SonicOS Log Event Reference Guide - TULOCKdesbrq3.n-con.net/.../Documents/SonicOS_Log_Event_Reference_Gui… · 2 SONICOS LOG EVENT REFERENCE GUIDE Note: Not all log event messages

COMPREHENSIVE INTERNET SECURITY™

S o n i c WALL Internet Security Ap p l i a n c e s

SonicOS Log Event Reference Guide

Using the SonicOS Log Event Reference Guide

This reference guide lists and describes SonicOS log event messages. Reference a log event mes-sage by using the alphabetical index of log event messages. This document contains the following sections:• “SonicOS Log Event Messages Overview” on page 1• “Configuring SonicOS ‘Log’ > ‘View’” on page 4• “Referencing the SonicOS ‘Log’ > ‘View ’ Field Display” on page 7• “Index of Log Event Messages” on page 9• “Index of Syslog Tag Field Description” on page 57

SonicOS Log Event Messages OverviewDuring the operation of a SonicWALL security appliance, SonicOS software sends log event mes-sages to the ‘Log’ > ‘View’ page in the SonicWALL management interface.In Figure 1, the ‘Log’ > ‘View’ page is displayed.Figure 1 SonicOS Enhanced ‘Log’ > ‘View’ page

Event logging automatically begins when the SonicWALL security appliance is powered on and con-figured. SonicOS supports a traffic log containing entries with multiple fields. Log event messages provide operational informational and debugging information to help you diag-nose problems with communication lines, internal hardware, or your firmware configuration.

Note: For the SonicOS CLI console display, use the show log command to display log events. Refer to the SonicOS CLI Reference Guide located on the SonicWALL Web site: <http://www.sonicwall.com/support/documentation.html>

SONICOS LOG EVENT REFERENCE GUIDE 1

Note: Not all log event messages indicate operational issues with your SonicWALL security appliance.

SonicOS Log EntriesEach log entry contains the date and time of the event and a brief message describing the event. The SonicWALL manages log events in the following manner:• TCP, UDP, or ICMP packets dropped

When IP packets are dropped by the SonicWALL security appliance, dropped TCP, UDP and ICMP messages are displayed. The messages include the source and destination IP addresses of the packet. The TCP or UDP port number or the ICMP code follows the IP address. Log event messages usually include the name of the service in quotation marks.

• Web, FTP, Gopher, or Newsgroup blockedWhen a computer attempts to connect to the blocked site or newsgroup, a log event is displayed. Blocked is defined as a Web site, connection, or event that is denied access from the SonicWALL security appliance. The computer’s IP address, Ethernet address, the name of the blocked Web site, and the Content Filter List Code is displayed. Code definitions for the 12 Content Filter List categories are shown below.

• ActiveX, Java, Cookie or Code Archive blockedWhen ActiveX, Java or Web cookies are blocked, messages with the source and destination IP addresses of the connection attempt is displayed.

• Ping of Death, IP Spoof, and SYN Flood AttacksThe IP address of the machine under attack and the source of the attack is displayed. In most attacks, the source address shown is fake and does not reflect the real source of the attack.

SonicOS ‘Log View Settings’The ‘Log View Settings’ section of the ‘Log’ > ‘View’ page provides you the filtering controls to filter log event messages based on your configured log filter logic. It also contains the following log manage-ment buttons:• Refresh—Renews the ‘Log View’ table with current log event messages.• Clear Log—Empties the entries in the ‘Log View’ table.• E-mail Log—E-mails log event messages to your configured SMTP server or list of e-mail

addresses.• Export Log—Exports the log into a plain .txt or .csv file format.

1. Violence 7. Cult

2. Intimate Apparel/Swim-suit

8. Drugs/Illegal Drugs

3. Nudism 9. Criminal Skills/Illegal Skills

4. Adult/Mature Content/Pornography

10. Sex Education

5. Weapons 11. Gambling

6. Hate/Racism 12. Alcohol & Tobacco

2 SONICOS LOG EVENT REFERENCE GUIDE

SonicOS ‘Log View’ Display FormatThe ‘Log’ > ‘View’ page displays log event messages in following format for alert notification:• Time—Displays the hour and minute the event occurred.• Priority—Displays the level urgency for the event.• Category—Displays the event type.• Message—Displays a description of the event.• Source—Displays the source IP address of incoming IP packet.• Destination—Displays the destination IP address of incoming IP packet.• Note—Displays displays additional information specific to a particular event occurrence.• Rule—Displays the source and destination zones for the access rule. This field provides a link to

the access rule defined in the ‘Firewall’ > ‘Access Rules’ page.The display fields for a log event message provides you with data to verify your configurations, trou-ble-shoot your security appliance, and track IP traffic.


Configuring SonicOS ‘Log’ > ‘View’ The ‘Log’ > ‘View” page in the Web-based SonicWALL management interface allows you to export log reports, e-mail log reports, and monitor real-time Syslog data. As soon as you power on your Son-icWALL security appliance, SonicOS software sends Syslog data to your log. In the SonicWALL man-agement interface, you can navigate through the subcategories of the ‘Log’ setting for reporting and customizing log reports.In Figure 2, the ‘Log’ > ‘View’ page is displayed.Figure 2 SonicOS Enhanced ‘Log’ > ‘View’ page


Setting the Log Filter LogicBy default, the SonicOS filter logic is set to “Priority && Category && Source && Destination.” The double ampersand symbols (&&) indicate the boolean expression “and.” The default SonicOS filter logic displays all log events.In Figure 3, the ‘Log’ > ‘View’ > ‘Log View Settings’ page is displayed.Figure 3 SonicOS ‘Log View Settings’

Applying Custom Log Event Message FiltersThis section provides examples on using the ‘Log View Settings’ to filter log event messages dis-played in the ‘Log View’ page.

Configuration Example: Filtering Log Event Messages by Priority ValueTo set the log filter logic to display only log event messages with a priority level of Emergency:1. Select Emergency from the filter-Priority Value pull-down menu.

2. Click on the Apply Filters button.

Configuration Example: Filtering Log Event Messages by Category ValueTo set the log filter logic to display only log event messages with a category event type of Attacks:1. Select Attacks from the filter-Category Value pull-down menu.


Apply filters

Reset filters

Export logsDefault filter logic

Group filtersDefault filter logic value

Log Event Message Filters


Configuration Example: Filtering Log Event Messages by Source ValueTo set the log filter logic to display only log event messages associated to a source IP address:1. Enter the source IP address or select an interface from the filter-Source Value pull-down menu.


Configuration Example: Filtering Log Event Messages by Destination ValueTo set the log filter logic to display only log event messages associated to a destination IP address:1. Enter the destination IP address or select an interface from the filter-Source Value pull-down

menu. 2. Click on the Apply Filters button.

Using Group FiltersUse Group filters to change the default SonicOS filter logic (Priority && Category && Source && Des-tination) from double ampersand symbols (&&) to double pipe symbols (||) to indicate the boolean expression “or.” When using group filters, select two or more Group Filters checkboxes.

Note: If you select only one Group Filter checkbox, the filter logic will remain the same. Selecting only the Priority-Group Filter checkbox provides you with the following filter logic:

(Priority) && Category && Source && Destination

Configuration Example: Using the ‘Priority’ Group Filter and ‘Category Group’ FilterTo set the log filter logic to display log event messages with a priority level of Emergency or a category event type of Attack:1. Select the ‘Priority’ group filter checkbox.

2. Select the ‘Category’ group filter checkbox.3. Select Emergency from the filter-Priority Value pull-down menu. 4. Select Attacks from the filter-Category Value pull-down menu. Figure 4 illustrates the SonicOS filter logic updated as follows:

(Priority || Category) && Source && Destination

Figure 4 SonicOS Log Group Filters

A filter logic using the boolean expression “||” is less restrictive than the default filter logic using the boolean expression “&&”. With the boolean expression “||”, log event messages are displayed if they match either filter values. With the boolean expression “&&”, log event messages are displayed if they match both filter values.


Exporting the Logs to a FileThis section provides instructions to export your log to a file. To export the log to a file:1. Click on the Export Log button. You will be prompted to select a export file format type as

illustrated in Figure 5.Figure 5 SonicOS Export Log

2. Select a file format: Plain text format used in log and alert e-mail—Saves the log file as plain text, which can be used for alert e-mails.Comma-Separated Value (CSV) format—Saves the log file for importing into Microsoft Excel or other presentation development application.

3. Click on the Export button.4. Save the exported log file to a location on your personal computer’s hard drive.

Note: You can export a log to a file with applied filter settings.

Referencing the SonicOS ‘Log’ > ‘View ’ Field Display

SonicOS 2.5 Enhanced and Standard releases and greater provide the SonicOS ‘Log’ > ‘View’ field display as illustrated in Figure 6.Figure 6 SonicOS ‘Log’ > ‘View’ Field Display

Time and Date Stamp

Priority

Category

Message Descrition

Source IP Address

Destination IP

Log Event Notes

Network Rule


Referencing the SonicWALL Firmware ‘Log’ > ‘View Log’ Field DisplaySonicWALL Firmware 6.6.0.0 release and greater provide the SonicWALL Firmware ‘Log’ > ‘View Log’ field display as illustrated in Figure 7. Figure 7 SonicWALL Firmware Log’ > ‘View Log’ Field Display

Time and Date Stamp

Event Message

Source IP Address

Destination IP Address

Additional Information

Rule Number (If Applicable)


Index of Log Event MessagesThis section contains a list of log event messages for all SonicWALL Firmware and SonicOS Software Releases, ordered alphabetically. Use your web browser’s Find function to search for a command.

Log Event Message Symbols Key

TCP IP Layered-Data Packet Processing and SonicOS Log Event Handling In specific cases of multi-layer packet processing, a TCP connection initially logged as "open," will be rejected by a deeper layer of packet processing. In these cases, the connection request has not been forwarded by the SonicWALL security appliance, and the initial Connection Open SonicOS log event message should be ignored in favor of the TCP Connection Dropped log event message.

Each log event message described in the following table provides the following log event details:• SonicOS Category—Displays the SonicOS Software category event type.• Legacy Category—Displays the SonicWALL Firmware Software category event type.• Priority Level—Displays the level of urgency of the log event message.• Log Message ID Number—Displays the ID number of the log event message.• SNMP Trap Type—Displays the SNMP Trap ID number of the log event message.

Log Event Message Symbol Description Context

%s Ethernet Port Down Represents a character string. [WAN | LAN | DMZ] Ethernet Port Down

The cache is full; %u openconnections; some will be dropped

Represents a numerical string. The cache is full; [40,000] openconnections; some will be dropped

Log Event Message

SonicOS Category

Legacy Category

Priority Level

Log Message ID Number

SNMP Trap Type

Log Event Type

#Web site hit Network Traffic Connection Traffic Information 97 --- Standard HTTP Traffic Report

%s VPN IKE User Activity Information 171 --- Standard Message String

%s High Availability

--- Error 826 --- Simple Message String


--- Warning 827 --- Simple Message String


--- Information 828 --- Simple Message String


--- Alert 829 --- Simple |Message String


--- Notice 830 --- Simple Message String


--- Debug 831 --- Simple Message String

%s ARS --- Information 840 --- Standard Message String

%s ARS --- Notice 841 --- Standard Message String


%s ARS --- Debug 842 --- Standard Message String

%s Ethernet Port Down

Firewall Event System Error Error 333 641 Simple Message String

%s Ethernet Port Up Firewall Event System Error Warning 332 640 Simple Message String

%s-payload processing error

VPN IKE Debug Error 616 --- Standard Message String

SonicWALL Registration Update Needed: Restore your existing security service subscriptions by clicking here.

Security Services Maintenance Warning 496 --- Simple

802.11b Management

Wireless 802.11b Management

Information 518 --- Simple Destination

A prior version of preferences was loaded because the most recent preferences file was inaccessible

Firewall Event System Error Warning 572 648 Simple

A SonicOS Standard to Enhanced Upgrade was performed

Firewall Event Maintenance Information 611 --- Simple

Access attempt from host out of compliance with GSC policy

Security Services Maintenance Information 761 --- Standard

Access attempt from host without Anti-Virus agent installed


Access attempt from host without GSC installed

Security Services Maintenance Information 763 524 Standard

Access rule added Security Services User Activity Information 440 --- Simple Rule

Access rule deleted Firewall Rule User Activity Information 442 --- Simple Rule String

Access rule modified

Firewall Rule User Activity Information 441 --- Simple Rule

Access to proxy server denied

Network Access Blocked Sites Notice 60 705 Standard Note Blocked

ActiveX access denied

Network Access Blocked Code Notice 18 --- Standard Note Blocked


ActiveX or Java archive access denied

Network Access Blocked Code Notice 20 --- Standard Note Blocked

ADConnector %s response timed-out; applying caching policy

Security Services --- Error 769 --- Standard Message String

Add an attack message

Firewall Event Attack Error 143 525 Simple String

Adding Dynamic Entry for Bound MAC Address

Network --- Information 813 --- Standard Note ENET

Adding L2TP IP pool Address object Failed.

L2TP Server System Error Error 603 661 Simple

Adding to multicast policyList, interface:%s

Multicast --- Debug 697 --- Standard Message String

Adding to Multicast policyList, VPN SPI:%s


Administrator logged out

Authentication Access

User Activity Information 261 --- Standard

Administrator logged out -inactivity timer expired



Administrator login allowed



Administrator login denied due to bad credentials


Attack Alert 30 560 Standard

Administrator login denied from %s; logins disabled from this interface


Attack Alert 35 506 Standard Message String

Adminstrator name changed


Maintenance Information 328 --- Standard

All DDNS associations have been deleted

DDNS Maintenance Information 783 --- Simple


All preference values have been set to factory default values


Allowed LDAP server certificate with wrong host name

RADIUS User Activity Warning 752 --- Standard Note String

Anti-Spyware Detection Alert: %s

Intrusion Detection

Attack Alert 795 576 Standard AS Message String

Anti-Spyware Prevention Alert: %s

Intrusion Detection

Attack Alert 794 575 Standard AS Message String

Anti-Spyware Service Expired

Security Services Maintenance Warning 796 577 Simple

Anti-Virus agent out-of-date on host


Anti-Virus Licenses Exceeded


ARP request packet received


ARP request packet sent


ARP response packet received


ARP response packet sent


ARP timeout Network Debug Debug 45 --- Standard

Association Flood from WLAN station

WLAN IDS WLAN IDS Alert 548 903 Simple Destination

Authentication timeout during Remotely Triggered Dial-out session


User Activity Information 821 --- Simple

Back Orifice attack dropped

Intrusion Detection


Backup active High Availability System Error Information 825 --- Simple

Backup firewall being preempted by Primary

High Availability System Error Error 152 619 Simple

Backup firewall has transitioned to Active

High Availability Maintenance Information 145 --- Simple


Backup firewall has transitioned to Idle


Backup going Active in preempt mode after reboot


Backup missed heartbeats from Primary


Backup received error signal from Primary


Backup received reboot signal from Primary


Backup shut down because license is expired

High Availability System Error Error 824 --- Simple

Backup will be shut down in %s minutes

High Availability System Error Error 823 --- Simple Message String

Bad CRL format VPN PKI User Activity Alert 277 --- Simple Destination

Blocked Quick Mode for Client using Default KeyID

VPN Client System Error Error 505 660 Standard

BOOTP Client IP address on LAN conflicts with remote device IP, deleting IP address from remote table

BOOTP Maintenance Information 619 --- Standard Destination

BOOTP reply relayed to local device

BOOTP Maintenance Information 620 --- Standard Destination

BOOTP Request received from remote device

BOOTP Debug Debug 621 --- Standard Destination

BOOTP server response relayed to remote device

BOOTP Debug Debug 618 --- Standard Destination

Broadcast packet dropped

Network Access Debug Debug 46 --- Standard Note Protocol

Cannot connect to the CRL server

VPN PKI User Activity Alert 274 --- Simple Destination

Cannot Validate Issuer Path


Certificate on Revoked list (CRL)



CFL auto-download dis-abled, time prob-lem detected

Security Services Maintenance Information 268 --- Simple

CLI administrator logged out



CLI administrator login allowed



CLI administrator login denied due to bad credentials


User Activity Warning 200 --- Simple

Computed hash does not match hash received from peer

VPN IKE User Activity Warning 410 --- Standard Destination

Connection Closed Network Traffic Connection Traffic Information 537 --- Standard Traffic Report

Connection Opened Network Traffic Connection Information 98 --- Standard Note Protocol

Connection timed out


Cookie removed Network Access Blocked Code Notice 21 --- Standard String Service

CRL has expired VPN PKI User Activity Alert 874 --- Simple Destination

CRL loaded from VPN PKI User Activity Information 270 --- Simple Destination

CRL missing - Issuer requires CRL checking.


CRL validation failure for Root Certificate


Crypto DES test failed

Crypto Test Maintenance Error 360 --- Simple

Crypto DH test failed


Crypto Hardware 3Des test failed


Crypto Hardware 3DES with SHA test failed


Crypto Hardware AES test failed

Crypto Test Maintenance Error 610 --- Standard

Crypto hardware DES test failed


Crypto Hardware DES with SHA test failed



Crypto Hmac-MD5 fest failed


Crypto Hmac-Sha1 test failed


Crypto MD5 test failed


Crypto RSA test failed


Crypto Sha1 test failed


DDNS association %s disabled

DDNS Maintenance Information 781 --- Simple Message String

DDNS association %s enabled


DDNS association %s added


DDNS association %s deactivated


DDNS association %s deleted


DDNS Association %s put on line


DDNS association %s taken Offline locally


DDNS Failure: Provider %s

DDNS System Error Error 774 --- Simple Message String





DDNS Update success for domain %s

DDNS Maintenance Information 776 --- Standard Message String

DDNS Warning: Provider %s

DDNS System Error Warning 777 --- Simple Message String


Deleting from Multicast policy list, interface: %s


Deleting from Multicast policy list, VPN SPI: %s


Deleting IPSec SA VPN IKE User Activity Information 92 --- Standard Note SPI

DHCP client enabled but not ready

DHCP Client Maintenance Information 504 --- Simple

DHCP Client did not get DHCP ACK.

DHCP Client Maintenance Information 109 --- Standard

DHCP Client failed to verify and lease has expired. Go to INIT state.


DHCP Client got a new IP address lease.

DHCP Client Maintenance Information 121 --- Standard Destination

DHCP Client got ACK from server.


DHCP Client got NACK.


DHCP Client is declining address offered by the server.


DHCP Client sending REQUEST and going to REBIND state.


DHCP Client sending REQUEST and going to RENEW state.


DHCP DISCOVER received from remote device

DHCP Relay Debug Information 474 --- Standard Destination

DHCP lease dropped. Lease from Central Gateway conflicts with Relay IP

DHCP Relay Maintenance Warning 228 --- Standard Destination


DHCP lease dropped. Lease from Central Gateway conflicts with Remote Management IP

DHCP Relay Maintenance Warning 484 --- Standard Destination

DHCP lease relayed to local device

DHCP Relay Maintenance Information 223 --- Standard Destination

DHCP lease relayed to remote device


DHCP lease to LAN device conflicts with remote device, deleting remote IP entry


DHCP NAK received from server


DHCP OFFER received from server


DHCP Ranges altered automatically due to change in network settings for interface %s

Firewall Event --- Information 832 --- Simple Message String

DHCP RELEASE received from remote device


DHCP RELEASE relayed to Central Gateway


DHCP REQUEST received from remote device


DHCP Server not available. Did not get any DHCP OFFER.


Diagnostic Code A

Firewall Hardware

System Error Error 93 611 Simple Note String

Diagnostic Code B

Firewall Hardware


Diagnostic Code C

Firewall Hardware



Diagnostic Code D

Firewall Hardware

System Error Error 64 610 Standard Note Code

Diagnostic Code D

Firewall Hardware


Diagnostic Code E

VPN IPSec System Error Error 61 609 Standard Note Code

Diagnostic Code F

Firewall Hardware


Diagnostic Code G

Firewall Hardware


Diagnostic Code H

Firewall Hardware


Diagnostic Code I

Firewall Hardware


Disconnecting L2TP Tunnel due to traffic timeout

L2TP Client Maintenance Information 215 --- Simple

Disconnecting PPPoE due to traffic timeout

PPPPoE Maintenance Information 168 --- Simple

Disconnecting PPTP Tunnel due to traffic timeout

PPTP Maintenance Information 389 --- Simple

Discovered HA Backup Firewall


DNS packet allowed Network Access Debug Information 602 --- Standard Policy

Drop WLAN traffic from non SonicPoint devices

Intrusion Detection

Attack Error 662 572 Standard

Dynamic IPSec client connected

VPN IPSec User Activity Information 62 --- Standard Destination

EIGRP packet dropped

Network Access Debug Notice 714 --- Standard Note String

E-Mail fragment dropped

Intrusion Detection


Error initializing Hardware acceleration for VPN

Firewall Hardware

Maintenance Error 374 --- Simple

Error Rebooting HA Peer Firewall



Error setting the IP address of the backup, please manually set to backup LAN IP


Error synchronizing HA peer firewall (%s)

High Availability System Error Error 158 662 Simple Message String

Exceeded Max multicast address limit

Multicast --- Warning 703 --- Standard

Failed payload validation

VPN IKE User Activity Warning 405 --- Standard

Failed payload verification after decryption. Possible preshared key mismatch


Failed to find certificate


Failed to get CRL from


Failed to Process CRL from


Failed to resolve name

Network Maintenance Information 84 --- Simple Destination

Failed to synchronize Relay IP Table

DHCP Relay System Error Warning 234 632 Standard

Failure to reach Interface %s probe

High Availability System Error Error 675 647 Simple Message String

Fan Failure Firewall Hardware

System Environment

Alert 576 102 Simple

Forbidden E-Mail attachment deleted

Intrusion Detection

Attack Error 248 534 Standard Destination

Forbidden E-Mail attachment disabled

Intrusion Detection

Attack Alert 165 527 Standard Destination

Found Rogue Access Point


Found Rogue Access Point


Fragmented packet dropped

Network TCP | UDP | ICMP Notice 28 --- Standard Note Protocol


Fraudulent Microsoft certificate found; access denied

Intrusion Detection


FTP: Data connection from non default port dropped

Network Access Attack Alert 538 557 Standard

FTP: PASV response bounce attack dropped.

Intrusion Detection

Attack Alert 528 556 Standard Note String

FTP: PASV response spoof attack dropped

Intrusion Detection


FTP: PORT bounce attack dropped.

Intrusion Detection


Gateway Anti-Virus Alert: %s

Security Services Attack Alert 809 --- Standard Message String

Gateway Anti-Virus Service expired

Security Services Maintenance Warning 810 --- Simple

Global VPN Client connection is not allowed. Appliance is not registered.

VPN Client System Error Information 529 643 Standard

Global VPN Client License Exceeded: Connection denied.

VPN Client System Error Information 494 658 Standard

Global VPN Client version cannot enforce personal firewall. Minimum Version required is 2.1

VPN Client User Activity Information 604 --- Standard Destination

Got DHCP OFFER. Selecting.


GSC policy out-of-date on host


Guest account '%s' created


User Activity Information 558 --- Standard Message String

Guest account '%s' deleted



Guest account '%s' disabled




Guest account '%s' pruned



Guest account '%s' re-enabled



Guest account '%s' re-generated



Guest login denied. Guest '%s' is already logged in. Please try again later.



H.323/H.225 Connect

VoIP VoIP Debug 634 --- Standard Note String

H.323/H.225 Setup VoIP VoIP Debug 633 --- Standard Note String

H.323/H.245 Address


H.323/H.245 End Session


H.323/RAS Admission Confirm


H.323/RAS Admission Reject


H.323/RAS Admission Request


H.323/RAS Bandwidth Reject


H.323/RAS Disengage Confirm


H.323/RAS Disengage Reject


H.323/RAS Gatekeeper Reject


H.323/RAS Location Confirm


H.323/RAS Location Reject


H.323/RAS Registration Reject


H.323/RAS Unknown Message Response



H.323/RAS Unregistration Reject


HA packet processing error


HA Peer Firewall Rebooted


HA Peer Firewall Synchronized


Hardware Failover settings were not upgraded.


Header verification failed


HTTP management port has changed

Firewall Event Maintenance Information 340 --- Simple Note String

HTTP method detected; examining stream for host header

Network Access TCP Debug 882 --- Standard Policy

HTTPS management port has changed

Firewall Event Maintenance Information 341 --- Simple Note String

ICMP checksum error

Network Access UDP Notice 886 --- Standard

ICMP packet allowed

Network Access Debug Information 597 --- Standard Policy

ICMP packet dropped

Network Access ICMP Notice 38 --- Standard Policy

ICMP packet dropped

Network Access ICMP Notice 523 --- Standard ICMP Service

ICMP packet from LAN allowed

Network Access Debug Information 598 --- Standard ICMP Service

ICMP packet from LAN dropped

Network Access LAN ICMP | LAN TCP

Notice 175 --- Standard ICMP Service

If not already enabled, enabling NTP is recommended

Firewall Hardware

System Error Warning 540 645 Simple

IGMP packet dropped, wrong checksum received on interface %s

Multicast --- Notice 683 --- Standard Message String


IGMP Leave group message Received on interface %s

Multicast --- Information 682 --- Standard Message String

IGMP packet dropped, decoding error

Multicast --- Notice 686 --- Standard

IGMP Packet Not handled. Packet type: %s


IGMP querier Router detected on interface %s


IGMP querier Router detected on VPN tunnel, SPI %S


IGMP state table entry time out,deleting interface: %s for multicast address: %s


IGMP state table entry time out,deleting VPN SPI:%s for Multicast address: %s


IGMP V2 client joined multicast Group: %s


IGMP V2 Membership report received from interface %s


IGMP V3 client joined multicast Group: %s


IGMP V3 Membership report received from inter-face %s


IGMP V3 packet dropped, unsupported Record type: %s


IGMP V3 reord type: %s not Handled


IKE ID mismatch %s VPN IKE Debug Debug 658 --- Simple Message String


IKE Initiator drop: Packet dest address does not match selected local interface address

VPN IKE User Activity Information 544 --- Standard

IKE Initiator: Accepting IPSec proposal (Phase 2)

VPN IKE User Activity Information 372 --- Standard Note String

IKE Initiator: Accepting peer lifetime. (Phase 1)

VPN IKE User Activity Information 445 --- Standard Destination

IKE Initiator: Aggressive Mode complete (Phase 1).


IKE Initiator: Main Mode complete (Phase 1)


IKE Initiator: Received notify. NO_PROPOSAL_CHOSEN


IKE Initiator: Start Aggressive Mode negotiation (Phase 1)


IKE Initiator: Start Main Mode negotiation (Phase 1)


IKE Initiator: Start Quick Mode (Phase 2).


IKE Initiator: Using secondary gateway to negotiate


IKE negotiation aborted due to timeout


IKE negotiation complete. Adding IPSec SA. (Phase 2)



IKE Responder drop: Packet dest address does not match selected local interface address


IKE Responder: %s policy does not allow static IP for Virtual Adapter.

VPN Client System Error Error 660 --- Standard Message String

IKE Responder: Accepting IPSec proposal (Phase 2)


IKE Responder: Aggressive Mode complete (Phase 1)


IKE Responder: AH Perfect Forward Secrecy mismatch

VPN IKE User Activity Warning 258 544 Standard

IKE Responder: Algorithms and/or keys do not match


IKE Responder: Default LAN gateway is not set but peer is proposing to use this SA as a default route

VPN IKE Attack Error 516 553 Standard Note String

IKE Responder: Default LAN gateway is set but peer is not proposing to use this SA as a default route

VPN IKE User Activity Warning 253 539 Standard Note String

IKE Responder: ESP Perfect Forward Secrecy mismatch


IKE Responder: IKE proposal does not match (Phase 1)



IKE Responder: IP Address already exists in the DHCP relay table. Client traffic not allowed.

VPN Client System Error Error 659 --- Standard Note String

IKE Responder: IPSec proposal does not match (Phase 2)


IKE Responder: Main Mode complete (Phase 1)


IKE Responder: Mode %d - not transport mode. Xauth is required but not supported by peer.

VPN IKE Debug Warning 342 --- Standard Message Number

IKE Responder: Mode %d - nottunnel mode

VPN IKE User Activity Warning 249 535 Standard Message Number

IKE Responder: No match for proposed remote network address


IKE Responder: No matching Phase 1 ID found for proposed remote network


IKE Responder: Proposed local network is 0.0.0.0 but SA has no LAN Default Gateway


IKE Responder: Proposed remote network is 0.0.0.0 but not DHCP relay nor default route


IKE Responder: Received Aggressive Mode request (Phase 1)


IKE Responder: Received Main Mode request (Phase 1)



IKE Responder: Received Quick Mode Request (Phase 2)


IKE Responder: Tunnel terminates inside firewall but proposed local network is not inside firewall


IKE Responder: Tunnelterminates on DMZ but proposed local network is on LAN


IKE Responder: Tunnel terminates on LAN but pro-posed local network is on DMZ


IKE Responder: Tunnel terminates outside firewall but proposed local network is not NAT public address


IKE Responder: Tunnelterminates outside firewall but proposed remote network is not NAT public address


IKE SA lifetime expired.


Illegal IPSec SPI VPN IPSec User Activity Information 65 --- Standard Destination

Imported VPN SA is invalid - disabled

Firewall Event Maintenance Warning 348 --- Standard Note String

Inbound connection from RBL-listed SMTP server dropped

RBL --- Notice 798 --- Standard


Incoming call received for Remotely Triggered Dial-out session



Incompatible IPSec Security Association

VPN IPSec User Activity Information 69 --- Standard Destination

Incorrect authentication received for Remotely Triggered Dial-out



Ini Killer attack dropped

Intrusion Detec-tion


Interface %s Link Is Down

Firewall Event System Error Error 566 647 Simple Message String

Interface %s Link Is Up

Firewall Event System Error Warning 565 646 Simple Message String

Interface IP Assignment: Binding and initializing %s

Firewall Event Maintenance Information 568 --- Simple Message String

Interface IP Assignment changed: Shutting down %s


Interface statistics report

GMS --- Information 805 --- Simple Interface Status

Invalid VLAN packet dropped

Network --- Alert 836 --- Standard Note String

IP Header checksum error

Network Access TCP|UDP Notice 883 --- Standard

IP spoof detected on packet to Central Gateway, packet dropped

DHCP Relay Attack Error 229 533 Standard Note ENET

IP spoof dropped Intrusion Detection

Attack Alert 23 502 Standard Note ENET

IP type %s packet dropped

Network Access LAN UDP | LAN TCP

Notice 590 --- Standard Message String

IPS Detection Alert: %s

Intrusion Detection

Attack Alert 608 569 Standard IDP Message String

IPS Detection Alert: %s

Intrusion Detection



IPS Prevention Alert: %s

Intrusion Detection

Attack Alert 609 570 Standard IDP Message String

IPS Prevention Alert: %s

Intrusion Detection


IPSec (AH) packet dropped

VPN IPSec TCP | UDP | ICMP Notice 534 --- Standard Note String

IPSec (AH) packet dropped; waiting for pending IPSec connection

VPN IPSec Debug Debug 536 --- Standard

IPSec (ESP) packet dropped

VPN IPSec TCP | UDP | ICMP Notice 533 --- Standard Note String

IPSec (ESP) packet dropped; waiting for pending IPSec connection

VPN IPSec Debug Debug 535 --- Standard

IPSec Authentication Failed

VPN IPSec Attack Error 67 508 Standard Destination

IPSec connection interrupt

Network Access Debug Debug 43 --- Standard

IPSec Decryption Failed


IPSec packet dropped

Network Access TCP | UDP | ICMP Notice 40 --- Standard

IPSec packet dropped; waiting for pending IPSec connection


IPSec packet from an illegal host

VPN IPSec Maintenance Information 247 --- Standard Destination

IPSec packet from or to an illegal host


IPSEC Replay Detected

VPN IPSec Attack Alert 180 531 Standard Note String

IPSecTunnel status changed

VPN VPN Tunnel Status Information 427 801 Simple

ISDN Driver Firmware successfully updated


Issuer match failed VPN PKI User Activity Alert 278 --- Simple Destination

Java access denied Network Access Blocked Code Notice 19 --- Standard Note Blocked


L2TP Max Retransmission Exceeded


L2TP PPP Authenti-cation Failed


L2TP PPP Down L2TP Client Maintenance Information 211 --- Simple

L2TP PPP link down L2TP Client Maintenance Information 217 --- Simple

L2TP PPP Negotiation Started


L2TP PPP Session Up


L2TP Server: Deleting the L2TP active Session

L2TP Server Maintenance Information 337 --- Standard Destination

L2TP Server: Deleting the Tunnel


L2TP Server: L2TP Session Established.


L2TP Server: L2TP Tunnel Established.


L2TP Server: Retransmission Timeout, Deleting the Tunnel


L2TP Server: User Name authentication Failure locally.


L2TP Server: Local Authentication Failure


L2TP Server: Local Authentication Success.


L2TP Server: Radius Authentication Success


L2TP Server: Radius reports Authentication Failure



L2TP Server: Radius server not assigned IP address


L2TP Server: Call Disconnect from Remote.


L2TP Server: Tunnel Disconnect from Remote.


L2TP Session Disconnect from Remote


L2TP Session Established


L2TP Session Negotiation Started


L2TP Tunnel Disconnect from Remote


L2TP Tunnel Established


L2TP Tunnel Negotiation Started


LAN Subnet configurations were not upgraded.


Land attack dropped

IntrusionDetection


License exceeded: Connection dropped because too many IP addresses are in use on your LAN

Firewall Event System Error Error 58 608 Standard

License of HA pair doesn't match


Local user login allowed


User Activity Information 31 --- Standard String Service

Local user login denied due to bad credentials



Locked-out user logins allowed - lockout period expired


User Activity Information 438 --- Standard Note String


Locked-out user logins allowed by administrator



Log Cleared Firewall Logging Maintenance Information 5 --- Simple

Log Debug Firewall Event Debug Error 142 --- Simple String

Log successfully sent via email

Firewall Logging Maintenance Information 6 --- Simple

Login screen timed out



MAC address collides with Static ARP Entry with Bound MAC address; packet dropped

Network --- Notice 814 --- Standard Note ENET

Machine %s removed from SYN flood blacklist

Intrusion Detection

--- Alert 865 --- Simple Message String

Malformed or unhandled IP packet dropped

Network Access Debug Alert 522 554 Standard Destination

Maximum events per second threshold exceeded

Firewall Logging System Error Critical 654 --- Simple

Maximum sequential failed dial attempts (10) to a single dial-up number: %s

PPP Dial-Up Attack Error 591 566 Standard Message String

Maximum syslog data per second threshold exceeded

Firewall Logging System Error Critical 655 --- Simple

Multicast application %s not supported


Multicast packet dropped, Invalid src IP received on interface: %s

Multicast --- Alert 685 --- Standard Message String

Multicast packet dropped, wrong MAC address received on inter-face: %s

Multicast --- Alert 684 --- Standard Message String

Multicast TCP packet dropped



Multicast UDP packet dropped,no state entry


Multicast UDP packet dropped, RTCP stateful failed


Multicast UDP packet dropped, RTP stateful failed


NAT device may not support IPSec AH passthrough

VPN IPSec Maintenance Information 266 --- Simple

NAT Discovery: No NAT/NAPT device detected between IPSec Security gateways


NAT Discovery: Local IPSec Security Gateway behind a NAT/NAPT Device


NAT Discovery: Peer IPSec Security Gateway behind a NAT/NAPT Device


NAT Discovery: Peer IPSec Security Gateway doesn't support VPN NAT Traversal


NAT translated packet exceeds size limit, packet dropped

Network Debug Debug 339 --- Standard

Net Spy attack dropped

Intrusion Detection


NetBIOS settings were not upgraded. Use Network>IP Helper to configure NetBIOS support


NetBus attack dropped

Intrusion Detection



Network for interface %soverlaps with another interface.


Network Modem Mode Disabled: re-enabling NAT

PPP Dial-Up Maintenance Information 531 --- Simple

Network Modem Mode Enabled: turning off NAT


New URL List loaded


Newsgroup access allowed


Newsgroup access denied


No Certificate for VPN PKI User Activity Alert 280 --- Simple Destination

No new URL List available


No response from ISP Disconnecting PPPoE.


No response from PPTP server to call requests


No response from PPTP server to control connection requests


No response from server to Echo Requests, disconnecting PPTP Tunnel


No valid DNS server specified for RBL lookups

RBL --- Error 800 --- Simple

Not all configurations may have been completely upgraded


Not enough memory to hold the CRL

VPN PKI User Activity Warning 272 --- Simple Destination


Obtained Relay IP Table from Remote Gateway

DHCP Relay Maintenance Information 233 --- Standard

OCSP Failed to Resolve Domain Name.

VPN PKI User Activity Error 853 --- Standard Note String

OCSP Internal error handling received response.


OCSP received response error.


OCSP received response.

VPN PKI User Activity Information 850 --- Standard Note String

OCSP Resolved Domain Name.


OCSP send request message failed.


OCSP sending request.


Outbound connection toRBL-listed SMTP server dropped

RBL --- Notice 797 --- Standard

Out-of-order command packet dropped


Packet dropped by WLAN guest check

Wireless TCP | UDP | ICMP Warning 488 --- Standard Destination

Packet dropped by WLAN VPN traversal check

Wireless TCP | UDP | ICMP Warning 495 --- Standard Destination

Packet dropped. No firewall rule associated with VPN policy.

VPN System Error Alert 739 --- Standard Note String

Ping of death dropped



PKI Failure: CA certificates store exceeded. Cannot verify this Local Certificate

VPN PKI Maintenance Error 453 --- Simple

PKI Failure: Cannot alloc memory



PKI Failure: Certificate's ID does not match this SonicWALL


PKI Failure: Duplicate local certificate


PKI Failure: Duplicate local certificate name


PKI Failure: Import failed


PKI Failure: Improper file format. Please select PKCS#12 (*.p12) file


PKI Failure: Incorrect admin password


PKI Failure: Internal error


PKI Failure: Loaded but could not verify certificate


PKI Failure: Loaded the certificate but could not verify it's chain


PKI Failure: No CA certificates yet loaded


PKI Failure: Output buffer too small


PKI Failure: public-private key mismatch


PKI Failure: Reached the limit for local certs, cant load any more


PKI Failure: Temporary memory shortage, try again



PKI Failure: The certificate chain has no root


PKI Failure: The certificate chain is circular


PKI Failure: The certificate chain is incomplete


PKI Failure: The certificate or a cer-tificate in the chain has a bad signature


PKI Failure: The certificate or a certificate in the chain has a validity period in the future


PKI Failure: The certificate or a certificate in the chain has expired


PKI Failure: The certificate or a certificate in the chain is corrupt


Please connect interface %s to another network to function properly


Please manually check all system configurations for correctness of Upgrade


Port configured to receive IPSEC ONLY. Drop packet received in the clear.

Network Access TCP | UDP | ICMP Warning 347 --- Standard Destination

Possible port scan dropped

Intrusion Detection


Possible SYN flood attack detected

IntrusionDetection

Attack Warning 25 503 Standard


Possible SYN flood detected on WAN IF %s - switching to connection-proxy mode

Intrusion Detection


Possible SYN Flood on IF %s

Intrusion Detection


Possible SYN Flood on IF %s continues

Intrusion Detection


Possible SYN Flood on IF %s has ceased

Intrusion Detection


PPP Dial-Up: Connect request canceled

PPP Dial-Up User Activity Information 306 --- Simple

PPP Dial-Up: Connected at %s bps - starting PPP

PPP Dial-Up User Activity Information 286 --- Simple Message String

PPP Dial-Up: Connection disconnected as scheduled.

PPP Dial-Up --- Information 666 --- Standard

PPP Dial-Up: Dial initiated by %s

PPP Dial-Up Maintenance Information 324 --- Standard Message String

PPP Dial-Up: Dialed number did not answer


PPP Dial-Up: Dialed number is busy


PPP Dial-Up: Dialing not allowed by schedule. %s

PPP Dial-Up --- Information 665 --- Standard Message String

PPP Dial-Up: Dialing: %s


PPP Dial-Up: Idle time limit exceeded - disconnecting


PPP Dial-Up: Initialization: %s


PPP Dial-Up: Link carrier lost



PPP Dial-Up: Man-ual intervention needed. Check Pri-mary Profile or Pro-file details


PPP Dial-Up: Maximum connection time exceeded - disconnecting


PPP Dial-Up: No dialtone detected - check phone-line connection


PPP Dial-Up: No link carrier detected - check phone num-ber


PPP Dial-Up: No peer IP address from Dial-Up ISP, local and remote IPs will be the same


PPP Dial-Up: PPP link down


PPP Dial-Up: PPP link established


PPP Dial-Up: Previous session was connected for %s


PPP Dial-Up: Received new IP address

PPP Dial-Up User Activity Information 299 --- Standard

PPP Dial-Up: Shutting down link


PPP Dial-Up: The profile in use disabled VPN networking.


PPP Dial-Up: Trying to failover but Alternate Pro-file is manual

WAN Failover User Activity Information 434 --- Simple


PPP Dial-Up: Trying to failover but Primary Profile is manual


PPP Dial-Up: Unknown dialing failure


PPP Dial-Up: User requested connect


PPP Dial-Up: User requested disconnect


PPP Dial-Up: VPN networking restored.


PPP: Authentication successful

PPP User Activity Information 289 --- Simple

PPP: CHAP authentication failed - check username / password


PPP: MS-CHAP authentication failed - check username / password


PPP: PAP Authentication failed - check username / password


PPP: Starting CHAP authentication


PPP: Starting MS-CHAP authentication


PPP: Starting PAP authentication


PPPoE terminated


PPPoE discovery process complete


PPPoE enabled but not ready



PPPoE LCP Link Down


PPPoE LCP Link Up PPPPoE Maintenance Information 128 --- Simple

PPPoE Network Connected


PPPoE Network Disconnected


PPPoE starting CHAP Authentication


PPTP enabled but not ready


PPTP Connect Initiated by the User

PPTP Maintenance Information 390 --- Standard Destination

PPTP Control Connection Established


PPTP Control Connection Negotiation Started


PPTP decodefailure

PPTP Debug Debug 596 --- Standard

PPTP Disconnect Initiated by the User

PPTP Maintenance Information 388 --- Standard Destination

PPTP PAP Authentication success.


PPTP PPP Down PPTP Maintenance Information 385 --- Simple

PPTP PPP Link down


PPTP PPP Link Finished


PPTP PPP Link Up PPTP Maintenance Information 398 --- Simple

PPTP PPP Negotiation Started


PPTP PPP Session Up


PPTP Server is not responding, check if the server is UP and running.


PPTP server rejected control connection



PPTP server rejected the call request


PPTP Session Disconnect from Remote


PPTP Session Established


PPTP Session Negotiation Started


PPTP starting CHAP Authentication


PPTP starting PAP Authentication


PPTP Tunnel Disconnect from Remote


Primary firewall has transitioned to Active


Primary firewall has transitioned to Idle


Primary firewall preempting Backup


Primary missed heartbeats from Backup


Primary received error signal from Backup


Primary received reboot signal from Backup


Priority attack dropped



Probable port scan dropped



Probable TCP FIN scan dropped



Probable TCP NULL scan dropped



Probable TCP XMAS scan dropped




Probing failure on %s

WAN Failover System Error Alert 326 637 Standard Message String

Probing succeeded on %s


Problem loading the URL List; Appli-ance not registered.

Security Services System Error Error 183 623 Simple

Problem loading the URL List; check Filter settings

Security Services System Error Error 10 602 Standard Note Code

Problem loading the URL List; check your DNS server


Problem loading the URL List; Flash write failure.


Problem loading the URL List; Retrying later.

Security Services System Error Error 186 626 Standard

Problem loading the URL List; Subscription expired.

Security Services System Error Error 184 624 Standard

Problem loading the URL List; Try loading it again.


Problem sending log e-mail; check log settings

Firewall Logging System Error Warning 12 604 Simple

Real time clock battery failure Time values may be incorrect

Firewall Hardware

System Error Warning 539 644 Simple

Received a path MTU ICMP message from router/gateway

Network User Activity Information 182 --- Standard Note SPI

Received a path MTU ICMP message from router/gateway

Network User Activity Information 188 --- Standard Note MTU

Received AV Alert: %s

Security Services Maintenance Warning 125 524 Simple Message String


Received AV Alert: Your SonicWALL Network Anti-Virus subscription has expired. %s


Received AV Alert: Your SonicWALL Network Anti-Virus subscription will expire in 7 days. %s


Received CFS Alert: Your SonicWALL Content Filtering subscription has expired.


Received CFS Alert: Your SonicWALL Content Filtering subscription will expire in 7 days.


Received DHCP offer packet has errors


Received E-Mail Filter Alert: Your SonicWALL E-Mail Filtering subscription has expired.


Received E-Mail Filter Alert: Your SonicWALL E-Mail Filtering subscription will expire in 7 days.


Received fragmented packet or fragmentation needed

Network Debug Debug 63 --- Standard

Received IKE SA delete request


Received IPS Alert: Your SonicWALL Intrusion Prevention (IDP) subscription has expired.


Received IPSEC SA delete request



Received ISAKMP packet destined to port %s

VPN IKE Debug | UDP Information 607 --- Standard Message String

Received LCP Echo Reply


Received LCP Echo Request


Received notify: INVALID_COOKIES


Received notify: INVALID_ID_INFO

VPN IPSec User Activity Warning 483 --- Standard

Received notify: INVALID_PAYLOAD

VPN IKE User Activity Error 661 --- Standard

Received notify: INVALID_SPI


Received notify: ISAKMP_AUTH_FAILED


Received notify: PAYLOAD_MALFORMED


Received notify: RESPONDER_LIFETIME


Received packet retransmission. Drop duplicate packet


Received PPPoE Active Discovery Offer


Received PPPoE Active Discovery Session_confirmation


Received response packet for DHCP request has errors


Received unencrypted packet while crypto active


Regulatory requirements pro-hibit %s from being re-dialed for 30 minutes

PPP Dial-Up Attack Error 592 567 Standard Message String


Remotely Triggered Dial-out session ended. Valid WAN bound data found. Normal dial-up sequence will commence



Remotely Triggered Dial-out session started. Requesting authentication



Request for Relay IP Table from Central Gateway


Requesting CRL from

VPN PKI User Activity Information 269 --- Simple Destination

Requesting Relay IP Table from Remote Gateway


Retransmitting DHCP DISCOVER.


Retransmitting DHCP REQUEST (Rebinding).


Retransmitting DHCP REQUEST (Rebooting).


Retransmitting DHCP REQUEST (Renewing).


Retransmitting DHCP REQUEST (Requesting).


Retransmitting DHCP REQUEST (Verifying).


RIP disabled on interface %s

RIP Maintenance Information 419 --- Simple Message String

Ripper attack dropped

Intrusion Detection


RIPv1 enabled on interface %s


RIPv2 compatibility (broadcast) mode enabled on interface %s



RIPv2 enabled on interface %s


Router IGMP General query received on interface %s


Router IGMP Membership query received on interface %s


Sending DHCP DISCOVER.


Sending DHCP RELEASE.


Sending DHCP REQUEST (Rebinding).


Sending DHCP REQUEST (Rebooting).


Sending DHCP REQUEST (Renewing).


Sending DHCP REQUEST (Verifying).


Sending DHCP REQUEST.


Sending LCP Echo Reply


Sending LCP Echo Request


Sending PPPoE Active Discovery Request


Senna Spy attack dropped

Intrusion Detection


Sent Relay IP Table to Central Gateway


SIP Register expiration exceeds configured Signaling inactivity time out

VoIP VoIP Warning 645 --- Standard Note String

SIP Request VoIP VoIP Debug 643 --- Standard Note String


SIP Response VoIP VoIP Debug 644 --- Standard Note String

SMTP POP-Before-SMTP authentication failed

Firewall Logging System Error Warning 656 --- Simple

SMTP server found on RBL blacklist

RBL --- Notice 799 --- Standard Note String

Smurf Amplification attack dropped

Intrusion Detection


SonicPoint Provision

SonicPoint SonicPoint Information 727 --- Simple Destination

SonicPoint statistics report

GMS --- Information 806 --- Simple SonicPoint Sta-tus

SonicPoint Status SonicPoint SonicPoint Information 667 --- Simple Destination

SonicWALL activated

Firewall Event Maintenance Alert 4 --- Simple

SonicWALL initializing


Source routed IP packet dropped

Intrusion |Detection

Debug Warning 428 --- Standard

Spank attack multicast packet dropped

Intrusion Detection


Starting IKE negotiation


Starting PPPoE discovery


Status GMS Maintenance Emergency 96 --- Simple GMS Status

Striker attack dropped

Intrusion Detection


Sub Seven attack dropped

Intrusion Detection


Success to reach Interface %s probe

High Availability System Error Information 674 --- Simple Message String

Successful authentication received for Remotely Triggered Dial-out



SYN Flood Blacklist on IF %s continues

Intrusion Detection



SYN Flood blacklisting dis-abled by user

Intrusion Detection

--- Warning 863 --- Standard

SYN Flood blacklisting enabled by user

IntrusionDetection


SYN flood ceased or flooding machines blacklisted - connection proxy disabled

Intrusion Detection

--- Alert 861 --- Standard

SYN Flood Mode changed by user to: Always proxy WAN connections

Intrusion Detection


SYN Flood Mode changed by user to: Watch and proxy WAN connections when under attack

Intrusion Detection


SYN Flood Mode changed by user to: Watch and report possible SYN floods

Intrusion Detection


Synchronizing pref-erences to HA Peer Firewall


SYN-Flooding machine %s blacklisted

Intrusion Detection


System clock manually updated

Firewall Logging --- Notice 881 --- Simple Note String

TCP checksum error

Network Access TCP Notice 884 --- Standard

TCP connection abort received; TCP connection dropped

Network Debug Debug 713 --- Standard Note String

TCP connection dropped

Network Access TCP Notice 36 --- Standard Policy

TCP connection from LAN denied

Network Access LAN TCP Notice 173 --- Standard Service

TCP connection reject received; TCP connection dropped


TCP FIN packet dropped



TCP handshake violation detected; TCP connection dropped

Network Access --- Notice 760 --- Standard Note String

TCP packet received on a closing connection; TCP packet dropped


TCP packet received on non-existent/closed connection; TCP packet dropped


TCP packet received with invalid ACK number; TCP packet dropped


TCP packet received with invalid header length; TCP packet dropped


TCP packet received with invalid MSS option length; TCP packet dropped


TCP packet received with invalid option length; TCP packet dropped


TCP packet received with invalid SACK option length; TCP packet dropped


TCP packet received with invalid SEQ number; TCP packet dropped


TCP packet received with invalid source port; TCP packet dropped



TCP packet received with invalid SYN Flood cookie; TCP packet dropped

Network Debug Information 897 --- Standard Note String

TCP packet received with SYN flag on an existing connection; TCP packet dropped

Network Debug Information 892 --- Standard Note String

TCP packet received without mandatory ACK flag; TCP packet dropped


TCP packet received without mandatory SYN flag; TCP packet dropped


TCP SYN received Intrusion Detec-tion

--- Debug 869 --- Standard

TCP Syn/Fin packet dropped

Network Access Attack Alert 580 558 Standard Note String

TCP Xmas Tree dropped



The cache is full; %u open connections; some will be dropped

Firewall Event System Error Error 53 607 Standard Message Number

The loaded content URL List has expired.


The network connection in use is %s

WAN Failover System Error Warning 307 639 Standard Message String

The preferences file is too large to be saved in available flash memory


Thermal Red Firewall Hard-ware

System Environ-ment


Thermal Red Timer Exceeded

Firewall Hard-ware

System Environ-ment


Thermal Yellow Firewall Hard-ware

System Environ-ment



Time of day settings for firewall policies were not upgraded.


UDP checksum error

Network Access UDP Notice 885 --- Standard

UDP packet dropped

Network Access UDP Notice 37 --- Standard Policy

UDP packet from LAN dropped

Network Access LAN UDP | LAN TCP

Notice 174 --- Standard Service

Unknown protocol dropped

Network Access Debug Notice 41 --- Standard Note String

Unknown reason VPN PKI User Activity Error 275 --- Simple Destination

User logged out Authentication Access


User logged out - inactivity timer expired



User logged out - max session time exceeded



User logged out - user disconnect detected (heartbeat timer expired)



User login denied - insufficient access on LDAP server

RADIUS User Activity Warning 750 --- Standard String Service

User login denied - invalid credentials on LDAP server


User login denied - LDAP authentica-tion failure

RADIUS User Activity Information 745 --- Standard String Service

User login denied - LDAP communica-tion problem


User login denied - LDAP directory mis-match


User login denied - LDAP schema mis-match


User login denied - LDAP server certifi-cate not valid



User login denied - LDAP server down or misconfigured


User login denied - LDAP server name resolution failed


User login denied - LDAP server time-out


User login denied - RADIUS authentica-tion failure


User login denied - RADIUS communi-cation problem


User login denied - RADIUS configura-tion error


User login denied - RADIUS server name resolution failed


User login denied - RADIUS server timeout


User login denied - TLS or local certifi-cate problem


User login denied - User has no privileges for login from that location


User login denied - User has no privileges for WLAN guest service


User Activity Information 486 --- Standard Destination

User login denied due to bad creden-tials



User login disabled from %s


Attack Error 583 559 Standard Message String

User login failed - Guest service limit reached




User login failure rate exceeded - logins from user IP address denied


Attack Error 329 561 Standard Destination

Virtual Access Point is disabled

SonicPoint 802.11b Management


Virtual Access Point is enabled

SonicPoint 802.11b Management


VoIP %s Endpoint added

VoIP VoIP Debug 637 --- Simple Message String

VoIP %s Endpoint not added - configured 'public' endpoint limit reached

VoIP VoIP Warning 639 --- Simple Message String

VoIP %s Endpoint removed

VoIP VoIP Debug 638 --- Simple Message String

VoIP Call Connected

VoIP VoIP Information 622 --- Standard Note String

VoIP Call Disconnected

VoIP VoIP Information 623 --- Standard Note String

Voltages Out of Tolerance

Firewall Hard-ware

System Environ-ment

Error 575 101 Simple

VPN Cleanup: Dynamic network settings change

VPN User Activity Information 471 --- Standard

VPN Client Policy Provisioning


VPN disabled by administrator


Maintenance Information 506 --- Simple

VPN enabled by administrator



VPN Log Debug VPN IKE Debug Information 172 --- Simple String

VPN policy count received exceeds the limit; %s

VPN System Error Error 719 --- Simple Message String

VPN zone administrator login allowed



VPN zone remote user login allowed



WAN Interface not setup


Wan IP Changed Firewall Event System Error Warning 138 636 Standard


WAN not ready Firewall Event Maintenance Information 502 --- Simple

WAN zone administrator login allowed



WAN zone remote user login allowed



WARNING: DHCP lease relayed from Central Gateway conflicts with IP in Static Devices list


Web access request dropped

Network Access TCP Notice 524 --- Standard Policy

Web management request allowed

Network Access User Activity Notice 526 --- Standard Service

Web site access allowed


Web site access denied

Network Access Blocked Sites Error 14 701 Standard Note Blocked

Wireless MAC Filter List disabled by administrator



Wireless MAC Filter List enabled by administrator



WLAN client null probing

WLAN IDS WLAN IDS Warning 615 904 Standard Destination

WLAN disabled by administrator



WLAN disabled by schedule



WLAN drop traffic to deny network

Network Access --- Information 724 --- Standard Note String

WLAN enabled by administrator



WLAN enabled by schedule



WLAN firmware image has been updated

Wireless Maintenance Information 487 --- Simple String

WLAN Guest Account Timeout



WLAN Guest Idle Timeout




WLAN Guest Session Timeout



WLAN max concurrent users reached already


WLAN not in AP mode, DHCP server will not provide lease to clients on WLAN

Wireless Maintenance Information 617 --- Simple

WLAN pass traffic to access allow network


WLAN recovery Wireless Maintenance Information 519 --- Simple String

WLAN sequence number out of order

WLAN IDS WLAN IDS Warning 547 902 Simple Destination

WLB Failback initiated by %s


WLB Failover in progress

WAN Failover System Error Alert 584 651 Standard

WLB Resource failed


WLB Resource is now available


WLB Spill-over started, configured threshold exceeded

WAN Failover Maintenance Warning 581 --- Simple

WLB Spill-over stopped

WAN Failover Maintenance Warning 582 --- Simple

WPA MIC Failure Wireless 802.11b Management

Warning 663 --- Simple Destination

WPA Radius Server Timeout

Wireless 802.11b Management


XAUTH Failed with VPN client, Authentication failure


XAUTH Failed with VPN client, Cannot Contact RADIUS Server


XAUTH Succeeded with VPN client

VPN Client User Activity Error 139 --- Standard Destination


Index of Syslog Tag Field DescriptionThis section provides an alphabetical listing of Syslog tags and the associated field description.

Tag Field Description

<ddd> Syslog message prefix The beginning of each syslog message has a string of the form <ddd> where ddd is a decimal number indicating facility and priority of the mes-sage. (See [1] Section 4.1.1)

arg URL Used to render a URL: arg represents the URL path name part.

bcastRx Interface statistics report Displays the broadcast packets received

bcastTx Interface statistics report Displays the broadcast packets transmitted

bytesRx Interface statistics report Displays the bytes received

bytesTx Interface statistics report Displays the bytes transmitted

c Message category (legacy only) Indicates the legacy category number (Note: We are not currently sending new category informa-tion.)

change Configuration change webpage Displays the basename of the firewall web page that performed the last configuration change

code Blocking code Indicates the CFS block code category

code ICMP type and code Indicates the ICMP code

conns Firewall status report Indicates the number of connections in use

cpuUtil Firewall status report Displays the CPU utilization (not in use)

dst Destination Destination IP address, and optionally, port, net-work interface, and resolved name.

dstname Destination URL Displays the URL of web site hit and other legacy destination strings

dstname URL Used to render a URL: dstname represents the URL host part

dyn Firewall status report Displays the HA and dialup connection state (ren-dered as “h.d” where “h” is “n” (not enabled), “b” (backup), or “p” (primary) and “d” is “1” (enabled) or “0” (disabled))

fw Firewall WAN IP Indicates the WAN IP Address

fwlan Firewall status report Indicates the LAN zone IP address

goodRxBytes SonicPoint statistics report Indicates the well formed bytes recevied

goodTxBytes SonicPoint statistics report Indicates the well formed bytes transmitted


i Firewall status report Displays the GMS message interval in seconds

id=firewall Webtrends prefix Syntactic sugar for WebTrends (and GMS by habit)

if Interface statistics report Displays the interface on which statistics are reported

ipscat IPS message Displays the IPS category

ipspri IPS message Displays the IPS priority

lic Firewall status report Indicates the number of licenses for firewalls with limited modes

m Message ID Provides the message ID number

mac MAC address Provides the MAC address

msg Static message Displays the event message (from spreadsheet)

msg Dynamically-defined message Displays a dynamically defined message string

msg Static message with dynamic string Displays a message using the predefined mes-sage string containing a “%s” and a dynamic string argument.

msg Static message with dynamic num-ber

Displays a message using the predefined string string containing a “%s” and a dynamic numeric argument.

msg IPS message Displays a message using the predefined mes-sage string containing a “%s” and a dynamic string argument.

msg Anti-Spyware message Displays the event message (from spreadsheet)

n Message count Indicates the number of times event occurs

op HTTP OP code Displays the HTTP operation (GET, POST, etc.) of web site hit

pri Message priority Displays the event priority level (0=emer-gency..7=debug)

proto IP protocol Indicates the IP protocol and detail information

proto Protocol and service Displays the protocol information (rendered as “proto/service”)

proto Protocol and service Displays the protocol information (rendered as “proto/service”)

pt Firewall status report Displays the HTTP/HTTPS management port (rendered as “hhh.sss”)

radio SonicPoint statistics report Displays the SonicPoint radio on which event occurred

ramUtil Firewall status report Displays the RAM utilization (not in use)


rcvd Bytes received Indicates the number of bytes received within connection

result HTTP Result code Displays the HTTP result code (200, 403, etc.) of web site hit

rule Rule ID Displays the Access Rule number causing packet drop

sent Bytes sent Displays the number of bytes sent within connec-tion

sid IPS message Provides the IPS signature ID

sid Anti-Spyware message Provides the AntiSpyware signature ID

sn Firewall serial number Indicates the device serial number

spycat Anti-Spyware message Displays the antiSpyware category

spypri Anti-Spyware message Displays the AntiSpyware priority

src Source Indicates the source IP address, and optionally, port, network interface, and resolved name.

station SonicPoint statistics report Displays the client (station) on which event occurred

time Time Reports the time of event

type ICMP type and code Indicates the ICMP type

ucastRx Interface statistics report Displays the unicast packets received

ucastTx Interface statistics report Displays the unicast packets transmitted

unsynched Firewall status report Reports the time since last local change in sec-onds

usesstandbysa Firewall status report Displays whether standby SA is in use (“1” or “0”) for GMS management

usr (or user) User Displays the user name (“user” is the tag used by WebTrends)

vpnpolicy VPN policy name Displays the VPN policy name of event



© 2002 SonicWALL, I n c . SonicWALL is a registered trademark of SonicWALL, I n c . Other product and company names mentioned herein may bet rademarks and/ or registered trademarks of their respective companies. Specifications and descriptions subject to change with out notice.

T: 408.745.9600F: 408.745.9300

www.sonicwall.comSonicWALL,Inc.1143 Borregas AvenueSunnyvale,CA 94089-1306

P/ N 232-000827-00Rev B 10/05