successfully
src-vis ([s])"

41003 critical system LOG_ID_INVALID_UPD_LIC action=update Invalid update license

status=failure msg="HA
member [s] does not have
valid license"

41005 notice system LOG_ID_UPD_VCM status=update vcm=yes Administrator has updated

msg="FortiGate updated VCM plugin successfully
VCM ([s])"

41984 information vpn LOG_ID_EVENT_SSL_VPN_ action="[s]" user="[s]" Certificate log

CERT_LOAD ui="[s]" name="[s]"
msg="[s]" cert-type=[s]

41985 information vpn LOG_ID_EVENT_SSL_VPN_ action="[s]" user="[s]" Certificate log

CERT_REMOVAL ui="[s]" name="[s]"
msg="[s]" cert-type=[s]

41987 information vpn LOG_ID_EVENT_SSL_VPN_ action="[s]" cert-type=[s] Certificate log

CERT_UPDATE status="[s]" name="[s]"
method="[s]" msg="[s]"

41988 information vpn LOG_ID_EVENT_SSL_VPN_ action="info" user="[s]" SSL Setting Updated

SETTING_UPDATE ui="[s]" msg="User
changed SSL setting"

41989 information vpn LOG_ID_EVENT_SSL_VPN_ action="[s]" cert-type=[s] Certificate log

CERT_ERR status="[s]" name="[s]"
method="[s]" msg="[s]"

Page 629
ID Severity Subtype Macro Format Description

41990 information vpn LOG_ID_EVENT_SSL_VPN_ action="[s]" cert-type=[s] Certificate log

CERT_UPDATE_FAILED status="[s]" name="[s]"
method="[s]" msg="[s]"

43008 notice user LOG_ID_EVENT_AUTH_ src=[s] dst=[s] policyid=3 Authentication log

SUCCESS user="user"
group="usergroup"
ui="HTTP([s])"
action=authentication
status=success
reason="reason"
msg="User user succeeded
in authentication"

43009 notice user LOG_ID_EVENT_AUTH_ src=[s] dst=[s] policyid=3 Authentication log

FAILED user="user"
group="usergroup"
ui="HTTP([s])"
action=authentication
status=failure
reason="reason"
msg="User user failed in
authentication"

43010 warning user LOG_ID_EVENT_AUTH_ src=[s] dst=[s] policyid=3 Authentication log

LOCKOUT user="user"
group="usergroup"
ui="HTTP([s])"
action=authentication
status=locked_out
reason="reason"
msg="User from [s] was
locked out"

43011 notice user LOG_ID_EVENT_AUTH_ src=[s] dst=[s] policyid=[n] Authentication log

TIME_OUT user="[s]" group="[s]"
ui="[s]" action=[s]
status=[s]
reason="Authentication
timed out" msg="[s]"

43012 notice user LOG_ID_EVENT_AUTH_ src=[s] dst=[s] proto=[n] FSSO Authentication log
FSAE_AUTH_SUCCESS policyid=[n] user="[s]"
adgroup="[s]" ui="[s]"
action=[s] status=[s]
reason="[s]" msg="[s]"

43013 notice user LOG_ID_EVENT_AUTH_ src=[s] dst=[s] proto=[n] FSSO Authentication log
FSAE_AUTH_FAIL policyid=[n] user="[s]"
adgroup="[s]" ui="[s]"
action=[s] status=[s]
reason="[s]" msg="[s]"

43014 notice user LOG_ID_EVENT_AUTH_ src=[s] user="[s]" FSSO log on/off

FSAE_LOGON server="[s]" action=[s]
msg="[s]"

43015 notice user LOG_ID_EVENT_AUTH_ src=[s] user="[s]" FSSO log on/off

FSAE_LOGOFF server="[s]" action=[s]
msg="[s]"

Page 630
ID Severity Subtype Macro Format Description

43016 notice user LOG_ID_EVENT_AUTH_ src=[s] dst=[s] policyid=[n] NTLM authentication log
NTLM_AUTH_SUCCESS user="[s]" adgroup="[s]"
group="[s]" ui="[s]"
action=[s] status=[s]
reason="[s]" msg="[s]"

43017 notice user LOG_ID_EVENT_AUTH_ src=[s] dst=[s] policyid=[n] NTLM authentication log
NTLM_AUTH_FAIL user="[s]" adgroup="[s]"
group="[s]" ui="[s]"
action=[s] status=[s]
reason="[s]" msg="[s]"

43018 warning user LOG_ID_EVENT_AUTH_ src=[s] dst=[s] initiator=[s] Fortiguard override failed log
FGOVRD_FAIL status=[s] reason="[s]"
msg="[s]"

43019 warning user LOG_ID_EVENT_AUTH_ src=[s] dst=[s] initiator=N/A Fortiguard override log
FGOVRD_TBL_FULL status=failure
reason="reason"
msg="FortiGuard Web
Filtering override table is
full"

43020 notice user LOG_ID_EVENT_AUTH_ src=[s] dst=[s] initiator=[s] Fortiguard override succeeded
FGOVRD_SUCCESS status=[s] reason="[s]" log
scope=[s] scope_data="[s]"
rule_type=[s] rule_
data="[s]" offsite=[s]
expiry="[s]" oldwprof="[s]"
newwprof="[s]" msg="[s]"

43021 notice user LOG_ID_EVENT_AUTH_ dst=[s] ui="HTTP(0.0.0.0)" Endpoint log

ENDPOINT_CHECK msg="forticlient msg"

43022 notice user LOG_ID_EVENT_AUTH_ dst=[s] ui="HTTP(0.0.0.0)" Endpoint log

ENDPOINT_LICENSE msg="forticlient msg"

43023 notice user LOG_ID_EVENT_AUTH_ dst=[s] ui="N/A(0.0.0.0)" Endpoint log

ENDPOINT_DET_RECORD msg="forticlient msg"

43024 notice user LOG_ID_EVENT_AUTH_ dst=[s] ui="HTTP(0.0.0.0)" Endpoint log

ENDPOINT_DET_SESSION msg="forticlient msg"

43025 notice user LOG_ID_EVENT_AUTH_ src=[s] dst=[s] policyid=[n] Wad-auth HTTP log
PROXY_SUCCESS user="[s]" group="[s]"
ui="[s]" action=[s]
status=[s] reason="[s]"
msg="[s]"

43026 notice user LOG_ID_EVENT_AUTH_ src=[s] dst=[s] policyid=[n] Wad-auth FTP log
PROXY_FAILED user="[s]" group="[s]"
ui="[s]" action=[s]
status=[s] reason="[s]"
msg="[s]"

43027 notice user LOG_ID_EVENT_AUTH_ src=[s] dst=[s] policyid=[n] Wad-auth time out log
PROXY_TIME_OUT user="[s]" group="[s]"
ui="[s]" action=[s]
status=[s] reason="user
timed out" msg="[s]"

Page 631
ID Severity Subtype Macro Format Description

43028 notice user LOG_ID_EVENT_AUTH_ src=[s] dst=[s] policyid=[n] Wad-auth HTTP log
PROXY_AUTHORIZATION_ user="[s]" group="[s]"
FAILED ui="[s]" action=[s]
status=[s] reason="[s]"
msg="[s]"

43029 notice user LOG_ID_EVENT_AUTH_ src=[s] dst=[s] initiator=[s] Fortiguard override succeeded
WARNING_SUCCESS status=[s] reason="[s]" log
scope=[s] scope_data="[s]"
rule_type=[s] rule_
data="[s]" offsite=[s]
expiry="[s]" oldwprof="[s]"
newwprof="[s]" msg="[s]"

43030 warning user LOG_ID_EVENT_AUTH_ src=[s] dst=[s] initiator=[s] Fortiguard override failed log
WARNING_TBL_FULL status=[s] reason="[s]"
msg="[s]"

43264 information system LOGID_MMS_STATS proto=[s] infected=[n] MMS Statistics log

suspicious=[n] scanned=[n]
intercepted=[n] blocked=[n]
checksum=[n] duration=[n]

43520 notice wireless LOG_ID_EVENT_WIRELESS_ action="[s]" msg="[s]" wireless system activity log
SYS

43522 notice wireless LOG_ID_EVENT_WIRELESS_ sn="[s]" ap="[s]" physical AP activity log

WTP approfile="[s]" ip=[s]
meshmode="[s]"
snmeshparent="[s]"
action="[s]" reason="[s]"
msg="[s]"

43524 notice wireless LOG_ID_EVENT_WIRELESS_ sn="[s]" ap="[s]" vap="[s]" wireless client activity log
STA ssid="[s]" user="[s]"
group="[s]" mac=[s] ip=[s]
channel=[n] radioband="[s]"
security="[s]" action="[s]"
reason="[s]" msg="[s]"

43526 notice wireless LOG_ID_EVENT_WIRELESS_ sn="[s]" ap="[s]" ip="[s]" physical AP radio activity log
WTPR radioid=[n]
configcountry="[s]"
opercountry="[s]"
cfgtxpower=[n]
opertxpower=[n]
action="[s]" msg="[s]"

43527 notice wireless LOG_ID_EVENT_WIRELESS_ action="[s]" ssid="[s]" wireless rogue AP status config
ROGUE_CFG bssid=[s] apstatus=[n] log
msg="[s]"

43529 notice wireless LOG_ID_EVENT_WIRELESS_ sn="[s]" ap="[s]" vap="[s]" wireless client load balancing
CLB ssid="[s]" mac="[s]" log
radioband="[s]"
stacount=[n] action="[s]"
reason="[s]" msg="[s]"

Page 632
ID Severity Subtype Macro Format Description

43530 notice wireless LOG_ID_EVENT_WIRELESS_ action="[s]" wireless wids detected log

WIDS_WL_BRIDGE Threattype="[s]" live=[n]
age=[n] channel=[n] rssi=[n]
Frametype="[s]" DS="[s]"
bssid="[s]" seq=[n]
Encrypt=[n] TAMAC="[s]"
manuf="[s]"
sndetected="[s]"
radioiddetected=[n]
msg="[s]"

43532 notice wireless LOG_ID_EVENT_WIRELESS_ action="[s]" wireless wids detected log

WIDS_NL_PBRESP Threattype="[s]" live=[n]
age=[n] channel=[n] rssi=[n]
Frametype="[s]" DS="[s]"
bssid="[s]" seq=[n]
Encrypt=[n] TAMAC="[s]"
manuf="[s]"
sndetected="[s]"
radioiddetected=[n]
msg="[s]"

43533 notice wireless LOG_ID_EVENT_WIRELESS_ action="[s]" wireless wids

WIDS_MAC_OUI Threattype="[s]" live=[n] invalid-OUI-detect log
age=[n] channel=[n] rssi=[n]
Frametype="[s]" DS="[s]"
bssid="[s]" seq=[n]
Encrypt=[n] TAMAC=[s]
manuf="[s]"
sndetected="[s]"
radioiddetected=[n]
msg="[s]" Invalidmac=[s]

43534 notice wireless LOG_ID_EVENT_WIRELESS_ action="[s]" wireless wids long-dur-detect

WIDS_LONG_DUR Threattype="[s]" live=[n] log
age=[n] channel=[n] rssi=[n]
Frametype="[s]" DS="[s]"
bssid="[s]" seq=[n]
Encrypt=[n] TAMAC=[s]
manuf="[s]"
sndetected="[s]"
radioiddetected=[n]
msg="[s]" Dur=[n]

43535 notice wireless LOG_ID_EVENT_WIRELESS_ action="[s]" wireless wids

WIDS_WEP_IV Threattype="[s]" live=[n] weak-wepiv-detect log
age=[n] channel=[n] rssi=[n]
Frametype="[s]" DS="[s]"
bssid="[s]" seq=[n]
Encrypt=[n] TAMAC=[s]
manuf="[s]"
sndetected="[s]"
radioiddetected=[n]
msg="[s]" Weakwepiv=[s]

Page 633
ID Severity Subtype Macro Format Description

43542 notice wireless LOG_ID_EVENT_WIRELESS_ action="[s]" wireless wids

WIDS_EAPOL_FLOOD Threattype="[s]" live=[n] eapol-packet-flood log
TAMAC=[s] manuf="[s]"
sndetected="[s]"
radioiddetected=[n]
msg="[s]" eapoltype=[s]
eapolcnt=[n]

43544 notice wireless LOG_ID_EVENT_WIRELESS_ action="[s]" wireless wids

WIDS_MGMT_FLOOD Threattype="[s]" live=[n] mgmt-flood-detect log
age=[n] channel=[n] rssi=[n]
Frametype="[s]" DS="[s]"
bssid="[s]" TAMAC=[s]
manuf="[s]"
sndetected="[s]"
radioiddetected=[n]
msg="[s]" mgmtcnt=[n]

43546 notice wireless LOG_ID_EVENT_WIRELESS_ action="[s]" wireless wids detected log

WIDS_SPOOF_DEAUTH Threattype="[s]" live=[n]
age=[n] channel=[n] rssi=[n]
Frametype="[s]" DS="[s]"
bssid="[s]" seq=[n]
Encrypt=[n] TAMAC="[s]"
manuf="[s]"
sndetected="[s]"
radioiddetected=[n]
msg="[s]"

43548 notice wireless LOG_ID_EVENT_WIRELESS_ action="[s]" wireless wids detected log

WIDS_ASLEAP Threattype="[s]" live=[n]
age=[n] channel=[n] rssi=[n]
Frametype="[s]" DS="[s]"
bssid="[s]" seq=[n]
Encrypt=[n] TAMAC="[s]"
manuf="[s]"
sndetected="[s]"
radioiddetected=[n]
msg="[s]"

43550 notice wireless LOG_ID_EVENT_WIRELESS_ sn="[s]" ap="[s]" radioid=[n] wireless station presence
STA_LOCATE radioband="[s]" detection log
stamac="[s]" signal=[n]
noise=[n] action="[s]"
msg="[s]"

43776 notice system LOGID_EVENT_NAC_ src=[s] dst=[s] src_int=[s] NAC quarantine event log
QUARANTINE proto=[n] service="[s]"
action=[s] user="[s]"
group="[s]" policyid=[n]
banned_src=[s] banned_
rule="[s]" sensor="[s][n]"

43800 critical system LOG_ID_EVENT_ELBC_ [s]="blade-join" [s]="[n]" blade joins cluster

BLADE_JOIN [s]="[n]" [s]="[s]" [s]="blade
in slot [n] of chassis [n] is
ready to process traffic"

Page 634
ID Severity Subtype Macro Format Description

43801 critical system LOG_ID_EVENT_ELBC_ [s]="blade-leave" [s]="[n]" blade leaves cluster

BLADE_LEAVE [s]="[n]" [s]="[s]" [s]="blade
in slot [n] of chassis [n] is no
longer ready to process
traffic"

43802 critical system LOG_ID_EVENT_ELBC_ [s]="master-found" [s]="[n]" master blade found

MASTER_BLADE_FOUND [s]="[n]" [s]="[s]" [s]="blade
in slot [n] of chassis [n]
became master. there was
no previous master."

43803 critical system LOG_ID_EVENT_ELBC_ [s]="master-lost" [s]="[n]" master blade lost

MASTER_BLADE_LOST [s]="[n]" [s]="[s]" [s]="blade
in slot [n] of chassis [n] is no
longer master. there is no
new master."

43804 critical system LOG_ID_EVENT_ELBC_ [s]="master-changed" master blade changed

MASTER_BLADE_CHANGE [s]="[n]" [s]="[n]" [s]="[n]"
[s]="[n]" [s]="[s]" [s]="blade
in slot [n] of chassis [n] is no
longer master. blade in slot
[n] of chassis [n] is the new
master"

43805 critical system LOG_ID_EVENT_ELBC_ [s]="channel-activate" ELBC channel becomes active

ACTIVE_CHANNEL_FOUND [s]="[n]" [s]="[n]" [s]="[s]"
[s]="[n]" [s]="Channel [n]
(FortiSwitch in slot [n]) of
chassis [n] became active.
there was no previous
active channel"

43806 critical system LOG_ID_EVENT_ELBC_ [s]="channel-deactivate" ELBC channel becomes

ACTIVE_CHANNEL_LOST [s]="[n]" [s]="[n]" [s]="[s]" inactive
[s]="[n]" [s]="Channel [n]
(FortiSwitch in slot [n]) of
chassis [n] became
inactive. there is currently
no active channel."

43807 critical system LOG_ID_EVENT_ELBC_ [s]="channel-failover" ELBC channel failover

ACTIVE_CHANNEL_CHANGE [s]="[n]" [s]="[n]" [s]="[s]"
[s]="[n]" [s]="[n]"
[s]="Channel [n]
(FortiSwitch in slot [n]) of
chassis [n] failed over to
channel [n] (FortiSwitch in
slot [n])."

43808 critical system LOG_ID_EVENT_ELBC_ [s]="chassis-activated" chassis becomes active

CHASSIS_ACTIVE [s]="[n]" [s]="[s]"
[s]="chassis [n] became
active and will process
traffic"

Page 635
ID Severity Subtype Macro Format Description

43809 critical system LOG_ID_EVENT_ELBC_ [s]="chassis-deactivated" chassis becomes inactive

CHASSIS_INACTIVE [s]="[n]" [s]="[s]"
[s]="chassis [n] became
passive and will not
process traffic"

44288 information router LOG_ID_DNS_RESPONSE policyid=22 src=[s] dst=[s] test dns event log
src_int="eth0" dst_
int="switch0" user="user"
group="group" dns_
name="fotinet dns" dns_
ip="1.1.1.1"

44544 information system LOGID_EVENT_CONFIG_ user="[s]" ui="[s]" config path log

PATH action=[s] cfgtid=[n]
cfgpath="[s]" msg="[s]"

44545 information system LOGID_EVENT_CONFIG_OBJ user="[s]" ui="[s]" config obj log

action=[s] cfgtid=[n]
cfgpath="[s]" cfgobj="[s]"
msg="[s]"

44546 information system LOGID_EVENT_CONFIG_ user="[s]" ui="[s]" config attr log

ATTR action=[s] cfgtid=[n]
cfgpath="[s]" cfgattr=[s]
msg="[s]"

44547 information system LOGID_EVENT_CONFIG_ user="[s]" ui="[s]" config obj attr log
OBJATTR action=[s] cfgtid=[n]
cfgpath="[s]" cfgobj="[s]"
cfgattr=[s] msg="[s]"

44801 notice system 44801 limit=[n] [Inbound/Outbound]

msg=”[Inbound/Outbound] bandwidth rate exceeded
bandwidth rate exceeded
the shaper limit.”

45000 debug router LOG_ID_VSD_SSL_RCV_HS serial=[s] policy=[n] SSL handshake received

identidx=[n] vip="[s]"
src=[s] src-port=[n] dst=[s]
dst-port=[n] action=receive
handshake=[s] msg=[s]

45001 error router LOG_ID_VSD_SSL_RCV_ serial=[s] policy=[n] SSL received incorrect

WRG_HS identidx=[n] vip="[s]" handshake message
src=[s] src-port=[n] dst=[s]
dst-port=[n] action=receive
expected=[s] received=[s]
msg="Incorrect SSL
handshake message"

45002 debug router LOG_ID_VSD_SSL_SENT_HS serial=[s] policy_id=[n] SSL handshake sent

identidx=[n] vip="[s]"
src=[s] src-port=[n] dst=[s]
dst-port=[n] action=send
handshake=[s] msg=[s]

Page 636
ID Severity Subtype Macro Format Description

45003 error router LOG_ID_VSD_SSL_WRG_ serial=[s] policy=[n] SSL handshake has invalid
HS_LEN identidx=[n] vip="[s]" length
src=[s] src-port=[n] dst=[s]
dst-port=[n] action=receive
len=[n] msg="Incorrect SSL
handshake length"

45004 debug router LOG_ID_VSD_SSL_RCV_CCS serial=[s] policy=[n] SSL ChangeCipherSpec

identidx=[n] vip="[s]" received
src=[s] src-port=[n] dst=[s]
dst-port=[n] action=receive
msg=ChangeCipherSpec

45005 error router LOG_ID_VSD_SSL_RSA_DH_ serial=[s] policy=[n] RSA verification of

FAIL identidx=[n] vip="[s]" Diffie-Hellman parameters
src=[s] src-port=[n] dst=[s] failed
dst-port=[n] action=close
msg="RSA verification of
Diffie-Hellman parameters
failed"

45006 debug router LOG_ID_VSD_SSL_SENT_ serial=[s] policy=[n] SSL ChangeCipherSpec sent

CCS identidx=[n] vip="[s]"
src=[s] src-port=[n] dst=[s]
dst-port=[n] action=send
msg=ChangeCipherSpec

45007 error router LOG_ID_VSD_SSL_BAD_ serial=[s] policy=[n] Hash in SSL Finished does not
HASH identidx=[n] vip="[s]" match calculated hash
src=[s] src-port=[n] dst=[s]
dst-port=[n] local=[s]
remote=[s] action=close
msg="Hash in SSL Finished
does not match calculated
hash"

45009 error router LOG_ID_VSD_SSL_DECRY_ serial=[s] policy=[n] SSL decryption failure

FAIL identidx=[n] vip="[s]"
src=[s] src-port=[n] dst=[s]
dst-port=[n] action=close
reason=[n] msg="SSL
decryption failure"

45010 debug router LOG_ID_VSD_SSL_ serial=[s] policy=[n] SSL session closed

SESSION_CLOSED identidx=[n] vip="[s]"
src=[s] src-port=[n] dst=[s]
dst-port=[n] action=close
msg="SSL session closed"

45011 error router LOG_ID_VSD_SSL_LESS_ serial=[s] policy=[n] SSL minor version less than
MINOR identidx=[n] vip="[s]" configured minimum value
src=[s] src-port=[n] dst=[s]
dst-port=[n] action=close
min-minor=[n]
recv-minor=[n] msg="SSL
minor below mininum
configured value"

Page 637
ID Severity Subtype Macro Format Description

45012 warning router LOG_ID_VSD_SSL_REACH_ serial=[s] policy=[n] SSL maximum connection limit
MAX_CON identidx=[n] vip="[s]" reached
src=[s] src-port=[n] dst=[s]
dst-port=[n] action=close
msg="SSL maximum
connections reached"

45013 error router LOG_ID_VSD_SSL_NOT_ serial=[s] policy=[n] None of the offered SSL
SUPPORT_CS identidx=[n] vip="[s]" CipherSuites are supported
src=[s] src-port=[n] dst=[s]
dst-port=[n] action=close
msg="None of the offered
CipherSuites are
supported"

45016 debug router LOG_ID_VSD_SSL_HS_FIN serial=[s] policy=[n] SSL handshake complete

identidx=[n] vip="[s]"
src=[s] src-port=[n] dst=[s]
dst-port=[n]
action=complete
msg="SSL Handshake
complete"

45017 error router LOG_ID_VSD_SSL_HS_TOO_ serial=[s] policy=[n] SSL handshake too long
LONG identidx=[n] vip="[s]"
src=[s] src-port=[n] dst=[s]
dst-port=[n] action=receive
handshake=[s] len=[n]
max=[n] msg="SSL
Handshake too long"

45018 debug router LOG_ID_VSD_SSL_MORE_ serial=[s] policy=[n] SSL minor version larger than
MINOR identidx=[n] vip="[s]" configured maximum value
src=[s] src-port=[n] dst=[s]
dst-port=[n] action=recv
max-minor=[n]
recv-minor=[n] msg="SSL
capping minor version at
maximum configured value"

45019 error router LOG_ID_VSD_SSL_SENT_ serial=[s] policy=[n] SSL Alert sent

ALERT_ERR identidx=[n] vip="[s]"
src=[s] src-port=[n] dst=[s]
dst-port=[n] action=send
level=[n] desc=[n]
msg="SSL Alert sent"

45020 debug router LOG_ID_VSD_SSL_ vip="[s]" addr=[s] port=[n] SSL session state expiry
SESSION_EXPIRE created="[s]" id=[s]
action=expire msg="SSL
session state expired"

45021 debug router LOG_ID_VSD_SSL_SENT_ serial=[s] policy=[n] SSL Alert sent

ALERT identidx=[n] vip="[s]"
src=[s] src-port=[n] dst=[s]
dst-port=[n] action=send
level=[n] desc=[n]
msg="SSL Alert sent"

Page 638
ID Severity Subtype Macro Format Description

45022 debug router LOG_ID_VSD_SSL_RCV_CH serial=[s] policy=[n] SSL ClientHello received

identidx=[n] vip="[s]"
src=[s] src-port=[n] dst=[s]
dst-port=[n] action=receive
handshake=ClientHello
msg=ClientHello ssl2=[n]
major=[n] minor=[n]
session_
id="[s]"[s][s][s][s][s][s]

45023 debug router LOG_ID_VSD_SSL_RCV_SH serial=[s] policy=[n] SSL ServerHello received

identidx=[n] vip="[s]"
src=[s] src-port=[n] dst=[s]
dst-port=[n] action=receive
handshake=ServerHello
msg=ServerHello major=[n]
minor=[n] cipher=[s]
session_id="[s]"[s][s][s]

45024 debug router LOG_ID_VSD_SSL_SENT_SH serial=[s] policy=[n] SSL ServerHello sent

identidx=[n] vip="[s]"
src=[s] src-port=[n] dst=[s]
dst-port=[n] action=send
handshake=ServerHello
msg=ServerHello major=[n]
minor=[n] cipher=[s]
session_id="[s]"[s][s][s]

45025 error | router LOG_ID_VSD_SSL_RCV_ serial=[s] policy=[n] SSL Alert received

debug ALERT identidx=[n] vip="[s]"
src=[s] src-port=[n] dst=[s]
dst-port=[n] action=receive
level=[n] desc=[n]
msg="SSL Alert received"

45027 error router LOG_ID_VSD_SSL_INVALID_ serial=[s] policy=[n] Invalid SSL ContentType

CONT_TYPE identidx=[n] vip="[s]"
src=[s] src-port=[n] dst=[s]
dst-port=[n] action=receive
type=[n] msg="Invalid SSL
ContentType"

45029 error router LOG_ID_VSD_SSL_BAD_ serial=[s] policy=[n] SSL ChangeCipherSpec has

CCS_LEN identidx=[n] vip="[s]" bad length
src=[s] src-port=[n] dst=[s]
dst-port=[n] action=close
msg="Bad length in SSL
ChangeCipherSpec"

45031 error router LOG_ID_VSD_SSL_BAD_DH serial=[s] policy=[n] SSL Diffie-Hellman has bad
identidx=[n] vip="[s]" value
src=[s] src-port=[n] dst=[s]
dst-port=[n]min=[n] max=[n]
received=[n] action=close
msg="[s]"

Page 639
ID Severity Subtype Macro Format Description

45032 error router LOG_ID_VSD_SSL_PUB_ serial=[s] policy=[n] Certificate's public key is too
KEY_TOO_BIG identidx=[n] vip="[s]" big for SSL offloading
src=[s] src-port=[n] dst=[s]
dst-port=[n]len=[n] max=[n]
action=close msg="[s]"

45033 error router LOG_ID_VSD_SSL_NOT_ serial=[s] policy=[n] None of the offered SSL
SUPPORT_CM identidx=[n] vip="[s]" CompressionMethods are
src=[s] src-port=[n] dst=[s] supported
dst-port=[n] action=close
msg="None of the offered
CompressionMethods are
supported"

45056 notice system LOG_ID_FCC_EXCEED action=[s] status=[s] forticlient license exceed msg
license_limit=[n]
reason="[s]" repeat=[n]
msg="FortiClient license
maximum has been
reached."

45057 information system LOG_ID_FCC_ADD action=[s] status=[s] add forticlient connection msg
license_limit=[s] license_
used=[n] used_for_type=[n]
connection_type=[s]
count=[n] user="[s]" ip=[s]
name="[s]" forticlient_
id="[s]" msg="Add a
FortiClient Connection."

45058 information system LOG_ID_FCC_CLOSE close forticlient connection

msg

45059 notice system LOG_ID_FCC_UPGRADE_ action=[s] status=[s] upgrade forticlient license msg
SUCC ui="[s]" user="[s]" license_
limit=[s] msg="FortiClient
license has been
upgraded."

45060 error system LOG_ID_FCC_UPGRADE_ action=[s] status=[s] upgrade forticlient license

FAIL ui="[s]" user="[s]" failed msg
reason="[s]" msg="Failed
to upgrade FortiClient
license."

45100 warning system LOG_ID_EC_REG_FAIL user="[s]" hostname="[s]" FortiClient registration fail msg
ip=[n].[n].[n].[n] forticlient_
id=[s] interface=[s]
msg="FortiClient
registration failed due to
blocked UID."

45101 notice system LOG_ID_EC_REG_SUCCEED user="[s]" hostname="[s]" FortiClient registration succeed

ip=[n].[n].[n].[n] forticlient_ msg
id=[s] interface=[s]
msg="FortiClient
registration succeeded."

Page 640
ID Severity Subtype Macro Format Description

45102 notice system LOG_ID_EC_REG_RENEWED user="[s]" hostname="[s]" FortiClient registration renew

ip=[n].[n].[n].[n] forticlient_ msg
id=[s] interface=[s]
msg="FortiClient
registration renewed."

45103 notice system LOG_ID_EC_REG_BLOCK forticlient_id=[s] FortiClient registration block

msg="FortiClient is blocked msg
for registration."

45104 notice system LOG_ID_EC_REG_UNBLOCK forticlient_id=[s] FortiClient registration unblock

msg="FortiClient is msg
unblocked for registration."

45105 notice system LOG_ID_EC_REG_DEREG forticlient_id=[s] FortiClient registration

msg="FortiClient is de-register msg
de-registered."

45106 notice system LOG_ID_EC_REG_LIC_ msg="FortiClient FortiClient registration license

UPGRADED registration license upgrade msg
upgraded."

45107 notice system LOG_ID_EC_CONF_ user="[s]" hostname="[s]" FortiClient configuration

DISTRIBUTED ip=[n].[n].[n].[n] forticlient_ distribute msg
id=[s] interface=[s]
msg="FortiClient
configuration distributed."

45108 notice system LOG_ID_EC_FTCL_UNREG user="[s]" hostname="[s]" FortiClient unregister msg

ip=[n].[n].[n].[n] forticlient_
id=[s] interface=[s]
msg="FortiClient
unregistered."

45109 notice system LOG_ID_EC_FTCL_LOGOFF user="[s]" hostname="[s]" FortiClient logoff msg

ip=[n].[n].[n].[n] forticlient_
id=[s] interface=[s]
msg="FortiClient logged
off."

45110 notice system LOG_ID_EC_FTCL_ENABLE_ user="[s]" hostname="[s]" FortiClient disable SYNC_

NOTSYNC ip=[n].[n].[n].[n] forticlient_ WITH_FGT msg
id=[s] interface=[s]
msg="FortiClient SYNC_
WITH_FGT disabled."

46000 notice system LOG_ID_VIP_REAL_SVR_ENA vip="[s]" VIP realserver has been

server=[n].[n].[n].[n] port=[n] enabled.
status=[s] action=enable
msg="ldb server enabled"

46001 alert system LOG_ID_VIP_REAL_SVR_ vip="[s]" VIP realserver has been

DISA server=[n].[n].[n].[n] port=[n] disabled.
status=[s] action=disable
msg="ldb server disabled"

46002 notice system LOG_ID_VIP_REAL_SVR_UP vip="[s]" VIP realserver has become up.
server=[n].[n].[n].[n] port=[n]
status=[s] action=up
msg="ldb server up"

Page 641
ID Severity Subtype Macro Format Description

46003 alert system LOG_ID_VIP_REAL_SVR_ vip="[s]" VIP realserver has been down.
DOWN server=[n].[n].[n].[n] port=[n]
status=[s] action=down
msg="ldb server down"

46004 notice system LOG_ID_VIP_REAL_SVR_ vip="[s]" VIP realserver has started

ENT_HOLDDOWN server=[n].[n].[n].[n] port=[n] holddown period.
status=[s] action=holddown
msg="ldb server entered
holddown period"
interval=[n](sec)

46005 alert system LOG_ID_VIP_REAL_SVR_ vip="[s]" VIP realserver has failed

FAIL_HOLDDOWN server=[n].[n].[n].[n] port=[n] holddown.
status=[s] action=holddown
msg="ldb server health
checking failed during
holddown period"

46006 debug system LOG_ID_VIP_REAL_SVR_FAIL vip="[s]" Health monitor has detected

server=[n].[n].[n].[n] port=[n] VIP realserver health problem.
status=[s]
monitor-name=[s]
monitor-type=[s]
action=check msg="ldb
server health checking
failed"

46084 error system LOG_EVENT_REPUTATION_ action=reputation_purge reputation tracking data

VDOM_PURGE_ERROR status=failure reason="[s]" maintenance
msg="Failed to complete
reputation db maintenance
for vdom [s]"

46085 information system LOG_EVENT_REPUTATION_ action=reputation_purge reputation tracking data

VDOM_PURGE_SUCCESS status=success maintenance
msg="Completed
reputation db maintenance"

46092 information system LOG_EVENT_REPUTATION_ action=reputation_clear reputation report

ERASE_DATA_ERROR status=failure reason="[s]"
msg="Failed to erase
reputation db for vdom [s]"

46093 information system LOG_EVENT_REPUTATION_ action=reputation_clear reputation report

ERASE_DATA_SUCCESS status=success
msg="Erased reputation db
for vdom [s]"

47201 emergency system LOG_ID_AMC_ENTER_ msg="The AMC card in slot AMC card entered bypass
BYPASS [s] has entered bypass mode
mode due to [s]."

47202 emergency system LOG_ID_AMC_EXIT_BYPASS msg="The AMC card in slot AMC card exited bypass mode
[s] has exited bypass mode
due to [s]."

47203 emergency system LOG_ID_ENTER_BYPASS msg="The bypass ports Bypass ports pair entered
pair have entered bypass bypass mode
mode."

Page 642
ID Severity Subtype Macro Format Description

47204 emergency system LOG_ID_EXIT_BYPASS msg="The bypass ports Bypass ports pair exited
pair have exited bypass bypass mode
mode."

48000 debug wad LOG_ID_WAD_SSL_RCV_HS session_id=[s] policyid=[n] SSL handshake received

src=[n].[n].[n].[n] srcport=[n]
dst=[n].[n].[n].[n] dstport=[n]
action=receive
handshake="[s]"

48001 error wad LOG_ID_WAD_SSL_RCV_ session_id=[s] policyid=[n] SSL handshake has invalid
WRG_HS src=[n].[n].[n].[n] srcport=[n] length
dst=[n].[n].[n].[n] dstport=[n]
action=receive
msg="Incorrect SSL
handshake length. len:[n]"

Page 643

Fortinet Messages PDF
No ratings yet
Fortinet Messages PDF
643 pages
Fortios Handbook 60 PDF
No ratings yet
Fortios Handbook 60 PDF
3,149 pages
Manual Fortinet 100D
No ratings yet
Manual Fortinet 100D
163 pages
NSE4 Prep Session Presentation
No ratings yet
NSE4 Prep Session Presentation
164 pages
Fortigate Cli 50
No ratings yet
Fortigate Cli 50
1,129 pages
Fortigate Troubleshooting 50
100% (1)
Fortigate Troubleshooting 50
74 pages
Troubleshooting
No ratings yet
Troubleshooting
96 pages
Troubleshooting PDF
No ratings yet
Troubleshooting PDF
96 pages
Transparent Mode Fortigate Getting Started 52
100% (1)
Transparent Mode Fortigate Getting Started 52
84 pages
Comandos Fortigate-Cli-50 PDF
No ratings yet
Comandos Fortigate-Cli-50 PDF
1,135 pages
Fortios Handbook 50
No ratings yet
Fortios Handbook 50
2,777 pages
Fortigate Firewall 50 PDF
No ratings yet
Fortigate Firewall 50 PDF
191 pages
FortiOS 5.0 - Security Profiles
No ratings yet
FortiOS 5.0 - Security Profiles
182 pages
Fortigate Security Profiles 5.2
No ratings yet
Fortigate Security Profiles 5.2
147 pages
Fortigate Firewall 52 PDF
No ratings yet
Fortigate Firewall 52 PDF
193 pages
FGT1 02 Logging and Monitoring V2
No ratings yet
FGT1 02 Logging and Monitoring V2
36 pages
TTT-Delta Between 6.4 and 7.0
No ratings yet
TTT-Delta Between 6.4 and 7.0
69 pages
Krumm20Heller20 20del20inicienso20a20la20osmoterapia
No ratings yet
Krumm20Heller20 20del20inicienso20a20la20osmoterapia
3,157 pages
Troubleshooting Device Detection Traps
No ratings yet
Troubleshooting Device Detection Traps
7 pages
FortiOS 5.0 Handbook
No ratings yet
FortiOS 5.0 Handbook
277 pages
Fort I Net Open Ports
No ratings yet
Fort I Net Open Ports
14 pages
Fortios v5.0 Notes
No ratings yet
Fortios v5.0 Notes
54 pages
Forticlient XML 52 PDF
100% (1)
Forticlient XML 52 PDF
88 pages
FortiOS 5.2 Handbook
No ratings yet
FortiOS 5.2 Handbook
197 pages
Fortigate Logging and Reporting 52
No ratings yet
Fortigate Logging and Reporting 52
56 pages
Fortigate Firewall 54
No ratings yet
Fortigate Firewall 54
190 pages
Fortigate Logging 60
No ratings yet
Fortigate Logging 60
56 pages
Fortigate Security - Profiles 5.2 PDF
No ratings yet
Fortigate Security - Profiles 5.2 PDF
157 pages
Fortios™ Handbook - Logging and Reporting
No ratings yet
Fortios™ Handbook - Logging and Reporting
56 pages
Best Practices Forti OS 5.2
No ratings yet
Best Practices Forti OS 5.2
37 pages
Manual CLI Fortigate 5.0
No ratings yet
Manual CLI Fortigate 5.0
178 pages
Troubleshooting 522
No ratings yet
Troubleshooting 522
100 pages
FortiOS 52 Handbook
No ratings yet
FortiOS 52 Handbook
2,770 pages
OK Fortigate Security Profiles 540
No ratings yet
OK Fortigate Security Profiles 540
251 pages
Fortios Handbook
No ratings yet
Fortios Handbook
2,667 pages
Fortigate VM Install Guide 40 Mr2
No ratings yet
Fortigate VM Install Guide 40 Mr2
22 pages
FortiGate-620B Install Guide
No ratings yet
FortiGate-620B Install Guide
62 pages
Fortios Handbook 50
No ratings yet
Fortios Handbook 50
2,637 pages
FGT1 02 Logging and Monitoring
No ratings yet
FGT1 02 Logging and Monitoring
36 pages
Log Reference
No ratings yet
Log Reference
170 pages
Fortigate Install System Admin 50
No ratings yet
Fortigate Install System Admin 50
248 pages
Fortigate Fortios Log Message Reference
No ratings yet
Fortigate Fortios Log Message Reference
182 pages
Fortios 5.4.0 Log Reference
No ratings yet
Fortios 5.4.0 Log Reference
127 pages
Release Notes: Fortios 7.2.4
No ratings yet
Release Notes: Fortios 7.2.4
62 pages
Fortigate Logging Reporting
No ratings yet
Fortigate Logging Reporting
68 pages
4 Logging and Monitoring
No ratings yet
4 Logging and Monitoring
31 pages
Fortimail® Secure Messaging Platform 5.0.0 Log Message Reference
No ratings yet
Fortimail® Secure Messaging Platform 5.0.0 Log Message Reference
66 pages
Security Profiles
No ratings yet
Security Profiles
200 pages
Fortios v5.2.11 Log Reference
No ratings yet
Fortios v5.2.11 Log Reference
103 pages
Fortigate Advanced Routing 50
No ratings yet
Fortigate Advanced Routing 50
176 pages
Fortigate Advanced Routing 50 PDF
100% (1)
Fortigate Advanced Routing 50 PDF
176 pages
Fortinet Fortigate and Splunk: Deployment Guide
No ratings yet
Fortinet Fortigate and Splunk: Deployment Guide
8 pages
Learning Linux Binary Analysis: Learning Linux Binary Analysis
From Everand
Learning Linux Binary Analysis: Learning Linux Binary Analysis
Ryan "elfmaster" O'Neill
4/5 (1)
Practical Rust 1.x Cookbook
From Everand
Practical Rust 1.x Cookbook
Rustacean Team
No ratings yet
Practical Rust 1.x Cookbook: 100+ Solutions across Command Line, CI/CD, Kubernetes, Networking, Code Performance and Microservices
From Everand
Practical Rust 1.x Cookbook: 100+ Solutions across Command Line, CI/CD, Kubernetes, Networking, Code Performance and Microservices
Rustacean Team
No ratings yet
Building Telephony Systems with OpenSIPS - Second Edition
From Everand
Building Telephony Systems with OpenSIPS - Second Edition
Goncalves Flavio E.
No ratings yet
Mastering Metasploit - Second Edition
From Everand
Mastering Metasploit - Second Edition
Nipun Jaswal
5/5 (1)
Mastering Metasploit
From Everand
Mastering Metasploit
Nipun Jaswal
No ratings yet
Mastering Swift 3 - Linux
From Everand
Mastering Swift 3 - Linux
Jon Hoffman
No ratings yet
Basic Information About C language PDF
From Everand
Basic Information About C language PDF
Suraj Das
No ratings yet
Interchangeable Instruments Virtual: Ivi-6.1: Ivi High-Speed Lan Instrument Protocol (Hislip)
No ratings yet
Interchangeable Instruments Virtual: Ivi-6.1: Ivi High-Speed Lan Instrument Protocol (Hislip)
49 pages
Assignment 6
No ratings yet
Assignment 6
14 pages
Network Design - Paper 1 Notes
No ratings yet
Network Design - Paper 1 Notes
8 pages
DLNA Guidelines June 2016 - Part 1-2 XDMR
No ratings yet
DLNA Guidelines June 2016 - Part 1-2 XDMR
14 pages
EJPT Cheat Sheet
100% (2)
EJPT Cheat Sheet
49 pages
Computer awareness-WPS Office
No ratings yet
Computer awareness-WPS Office
2 pages
Technical Overview: Azure Sentinel Level 400
No ratings yet
Technical Overview: Azure Sentinel Level 400
40 pages
Application Layer
No ratings yet
Application Layer
107 pages
SJ-20161220134736-010-ZXA10 C300&C350&C320 (V2.1.0) Optical Access Convergence Equipment Configuration Management - PDF - 805260 PDF
No ratings yet
SJ-20161220134736-010-ZXA10 C300&C350&C320 (V2.1.0) Optical Access Convergence Equipment Configuration Management - PDF - 805260 PDF
232 pages
IMS For LTE
No ratings yet
IMS For LTE
149 pages
Distributed Systems Concept & Design Fourth Edition
No ratings yet
Distributed Systems Concept & Design Fourth Edition
26 pages
Zhiell Tutornew
No ratings yet
Zhiell Tutornew
12 pages
Ansi - Scte 104 2012
No ratings yet
Ansi - Scte 104 2012
140 pages
Eve Cook Book 1.12 PDF
No ratings yet
Eve Cook Book 1.12 PDF
237 pages
Wanscam Quick Setup Guide of IP Camera 12-03-15
No ratings yet
Wanscam Quick Setup Guide of IP Camera 12-03-15
17 pages
Enterprise Network Design and Implementation Using Cisco Packet Tracer
No ratings yet
Enterprise Network Design and Implementation Using Cisco Packet Tracer
12 pages
Dragonblood: Attacking The Dragonfly: Handshake of WPA3
No ratings yet
Dragonblood: Attacking The Dragonfly: Handshake of WPA3
50 pages
Service Manual: Echolife Hg850 Gpon Terminal
No ratings yet
Service Manual: Echolife Hg850 Gpon Terminal
81 pages
Konfigurasi VoIP 2 Router
No ratings yet
Konfigurasi VoIP 2 Router
3 pages
Teste Avaya APSS - 2V00290A
No ratings yet
Teste Avaya APSS - 2V00290A
11 pages
Microsens Ftto en PDF
No ratings yet
Microsens Ftto en PDF
16 pages
CNS Model Answers Unit 2
No ratings yet
CNS Model Answers Unit 2
38 pages
OT BASE Asset Discovery Installation and First Steps
No ratings yet
OT BASE Asset Discovery Installation and First Steps
8 pages
RTN 950A V100R009C10 Product Description
No ratings yet
RTN 950A V100R009C10 Product Description
265 pages
Ericsson BSC Commands PDF
0% (3)
Ericsson BSC Commands PDF
2 pages
1 - Unit I - PART - 1 - WEB DESIGNING
No ratings yet
1 - Unit I - PART - 1 - WEB DESIGNING
83 pages
Unit I Introducing IOS XR
No ratings yet
Unit I Introducing IOS XR
27 pages
Fs j179 Ip Phone Uc8095en
No ratings yet
Fs j179 Ip Phone Uc8095en
4 pages
KCNA Exam Question Dump
No ratings yet
KCNA Exam Question Dump
9 pages
MS01 User Guide V2.1
100% (1)
MS01 User Guide V2.1
38 pages