FortiGate Log Message Reference

v5.0 Patch Release 10

FortiGate Log Message Reference - FortiOS 5.0.10


March 13, 2015
01-510-112804-20150313
Copyright 2015 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, FortiCare and
FortiGuard, and certain other marks are registered trademarks of Fortinet, Inc., in the U.S. and
other jurisdictions, and other Fortinet names herein may also be registered and/or common law
trademarks of Fortinet. All other product or company names may be trademarks of their
respective owners. Performance and other metrics contained herein were attained in internal
lab tests under ideal conditions, and actual performance and other results may vary.
Network variables, different network environments and other conditions may affect
performance results. Nothing herein represents any binding commitment by Fortinet, and
Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet
enters a binding written contract, signed by Fortinet's General Counsel, with a purchaser
that expressly warrants that the identified product will perform according to certain
expressly-identified performance metrics and, in such event, only the specific
performance metrics expressly identified in such binding written contract shall be binding on
Fortinet. For absolute clarity, any such warranty will be limited to performance in the same
ideal conditions as in Fortinet's internal lab tests. In no event does Fortinet make any
commitment related to future deliverables, features or development, and circumstances may
change such that any forward-looking statements herein are not accurate. Fortinet disclaims in
full any covenants, representations, and guarantees pursuant hereto, whether express or
implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this
publication without notice, and the most current version of the publication shall be applicable.

Technical Documentation       docs.fortinet.com
Knowledge Base                kb.fortinet.com
Customer Service & Support    support.fortinet.com
Training Services             training.fortinet.com
FortiGuard                    fortiguard.com
Document Feedback             techdocs@fortinet.com

Change Log

Date          Change Description
2013-03-20    Initial Release.
2013-09-27    Patch 4 Release.
2014-04-01    Patch 6 Release. Added Variable Event Logs Addendum.
2015-01-16    Patch 9 Release. Complete corrections of all terminology.
2015-03-13    Patch 10 Release. Added new Variable Event Logs.

Log Field Name Changes in FortiOS 5.0


4.3                   5.0
app_cat               appcat
app_list              applist
app_type              apptype
asset_id              assetid
asset_name            assetname
attack_id             attackid
attack_name           attackname
carrier_ep            carrierep
cat_desc              catdesc
class_desc            classdesc
conn-mode             connmode
content_type          contenttype
dec_spi               decspi
dir                   direction
dir_disp              dirdisp
dlp_sensor            dlpsensor
dst                   dstip
dst_country           dstcountry
dst_int               dstintf
dst_port              dstport
enc_spi               encspi
end-date              enddate
esp_auth              espauth
esp_transform         esptransform
filter_type           filtertype
icmp_code             icmpcode
icmp_id               icmpid
icmp_type             icmptype
incident_serialno     incidentserialno
lan_in                lanin
lan_out               lanout
loc_ip                locip
loc_port              locport
local_ip              locip
log_id                logid
malform_data          malformdata
malform_desc          malformdesc
message               msg
message_type          messagetype
os_family             osfamily
os_gen                osgen
os_vendor             osvendor
out_intf              outintf
ovrd_id               ovrdid
ovrd_tbl              ovrdtbl
perip_drop            shaperperipdropbyte
perip_name            shaperperipname
pri                   level
profile_group         profilegroup
profile_type          profiletype
quota_exceeded        quotaexceeded
quota_max             quotamax
quota_used            quotaused
rcvd                  rcvdbyte
rcvd_pkt              rcvdpkt
rem_ip                remip
rem_port              remport
remote_ip             remip
req_type              reqtype
request_name          requestname
rule_data             ruledata
rule_type             ruletype
sent                  sentbyte
sent_pkt              sentpkt
shaper_drop_rcvd      shaperdroprcvdbyte
shaper_drop_sent      shaperdropsentbyte
shaper_rcvd_name      shaperrcvdname
shaper_sent_name      shapersentname
src                   srcip
src_country           srccountry
src_int               srcintf
src_port              srcport
start-date            startdate
tran_disp             trandisp
tran_ip               tranip
tran_port             tranport
tran_sip              transip
tran_sport            transport
url_type              urltype
urlfilter_idx         urlfilteridx
urlfilter_list        urlfilterlist
voip_proto            voipproto
vpn_tunnel            vpntunnel
vpn_type              vpntype
vuln_cat              vulncat
vuln_cnt              vulncnt
vuln_id               vulnid
vuln_ref              vulnref
wan_in                wanin
wan_out               wanout
wanopt_app_type       wanoptapptype
xauth_group           xauthgroup
xauth_user            xauthuser
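
Added example (not part of the Fortinet reference): a Python normalizer that applies the 4.3-to-5.0 field renames from the table above to key=value log lines, so that searches and detections written against 5.0 names still match archived 4.3 logs. The sample lines are constructed, the key=value line layout is an assumption, and subtype values are left unchanged.

```python
import re

# 4.3 field names whose 5.0 name is the same string with "_" and "-" removed
# (all taken from the rename table above).
_STRIP_ONLY = """
app_cat app_list app_type asset_id asset_name attack_id attack_name carrier_ep
cat_desc class_desc conn-mode content_type dec_spi dir_disp dlp_sensor
dst_country dst_port enc_spi end-date esp_auth esp_transform filter_type
icmp_code icmp_id icmp_type incident_serialno lan_in lan_out loc_ip loc_port
log_id malform_data malform_desc message_type os_family os_gen os_vendor
out_intf ovrd_id ovrd_tbl profile_group profile_type quota_exceeded quota_max
quota_used rcvd_pkt rem_ip rem_port req_type request_name rule_data rule_type
sent_pkt shaper_rcvd_name shaper_sent_name src_country src_port start-date
tran_disp tran_ip tran_port tran_sip tran_sport url_type urlfilter_idx
urlfilter_list voip_proto vpn_tunnel vpn_type vuln_cat vuln_cnt vuln_id
vuln_ref wan_in wan_out wanopt_app_type xauth_group xauth_user
""".split()

# 4.3 names whose 5.0 name is more than a separator strip (same table).
_IRREGULAR = {
    "dir": "direction", "dst": "dstip", "dst_int": "dstintf",
    "local_ip": "locip", "message": "msg",
    "perip_drop": "shaperperipdropbyte", "perip_name": "shaperperipname",
    "pri": "level", "rcvd": "rcvdbyte", "remote_ip": "remip",
    "sent": "sentbyte",
    "shaper_drop_rcvd": "shaperdroprcvdbyte",
    "shaper_drop_sent": "shaperdropsentbyte",
    "src": "srcip", "src_int": "srcintf",
}

RENAMES = {old: old.replace("_", "").replace("-", "") for old in _STRIP_ONLY}
RENAMES.update(_IRREGULAR)

# One key=value pair: the value is either double-quoted (may contain spaces)
# or a run of non-space characters. This line layout is an assumption.
_PAIR = re.compile(r'([A-Za-z][\w-]*)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_kv(line):
    """Split a key=value log line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, value in _PAIR.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def normalize(fields):
    """Rename 4.3 keys to their 5.0 names.

    Returns (normalized, conflicts). Two 4.3 names can map to one 5.0 name
    (loc_ip and local_ip -> locip, rem_ip and remote_ip -> remip); if they
    carry different values, the first value is kept and the clash is
    reported as (new_name, kept_value, dropped_value) instead of being
    silently overwritten.
    """
    out, conflicts = {}, []
    for key, value in fields.items():
        new = RENAMES.get(key, key)  # names not in the table pass through
        if new in out and out[new] != value:
            conflicts.append((new, out[new], value))
            continue
        out[new] = value
    return out, conflicts


# Constructed sample lines using 4.3 field names (not captured from a device).
SAMPLE_43 = (
    'date=2012-05-01 time=10:15:02 log_id=0021000002 type=traffic '
    'subtype=allowed pri=notice vd=root src=10.1.1.5 src_port=51234 '
    'src_int="port1" dst=192.0.2.10 dst_port=443 dst_int="wan1" '
    'tran_disp=snat tran_sip=198.51.100.7 tran_sport=40001 '
    'sent=1200 rcvd=5400 message="constructed sample"'
)
SAMPLE_COLLISION = 'type=event loc_ip=10.0.0.1 local_ip=10.0.0.2'

if __name__ == "__main__":
    for sample in (SAMPLE_43, SAMPLE_COLLISION):
        record, clashes = normalize(parse_kv(sample))
        print(record)
        print("conflicts:", clashes)
```
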

Log Subtype Name Changes in FortiOS 5.0

Type         4.3 subtypes                                                5.0 subtypes

traffic      allowed                                                     forward/local/multicast
             webcache-traffic, wanopt-traffic, explicit-proxy-traffic    forward
             failed-conn, violation, other                               forward

event        ipsec, sslvpn-user, sslvpn-admin, sslvpn-session            vpn
             ha, gtp, nac-quarantine, config, notification,              system
             perfhistorical, forticlient, mms-stats,
             amc-intf-bypass, admin, ldb-monitor, pattern
             dns, dhcp, l2tp/pptp/pppoe                                  router
             auth, radius                                                user
             wireless                                                    wireless
             wad                                                         wad
             voip                                                        moved to voip logs section

virus        infected                                                    infected
             filename                                                    filename
             oversize                                                    oversized
             scanerror                                                   scanerror
             ---------                                                   analytics
             ---------                                                   switchproto

webfilter    content                                                     content
             urlfilter                                                   urlfilter
             ftgd_blk                                                    ftgd_blk
             ftgd_allow                                                  ftgd_allow
             ftgd_err                                                    ftgd_err
             activexfilter                                               activexfilter
             cookiefilter                                                cookiefilter
             appletfilter                                                appletfilter
             ftgd_quota_counting                                         ftgd_quota_counting
             ftgd_quota                                                  ftgd_quota
             ---------                                                   ftgd_quota_expired
             ---------                                                   webfilter_command_block

ips          signature                                                   signature
             anomaly                                                     anomaly

emailfilter  msn-hotmail                                                 msn
             yahoo-mail                                                  yahoo
             smtp                                                        smtp
             pop3                                                        pop3
             imap                                                        imap
             carrier-endpoint-filter                                     endpointfilter
             mass-mms                                                    mms
             ---------                                                   google
             ---------                                                   mapi

netscan      discovery                                                   discovery
             vulnerability                                               vulnerability

dlp          dlp                                                         dlp
             ---------                                                   dlp-docsource

app-ctrl     app-ctrl-all                                                app-ctrl-all

content      http                                                        http
             ftp                                                         ftp
             smtp                                                        smtp
             pop3                                                        pop3
             imap                                                        imap
             https                                                       https
             im-all                                                      im-all
             nntp                                                        nntp
             voip                                                        voip
             mm1                                                         mm1
             mm3                                                         mm3
             mm4                                                         mm4
             mm7                                                         mm7
             smtps                                                       smtps
             pop3s                                                       pop3s
             imaps                                                       imaps

voip         ---------                                                   voip

Traffic
2
Message ID: 000002
Message Description: allowed message
Type (type): traffic
Subtype (subtype): forward
Level/Severity: notice
Log field

Meaning

type

traffic

subtype

forward

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

status

The status of the traffic.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

trandisp

Whether the packet is source NAT translated (snat) or destination NAT translated (dnat), both (snat+dnat) or neither
(noop).

srcip

The source IP.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

dstip

The destination IP.

dstname

The destination name. This can be a name or an IP address.

dstcountry

Destination country.

srccountry

Source country.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

tranip

The translated IP in NAT mode. For Transparent mode, it is zero.

tranport

The translated port number in NAT mode. For Transparent mode, it is zero.

transip

The translated source IP in NAT mode. For Transparent mode, it is zero.

transport

The translated source port number in NAT mode. For Transparent mode, it is zero.

service

The service where the event or activity occurred.

proto

The protocol number that applies to the session or packet. This is the protocol number in the packet header that
identifies the next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).

duration

Time value in seconds.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched.
This number is not globally unique; it is only locally unique within a given firewall policy.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

shaperdropsentbyte

Shaper dropped sent bytes.

shaperdroprcvdbyte

Shaper dropped received bytes.

shaperperipdropbyte

PerIP dropped bytes.


shapersentname

The name of the traffic shaper sending the bytes.

shaperrcvdname

The name of the traffic shaper receiving the bytes.

shaperperipname

The perIP shaper name.

sentpkt

The number of sent packets related to the log message.

rcvdpkt

The number of received packets related to the log message.

vpn

The name of the VPN tunnel used by the traffic.

vpntype

The type of VPN tunnel that the traffic is flowing through. This field can be any one of the following: ipsec-static,
ipsec-dynamic, ipsec-ddns, sslvpn.

vpntunnel

The name of the VPN tunnel that was used. For example, ssl_vpn1.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstintf

The destination interface.

sessionid

Session ID.

appid

Application ID.

app

The name of the application that triggered the action within the control list. For example, SSL.

appcat

The application category that the application is associated with.

applist

The name of the application control list that was used to detect and take action.

appact

Application action.

user

User name.

group

The group name.

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

crscore

Client Reputation score.

craction

Client Reputation action.

3
Message ID: 000003
Message Description: violation message
Type (type): traffic
Subtype (subtype): invalid
Level/Severity: warning
Log field

Meaning

type

traffic

subtype

invalid

level

warning

date

The date at which the log was recorded.

time

The time at which the log was recorded.

status

The status of the traffic.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip

The source IP.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

dstip

The destination IP.

dstname

The destination name. This can be a name or an IP address.

dstcountry

Destination country.

srccountry

Source country.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

service

The service where the event or activity occurred.

proto

The protocol number that applies to the session or packet. This is the protocol number in the packet header that
identifies the next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).

duration

Time value in seconds.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched.
This number is not globally unique; it is only locally unique within a given firewall policy.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

shaperdropsentbyte

Shaper dropped sent bytes.

shaperdroprcvdbyte

Shaper dropped received bytes.

shaperperipdropbyte

PerIP dropped bytes.

shapersentname

The name of the traffic shaper sending the bytes.

shaperrcvdname

The name of the traffic shaper receiving the bytes.

shaperperipname

The perIP shaper name.

sentpkt

The number of sent packets related to the log message.

rcvdpkt

The number of received packets related to the log message.

vpn

The name of the VPN tunnel used by the traffic.

vpntype

The type of VPN tunnel that the traffic is flowing through. This field can be any one of the following: ipsec-static,
ipsec-dynamic, ipsec-ddns, sslvpn.

vpntunnel

The name of the VPN tunnel that was used. For example, ssl_vpn1.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstintf

The destination interface.

sessionid

Session ID.

appid

Application ID.

app

The name of the application that triggered the action within the control list. For example, SSL.

appcat

The application category that the application is associated with.

applist

The name of the application control list that was used to detect and take action.

appact

Application action.

user

User name.

group

The group name.

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

crscore

Client Reputation score.

craction

Client Reputation action.

4
Message ID: 000004
Message Description: other message
Type (type): traffic
Subtype (subtype): invalid
Level/Severity: notice
Log field

Meaning

type

traffic

subtype

invalid

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

status

The status of the traffic.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip

The source IP.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

dstip

The destination IP.

dstname

The destination name. This can be a name or an IP address.

dstcountry

Destination country.

srccountry

Source country.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

tranip

The translated IP in NAT mode. For Transparent mode, it is zero.

tranport

The translated port number in NAT mode. For Transparent mode, it is zero.

transip

The translated source IP in NAT mode. For Transparent mode, it is zero.

transport

The translated source port number in NAT mode. For Transparent mode, it is zero.

service

The service where the event or activity occurred.

proto

The protocol number that applies to the session or packet. This is the protocol number in the packet header that
identifies the next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).

duration

Time value in seconds.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched.
This number is not globally unique; it is only locally unique within a given firewall policy.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

shaperdropsentbyte

Shaper dropped sent bytes.

shaperdroprcvdbyte

Shaper dropped received bytes.

shaperperipdropbyte

PerIP dropped bytes.


shapersentname

The name of the traffic shaper sending the bytes.

shaperrcvdname

The name of the traffic shaper receiving the bytes.

shaperperipname

The perIP shaper name.

sentpkt

The number of sent packets related to the log message.

rcvdpkt

The number of received packets related to the log message.

vpn

The name of the VPN tunnel used by the traffic.

vpntype

The type of VPN tunnel that the traffic is flowing through. This field can be any one of the following: ipsec-static,
ipsec-dynamic, ipsec-ddns, sslvpn.

vpntunnel

The name of the VPN tunnel that was used. For example, ssl_vpn1.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstintf

The destination interface.

sessionid

Session ID.

appid

Application ID.

app

The name of the application that triggered the action within the control list. For example, SSL.

appcat

The application category that the application is associated with.

applist

The name of the application control list that was used to detect and take action.

appact

Application action.

user

User name.

group

The group name.

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

crscore

Client Reputation score.

craction

Client Reputation action.

5
Message ID: 000005
Message Description: allowed icmp message
Type (type): traffic
Subtype (subtype): invalid
Level/Severity: notice
Log field

Meaning

type

traffic

subtype

invalid

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

status

The status of the traffic.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

trandisp

Whether the packet is source NAT translated (snat) or destination NAT translated (dnat), both (snat+dnat) or neither
(noop).

srcip

The source IP.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

dstip

The destination IP.

dstname

The destination name. This can be a name or an IP address.

dstcountry

Destination country.

srccountry

Source country.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

tranip

The translated IP in NAT mode. For Transparent mode, it is zero.

tranport

The translated port number in NAT mode. For Transparent mode, it is zero.

transip

The translated source IP in NAT mode. For Transparent mode, it is zero.

transport

The translated source port number in NAT mode. For Transparent mode, it is zero.

service

The service where the event or activity occurred.

proto

The protocol number that applies to the session or packet. This is the protocol number in the packet header that
identifies the next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).

duration

Time value in seconds.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched.
This number is not globally unique; it is only locally unique within a given firewall policy.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

shaperdropsentbyte

Shaper dropped sent bytes.

shaperdroprcvdbyte

Shaper dropped received bytes.

shaperperipdropbyte

PerIP dropped bytes.


shapersentname

The name of the traffic shaper sending the bytes.

shaperrcvdname

The name of the traffic shaper receiving the bytes.

shaperperipname

The perIP shaper name.

sentpkt

The number of sent packets related to the log message.

rcvdpkt

The number of received packets related to the log message.

vpn

The name of the VPN tunnel used by the traffic.

vpntype

The type of VPN tunnel that the traffic is flowing through. This field can be any one of the following: ipsec-static,
ipsec-dynamic, ipsec-ddns, sslvpn.

vpntunnel

The name of the VPN tunnel that was used. For example, ssl_vpn1.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstintf

The destination interface.

sessionid

Session ID.

appid

Application ID.

app

The name of the application that triggered the action within the control list. For example, SSL.

appcat

The application category that the application is associated with.

applist

The name of the application control list that was used to detect and take action.

appact

Application action.

user

User name.

group

The group name.

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

crscore

Client Reputation score.

craction

Client Reputation action.

6
Message ID: 000006
Message Description: deny internal icmp message
Type (type): traffic
Subtype (subtype): invalid
Level/Severity: warning
Log field

Meaning

type

traffic

subtype

invalid

level

warning

date

The date at which the log was recorded.

time

The time at which the log was recorded.

status

The status of the traffic.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip

The source IP.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

dstip

The destination IP.

dstname

The destination name. This can be a name or an IP address.

dstcountry

Destination country.

srccountry

Source country.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

service

The service where the event or activity occurred.

proto

The protocol number that applies to the session or packet. This is the protocol number in the packet header that
identifies the next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).

duration

Time value in seconds.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched.
This number is not globally unique; it is only locally unique within a given firewall policy.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

shaperdropsentbyte

Shaper dropped sent bytes.

shaperdroprcvdbyte

Shaper dropped received bytes.

shaperperipdropbyte

PerIP dropped bytes.

shapersentname

The name of the traffic shaper sending the bytes.

shaperrcvdname

The name of the traffic shaper receiving the bytes.

shaperperipname

The perIP shaper name.

sentpkt

The number of sent packets related to the log message.

rcvdpkt

The number of received packets related to the log message.

vpn

The name of the VPN tunnel used by the traffic.

vpntype

The type of VPN tunnel that the traffic is flowing through. This field can be any one of the following: ipsec-static,
ipsec-dynamic, ipsec-ddns, sslvpn.

vpntunnel

The name of the VPN tunnel that was used. For example, ssl_vpn1.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstintf

The destination interface.

sessionid

Session ID.

appid

Application ID.

app

The name of the application that triggered the action within the control list. For example, SSL.

appcat

The application category that the application is associated with.

applist

The name of the application control list that was used to detect and take action.

appact

Application action.

user

User name.

group

The group name.

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

crscore

Client Reputation score.

craction

Client Reputation action.

7
Message ID: 000007
Message Description: deny external icmp message
Type (type): traffic
Subtype (subtype): invalid
Level/Severity: warning
Log field

Meaning

type

traffic

subtype

invalid

level

warning

date

The date at which the log was recorded.

time

The time at which the log was recorded.

status

The status of the traffic.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip

The source IP.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

dstip

The destination IP.

dstname

The destination name. This can be a name or an IP address.

dstcountry

Destination country.

srccountry

Source country.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

service

The service where the event or activity occurred.

proto

The protocol number that applies to the session or packet. This is the protocol number in the packet header that
identifies the next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).

duration

Time value in seconds.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched.
This number is not globally unique; it is only locally unique within a given firewall policy.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

shaperdropsentbyte

Shaper dropped sent bytes.

shaperdroprcvdbyte

Shaper dropped received bytes.

shaperperipdropbyte

PerIP dropped bytes.

shapersentname

The name of the traffic shaper sending the bytes.

shaperrcvdname

The name of the traffic shaper receiving the bytes.

shaperperipname

The perIP shaper name.

sentpkt

The number of sent packets related to the log message.

rcvdpkt

The number of received packets related to the log message.

vpn

The name of the VPN tunnel used by the traffic.

vpntype

The type of VPN tunnel that the traffic is flowing through. This field can be any one of the following: ipsec-static,
ipsec-dynamic, ipsec-ddns, sslvpn.

vpntunnel

The name of the VPN tunnel that was used. For example, ssl_vpn1.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstintf

The destination interface.

sessionid

Session ID.

appid

Application ID.

app

The name of the application that triggered the action within the control list. For example, SSL.

appcat

The application category that the application is associated with.

applist

The name of the application control list that was used to detect and take action.

appact

Application action.

user

User name.

group

The group name.

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

crscore

Client Reputation score.

craction

Client Reputation action.

8
Message ID: 000008
Message Description: WAN optimization traffic
Type (type): traffic
Subtype (subtype): forward
Level/Severity: notice
Log field

Meaning

type

traffic

subtype

forward

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip

The source IP.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

dstip

The destination IP.

dstname

The destination name. This can be a name or an IP address.

dstcountry

Destination country.

srccountry

Source country.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

wanoptapptype

WANOpt app type. One of: web-cache, cifs, tcp, ftp, mapi, http, web-proxy, ftp-proxy.

duration

Time value in seconds.

policyid

The ID number of the firewall policy that applies to the session or packet.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.

wanin

WAN in.

wanout

WAN out.

lanin

LAN in.

lanout

LAN out.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstintf

The destination interface.

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

9
Message ID: 000009
Message Description: webcache traffic
Type (type): traffic
Subtype (subtype): forward
Level/Severity: notice
Log field

Meaning

type

traffic

subtype

forward

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip

The source IP.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

dstip

The destination IP.

dstname

The destination name. This can be a name or an IP address.

dstcountry

Destination country.

srccountry

Source country.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

wanoptapptype

WANOpt app type. One of: web-cache, cifs, tcp, ftp, mapi, http, web-proxy, ftp-proxy.

duration

Time value in seconds.

policyid

The ID number of the firewall policy that applies to the session or packet.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.

wanin

WAN in.

wanout

WAN out.

lanin

LAN in.

lanout

LAN out.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstintf

The destination interface.

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

10
Message ID: 000010
Message Description: explicit proxy traffic
Type (type): traffic
Subtype (subtype): forward
Level/Severity: notice
Log field

Meaning

type

traffic

subtype

forward

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip

The source IP.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

dstip

The destination IP.

dstname

The destination name. This can be a name or an IP address.

dstcountry

Destination country.

srccountry

Source country.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

wanoptapptype

WANOpt app type. One of: web-cache, cifs, tcp, ftp, mapi, http, web-proxy, ftp-proxy.

duration

Time value in seconds.

policyid

The ID number of the firewall policy that applies to the session or packet.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.

wanin

WAN in.

wanout

WAN out.

lanin

LAN in.

lanout

LAN out.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstintf

The destination interface.

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

11
Message ID: 000011
Message Description: failed connection attempts
Type (type): traffic
Subtype (subtype): invalid
Level/Severity: warning
Log field

Meaning

type

traffic

subtype

invalid

level

warning

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip

The source IP.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

dstip

The destination IP.

dstname

The destination name. This can be a name or an IP address.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

duration

Time value in seconds.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstintf

The destination interface.

sessionid

Session ID.

user

User name.

group

The group name.

crscore

Client Reputation score.

craction

Client Reputation action.

12
Message ID: 000012
Message Description: multicast allowed message
Type (type): traffic
Subtype (subtype): multicast
Level/Severity: notice
Log field

Meaning

type

traffic

subtype

multicast

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

status

The status of the traffic.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

trandisp

Whether the packet is source NAT translated (snat) or destination NAT translated (dnat), both (snat+dnat) or neither
(noop).

srcip

The source IP.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

dstip

The destination IP.

dstname

The destination name. This can be a name or an IP address.

dstcountry

Destination country.

srccountry

Source country.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

tranip

The translated IP in NAT mode. For Transparent mode, it is zero.

tranport

The translated port number in NAT mode. For Transparent mode, it is zero.

transip

The translated source IP in NAT mode. For Transparent mode, it is zero.

transport

The translated source port number in NAT mode. For Transparent mode, it is zero.

service

The service where the event or activity occurred.

proto

The protocol number that applies to the session or packet. This is the protocol number in the packet header that
identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).

duration

Time value in seconds.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched.
This number is not globally unique; it is only locally unique within a given firewall policy.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

shaperdropsentbyte

Shaper dropped sent bytes.

shaperdroprcvdbyte

Shaper dropped received bytes.

shaperperipdropbyte

PerIP dropped bytes.

shapersentname

The name of the traffic shaper sending the bytes.

shaperrcvdname

The name of the traffic shaper receiving the bytes.

shaperperipname

The perIP shaper name.

sentpkt

The number of sent packets related to the log message.

rcvdpkt

The number of received packets related to the log message.

vpn

The name of the VPN tunnel used by the traffic.

vpntype

The type of VPN tunnel that the traffic is flowing through. This field can be any one of the following: ipsec-static,
ipsec-dynamic, ipsec-ddns, sslvpn.

vpntunnel

The name of the VPN tunnel that was used. For example, ssl_vpn1.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstintf

The destination interface.

sessionid

Session ID.

appid

Application ID.

app

The name of the application that triggered the action within the control list. For example, SSL.

appcat

The application category that the application is associated with.

applist

The name of the application control list that was used to detect and take action.

appact

Application action.

user

User name.

group

The group name.

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

crscore

Client Reputation score.

craction

Client Reputation action.

13
Message ID: 000013
Message Description: traffic forward message
Type (type): traffic
Subtype (subtype): forward
Level/Severity: notice
Log field

Meaning

type

traffic

subtype

forward

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

status

The status of the traffic.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

trandisp

Whether the packet is source NAT translated (snat) or destination NAT translated (dnat), both (snat+dnat) or neither
(noop).

srcip

The source IP.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

dstip

The destination IP.

dstname

The destination name. This can be a name or an IP address.

dstcountry

Destination country.

srccountry

Source country.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

tranip

The translated IP in NAT mode. For Transparent mode, it is zero.

tranport

The translated port number in NAT mode. For Transparent mode, it is zero.

transip

The translated source IP in NAT mode. For Transparent mode, it is zero.

transport

The translated source port number in NAT mode. For Transparent mode, it is zero.

service

The service where the event or activity occurred.

proto

The protocol number that applies to the session or packet. This is the protocol number in the packet header that
identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).

duration

Time value in seconds.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched.
This number is not globally unique; it is only locally unique within a given firewall policy.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

shaperdropsentbyte

Shaper dropped sent bytes.

shaperdroprcvdbyte

Shaper dropped received bytes.

shaperperipdropbyte

PerIP dropped bytes.

shapersentname

The name of the traffic shaper sending the bytes.

shaperrcvdname

The name of the traffic shaper receiving the bytes.

shaperperipname

The perIP shaper name.

sentpkt

The number of sent packets related to the log message.

rcvdpkt

The number of received packets related to the log message.

vpn

The name of the VPN tunnel used by the traffic.

vpntype

The type of VPN tunnel that the traffic is flowing through. This field can be any one of the following: ipsec-static,
ipsec-dynamic, ipsec-ddns, sslvpn.

vpntunnel

The name of the VPN tunnel that was used. For example, ssl_vpn1.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstintf

The destination interface.

sessionid

Session ID.

appid

Application ID.

app

The name of the application that triggered the action within the control list. For example, SSL.

appcat

The application category that the application is associated with.

applist

The name of the application control list that was used to detect and take action.

appact

Application action.

user

User name.

group

The group name.

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

utmaction

The UTM action taken by the system.

filename

The name of the file that was transferred.

virus

The name of the virus detected.

attack

ATTACK

hostname

The hostname information.

catdesc

The category description.

sender

SENDER

recipient

RECIPIENT

mailcount

MAILCOUNT

spamcount

SPAMCOUNT

dlprule

DLP rule.

utmevent

The type of UTM event taking place.

utmseverity

UTM severity.

sha256

SHA256 hash.

analyticssubmit

Whether analytics were submitted or not. Can be false or true.

crscore

Client Reputation score.

craction

Client Reputation action.

14
Message ID: 000014
Message Description: traffic local message
Type (type): traffic
Subtype (subtype): local
Level/Severity: notice
Log field

Meaning

type

traffic

subtype

local

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

status

The status of the traffic.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

trandisp

Whether the packet is source NAT translated (snat) or destination NAT translated (dnat), both (snat+dnat) or neither
(noop).

srcip

The source IP.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

dstip

The destination IP.

dstname

The destination name. This can be a name or an IP address.

dstcountry

Destination country.

srccountry

Source country.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

tranip

The translated IP in NAT mode. For Transparent mode, it is zero.

tranport

The translated port number in NAT mode. For Transparent mode, it is zero.

transip

The translated source IP in NAT mode. For Transparent mode, it is zero.

transport

The translated source port number in NAT mode. For Transparent mode, it is zero.

service

The service where the event or activity occurred.

proto

The protocol number that applies to the session or packet. This is the protocol number in the packet header that
identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).

duration

Time value in seconds.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched.
This number is not globally unique; it is only locally unique within a given firewall policy.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

shaperdropsentbyte

Shaper dropped sent bytes.

shaperdroprcvdbyte

Shaper dropped received bytes.

shaperperipdropbyte

PerIP dropped bytes.

shapersentname

The name of the traffic shaper sending the bytes.

shaperrcvdname

The name of the traffic shaper receiving the bytes.

shaperperipname

The perIP shaper name.

sentpkt

The number of sent packets related to the log message.

rcvdpkt

The number of received packets related to the log message.

vpn

The name of the VPN tunnel used by the traffic.

vpntype

The type of VPN tunnel that the traffic is flowing through. This field can be any one of the following: ipsec-static,
ipsec-dynamic, ipsec-ddns, sslvpn.

vpntunnel

The name of the VPN tunnel that was used. For example, ssl_vpn1.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstintf

The destination interface.

sessionid

Session ID.

appid

Application ID.

app

The name of the application that triggered the action within the control list. For example, SSL.

appcat

The application category that the application is associated with.

applist

The name of the application control list that was used to detect and take action.

appact

Application action.

user

User name.

group

The group name.

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

crscore

Client Reputation score.

craction

Client Reputation action.

15
Message ID: 000015
Message Description: start forward message
Type (type): traffic
Subtype (subtype): forward
Level/Severity: notice
Log field

Meaning

type

traffic

subtype

forward

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

status

The status of the traffic.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

trandisp

Whether the packet is source NAT translated (snat) or destination NAT translated (dnat), both (snat+dnat) or neither
(noop).

srcip

The source IP.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

dstip

The destination IP.

dstname

The destination name. This can be a name or an IP address.

dstcountry

Destination country.

srccountry

Source country.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

tranip

The translated IP in NAT mode. For Transparent mode, it is zero.

tranport

The translated port number in NAT mode. For Transparent mode, it is zero.

transip

The translated source IP in NAT mode. For Transparent mode, it is zero.

transport

The translated source port number in NAT mode. For Transparent mode, it is zero.

service

The service where the event or activity occurred.

proto

The protocol number that applies to the session or packet. This is the protocol number in the packet header that
identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).

duration

Time value in seconds.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched.
This number is not globally unique; it is only locally unique within a given firewall policy.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

shaperdropsentbyte

Shaper dropped sent bytes.

shaperdroprcvdbyte

Shaper dropped received bytes.

shaperperipdropbyte

PerIP dropped bytes.

shapersentname

The name of the traffic shaper sending the bytes.

shaperrcvdname

The name of the traffic shaper receiving the bytes.

shaperperipname

The perIP shaper name.

sentpkt

The number of sent packets related to the log message.

rcvdpkt

The number of received packets related to the log message.

vpn

The name of the VPN tunnel used by the traffic.

vpntype

The type of VPN tunnel that the traffic is flowing through. This field can be any one of the following: ipsec-static,
ipsec-dynamic, ipsec-ddns, sslvpn.

vpntunnel

The name of the VPN tunnel that was used. For example, ssl_vpn1.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstintf

The destination interface.

sessionid

Session ID.

appid

Application ID.

app

The name of the application that triggered the action within the control list. For example, SSL.

appcat

The application category that the application is associated with.

applist

The name of the application control list that was used to detect and take action.

appact

Application action.

user

User name.

group

The group name.

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

crscore

Client Reputation score.

craction

Client Reputation action.

16
Message ID: 000016
Message Description: start local message
Type (type): traffic
Subtype (subtype): local
Level/Severity: notice
Log field

Meaning

type

traffic

subtype

local

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

status

The status of the traffic.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip

The source IP.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

dstip

The destination IP.

dstname

The destination name. This can be a name or an IP address.

dstcountry

Destination country.

srccountry

Source country.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

tranip

The translated IP in NAT mode. For Transparent mode, it is zero.

tranport

The translated port number in NAT mode. For Transparent mode, it is zero.

transip

The translated source IP in NAT mode. For Transparent mode, it is zero.

transport

The translated source port number in NAT mode. For Transparent mode, it is zero.

service

The service where the event or activity occurred.

proto

The protocol number that applies to the session or packet. This is the protocol number in the packet header that
identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).

duration

Time value in seconds.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched.
This number is not globally unique; it is only locally unique within a given firewall policy.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

shaperdropsentbyte

Shaper dropped sent bytes.

shaperdroprcvdbyte

Shaper dropped received bytes.

shaperperipdropbyte

PerIP dropped bytes.

shapersentname

The name of the traffic shaper sending the bytes.

shaperrcvdname

The name of the traffic shaper receiving the bytes.

shaperperipname

The perIP shaper name.

sentpkt

The number of sent packets related to the log message.

rcvdpkt

The number of received packets related to the log message.

vpn

The name of the VPN tunnel used by the traffic.

vpntype

The type of VPN tunnel that the traffic is flowing through. This field can be any one of the following: ipsec-static,
ipsec-dynamic, ipsec-ddns, sslvpn.

vpntunnel

The name of the VPN tunnel that was used. For example, ssl_vpn1.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstintf

The destination interface.

sessionid

Session ID.

appid

Application ID.

app

The name of the application that triggered the action within the control list. For example, SSL.

appcat

The application category that the application is associated with.

applist

The name of the application control list that was used to detect and take action.

appact

Application action.

user

User name.

group

The group name.

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

crscore

Client Reputation score.

craction

Client Reputation action.

Netscan
4096
Message ID: 004096
Message Description: Network scan performed
Type (type): utm
Subtype (subtype): netscan
Event Type (eventtype): vulnerability
Level/Severity: notice
Log field

Meaning

type

utm

subtype

netscan

eventtype

vulnerability

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

The nature of the netscan event. Scan, vuln-detection, host-detection, os-scan, port-detection, service-detection, vuln-count.

start

GMT epoch time the scan started.

end

GMT epoch time the scan ended.

status

Scan status: start, stop, pause, resume, complete.

engine

Version of the netscan engine.

plugin

Version of the netscan plugin.

4097
Message ID: 004097
Message Description: Network scan performed
Type (type): utm
Subtype (subtype): netscan
Event Type (eventtype): discovery
Level/Severity: notice
Log field

Meaning

type

utm

subtype

netscan

eventtype

discovery

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

The nature of the netscan event. Scan, vuln-detection, host-detection, os-scan, port-detection, service-detection, vuln-count.

start

GMT epoch time the scan started.

end

GMT epoch time the scan ended.

status

Scan status: start, stop, pause, resume, complete.

engine

Version of the netscan engine.

plugin

Version of the netscan plugin.

4098
Message ID: 004098
Message Description: Netscan vulnerability detected
Type (type): utm
Subtype (subtype): netscan
Event Type (eventtype): vulnerability
Level/Severity: notice
Log field

Meaning

type

utm

subtype

netscan

eventtype

vulnerability

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

The nature of the netscan event. Scan, vuln-detection, host-detection, os-scan, port-detection, service-detection, vuln-count.

dstip

The destination IP.

vuln

Name of the detected vulnerability.

vulncat

Category of the detected vulnerability.

vulnid

ID of the detected vulnerability.

vulnref

Reference to the detected vulnerability in FortiGuard.

severity

The priority level of the attack log. Can be info, low, medium, high, or critical.

vulnscore

NIST score of the detected vulnerability.

proto

Protocol. Either TCP or UDP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

4099
Message ID: 004099
Message Description: Netscan OS detected
Type (type): utm
Subtype (subtype): netscan
Event Type (eventtype): discovery
Level/Severity: notice
Log field

Meaning

type

utm

subtype

netscan

eventtype

discovery

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

The nature of the netscan event. Scan, vuln-detection, host-detection, os-scan, port-detection, service-detection, vuln-count.

dstip

The destination IP.

os

Operating system name.

osfamily

OS family.

osgen

OS generation.

osvendor

OS vendor.

4100
Message ID: 004100
Message Description: Netscan service detected
Type (type): utm
Subtype (subtype): netscan
Event Type (eventtype): discovery
Level/Severity: notice
Log field

Meaning

type

utm

subtype

netscan

eventtype

discovery

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

The nature of the netscan event. Scan, vuln-detection, host-detection, os-scan, port-detection, service-detection, vuln-count.

dstip

The destination IP.

service

The service where the event or activity occurred.

proto

Protocol. Either TCP or UDP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

4101
Message ID: 004101
Message Description: Notification message
Type (type): utm
Subtype (subtype): netscan
Event Type (eventtype): vulnerability
Level/Severity: notice
Log field

Meaning

type

utm

subtype

netscan

eventtype

vulnerability

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

The nature of the netscan event. Scan, vuln-detection, host-detection, os-scan, port-detection, service-detection, vuln-count.

4102
Message ID: 004102
Message Description: Notification message
Type (type): utm
Subtype (subtype): netscan
Event Type (eventtype): discovery
Level/Severity: notice
Log field

Meaning

type

utm

subtype

netscan

eventtype

discovery

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

The nature of the netscan event. Scan, vuln-detection, host-detection, os-scan, port-detection, service-detection, vuln-count.

4103
Message ID: 004103
Message Description: Netscan number of vulnerabilities detected
Type (type): utm
Subtype (subtype): netscan
Event Type (eventtype): vulnerability
Level/Severity: notice
Log field

Meaning

type

utm

subtype

netscan

eventtype

vulnerability

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

The nature of the netscan event. Scan, vuln-detection, host-detection, os-scan, port-detection, service-detection, vuln-count.

dstip

The destination IP.

vulncnt

Vulnerability count.

4104
Message ID: 004104
Message Description: Netscan host detected
Type (type): utm
Subtype (subtype): netscan
Event Type (eventtype): discovery
Level/Severity: notice
Log field

Meaning

type

utm

subtype

netscan

eventtype

discovery

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

The nature of the netscan event. Scan, vuln-detection, host-detection, os-scan, port-detection, service-detection, vuln-count.

dstip

The destination IP.

method

The method information.

assetid

Asset ID for this host.

assetname

Asset definition for this host.

4105
Message ID: 004105
Message Description: Netscan port detected
Type (type): utm
Subtype (subtype): netscan
Event Type (eventtype): discovery
Level/Severity: notice
Log field

Meaning

type

utm

subtype

netscan

eventtype

discovery

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

The nature of the netscan event. Scan, vuln-detection, host-detection, os-scan, port-detection, service-detection, vuln-count.

dstip

The destination IP.

proto

Protocol. Either TCP or UDP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

Virus
8192
Message ID: 008192
Message Description: virus infected block
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): infected
Level/Severity: warning
Log field

Meaning

type

utm

subtype

virus

eventtype

infected

level

warning

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status

The status of the virus or packet: blocked, passthrough, monitored, analytics.

service

The service where the event or activity occurred.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.

sessionid

Session ID.

direction

Message direction. One of: N/A, TX, or RX.

file

The name of the file.

checksum

The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same
checksum, the FortiGate unit assumes that they have the same content.

quarskip

Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern
block), oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).

virus

The name of the virus detected.

dtype

Dtype.

ref

URL of the FortiGuard IPS database entry for the attack.

url

The URL address.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

agent

Agent.

from

Source identifier.

to

Destination identifier.

sha256

SHA256 hash.

analyticssubmit

Whether analytics were submitted or not. Can be false or true.

msg

"File is infected."

8193
Message ID: 008193
Message Description: virus infected pass
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): infected
Level/Severity: notice
Log field

Meaning

type

utm

subtype

virus

eventtype

infected

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status

The status of the virus or packet: blocked, passthrough, monitored, analytics.

service

The service where the event or activity occurred.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid

Session ID.

direction

Message direction. One of: N/A, TX, or RX.

file

The name of the file.

checksum

The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same
checksum, the FortiGate unit assumes that they have the same content.

quarskip

Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern
block), oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).

virus

The name of the virus detected.

dtype

Dtype.

ref

URL of the FortiGuard IPS database entry for the attack.

url

The URL address.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

agent

Agent.

from

Source identifier.

to

Destination identifier.

sha256

SHA256 hash.

analyticssubmit

Whether analytics were submitted or not. Can be false or true.

msg

"File is infected."

8194
Message ID: 008194
Message Description: virus infected mime block
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): infected
Level/Severity: warning
Log field

Meaning

type

utm

subtype

virus

eventtype

infected

level

warning

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status

The status of the virus or packet: blocked, passthrough, monitored, analytics.

service

The service where the event or activity occurred.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid

Session ID.

direction

Message direction. One of: N/A, TX, or RX.

file

The name of the file.

checksum

The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same
checksum, the FortiGate unit assumes that they have the same content.

quarskip

Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern
block), oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).

virus

The name of the virus detected.

dtype

Dtype.

ref

URL of the FortiGuard IPS database entry for the attack.

url

The URL address.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

agent

Agent.

from

Source identifier.

to

Destination identifier.

sha256

SHA256 hash.

analyticssubmit

Whether analytics were submitted or not. Can be false or true.

msg

"File is infected."

8195
Message ID: 008195
Message Description: virus infected mime pass
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): infected
Level/Severity: notice
Log field

Meaning

type

utm

subtype

virus

eventtype

infected

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status

The status of the virus or packet: blocked, passthrough, monitored, analytics.

service

The service where the event or activity occurred.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid

Session ID.

direction

Message direction. One of: N/A, TX, or RX.

file

The name of the file.

checksum

The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same
checksum, the FortiGate unit assumes that they have the same content.

quarskip

Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern
block), oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).

virus

The name of the virus detected.

dtype

Dtype.

ref

URL of the FortiGuard IPS database entry for the attack.

url

The URL address.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

agent

Agent.

from

Source identifier.

to

Destination identifier.

sha256

SHA256 hash.

analyticssubmit

Whether analytics were submitted or not. Can be false or true.

msg

"File submitted to FortiGuard Analytics."

8196
Message ID: 008196
Message Description: virus infected worm block
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): infected
Level/Severity: warning
Log field

Meaning

type

utm

subtype

virus

eventtype

infected

level

warning

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status

The status of the virus or packet: blocked, passthrough, monitored, analytics.

service

The service where the event or activity occurred.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique, it is only locally unique within a given firewall policy.

sessionid

Session ID.

virus

The name of the virus detected.

dtype

Dtype.

url

The URL address.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

user

User name.

group

The group name.

msg

"Worm detected."

8197
Message ID: 008197
Message Description: virus infected worm monitor
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): infected
Level/Severity: notice
Log field

Meaning

type

utm

subtype

virus

eventtype

infected

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status

The status of the virus or packet: blocked, passthrough, monitored, analytics.

service

The service where the event or activity occurred.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique, it is only locally unique within a given firewall policy.

sessionid

Session ID.

virus

The name of the virus detected.

dtype

Dtype.

url

The URL address.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

user

User name.

group

The group name.

msg

"Worm detected."

8198
Message ID: 008198
Message Description: virus infected worm mime block
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): infected
Level/Severity: warning
Log field

Meaning

type

utm

subtype

virus

eventtype

infected

level

warning

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status

The status of the virus or packet: blocked, passthrough, monitored, analytics.

service

The service where the event or activity occurred.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique, it is only locally unique within a given firewall policy.

sessionid

Session ID.

virus

The name of the virus detected.

dtype

Dtype.

url

The URL address.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

user

User name.

group

The group name.

from

Source identifier.

to

Destination identifier.

msg

"Worm detected."

8199
Message ID: 008199
Message Description: virus infected worm mime monitor
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): infected
Level/Severity: notice
Log field

Meaning

type

utm

subtype

virus

eventtype

infected

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status

The status of the virus or packet: blocked, passthrough, monitored, analytics.

service

The service where the event or activity occurred.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique, it is only locally unique within a given firewall policy.

sessionid

Session ID.

virus

The name of the virus detected.

dtype

Dtype.

url

The URL address.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

user

User name.

group

The group name.

from

Source identifier.

to

Destination identifier.

msg

"Worm detected."

Page 63
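
The eight "infected" messages above (008192 to 008199) differ mainly in whether the file was stopped, which is what the status and quarskip fields record. The following triage sketch is an added example, not Fortinet code. It assumes raw log lines are space-separated key=value pairs, that the last six digits of a logid field are the Message ID, and that any status other than blocked deserves first attention; the sample lines are constructed.

```python
import re

# Message IDs, descriptions and levels copied from the "infected" tables above.
INFECTED_MESSAGES = {
    8192: ("virus infected block", "warning"),
    8193: ("virus infected pass", "notice"),
    8194: ("virus infected mime block", "warning"),
    8195: ("virus infected mime pass", "notice"),
    8196: ("virus infected worm block", "warning"),
    8197: ("virus infected worm monitor", "notice"),
    8198: ("virus infected worm mime block", "warning"),
    8199: ("virus infected worm mime monitor", "notice"),
}

# Assumed raw format: key=value pairs; a value is either double-quoted
# (and may then contain spaces or '=') or a bare token.
PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_line(line):
    """Split one raw log line into a dict of field name -> value."""
    fields = {}
    for key, value in PAIR.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def message_id(fields):
    """Assumption: the last six digits of logid carry the Message ID."""
    tail = fields.get("logid", "")[-6:]
    return int(tail) if len(tail) == 6 and tail.isdigit() else None


def triage(line):
    """Return a triage record for an infected-file event, None for other logs."""
    f = parse_line(line)
    if (f.get("type"), f.get("subtype"), f.get("eventtype")) != ("utm", "virus", "infected"):
        return None
    mid = message_id(f)
    description, expected_level = INFECTED_MESSAGES.get(mid, ("unknown message ID", None))
    findings = []
    status = f.get("status") or "missing"
    if status != "blocked":                      # passthrough, monitored, analytics
        findings.append("not-blocked:" + status)
    quarskip = f.get("quarskip")
    if quarskip not in (None, "notskip"):        # no copy was kept in quarantine
        findings.append("not-quarantined:" + quarskip)
    if expected_level and f.get("level") != expected_level:
        findings.append("level-differs-from-reference")
    if any(item.startswith("not-blocked") for item in findings):
        priority = "high"
    elif findings:
        priority = "review"
    else:
        priority = "info"
    return {
        "message_id": mid, "description": description,
        "priority": priority, "findings": findings,
        "srcip": f.get("srcip"), "dstip": f.get("dstip"),
        "virus": f.get("virus"), "file": f.get("file"),
    }


# Constructed sample lines (documentation address ranges, test virus name).
SAMPLES = [
    'date=2015-03-13 time=10:15:02 logid=0211008192 type=utm subtype=virus '
    'eventtype=infected level=warning vd="root" msg="File is infected." '
    'status="blocked" service="http" srcip=192.0.2.10 dstip=198.51.100.7 '
    'file="eicar.com" quarskip="notskip" virus="EICAR_TEST_FILE" '
    'url="http://files.example/get?name=eicar.com"',
    'date=2015-03-13 time=10:16:40 logid=0211008193 type=utm subtype=virus '
    'eventtype=infected level=notice vd="root" msg="File is infected." '
    'status="passthrough" service="http" srcip=192.0.2.11 dstip=198.51.100.7 '
    'file="big.iso" quarskip="oversized" virus="EICAR_TEST_FILE"',
    'date=2015-03-13 time=10:17:05 logid=0211008192 type=utm subtype=virus '
    'eventtype=infected level=warning vd="root" msg="File is infected." '
    'status="blocked" service="http" srcip=192.0.2.12 dstip=198.51.100.7 '
    'file="setup.exe" quarskip="filepattern" virus="EICAR_TEST_FILE"',
    'date=2015-03-13 time=10:18:31 logid=0211008197 type=utm subtype=virus '
    'eventtype=infected level=notice vd="root" msg="Worm detected." '
    'status="monitored" service="smtp" srcip=192.0.2.13 dstip=198.51.100.9 '
    'virus="EICAR_TEST_FILE"',
    'date=2015-03-13 time=10:19:00 type=traffic subtype=forward level=notice '
    'vd="root" status="accept" srcip=192.0.2.14 dstip=198.51.100.9',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(sample))
```

Sorting on priority surfaces the "pass" and "monitor" events first, then blocked files that were not quarantined and so cannot be retrieved for analysis.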

8448
Message ID: 008448
Message Description: virus blocked (warning)
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): filename
Level/Severity: warning
Log field

Meaning

type

utm

subtype

virus

eventtype

filename

level

warning

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status

The status of the virus or packet: blocked, passthrough, monitored, analytics.

service

The service where the event or activity occurred.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique, it is only locally unique within a given firewall policy.

sessionid

Session ID.

direction

Message direction. One of: N/A, TX, or RX.

filefilter

The filter used to identify the affected file.

filetype

The filetype of the affected file.

file

The name of the file.

checksum

The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the
FortiGate unit assumes that they have the same content.

quarskip

Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern block),
oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).

url

The URL address.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

user

User name.

group

The group name.

agent

Agent.

from

Source identifier.

to

Destination identifier.

msg

"File is blocked."

8449
Message ID: 008449
Message Description: virus blocked (notice)
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): filename
Level/Severity: notice
Log field

Meaning

type

utm

subtype

virus

eventtype

filename

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status

The status of the virus or packet: blocked, passthrough, monitored, analytics.

service

The service where the event or activity occurred.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique, it is only locally unique within a given firewall policy.

sessionid

Session ID.

direction

Message direction. One of: N/A, TX, or RX.

filefilter

The filter used to identify the affected file.

filetype

The filetype of the affected file.

file

The name of the file.

checksum

The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the
FortiGate unit assumes that they have the same content.

quarskip

Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern block),
oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).

url

The URL address.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

user

User name.

group

The group name.

agent

Agent.

from

Source identifier.

to

Destination identifier.

msg

"File is blocked."

8450
Message ID: 008450
Message Description: virus blocked mime (warning)
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): filename
Level/Severity: warning
Log field

Meaning

type

utm

subtype

virus

eventtype

filename

level

warning

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status

The status of the virus or packet: blocked, passthrough, monitored, analytics.

service

The service where the event or activity occurred.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique, it is only locally unique within a given firewall policy.

sessionid

Session ID.

direction

Message direction. One of: N/A, TX, or RX.

filefilter

The filter used to identify the affected file.

filetype

The filetype of the affected file.

file

The name of the file.

checksum

The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the
FortiGate unit assumes that they have the same content.

quarskip

Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern block),
oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).

url

The URL address.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

user

User name.

group

The group name.

agent

Agent.

from

Source identifier.

to

Destination identifier.

msg

"File is blocked."

8451
Message ID: 008451
Message Description: virus blocked mime (notice)
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): filename
Level/Severity: notice
Log field

Meaning

type

utm

subtype

virus

eventtype

filename

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status

The status of the virus or packet: blocked, passthrough, monitored, analytics.

service

The service where the event or activity occurred.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique, it is only locally unique within a given firewall policy.

sessionid

Session ID.

direction

Message direction. One of: N/A, TX, or RX.

filefilter

The filter used to identify the affected file.

filetype

The filetype of the affected file.

file

The name of the file.

checksum

The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the
FortiGate unit assumes that they have the same content.

quarskip

Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern block),
oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).

url

The URL address.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

user

User name.

group

The group name.

agent

Agent.

from

Source identifier.

to

Destination identifier.

msg

"File is blocked."

8452
Message ID: 008452
Message Description: virus blocked command
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): filename
Level/Severity: warning
Log field

Meaning

type

utm

subtype

virus

eventtype

filename

level

warning

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status

The status of the virus or packet: blocked, passthrough, monitored, analytics.

service

The service where the event or activity occurred.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique, it is only locally unique within a given firewall policy.

sessionid

Session ID.

url

The URL address.

user

User name.

group

The group name.

command

Command information.

agent

Agent.

profiletype

The type of profile responsible for the UTM action taken.

profile

The name of the profile that was used to detect and take action.

msg

"Command blocked."

8453
Message ID: 008453
Message Description: virus intercepted
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): filename
Level/Severity: notice
Log field

Meaning

type

utm

subtype

virus

eventtype

filename

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status

The status of the virus or packet: blocked, passthrough, monitored, analytics.

service

The service where the event or activity occurred.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique, it is only locally unique within a given firewall policy.

sessionid

Session ID.

direction

Message direction. One of: N/A, TX, or RX.

filefilter

The filter used to identify the affected file.

filetype

The filetype of the affected file.

file

The name of the file.

checksum

The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the
FortiGate unit assumes that they have the same content.

quarskip

Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern block),
oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).

url

The URL address.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

user

User name.

group

The group name.

agent

Agent.

from

Source identifier.

to

Destination identifier.

msg

"File is intercepted."

8454
Message ID: 008454
Message Description: virus intercepted mime
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): filename
Level/Severity: notice
Log field

Meaning

type

utm

subtype

virus

eventtype

filename

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status

The status of the virus or packet: blocked, passthrough, monitored, analytics.

service

The service where the event or activity occurred.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique, it is only locally unique within a given firewall policy.

sessionid

Session ID.

direction

Message direction. One of: N/A, TX, or RX.

filefilter

The filter used to identify the affected file.

filetype

The filetype of the affected file.

file

The name of the file.

checksum

The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.

quarskip

Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern block),
oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).

virus

The name of the virus detected.

dtype

Dtype.

url

The URL address.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

user

User name.

group

The group name.

agent

Agent.

from

Source identifier.

to

Destination identifier.

msg

"File is intercepted."

8455
Message ID: 008455
Message Description: virus exempted
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): filename
Level/Severity: notice
Log field

Meaning

type

utm

subtype

virus

eventtype

filename

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status

The status of the virus or packet: blocked, passthrough, monitored, analytics.

service

The service where the event or activity occurred.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique, it is only locally unique within a given firewall policy.

sessionid

Session ID.

direction

Message direction. One of: N/A, TX, or RX.

filefilter

The filter used to identify the affected file.

filetype

The filetype of the affected file.

file

The name of the file.

url

The URL address.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

user

User name.

group

The group name.

agent

Agent.

from

Source identifier.

to

Destination identifier.

msg

"File has been exempted."

8456
Message ID: 008456
Message Description: virus exempted mime
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): filename
Level/Severity: notice
Log field

Meaning

type

utm

subtype

virus

eventtype

filename

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status

The status of the virus or packet: blocked, passthrough, monitored, analytics.

service

The service where the event or activity occurred.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique, it is only locally unique within a given firewall policy.

sessionid

Session ID.

direction

Message direction. One of: N/A, TX, or RX.

filefilter

The filter used to identify the affected file.

filetype

The filetype of the affected file.

file

The name of the file.

url

The URL address.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

user

User name.

group

The group name.

agent

Agent.

from

Source identifier.

to

Destination identifier.

msg

"File has been exempted."

8457
Message ID: 008457
Message Description: mms content checksum
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): infected
Level/Severity: warning
Log field

Meaning

type

utm

subtype

virus

eventtype

infected

level

warning

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status

The status of the virus or packet: blocked, passthrough, monitored, analytics.

service

The service where the event or activity occurred.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique, it is only locally unique within a given firewall policy.

sessionid

Session ID.

direction

Message direction. One of: N/A, TX, or RX.

checksum

The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.

url

The URL address.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

user

User name.

group

The group name.

agent

Agent.

from

Source identifier.

to

Destination identifier.

msg

"Blocked by MMS content checksum."

8458
Message ID: 008458
Message Description: mms content checksum
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): infected
Level/Severity: warning
Log field

Meaning

type

utm

subtype

virus

eventtype

infected

level

warning

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status

The status of the virus or packet: blocked, passthrough, monitored, analytics.

service

The service where the event or activity occurred.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique, it is only locally unique within a given firewall policy.

sessionid

Session ID.

direction

Message direction. One of: N/A, TX, or RX.

checksum

The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same checksum, the FortiGate unit assumes that they have the same content.

file

The name of the file.

url

The URL address.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

user

User name.

group

The group name.

agent

Agent.

from

Source identifier.

to

Destination identifier.

msg

"Matched by MMS content checksum."

8704
Message ID: 008704
Message Description: oversized block
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): oversize
Level/Severity: warning
Log field

Meaning

type

utm

subtype

virus

eventtype

oversize

level

warning

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status

The status of the virus or packet: blocked, passthrough, monitored, analytics.

service

The service where the event or activity occurred.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique, it is only locally unique within a given firewall policy.

sessionid

Session ID.

file

The name of the file.

url

The URL address.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

user

User name.

group

The group name.

agent

Agent.

from

Source identifier.

to

Destination identifier.

msg

"Size limit exceeded."

8705
Message ID: 008705
Message Description: oversized pass
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): oversize
Level/Severity: notice
Log field

Meaning

type

utm

subtype

virus

eventtype

oversize

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status

The status of the virus or packet: blocked, passthrough, monitored, analytics.

service

The service where the event or activity occurred.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique, it is only locally unique within a given firewall policy.

sessionid

Session ID.

file

The name of the file.

url

The URL address.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

user

User name.

group

The group name.

agent

Agent.

from

Source identifier.

to

Destination identifier.

msg

"Size limit exceeded."

8706
Message ID: 008706
Message Description: oversized mime block
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): oversize
Level/Severity: warning
Log field

Meaning

type

utm

subtype

virus

eventtype

oversize

level

warning

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status

The status of the virus or packet: blocked, passthrough, monitored, analytics.

service

The service where the event or activity occurred.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique, it is only locally unique within a given firewall policy.

sessionid

Session ID.

file

The name of the file.

url

The URL address.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

user

User name.

group

The group name.

from

Source identifier.

to

Destination identifier.

msg

"Size limit exceeded."

8707
Message ID: 008707
Message Description: oversized mime pass
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): oversize
Level/Severity: notice
Log field

Meaning

type

utm

subtype

virus

eventtype

oversize

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status

The status of the virus or packet: blocked, passthrough, monitored, analytics.

service

The service where the event or activity occurred.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique, it is only locally unique within a given firewall policy.

sessionid

Session ID.

file

The name of the file.

url

The URL address.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

user

User name.

group

The group name.

from

Source identifier.

to

Destination identifier.

msg

"Size limit exceeded."

8720
Message ID: 008720
Message Description: switching protocols block
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): switchproto
Level/Severity: warning
Log field

Meaning

type

utm

subtype

virus

eventtype

switchproto

level

warning

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status

The status of the virus or packet: blocked, passthrough, monitored, analytics.

service

The service where the event or activity occurred.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique, it is only locally unique within a given firewall policy.

sessionid

Session ID.

url

The URL address.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

user

User name.

group

The group name.

from

Source identifier.

to

Destination identifier.

agent

Agent.

switchproto

Protocol change information.

msg

"Switching protocols request."

8721
Message ID: 008721
Message Description: switching protocols bypass
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): switchproto
Level/Severity: notice
Log field

Meaning

type

utm

subtype

virus

eventtype

switchproto

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status

The status of the virus or packet: blocked, passthrough, monitored, analytics.

service

The service where the event or activity occurred.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique, it is only locally unique within a given firewall policy.

sessionid

Session ID.

url

The URL address.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

user

User name.

group

The group name.

from

Source identifier.

to

Destination identifier.

agent

Agent.

switchproto

Protocol change information.

msg

"Switching protocols request."

8960
Message ID: 008960
Message Description: uncompressed nested limit reached
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): scanerror
Level/Severity: notice
Log field

Meaning

type

utm

subtype

virus

eventtype

scanerror

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status

The status of the virus or packet: blocked, passthrough, monitored, analytics.

service

The service where the event or activity occurred.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid

Session ID.

direction

Message direction. One of: N/A, TX, or RX.

file

The name of the file.

checksum

The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same
checksum, the FortiGate unit assumes that they have the same content.

quarskip

Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern
block), oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).

virus

The name of the virus detected.

dtype

Dtype.

ref

URL of the FortiGuard IPS database entry for the attack.

url

The URL address.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

agent

Agent.

from

Source identifier.

to

Destination identifier.

sha256

SHA256 hash.

analyticssubmit

Whether analytics were submitted or not. Can be false or true.

msg

"File reached uncompressed nested limit."

8961
Message ID: 008961
Message Description: uncompressed size limit reached
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): scanerror
Level/Severity: notice
Log field

Meaning

type

utm

subtype

virus

eventtype

scanerror

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status

The status of the virus or packet: blocked, passthrough, monitored, analytics.

service

The service where the event or activity occurred.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid

Session ID.

direction

Message direction. One of: N/A, TX, or RX.

file

The name of the file.

checksum

The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same
checksum, the FortiGate unit assumes that they have the same content.

quarskip

Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern
block), oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).

virus

The name of the virus detected.

dtype

Dtype.

ref

URL of the FortiGuard IPS database entry for the attack.

url

The URL address.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

agent

Agent.

from

Source identifier.

to

Destination identifier.

sha256

SHA256 hash.

analyticssubmit

Whether analytics were submitted or not. Can be false or true.

msg

"File reached uncompressed size limit."

8962
Message ID: 008962
Message Description: archive is encrypted
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): scanerror
Level/Severity: warning
Log field

Meaning

type

utm

subtype

virus

eventtype

scanerror

level

warning

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status

The status of the virus or packet: blocked, passthrough, monitored, analytics.

service

The service where the event or activity occurred.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid

Session ID.

direction

Message direction. One of: N/A, TX, or RX.

file

The name of the file.

checksum

The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same
checksum, the FortiGate unit assumes that they have the same content.

quarskip

Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern
block), oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).

virus

The name of the virus detected.

dtype

Dtype.

ref

URL of the FortiGuard IPS database entry for the attack.

url

The URL address.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

agent

Agent.

from

Source identifier.

to

Destination identifier.

sha256

SHA256 hash.

analyticssubmit

Whether analytics were submitted or not. Can be false or true.

msg

"Encrypted archive."

8963
Message ID: 008963
Message Description: archive is encrypted
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): scanerror
Level/Severity: notice
Log field

Meaning

type

utm

subtype

virus

eventtype

scanerror

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status

The status of the virus or packet: blocked, passthrough, monitored, analytics.

service

The service where the event or activity occurred.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid

Session ID.

direction

Message direction. One of: N/A, TX, or RX.

file

The name of the file.

checksum

The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same
checksum, the FortiGate unit assumes that they have the same content.

quarskip

Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern
block), oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).

virus

The name of the virus detected.

dtype

Dtype.

ref

URL of the FortiGuard IPS database entry for the attack.

url

The URL address.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

agent

Agent.

from

Source identifier.

to

Destination identifier.

sha256

SHA256 hash.

analyticssubmit

Whether analytics were submitted or not. Can be false or true.

msg

"Encrypted archive."

8964
Message ID: 008964
Message Description: archive is corrupted
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): scanerror
Level/Severity: warning
Log field

Meaning

type

utm

subtype

virus

eventtype

scanerror

level

warning

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status

The status of the virus or packet: blocked, passthrough, monitored, analytics.

service

The service where the event or activity occurred.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.

sessionid

Session ID.

direction

Message direction. One of: N/A, TX, or RX.

file

The name of the file.

checksum

The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same
checksum, the FortiGate unit assumes that they have the same content.

quarskip

Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern
block), oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).

virus

The name of the virus detected.

dtype

Dtype.

ref

URL of the FortiGuard IPS database entry for the attack.

url

The URL address.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

agent

Agent.

from

Source identifier.

to

Destination identifier.

sha256

SHA256 hash.

analyticssubmit

Whether analytics were submitted or not. Can be false or true.

msg

"Corrupted archive."

8965
Message ID: 008965
Message Description: archive is corrupted
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): scanerror
Level/Severity: notice
Log field

Meaning

type

utm

subtype

virus

eventtype

scanerror

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status

The status of the virus or packet: blocked, passthrough, monitored, analytics.

service

The service where the event or activity occurred.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.

sessionid

Session ID.

direction

Message direction. One of: N/A, TX, or RX.

file

The name of the file.

checksum

The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same
checksum, the FortiGate unit assumes that they have the same content.

quarskip

Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern
block), oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).

virus

The name of the virus detected.

dtype

Dtype.

ref

URL of the FortiGuard IPS database entry for the attack.

url

The URL address.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

agent

Agent.

from

Source identifier.

to

Destination identifier.

sha256

SHA256 hash.

analyticssubmit

Whether analytics were submitted or not. Can be false or true.

msg

"Corrupted archive."

8966
Message ID: 008966
Message Description: multipart archive
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): scanerror
Level/Severity: warning
Log field

Meaning

type

utm

subtype

virus

eventtype

scanerror

level

warning

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status

The status of the virus or packet: blocked, passthrough, monitored, analytics.

service

The service where the event or activity occurred.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.

sessionid

Session ID.

direction

Message direction. One of: N/A, TX, or RX.

file

The name of the file.

checksum

The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same
checksum, the FortiGate unit assumes that they have the same content.

quarskip

Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern
block), oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).

virus

The name of the virus detected.

dtype

Dtype.

ref

URL of the FortiGuard IPS database entry for the attack.

url

The URL address.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

agent

Agent.

from

Source identifier.

to

Destination identifier.

sha256

SHA256 hash.

analyticssubmit

Whether analytics were submitted or not. Can be false or true.

msg

"Multipart archive."

8967
Message ID: 008967
Message Description: multipart archive
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): scanerror
Level/Severity: notice
Log field

Meaning

type

utm

subtype

virus

eventtype

scanerror

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status

The status of the virus or packet: blocked, passthrough, monitored, analytics.

service

The service where the event or activity occurred.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.

sessionid

Session ID.

direction

Message direction. One of: N/A, TX, or RX.

file

The name of the file.

checksum

The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same
checksum, the FortiGate unit assumes that they have the same content.

quarskip

Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern
block), oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).

virus

The name of the virus detected.

dtype

Dtype.

ref

URL of the FortiGuard IPS database entry for the attack.

url

The URL address.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

agent

Agent.

from

Source identifier.

to

Destination identifier.

sha256

SHA256 hash.

analyticssubmit

Whether analytics were submitted or not. Can be false or true.

msg

"Multipart archive."

8968
Message ID: 008968
Message Description: nested archive
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): scanerror
Level/Severity: warning
Log field

Meaning

type

utm

subtype

virus

eventtype

scanerror

level

warning

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status

The status of the virus or packet: blocked, passthrough, monitored, analytics.

service

The service where the event or activity occurred.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.

sessionid

Session ID.

direction

Message direction. One of: N/A, TX, or RX.

file

The name of the file.

checksum

The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same
checksum, the FortiGate unit assumes that they have the same content.

quarskip

Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern
block), oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).

virus

The name of the virus detected.

dtype

Dtype.

ref

URL of the FortiGuard IPS database entry for the attack.

url

The URL address.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

agent

Agent.

from

Source identifier.

to

Destination identifier.

sha256

SHA256 hash.

analyticssubmit

Whether analytics were submitted or not. Can be false or true.

msg

"Nested archive."

8969
Message ID: 008969
Message Description: nested archive
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): scanerror
Level/Severity: notice
Log field

Meaning

type

utm

subtype

virus

eventtype

scanerror

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status

The status of the virus or packet: blocked, passthrough, monitored, analytics.

service

The service where the event or activity occurred.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.

sessionid

Session ID.

direction

Message direction. One of: N/A, TX, or RX.

file

The name of the file.

checksum

The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same
checksum, the FortiGate unit assumes that they have the same content.

quarskip

Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern
block), oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).

virus

The name of the virus detected.

dtype

Dtype.

ref

URL of the FortiGuard IPS database entry for the attack.

url

The URL address.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

agent

Agent.

from

Source identifier.

to

Destination identifier.

sha256

SHA256 hash.

analyticssubmit

Whether analytics were submitted or not. Can be false or true.

msg

"Nested archive."

8970
Message ID: 008970
Message Description: archive is oversized
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): scanerror
Level/Severity: warning
Log field

Meaning

type

utm

subtype

virus

eventtype

scanerror

level

warning

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status

The status of the virus or packet: blocked, passthrough, monitored, analytics.

service

The service where the event or activity occurred.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.

sessionid

Session ID.

direction

Message direction. One of: N/A, TX, or RX.

file

The name of the file.

checksum

The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same
checksum, the FortiGate unit assumes that they have the same content.

quarskip

Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern
block), oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).

virus

The name of the virus detected.

dtype

Dtype.

ref

URL of the FortiGuard IPS database entry for the attack.

url

The URL address.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

agent

Agent.

from

Source identifier.

to

Destination identifier.

sha256

SHA256 hash.

analyticssubmit

Whether analytics were submitted or not. Can be false or true.

msg

"Oversized archive."

8971
Message ID: 008971
Message Description: archive is oversized
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): scanerror
Level/Severity: notice
Log field

Meaning

type

utm

subtype

virus

eventtype

scanerror

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status

The status of the virus or packet: blocked, passthrough, monitored, analytics.

service

The service where the event or activity occurred.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.

sessionid

Session ID.

direction

Message direction. One of: N/A, TX, or RX.

file

The name of the file.

checksum

The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same
checksum, the FortiGate unit assumes that they have the same content.

quarskip

Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern
block), oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).

virus

The name of the virus detected.

dtype

Dtype.

ref

URL of the FortiGuard IPS database entry for the attack.

url

The URL address.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

agent

Agent.

from

Source identifier.

to

Destination identifier.

sha256

SHA256 hash.

analyticssubmit

Whether analytics were submitted or not. Can be false or true.

msg

"Oversized archive."

8972
Message ID: 008972
Message Description: unhandled archive type
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): scanerror
Level/Severity: warning
Log field

Meaning

type

utm

subtype

virus

eventtype

scanerror

level

warning

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status

The status of the virus or packet: blocked, passthrough, monitored, analytics.

service

The service where the event or activity occurred.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.

sessionid

Session ID.

direction

Message direction. One of: N/A, TX, or RX.

file

The name of the file.

checksum

The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same
checksum, the FortiGate unit assumes that they have the same content.

quarskip

Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern
block), oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).

virus

The name of the virus detected.

dtype

Dtype.

ref

URL of the FortiGuard IPS database entry for the attack.

url

The URL address.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

agent

Agent.

from

Source identifier.

to

Destination identifier.

sha256

SHA256 hash.

analyticssubmit

Whether analytics were submitted or not. Can be false or true.

msg

"Unhandled archive."

8973
Message ID: 008973
Message Description: unhandled archive type
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): scanerror
Level/Severity: notice
Log field

Meaning

type

utm

subtype

virus

eventtype

scanerror

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status

The status of the virus or packet: blocked, passthrough, monitored, analytics.

service

The service where the event or activity occurred.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.

sessionid

Session ID.

direction

Message direction. One of: N/A, TX, or RX.

file

The name of the file.

checksum

The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same
checksum, the FortiGate unit assumes that they have the same content.

quarskip

Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern
block), oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).

virus

The name of the virus detected.

dtype

Dtype.

ref

URL of the FortiGuard IPS database entry for the attack.

url

The URL address.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

agent

Agent.

from

Source identifier.

to

Destination identifier.

sha256

SHA256 hash.

analyticssubmit

Whether analytics were submitted or not. Can be false or true.

msg

"Unhandled archive."

9233
Message ID: 009233
Message Description: FortiGuard analytics
Type (type): utm
Subtype (subtype): virus
Event Type (eventtype): analytics
Level/Severity: notice
Log field

Meaning

type

utm

subtype

virus

eventtype

analytics

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

status

The status of the virus or packet: blocked, passthrough, monitored, analytics.

service

The service where the event or activity occurred.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.

sessionid

Session ID.

direction

Message direction. One of: N/A, TX, or RX.

file

The name of the file.

checksum

The checksum of the file that was scanned by the FortiGate unit. If two files have different names but the same
checksum, the FortiGate unit assumes that they have the same content.

quarskip

Quarantine skip explanation: notskip (file quarantined), filepattern (not quarantined due to HTTP GET file pattern
block), oversized (not quarantined due to no oversize rule), unknown (not quarantined for other reason).

virus

The name of the virus detected.

dtype

Dtype.

ref

URL of the FortiGuard IPS database entry for the attack.

url

The URL address.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

agent

Agent.

from

Source identifier.

to

Destination identifier.

sha256

SHA256 hash.

analyticssubmit

Whether analytics were submitted or not. Can be false or true.

msg

Webfilter
12288
Message ID: 012288
Message Description: Web content banned word
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): content
Level/Severity: warning
Log field

Meaning

type

utm

subtype

webfilter

eventtype

content

level

warning

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.

sessionid

Session ID.

initiator

The initiator name.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

service

The service where the event or activity occurred.

hostname

The hostname information.

profiletype

The type of profile responsible for the UTM action taken.

profile

The name of the profile that was used to detect and take action.

reqtype

The request type, either direct or referral.

url

The URL address.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

status

The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.

agent

Agent.

from

Source identifier.

to

Destination identifier.

banword

Banned word flagged in the message.

msg

"URL was blocked because it contained banned word(s)."

12289
Message ID: 012289
Message Description: Web content MMS banned word
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): content
Level/Severity: warning
Log field

Meaning

type

utm

subtype

webfilter

eventtype

content

level

warning

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.

sessionid

Session ID.

initiator

The initiator name.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

service

The service where the event or activity occurred.

hostname

The hostname information.

profiletype

The type of profile responsible for the UTM action taken.

profile

The name of the profile that was used to detect and take action.

reqtype

The request type, either direct or referral.

url

The URL address.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

status

The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.

direction

Message direction. One of: N/A, TX, or RX.

agent

Agent.

from

Source identifier.

to

Destination identifier.

banword

Banned word flagged in the message.

msg

"Message was blocked because it contained banned word(s)."

12290
Message ID: 012290
Message Description: Web content exempt word
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): content
Level/Severity: notice
Log field

Meaning

type

utm

subtype

webfilter

eventtype

content

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.

sessionid

Session ID.

initiator

The initiator name.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

service

The service where the event or activity occurred.

hostname

The hostname information.

profiletype

The type of profile responsible for the UTM action taken.

profile

The name of the profile that was used to detect and take action.

reqtype

The request type, either direct or referral.

url

The URL address.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

status

The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.

agent

Agent.

from

Source identifier.

to

Destination identifier.

banword

Banned word flagged in the message.

msg

"URL was exempted because it contained exempt word(s)."

12291
Message ID: 012291
Message Description: Web content MMS exempt word
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): content
Level/Severity: notice
Log field

Meaning

type

utm

subtype

webfilter

eventtype

content

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.

sessionid

Session ID.

initiator

The initiator name.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

service

The service where the event or activity occurred.

hostname

The hostname information.

profiletype

The type of profile responsible for the UTM action taken.

profile

The name of the profile that was used to detect and take action.

reqtype

The request type, either direct or referral.

url

The URL address.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

status

The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.

direction

Message direction. One of: N/A, TX, or RX.

agent

Agent.

from

Source identifier.

to

Destination identifier.

banword

Banned word flagged in the message.

msg

"Message was exempted because it contained exempt word(s)."

12292
Message ID: 012292
Message Description: Web search key word
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): content
Level/Severity: notice
Log field

Meaning

type

utm

subtype

webfilter

eventtype

content

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.

sessionid

Session ID.

initiator

The initiator name.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

service

The service where the event or activity occurred.

hostname

The hostname information.

profiletype

The type of profile responsible for the UTM action taken.

profile

The name of the profile that was used to detect and take action.

reqtype

The request type, either direct or referral.

url

The URL address.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

status

The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.

agent

Agent.

from

Source identifier.

to

Destination identifier.

keyword

Flagged or searched keyword.

msg

"Message contained a key word in the profile list."

12293
Message ID: 012293
Message Description: Web search
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): content
Level/Severity: notice
Log field

Meaning

type

utm

subtype

webfilter

eventtype

content

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.

sessionid

Session ID.

initiator

The initiator name.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

service

The service where the event or activity occurred.

hostname

The hostname information.

profiletype

The type of profile responsible for the UTM action taken.

profile

The name of the profile that was used to detect and take action.

reqtype

The request type, either direct or referral.

url

The URL address.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

status

The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.

agent

Agent.

from

Source identifier.

to

Destination identifier.

keyword

Flagged or searched keyword.

msg

"Search phrase detected."

12305
Message ID: 012305
Message Description: Web content MMS banned word
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): content
Level/Severity: notice
Log field

Meaning

type

utm

subtype

webfilter

eventtype

content

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.

sessionid

Session ID.

initiator

The initiator name.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

service

The service where the event or activity occurred.

hostname

The hostname information.

profiletype

The type of profile responsible for the UTM action taken.

profile

The name of the profile that was used to detect and take action.

reqtype

The request type, either direct or referral.

url

The URL address.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

status

The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.

direction

Message direction. One of: N/A, TX, or RX.

agent

Agent.

from

Source identifier.

to

Destination identifier.

banword

Banned word flagged in the message.

msg

"Message was logged because it contained a banned word."

12544
Message ID: 012544
Message Description: URL filter block
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): urlfilter
Level/Severity: warning
Log field

Meaning

type

utm

subtype

webfilter

eventtype

urlfilter

level

warning

date

The date at which the log was recorded.

time

The time at which the log was recorded.

urlfilteridx

URL filter index.

urlfilterlist

URL filter list name.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.

sessionid

Session ID.

initiator

The initiator name.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

service

The service where the event or activity occurred.

hostname

The hostname information.

profiletype

The type of profile responsible for the UTM action taken.

profile

The name of the profile that was used to detect and take action.

status

The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.

reqtype

The request type, either direct or referral.

url

The URL address.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

msg

"URL was blocked because it is in the URL filter list."

12545
Message ID: 012545
Message Description: URL filter exempt
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): urlfilter
Level/Severity: information
Log field

Meaning

type

utm

subtype

webfilter

eventtype

urlfilter

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

urlfilteridx

URL filter index.

urlfilterlist

URL filter list name.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.

sessionid

Session ID.

initiator

The initiator name.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

service

The service where the event or activity occurred.

hostname

The hostname information.

profiletype

The type of profile responsible for the UTM action taken.

profile

The name of the profile that was used to detect and take action.

status

The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.

reqtype

The request type, either direct or referral.

url

The URL address.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

msg

"URL was exempted because it is in the URL filter list."

12546
Message ID: 012546
Message Description: URL filter allow
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): urlfilter
Level/Severity: information
Log field

Meaning

type

utm

subtype

webfilter

eventtype

urlfilter

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

urlfilteridx

URL filter index.

urlfilterlist

URL filter list name.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.

sessionid

Session ID.

initiator

The initiator name.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

service

The service where the event or activity occurred.

hostname

The hostname information.

profiletype

The type of profile responsible for the UTM action taken.

profile

The name of the profile that was used to detect and take action.

status

The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.

reqtype

The request type, either direct or referral.

url

The URL address.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

msg

"URL was allowed because it is in the URL filter list."

12547
Message ID: 012547
Message Description: URL filter invalid hostname (Block/HTTP)
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): urlfilter
Level/Severity: notice
Log field

Meaning

type

utm

subtype

webfilter

eventtype

urlfilter

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique; it is only locally unique within a given firewall policy.

sessionid

Session ID.

user

User name.

group

The group name.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

service

The service where the event or activity occurred.

profiletype

The type of profile responsible for the UTM action taken.

profile

The name of the profile that was used to detect and take action.

hostname

The hostname information.

status

The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.

reqtype

The request type, either direct or referral.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

msg

"The HTTP request contained an invalid domain name."

12548
Message ID: 012548
Message Description: URL filter invalid hostname (Block/HTTPS)
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): urlfilter
Level/Severity: notice
Log field

Meaning

type

utm

subtype

webfilter

eventtype

urlfilter

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique; it is only locally unique within a given firewall policy.

sessionid

Session ID.

user

User name.

group

The group name.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

service

The service where the event or activity occurred.

profiletype

The type of profile responsible for the UTM action taken.

profile

The name of the profile that was used to detect and take action.

hostname

The hostname information.

status

The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.

reqtype

The request type, either direct or referral.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

msg

"The certificate for the HTTPS session contained an invalid domain name."

12549
Message ID: 012549
Message Description: URL filter invalid hostname (Filter/HTTP)
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): urlfilter
Level/Severity: information
Log field

Meaning

type

utm

subtype

webfilter

eventtype

urlfilter

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique; it is only locally unique within a given firewall policy.

sessionid

Session ID.

user

User name.

group

The group name.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

service

The service where the event or activity occurred.

profiletype

The type of profile responsible for the UTM action taken.

profile

The name of the profile that was used to detect and take action.

hostname

The hostname information.

status

The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.

reqtype

The request type, either direct or referral.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

msg

"The HTTP request contained an invalid domain name. The session has been filtered by IP only."

12550
Message ID: 012550
Message Description: URL filter invalid hostname (Filter/HTTPS)
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): urlfilter
Level/Severity: information
Log field

Meaning

type

utm

subtype

webfilter

eventtype

urlfilter

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique; it is only locally unique within a given firewall policy.

sessionid

Session ID.

user

User name.

group

The group name.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

service

The service where the event or activity occurred.

profiletype

The type of profile responsible for the UTM action taken.

profile

The name of the profile that was used to detect and take action.

hostname

The hostname information.

status

The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.

reqtype

The request type, either direct or referral.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

msg

"The certificate for this HTTPS session contained an invalid domain name. The session has been filtered by IP only."

12553
Message ID: 012553
Message Description: Server certificate validation failed
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): urlfilter
Level/Severity: notice
Log field

Meaning

type

utm

subtype

webfilter

eventtype

urlfilter

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique; it is only locally unique within a given firewall policy.

sessionid

Session ID.

user

User name.

group

The group name.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

service

The service where the event or activity occurred.

profiletype

The type of profile responsible for the UTM action taken.

profile

The name of the profile that was used to detect and take action.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

msg

"The server certificate validation failed."

12554
Message ID: 012554
Message Description: Unknown SSL session ID
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): urlfilter
Level/Severity: notice
Log field

Meaning

type

utm

subtype

webfilter

eventtype

urlfilter

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique; it is only locally unique within a given firewall policy.

sessionid

Session ID.

user

User name.

group

The group name.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

profiletype

The type of profile responsible for the UTM action taken.

profile

The name of the profile that was used to detect and take action.

service

The service where the event or activity occurred.

status

The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

msg

"The SSL session was blocked because the session ID was unknown."

12555
Message ID: 012555
Message Description: SSL session blocked due to invalid/missing server certificate
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): urlfilter
Level/Severity: notice
Log field

Meaning

type

utm

subtype

webfilter

eventtype

urlfilter

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique; it is only locally unique within a given firewall policy.

sessionid

Session ID.

user

User name.

group

The group name.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

profiletype

The type of profile responsible for the UTM action taken.

profile

The name of the profile that was used to detect and take action.

service

The service where the event or activity occurred.

status

The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

msg

"The SSL session was blocked because the server certificate was missing or invalid."

12556
Message ID: 012556
Message Description: SSL session ignored due to invalid/missing server certificate
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): urlfilter
Level/Severity: notice
Log field

Meaning

type

utm

subtype

webfilter

eventtype

urlfilter

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique; it is only locally unique within a given firewall policy.

sessionid

Session ID.

user

User name.

group

The group name.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

profiletype

The type of profile responsible for the UTM action taken.

profile

The name of the profile that was used to detect and take action.

service

The service where the event or activity occurred.

status

The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

msg

"The SSL session was ignored because the server certificate was missing or invalid."

12557
Message ID: 012557
Message Description: FortiGuard service inactive
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): urlfilter
Level/Severity: critical
Log field

Meaning

type

utm

subtype

webfilter

eventtype

urlfilter

level

critical

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

msg

"FortiGuard is enabled in the protection profile but the FortiGuard service is not enabled."

12558
Message ID: 012558
Message Description: Rating error occurs
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): urlfilter
Level/Severity: information
Log field

Meaning

type

utm

subtype

webfilter

eventtype

urlfilter

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

user

User name.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

urltype

URL type. One of: HTTP, HTTPS, FTP, Telnet, mail, phishing.

hostname

The hostname information.

status

The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.

error

Error.

url

The URL address.

msg

"Policy allows URLs when a rating error occurs."

12559
Message ID: 012559
Message Description: URL filter pass
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): urlfilter
Level/Severity: information
Log field

Meaning

type

utm

subtype

webfilter

eventtype

urlfilter

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

urlfilteridx

URL filter index.

urlfilterlist

URL filter list name.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.

sessionid

Session ID.

initiator

The initiator name.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

service

The service where the event or activity occurred.

hostname

The hostname information.

profiletype

The type of profile responsible for the UTM action taken.

profile

The name of the profile that was used to detect and take action.

status

The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.

reqtype

The request type, either direct or referral.

url

The URL address.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

msg

"URL was passed because it is in the URL filter list."

12800
Message ID: 012800
Message Description: FortiGuard webfilter error
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): ftgd_err
Level/Severity: error
Log field

Meaning

type

utm

subtype

webfilter

eventtype

ftgd_err

level

error

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.

sessionid

Session ID.

initiator

The initiator name.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

service

The service where the event or activity occurred.

hostname

The hostname information.

profiletype

The type of profile responsible for the UTM action taken.

profile

The name of the profile that was used to detect and take action.

status

The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.

reqtype

The request type, either direct or referral.

url

The URL address.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

error

Error.

msg

"A rating error occurred."

12801
Message ID: 012801
Message Description: FortiGuard webfilter error
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): ftgd_err
Level/Severity: warning
Log field

Meaning

type

utm

subtype

webfilter

eventtype

ftgd_err

level

warning

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.

sessionid

Session ID.

initiator

The initiator name.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

service

The service where the event or activity occurred.

hostname

The hostname information.

profiletype

The type of profile responsible for the UTM action taken.

profile

The name of the profile that was used to detect and take action.

status

The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.

reqtype

The request type, either direct or referral.

url

The URL address.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

error

Error.

msg

"A rating error occurred."

12802
Message ID: 012802
Message Description: Daily fortiguard quota status
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): ftgd_quota
Level/Severity: information
Log field

Meaning

type

utm

subtype

webfilter

eventtype

ftgd_quota

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

quotaexceeded

Quota exceeded: yes or no.

quotatype

The quota type, either: time or traffic.

quotaused

Quota time used (in seconds).

quotamax

Maximum quota time allowed (in seconds).

catdesc

The category description.

user

User name.

profile

The name of the profile that was used to detect and take action.

13056
Message ID: 013056
Message Description: FortiGuard webfilter category block
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): ftgd_blk
Level/Severity: warning
Log field

Meaning

type

utm

subtype

webfilter

eventtype

ftgd_blk

level

warning

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.

sessionid

Session ID.

initiator

The initiator name.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

service

The service where the event or activity occurred.

hostname

The hostname information.

profiletype

The type of profile responsible for the UTM action taken.

profile

The name of the profile that was used to detect and take action.

status

The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.

reqtype

The request type, either direct or referral.

url

The URL address.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

method

The method information.

class

The class.

classdesc

The class description.

cat

The category.

catdesc

The category description.

msg

"URL belongs to a denied category in policy."

13057
Message ID: 013057
Message Description: FortiGuard webfilter category block
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): ftgd_blk
Level/Severity: warning
Log field

Meaning

type

utm

subtype

webfilter

eventtype

ftgd_blk

level

warning

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.

sessionid

Session ID.

initiator

The initiator name.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

service

The service where the event or activity occurred.

hostname

The hostname information.

profiletype

The type of profile responsible for the UTM action taken.

profile

The name of the profile that was used to detect and take action.

status

The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.

reqtype

The request type, either direct or referral.

url

The URL address.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

method

The method information.

class

The class.

classdesc

The class description.

cat

The category.

catdesc

The category description.

msg

"URL belongs to a category with warnings enabled."

13312
Message ID: 013312
Message Description: FortiGuard webfilter category allow
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): ftgd_allow
Level/Severity: notice
Log field

Meaning

type

utm

subtype

webfilter

eventtype

ftgd_allow

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.

sessionid

Session ID.

initiator

The initiator name.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

service

The service where the event or activity occurred.

hostname

The hostname information.

profiletype

The type of profile responsible for the UTM action taken.

profile

The name of the profile that was used to detect and take action.

status

The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.

reqtype

The request type, either direct or referral.

url

The URL address.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

method

The method information.

class

The class.

classdesc

The class description.

cat

The category.

catdesc

The category description.

msg

"URL belongs to a allowed category in policy."

13313
Message ID: 013313
Message Description: FortiGuard webfilter allow
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): ftgd_allow
Level/Severity: notice
Log field

Meaning

type

utm

subtype

webfilter

eventtype

ftgd_allow

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.

sessionid

Session ID.

initiator

The initiator name.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

service

The service where the event or activity occurred.

hostname

The hostname information.

profiletype

The type of profile responsible for the UTM action taken.

profile

The name of the profile that was used to detect and take action.

status

The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.

reqtype

The request type, either direct or referral.

url

The URL address.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

method

The method information.

class

The class.

classdesc

The class description.

cat

The category.

catdesc

The category description.

mode

Mode.

ruletype

Rule type. One of: Directory, domain, rating, unhandled.

ruledata

Rule data.

ovrdtbl

Override table name.

ovrdid

Override ID.

msg

"URL belongs to an override rule."

13314
Message ID: 013314
Message Description: FortiGuard webfilter allow
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): ftgd_allow
Level/Severity: information
Log field

Meaning

type

utm

subtype

webfilter

eventtype

ftgd_allow

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.

sessionid

Session ID.

initiator

The initiator name.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

service

The service where the event or activity occurred.

hostname

The hostname information.

profiletype

The type of profile responsible for the UTM action taken.

profile

The name of the profile that was used to detect and take action.

status

The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.

reqtype

The request type, either direct or referral.

url

The URL address.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

method

The method information.

class

The class.

classdesc

The class description.

cat

The category.

catdesc

The category description.

mode

Mode.

ruletype

Rule type. One of: Directory, domain, rating, unhandled.

ruledata

Rule data.

ovrdtbl

Override table name.

ovrdid

Override ID.

msg

"URL belongs to an override rule."

13315
Message ID: 013315
Message Description: FortiGuard webfilter category quota counting
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): ftgd_quota_counting
Level/Severity: notice
Log field

Meaning

type

utm

subtype

webfilter

eventtype

ftgd_quota_counting

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.

sessionid

Session ID.

initiator

The initiator name.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

service

The service where the event or activity occurred.

hostname

The hostname information.

profiletype

The type of profile responsible for the UTM action taken.

profile

The name of the profile that was used to detect and take action.

status

The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.

reqtype

The request type, either direct or referral.

url

The URL address.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

method

The method information.

class

The class.

classdesc

The class description.

cat

The category.

catdesc

The category description.

quotatype

The quota type, either: time or traffic.

quotaused

Quota time used (in seconds).

quotamax

Maximum quota time allowed (in seconds).

msg

"Webfilter quota has begun counting."

13316
Message ID: 013316
Message Description: FortiGuard webfilter category quota expired
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): urlfilter
Level/Severity: warning
Log field

Meaning

type

utm

subtype

webfilter

eventtype

urlfilter

level

warning

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid

Session ID.

initiator

The initiator name.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

service

The service where the event or activity occurred.

hostname

The hostname information.

profiletype

The type of profile responsible for the UTM action taken.

profile

The name of the profile that was used to detect and take action.

status

The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.

reqtype

The request type, either direct or referral.

url

The URL address.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

method

The method information.

class

The class.

classdesc

The class description.

cat

The category.

catdesc

The category description.

quotatype

The quota type, either: time or traffic.

quotaused

Quota time used (in seconds).

quotamax

Maximum quota time allowed (in seconds).

msg

"Webfilter quota for category has expired."

13317
Message ID: 013317
Message Description: URL visited
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): urlfilter
Level/Severity: notice
Log field

Meaning

type

utm

subtype

webfilter

eventtype

urlfilter

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid

Session ID.

initiator

The initiator name.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

service

The service where the event or activity occurred.

hostname

The hostname information.

profiletype

The type of profile responsible for the UTM action taken.

profile

The name of the profile that was used to detect and take action.

status

The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.

reqtype

The request type, either direct or referral.

url

The URL address.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

method

The method information.

class

The class.

classdesc

The class description.

cat

The category.

catdesc

The category description.

msg

"URL has been visited."

13568
Message ID: 013568
Message Description: Web script filter ActiveX
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): activexfilter
Level/Severity: notice
Log field

Meaning

type

utm

subtype

webfilter

eventtype

activexfilter

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid

Session ID.

initiator

The initiator name.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

service

The service where the event or activity occurred.

hostname

The hostname information.

profiletype

The type of profile responsible for the UTM action taken.

profile

The name of the profile that was used to detect and take action.

status

The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.

reqtype

The request type, either direct or referral.

url

The URL address.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

count

Number of packets.

msg

"ActiveX script was removed."

13573
Message ID: 013573
Message Description: Web script filter cookie
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): cookiefilter
Level/Severity: notice
Log field

Meaning

type

utm

subtype

webfilter

eventtype

cookiefilter

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid

Session ID.

initiator

The initiator name.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

service

The service where the event or activity occurred.

hostname

The hostname information.

profiletype

The type of profile responsible for the UTM action taken.

profile

The name of the profile that was used to detect and take action.

status

The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.

reqtype

The request type, either direct or referral.

url

The URL address.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

msg

"Cookie was removed."

13584
Message ID: 013584
Message Description: Web script filter applet
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): appletfilter
Level/Severity: notice
Log field

Meaning

type

utm

subtype

webfilter

eventtype

appletfilter

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid

Session ID.

initiator

The initiator name.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

service

The service where the event or activity occurred.

hostname

The hostname information.

profiletype

The type of profile responsible for the UTM action taken.

profile

The name of the profile that was used to detect and take action.

status

The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.

reqtype

The request type, either direct or referral.

url

The URL address.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

count

Number of packets.

msg

"Java applet was removed."

13601
Message ID: 013601
Message Description: Web cookie filter
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): cookiefilter
Level/Severity: notice
Log field

Meaning

type

utm

subtype

webfilter

eventtype

cookiefilter

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid

Session ID.

initiator

The initiator name.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

service

The service where the event or activity occurred.

hostname

The hostname information.

profiletype

The type of profile responsible for the UTM action taken.

profile

The name of the profile that was used to detect and take action.

status

The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.

reqtype

The request type, either direct or referral.

url

The URL address.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

count

Number of packets.

filtertype

The script filter type. Can be: N/A, jscript, javascript, vbscript, or unknown.

msg

"Cookie was removed entirely."

13602
Message ID: 013602
Message Description: Web referer filter
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): cookiefilter
Level/Severity: notice
Log field

Meaning

type

utm

subtype

webfilter

eventtype

cookiefilter

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid

Session ID.

initiator

The initiator name.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

service

The service where the event or activity occurred.

hostname

The hostname information.

profiletype

The type of profile responsible for the UTM action taken.

profile

The name of the profile that was used to detect and take action.

status

The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.

reqtype

The request type, either direct or referral.

url

The URL address.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

count

Number of packets.

filtertype

The script filter type. Can be: N/A, jscript, javascript, vbscript, or unknown.

msg

"Referer was removed from request."

13603
Message ID: 013603
Message Description: Command blocked
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): webfilter_command_block
Level/Severity: warning
Log field

Meaning

type

utm

subtype

webfilter

eventtype

webfilter_command_block

level

warning

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique, it is only locally unique within a given firewall policy.

sessionid

Session ID.

initiator

The initiator name.

user

User name.

group

The group name.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

profiletype

The type of profile responsible for the UTM action taken.

profile

The name of the profile that was used to detect and take action.

hostname

The hostname information.

status

The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.

service

The service where the event or activity occurred.

reqtype

The request type, either direct or referral.

msg

"Command blocked."

13616
Message ID: 013616
Message Description: Content type blocked
Type (type): utm
Subtype (subtype): webfilter
Event Type (eventtype): content
Level/Severity: warning
Log field

Meaning

type

utm

subtype

webfilter

eventtype

content

level

warning

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid

Session ID.

initiator

The initiator name.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

service

The service where the event or activity occurred.

hostname

The hostname information.

profiletype

The type of profile responsible for the UTM action taken.

profile

The name of the profile that was used to detect and take action.

reqtype

The request type, either direct or referral.

url

The URL address.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

status

The status of the traffic: blocked, exempted, allowed, passthrough, filtered, DLP.

agent

Agent.

from

Source identifier.

to

Destination identifier.

contenttype

Content type.

msg

"Blocked by HTTP Header Content Type."

IPS
16384
Message ID: 016384
Message Description: attack signature (tcp/udp)
Type (type): utm
Subtype (subtype): ips
Event Type (eventtype): signature
Level/Severity: alert
Log field

Meaning

type

utm

subtype

ips

eventtype

signature

level

alert

date

The date at which the log was recorded.

time

The time at which the log was recorded.

severity

The priority level of the attack log. Can be info, low, medium, high, or critical.

srcip

The source IP.

dstip

The destination IP.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstintf

The destination interface.

policyid

The ID number of the firewall policy that applies to the session or packet.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

custom

Custom field.

sessionid

Session ID.

status

The status of the packet that was flagged as part of an attack. Can be detected, dropped, or reset.

proto

The protocol number that applies to the session or packet. This is the protocol number in the packet header that
identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).

service

The service where the event or activity occurred.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

count

Number of packets.

attackname

Attack name.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

attackid

The identification number of the attack log message.

sensor

Sensor.

ref

URL of the FortiGuard IPS database entry for the attack.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

incidentserialno

Incident serial number.

16385
Message ID: 016385
Message Description: attack signature (icmp)
Type (type): utm
Subtype (subtype): ips
Event Type (eventtype): signature
Level/Severity: alert
Log field

Meaning

type

utm

subtype

ips

eventtype

signature

level

alert

date

The date at which the log was recorded.

time

The time at which the log was recorded.

severity

The priority level of the attack log. Can be info, low, medium, high, or critical.

srcip

The source IP.

dstip

The destination IP.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstintf

The destination interface.

policyid

The ID number of the firewall policy that applies to the session or packet.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

custom

Custom field.

sessionid

Session ID.

status

The status of the packet that was flagged as part of an attack. Can be detected, dropped, or reset.

proto

The protocol number that applies to the session or packet. This is the protocol number in the packet header that
identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).

service

The service where the event or activity occurred.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

count

Number of packets.

attackname

Attack name.

icmpid

The source port of the ICMP message.

icmptype

The type of ICMP message.

icmpcode

The destination port of the ICMP message.

attackid

The identification number of the attack log message.

sensor

Sensor.

ref

URL of the FortiGuard IPS database entry for the attack.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

incidentserialno

Incident serial number.

16386
Message ID: 016386
Message Description: attack signature (others)
Type (type): utm
Subtype (subtype): ips
Event Type (eventtype): signature
Level/Severity: alert
Log field

Meaning

type

utm

subtype

ips

eventtype

signature

level

alert

date

The date at which the log was recorded.

time

The time at which the log was recorded.

severity

The priority level of the attack log. Can be info, low, medium, high, or critical.

srcip

The source IP.

dstip

The destination IP.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstintf

The destination interface.

policyid

The ID number of the firewall policy that applies to the session or packet.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

custom

Custom field.

sessionid

Session ID.

status

The status of the packet that was flagged as part of an attack. Can be detected, dropped, or reset.

proto

The protocol number that applies to the session or packet. This is the protocol number in the packet header that
identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).

service

The service where the event or activity occurred.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

count

Number of packets.

attackname

Attack name.

attackid

The identification number of the attack log message.

sensor

Sensor.

ref

URL of the FortiGuard IPS database entry for the attack.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

incidentserialno

Incident serial number.

18432
Message ID: 018432
Message Description: attack anomaly (tcp/udp)
Type (type): utm
Subtype (subtype): ips
Event Type (eventtype): anomaly
Level/Severity: alert
Log field

Meaning

type

utm

subtype

ips

eventtype

anomaly

level

alert

date

The date at which the log was recorded.

time

The time at which the log was recorded.

severity

The priority level of the attack log. Can be info, low, medium, high, or critical.

srcip

The source IP.

dstip

The destination IP.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstintf

The destination interface.

policyid

The ID number of the firewall policy that applies to the session or packet.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

custom

Custom field.

sessionid

Session ID.

status

The status of the packet that was flagged as part of an attack. Can be detected, dropped, or reset.

proto

The protocol number that applies to the session or packet. This is the protocol number in the packet header that
identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).

service

The service where the event or activity occurred.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

count

Number of packets.

attackname

Attack name.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

attackid

The identification number of the attack log message.

sensor

Sensor.

ref

URL of the FortiGuard IPS database entry for the attack.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

incidentserialno

Incident serial number.

18433
Message ID: 018433
Message Description: attack anomaly (icmp)
Type (type): utm
Subtype (subtype): ips
Event Type (eventtype): anomaly
Level/Severity: alert
Log field

Meaning

type

utm

subtype

ips

eventtype

anomaly

level

alert

date

The date at which the log was recorded.

time

The time at which the log was recorded.

severity

The priority level of the attack log. Can be info, low, medium, high, or critical.

srcip

The source IP.

dstip

The destination IP.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstintf

The destination interface.

policyid

The ID number of the firewall policy that applies to the session or packet.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

custom

Custom field.

sessionid

Session ID.

status

The status of the packet that was flagged as part of an attack. Can be detected, dropped, or reset.

proto

The protocol number that applies to the session or packet. This is the protocol number in the packet header that
identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).

service

The service where the event or activity occurred.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

count

Number of packets.

attackname

Attack name.

icmpid

The source port of the ICMP message.

icmptype

The type of ICMP message.

icmpcode

The destination port of the ICMP message.

attackid

The identification number of the attack log message.

sensor

Sensor.

ref

URL of the FortiGuard IPS database entry for the attack.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

incidentserialno

Incident serial number.

18434
Message ID: 018434
Message Description: attack anomaly (others)
Type (type): utm
Subtype (subtype): ips
Event Type (eventtype): anomaly
Level/Severity: alert
Log field

Meaning

type

utm

subtype

ips

eventtype

anomaly

level

alert

date

The date at which the log was recorded.

time

The time at which the log was recorded.

severity

The priority level of the attack log. Can be info, low, medium, high, or critical.

srcip

The source IP.

dstip

The destination IP.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstintf

The destination interface.

policyid

The ID number of the firewall policy that applies to the session or packet.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.

custom

Custom field.

sessionid

Session ID.

status

The status of the packet that was flagged as part of an attack. Can be detected, dropped, or reset.

proto

The protocol number that applies to the session or packet. This is the protocol number in the packet header that
identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).

service

The service where the event or activity occurred.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

count

Number of packets.

attackname

Attack name.

attackid

The identification number of the attack log message.

sensor

Sensor.

ref

URL of the FortiGuard IPS database entry for the attack.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

incidentserialno

Incident serial number.
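
Added example, not part of the Fortinet reference: one way to normalise the IPS anomaly messages above when triaging logs, reading ports only for TCP/UDP, the icmp* fields only for ICMP, and never using indentidx without its policyid. The key=value line layout, the helper names and every sample line are constructed assumptions; field names and allowed values come from the tables above.

```python
import shlex

# Severity values in the order the reference lists them, lowest first.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
ICMP, TCP, UDP = 1, 6, 17  # IANA protocol numbers carried in the proto field

# Constructed sample lines. The key=value layout with double-quoted strings is an
# assumption; addresses are documentation ranges, attack names are placeholders.
SAMPLE_LOGS = [
    'date=2015-03-13 time=10:15:01 type=utm subtype=ips eventtype=anomaly level=alert '
    'severity=critical srcip=192.0.2.10 dstip=198.51.100.5 policyid=3 indentidx=0 '
    'status=dropped proto=6 vd="root" count=250 attackname="sample_tcp_anomaly" '
    'srcport=40211 dstport=80 srcname="My PC"',
    'date=2015-03-13 time=10:15:04 type=utm subtype=ips eventtype=anomaly level=alert '
    'severity=high srcip=192.0.2.10 dstip=198.51.100.5 policyid=3 indentidx=2 '
    'status=detected proto=6 vd="root" count=100 attackname="sample_tcp_anomaly" '
    'srcport=40212 dstport=80',
    'date=2015-03-13 time=10:16:00 type=utm subtype=ips eventtype=anomaly level=alert '
    'severity=medium srcip=192.0.2.10 dstip=198.51.100.5 policyid=3 indentidx=0 '
    'status=detected proto=1 vd="root" count=40 attackname="sample_icmp_anomaly" '
    'icmpid=4660 icmptype=8 icmpcode=0',
    'date=2015-03-13 time=10:17:30 type=utm subtype=ips eventtype=anomaly level=alert '
    'severity=low srcip=203.0.113.7 dstip=198.51.100.5 policyid=5 indentidx=0 '
    'status=reset proto=47 vd="root" count=5 attackname="sample_other_anomaly" '
    'srcport=0 dstport=0',
    # A spam message: valid, but not an IPS anomaly, so it must be ignored.
    'date=2015-03-13 time=10:18:00 type=utm subtype=spam eventtype=smtp level=notice '
    'srcip=192.0.2.10 dstip=198.51.100.9 policyid=3 indentidx=0 status=blocked',
    # Truncated line with an unbalanced quote: skipped rather than guessed at.
    'date=2015-03-13 type=utm subtype=ips eventtype=anomaly srcname="My PC',
]


def parse_line(line):
    """Split one key=value log line into a dict; quoted values may contain spaces."""
    fields = {}
    for token in shlex.split(line):  # raises ValueError on an unbalanced quote
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def to_int(value, default=0):
    """Convert a field to int, falling back to default when absent or malformed."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return default


def layer4(fields):
    """Return only the transport fields that are meaningful for this protocol."""
    proto = to_int(fields.get("proto"), -1)
    if proto in (TCP, UDP):
        return {"srcport": to_int(fields.get("srcport")),
                "dstport": to_int(fields.get("dstport"))}
    if proto == ICMP:
        return {k: to_int(fields.get(k)) for k in ("icmpid", "icmptype", "icmpcode")}
    return {}  # ports appear as zero for other traffic, so they carry no signal


def summarize(lines):
    """Aggregate IPS anomaly events per (srcip, attackname)."""
    summary = {}
    for line in lines:
        try:
            f = parse_line(line)
        except ValueError:
            continue
        if (f.get("type"), f.get("subtype"), f.get("eventtype")) != ("utm", "ips", "anomaly"):
            continue
        entry = summary.setdefault((f.get("srcip"), f.get("attackname")), {
            "packets": 0, "detected_only": 0, "severity": "info",
            "policies": set(), "l4": []})
        packets = to_int(f.get("count"))
        entry["packets"] += packets
        # status=detected is read here as "flagged but neither dropped nor reset",
        # an interpretation of the three status values the reference lists.
        if f.get("status") == "detected":
            entry["detected_only"] += packets
        if SEVERITY_RANK.get(f.get("severity"), 0) > SEVERITY_RANK[entry["severity"]]:
            entry["severity"] = f["severity"]
        # indentidx is only unique within one policy, so it is never used alone.
        entry["policies"].add(
            (f.get("vd"), to_int(f.get("policyid")), to_int(f.get("indentidx"))))
        entry["l4"].append(layer4(f))
    return summary


if __name__ == "__main__":
    for key, entry in summarize(SAMPLE_LOGS).items():
        print(key, entry)
```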

Spam
20480
Message ID: 020480
Message Description: antispam smtp (warning)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): smtp
Level/Severity: notice
Log field

Meaning

type

utm

subtype

spam

eventtype

smtp

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.

sessionid

Session ID.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

service

The service where the event or activity occurred.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

status

The status of the email message. One of: exempted, blocked, or detected.

from

Source identifier.

to

Destination identifier.

tracker

Tracker ID.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

20481
Message ID: 020481
Message Description: antispam smtp (warning)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): smtp
Level/Severity: notice
Log field

Meaning

type

utm

subtype

spam

eventtype

smtp

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.

sessionid

Session ID.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

service

The service where the event or activity occurred.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

status

The status of the email message. One of: exempted, blocked, or detected.

from

Source identifier.

to

Destination identifier.

tracker

Tracker ID.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

banword

Banned word flagged in the message.

subject

Subject.

20482
Message ID: 020482
Message Description: antispam pop3 (warning)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): pop3
Level/Severity: notice
Log field

Meaning

type

utm

subtype

spam

eventtype

pop3

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.

sessionid

Session ID.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

service

The service where the event or activity occurred.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

status

The status of the email message. One of: exempted, blocked, or detected.

from

Source identifier.

to

Destination identifier.

tracker

Tracker ID.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

20483
Message ID: 020483
Message Description: antispam pop3 (warning)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): pop3
Level/Severity: notice
Log field

Meaning

type

utm

subtype

spam

eventtype

pop3

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.

sessionid

Session ID.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

service

The service where the event or activity occurred.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

status

The status of the email message. One of: exempted, blocked, or detected.

from

Source identifier.

to

Destination identifier.

tracker

Tracker ID.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

banword

Banned word flagged in the message.

20484
Message ID: 020484
Message Description: antispam imap (notice)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): imap
Level/Severity: notice
Log field

Meaning

type

utm

subtype

spam

eventtype

imap

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.

sessionid

Session ID.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

service

The service where the event or activity occurred.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

status

The status of the email message. One of: exempted, blocked, or detected.

from

Source identifier.

to

Destination identifier.

tracker

Tracker ID.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

20485
Message ID: 020485
Message Description: antispam endpoint filter (warning)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): endpointfilter
Level/Severity: warning
Log field

Meaning

type

utm

subtype

spam

eventtype

endpointfilter

level

warning

date

The date at which the log was recorded.

time

The time at which the log was recorded.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.

sessionid

Session ID.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

service

The service where the event or activity occurred.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

status

The status of the email message. One of: exempted, blocked, or detected.

from

Source identifier.

to

Destination identifier.

tracker

Tracker ID.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

20486
Message ID: 020486
Message Description: antispam endpoint filter (notice)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): endpointfilter
Level/Severity: notice
Log field

Meaning

type

utm

subtype

spam

eventtype

endpointfilter

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.

sessionid

Session ID.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

service

The service where the event or activity occurred.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

status

The status of the email message. One of: exempted, blocked, or detected.

from

Source identifier.

to

Destination identifier.

tracker

Tracker ID.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

20487
Message ID: 020487
Message Description: antispam endpoint filter (mm7 warning)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): endpointfilter
Level/Severity: warning
Log field

Meaning

type

utm

subtype

spam

eventtype

endpointfilter

level

warning

date

The date at which the log was recorded.

time

The time at which the log was recorded.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.

sessionid

Session ID.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

service

The service where the event or activity occurred.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

status

The status of the email message. One of: exempted, blocked, or detected.

from

Source identifier.

to

Destination identifier.

tracker

Tracker ID.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

agent

Agent.

20488
Message ID: 020488
Message Description: antispam endpoint filter (mm7 notice)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): endpointfilter
Level/Severity: notice
Log field

Meaning

type

utm

subtype

spam

eventtype

endpointfilter

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.

sessionid

Session ID.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

service

The service where the event or activity occurred.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

status

The status of the email message. One of: exempted, blocked, or detected.

from

Source identifier.

to

Destination identifier.

tracker

Tracker ID.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

agent

Agent.

20489
Message ID: 020489
Message Description: antispam endpoint filter (mm1 warning)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): endpointfilter
Level/Severity: warning
Log field

Meaning

type

utm

subtype

spam

eventtype

endpointfilter

level

warning

date

The date at which the log was recorded.

time

The time at which the log was recorded.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.

sessionid

Session ID.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

service

The service where the event or activity occurred.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

status

The status of the email message. One of: exempted, blocked, or detected.

from

Source identifier.

to

Destination identifier.

tracker

Tracker ID.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

direction

The direction of the message. Either tx or rx.

agent

Agent.

20490
Message ID: 020490
Message Description: antispam endpoint filter (mm1 notice)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): endpointfilter
Level/Severity: notice
Log field

Meaning

type

utm

subtype

spam

eventtype

endpointfilter

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.

sessionid

Session ID.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

service

The service where the event or activity occurred.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

status

The status of the email message. One of: exempted, blocked, or detected.

from

Source identifier.

to

Destination identifier.

tracker

Tracker ID.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

direction

The direction of the message. Either tx or rx.

agent

Agent.

20491
Message ID: 020491
Message Description: antispam imap banned-word (notice)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): imap
Level/Severity: notice
Log field

Meaning

type

utm

subtype

spam

eventtype

imap

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.

sessionid

Session ID.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

service

The service where the event or activity occurred.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

status

The status of the email message. One of: exempted, blocked, or detected.

from

Source identifier.

to

Destination identifier.

tracker

Tracker ID.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

banword

Banned word flagged in the message.

subject

Subject.

20492
Message ID: 020492
Message Description: antispam MM1 flood detection (warning)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): mms
Level/Severity: warning
Log field

Meaning

type

utm

subtype

spam

eventtype

mms

level

warning

date

The date at which the log was recorded.

time

The time at which the log was recorded.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.

sessionid

Session ID.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

service

The service where the event or activity occurred.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

status

The status of the email message. One of: exempted, blocked, or detected.

from

Source identifier.

to

Destination identifier.

tracker

Tracker ID.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

direction

The direction of the message. Either tx or rx.

agent

Agent.

20493
Message ID: 020493
Message Description: antispam MM1 flood detection (notice)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): mms
Level/Severity: notice
Log field

Meaning

type

utm

subtype

spam

eventtype

mms

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.

sessionid

Session ID.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

service

The service where the event or activity occurred.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

status

The status of the email message. One of: exempted, blocked, or detected.

from

Source identifier.

to

Destination identifier.

tracker

Tracker ID.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

direction

The direction of the message. Either tx or rx.

agent

Agent.

20494
Message ID: 020494
Message Description: antispam MM4 flood detection (warning)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): mms
Level/Severity: warning
Log field

Meaning

type

utm

subtype

spam

eventtype

mms

level

warning

date

The date at which the log was recorded.

time

The time at which the log was recorded.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.

sessionid

Session ID.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

service

The service where the event or activity occurred.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

status

The status of the email message. One of: exempted, blocked, or detected.

from

Source identifier.

to

Destination identifier.

tracker

Tracker ID.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

20495
Message ID: 020495
Message Description: antispam MM4 flood detection (notice)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): mms
Level/Severity: notice
Log field

Meaning

type

utm

subtype

spam

eventtype

mms

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.

sessionid

Session ID.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

service

The service where the event or activity occurred.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

status

The status of the email message. One of: exempted, blocked, or detected.

from

Source identifier.

to

Destination identifier.

tracker

Tracker ID.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

20496
Message ID: 020496
Message Description: antispam MM1 duplicate detection (warning)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): mms
Level/Severity: warning
Log field

Meaning

type

utm

subtype

spam

eventtype

mms

level

warning

date

The date at which the log was recorded.

time

The time at which the log was recorded.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.

sessionid

Session ID.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

service

The service where the event or activity occurred.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

status

The status of the email message. One of: exempted, blocked, or detected.

from

Source identifier.

to

Destination identifier.

tracker

Tracker ID.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

direction

The direction of the traffic: incoming, outgoing, or N/A.

agent

Agent.

20497
Message ID: 020497
Message Description: antispam MM1 duplicate detection (notice)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): mms
Level/Severity: notice
Log field

Meaning

type

utm

subtype

spam

eventtype

mms

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.

sessionid

Session ID.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

service

The service where the event or activity occurred.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

status

The status of the email message. One of: exempted, blocked, or detected.

from

Source identifier.

to

Destination identifier.

tracker

Tracker ID.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

direction

The direction of the traffic: incoming, outgoing, or N/A.

agent

Agent.

20498
Message ID: 020498
Message Description: antispam MM4 duplicate detection (warning)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): mms
Level/Severity: warning
Log field

Meaning

type

utm

subtype

spam

eventtype

mms

level

warning

date

The date at which the log was recorded.

time

The time at which the log was recorded.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.

sessionid

Session ID.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

service

The service where the event or activity occurred.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

status

The status of the email message. One of: exempted, blocked, or detected.

from

Source identifier.

to

Destination identifier.

tracker

Tracker ID.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

20499
Message ID: 020499
Message Description: antispam MM4 duplicate detection (notice)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): mms
Level/Severity: notice
Log field

Meaning

type

utm

subtype

spam

eventtype

mms

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.

sessionid

Session ID.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

service

The service where the event or activity occurred.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

status

The status of the email message. One of: exempted, blocked, or detected.

from

Source identifier.

to

Destination identifier.

tracker

Tracker ID.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

20500
Message ID: 020500
Message Description: antispam msn hotmail (notice)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): msn
Level/Severity: information
Log field

Meaning

type

utm

subtype

spam

eventtype

msn

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.

sessionid

Session ID.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

service

The service where the event or activity occurred.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

status

The status of the email message. One of: exempted, blocked, or detected.

from

Source identifier.

to

Destination identifier.

tracker

Tracker ID.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

subject

Subject.

size

The size of the message/attachments.

cc

Alternate destination addresses.

attachment

Email attachment.

20501
Message ID: 020501
Message Description: antispam yahoo mail (notice)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): yahoo
Level/Severity: information
Log field

Meaning

type

utm

subtype

spam

eventtype

yahoo

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.

sessionid

Session ID.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

service

The service where the event or activity occurred.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

status

The status of the email message. One of: exempted, blocked, or detected.

from

Source identifier.

to

Destination identifier.

tracker

Tracker ID.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

subject

Subject.

size

The size of the message/attachments.

cc

Alternate destination addresses.

attachment

Email attachment.

20502
Message ID: 020502
Message Description: antispam gmail (notice)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): google
Level/Severity: information
Log field

Meaning

type

utm

subtype

spam

eventtype

google

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.

sessionid

Session ID.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

service

The service where the event or activity occurred.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

status

The status of the email message. One of: exempted, blocked, or detected.

from

Source identifier.

to

Destination identifier.

tracker

Tracker ID.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

subject

Subject.

size

The size of the message/attachments.

cc

Alternate destination addresses.

attachment

Email attachment.

20503
Message ID: 020503
Message Description: antispam smtp general (info)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): smtp
Level/Severity: information
Log field

Meaning

type

utm

subtype

spam

eventtype

smtp

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.

sessionid

Session ID.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

service

The service where the event or activity occurred.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

status

The status of the email message. One of: exempted, blocked, or detected.

from

Source identifier.

to

Destination identifier.

tracker

Tracker ID.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

banword

Banned word flagged in the message.

subject

Subject.

size

The size of the message/attachments.

cc

Alternate destination addresses.

attachment

Email attachment.

20504
Message ID: 020504
Message Description: antispam pop3 general (info)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): pop3
Level/Severity: information
Log field

Meaning

type

utm

subtype

spam

eventtype

pop3

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.

sessionid

Session ID.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

service

The service where the event or activity occurred.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

status

The status of the email message. One of: exempted, blocked, or detected.

from

Source identifier.

to

Destination identifier.

tracker

Tracker ID.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

banword

Banned word flagged in the message.

subject

Subject.

size

The size of the message/attachments.

cc

Alternate destination addresses.

attachment

Email attachment.

20505
Message ID: 020505
Message Description: antispam imap general (info)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): imap
Level/Severity: information
Log field

Meaning

type

utm

subtype

spam

eventtype

imap

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.

sessionid

Session ID.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

service

The service where the event or activity occurred.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

status

The status of the email message. One of: exempted, blocked, or detected.

from

Source identifier.

to

Destination identifier.

tracker

Tracker ID.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

banword

Banned word flagged in the message.

subject

Subject.

size

The size of the message/attachments.

cc

Alternate destination addresses.

attachment

Email attachment.

20506
Message ID: 020506
Message Description: antispam mapi (warning)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): mapi
Level/Severity: information
Log field

Meaning

type

utm

subtype

spam

eventtype

mapi

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is only locally unique within a given firewall policy.

sessionid

Session ID.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

service

The service where the event or activity occurred.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

status

The status of the email message. One of: exempted, blocked, or detected.

from

Source identifier.

to

Destination identifier.

tracker

Tracker ID.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

subject

Subject.

size

The size of the message/attachments.

20507
Message ID: 020507
Message Description: antispam mapi (warning)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): mapi
Level/Severity: notice
Log field

Meaning

type

utm

subtype

spam

eventtype

mapi

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid

Session ID.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

service

The service where the event or activity occurred.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

status

The status of the email message. One of: exempted, blocked, or detected.

from

Source identifier.

to

Destination identifier.

tracker

Tracker ID.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

banword

Banned word flagged in the message.

20508
Message ID: 020508
Message Description: antispam mapi (warning)
Type (type): utm
Subtype (subtype): spam
Event Type (eventtype): mapi
Level/Severity: notice
Log field

Meaning

type

utm

subtype

spam

eventtype

mapi

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid

Session ID.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

service

The service where the event or activity occurred.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

status

The status of the email message. One of: exempted, blocked, or detected.

from

Source identifier.

to

Destination identifier.

tracker

Tracker ID.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

subject

Subject.

size

The size of the message/attachments.

DLP
24576
Message ID: 024576
Message Description: DLP log (Warning)
Type (type): utm
Subtype (subtype): dlp
Event Type (eventtype): dlp
Level/Severity: warning
Log field

Meaning

type

utm

subtype

dlp

eventtype

dlp

level

warning

date

The date at which the log was recorded.

time

The time at which the log was recorded.

filteridx

The filter index.

dlpextra

Extra DLP information.

filtertype

DLP filter type. One of the following: credit-card, ssn, regexp, file-size, file-type, watermark, encrypted, none.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

policyid

The ID number of the firewall policy that applies to the session or packet.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique, it is only locally unique within a given firewall policy.

sessionid

Session ID.

epoch

Epoch.

eventid

Serial number.

user

User name.

group

The group name.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

service

The service where the event or activity occurred.

filetype

The filetype of the affected file.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

hostname

The hostname information.

url

The URL address.

from

Source identifier.

to

Destination identifier.

subject

Subject.

file

The name of the file.

action

Action taken by the FortiGate unit. One of the following: log-only, block, exempt, ban, ban sender, quarantine ip, quarantine
interface.

profile

The name of the profile that was used to detect and take action.

24577
Message ID: 024577
Message Description: DLP log (Notice)
Type (type): utm
Subtype (subtype): dlp
Event Type (eventtype): dlp
Level/Severity: notice
Log field

Meaning

type

utm

subtype

dlp

eventtype

dlp

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

filteridx

The filter index.

dlpextra

Extra DLP information.

filtertype

DLP filter type. One of the following: credit-card, ssn, regexp, file-size, file-type, watermark, encrypted, none.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

policyid

The ID number of the firewall policy that applies to the session or packet.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique, it is only locally unique within a given firewall policy.

sessionid

Session ID.

epoch

Epoch.

eventid

Serial number.

user

User name.

group

The group name.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

service

The service where the event or activity occurred.

filetype

The filetype of the affected file.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

hostname

The hostname information.

url

The URL address.

from

Source identifier.

to

Destination identifier.

subject

Subject.

file

The name of the file.

action

Action taken by the FortiGate unit. One of the following: log-only, block, exempt, ban, ban sender, quarantine ip, quarantine
interface.

profile

The name of the profile that was used to detect and take action.
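
Added example, not part of the Fortinet reference: Python that parses raw DLP log lines for messages 024576 and 024577 and counts matches that were logged but not blocked, using the filtertype and action values listed above. The key=value line layout, the reading of log-only and exempt as non-blocking, the function names and every sample line are assumptions constructed for the example.

```python
import re

# Enumerations copied from the filtertype and action rows above.
FILTER_TYPES = {"credit-card", "ssn", "regexp", "file-size", "file-type",
                "watermark", "encrypted", "none"}
ACTIONS = {"log-only", "block", "exempt", "ban", "ban sender",
           "quarantine ip", "quarantine interface"}
# Assumption (not stated in the table): these actions do not stop the transfer.
NON_BLOCKING = {"log-only", "exempt"}

# Assumption: a raw line is space-separated key=value pairs, and a value that
# contains spaces is wrapped in double quotes.
_PAIR = re.compile(r'(?<!\S)([A-Za-z_][\w-]*)=(?:"([^"]*)"|(\S*))')


def parse_line(line):
    """Split one raw log line into a dict of field name -> string value."""
    fields = {}
    for m in _PAIR.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def classify(rec):
    """Return 'not-dlp', 'malformed', 'blocked' or 'not-blocked'."""
    kind = (rec.get("type"), rec.get("subtype"), rec.get("eventtype"))
    if kind != ("utm", "dlp", "dlp"):
        return "not-dlp"
    # A value outside the documented enumerations points at a parsing problem
    # or a firmware mismatch, so it is reported rather than silently counted.
    if rec.get("filtertype") not in FILTER_TYPES or rec.get("action") not in ACTIONS:
        return "malformed"
    return "not-blocked" if rec["action"] in NON_BLOCKING else "blocked"


def unblocked_matches(lines):
    """Count DLP matches that were not blocked, per (user, srcip, filtertype)."""
    hits = {}
    for line in lines:
        rec = parse_line(line)
        if classify(rec) == "not-blocked":
            key = (rec.get("user", ""), rec.get("srcip", ""), rec["filtertype"])
            hits[key] = hits.get(key, 0) + 1
    return hits


# Constructed sample lines (documentation address ranges, invented users).
SAMPLE = [
    'date=2015-03-13 time=10:01:02 type=utm subtype=dlp eventtype=dlp level=warning '
    'vd="root" filteridx=1 filtertype=credit-card policyid=3 user="alice" '
    'srcip=192.0.2.10 srcport=51512 dstip=198.51.100.7 dstport=25 service=smtp '
    'subject="Q1 invoices" file="cards.xlsx" action=log-only profile="default"',
    'date=2015-03-13 time=10:04:40 type=utm subtype=dlp eventtype=dlp level=warning '
    'vd="root" filteridx=1 filtertype=credit-card policyid=3 user="alice" '
    'srcip=192.0.2.10 srcport=51544 dstip=198.51.100.7 dstport=25 service=smtp '
    'subject="Q1 invoices v2" file="cards2.xlsx" action=log-only profile="default"',
    'date=2015-03-13 time=10:09:11 type=utm subtype=dlp eventtype=dlp level=warning '
    'vd="root" filteridx=2 filtertype=ssn policyid=3 user="bob" '
    'srcip=192.0.2.22 srcport=40100 dstip=198.51.100.9 dstport=80 service=http '
    'url="/upload?a=1 b=2" file="hr.csv" action=block profile="default"',
    'date=2015-03-13 time=10:12:30 type=utm subtype=dlp eventtype=dlp level=notice '
    'vd="root" filteridx=4 filtertype=file-type policyid=5 user="carol" '
    'srcip=192.0.2.31 srcport=40222 dstip=198.51.100.9 dstport=21 service=ftp '
    'file="dump.zip" action="quarantine ip" profile="strict"',
    'date=2015-03-13 time=10:15:00 type=utm subtype=dlp eventtype=dlp level=notice '
    'vd="root" filteridx=9 filtertype=pci policyid=5 user="dave" '
    'srcip=192.0.2.40 action=log-only profile="strict"',
    'date=2015-03-13 time=10:16:00 type=utm subtype=spam eventtype=mapi level=notice '
    'vd="root" user="erin" srcip=192.0.2.50 status=blocked',
]

if __name__ == "__main__":
    for line in SAMPLE:
        rec = parse_line(line)
        print(rec.get("time"), rec.get("user"), classify(rec))
    print(unblocked_matches(SAMPLE))
```
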

24578
Message ID: 024578
Message Description: DLP fingerprint document source (Notice)
Type (type): utm
Subtype (subtype): dlp
Event Type (eventtype): dlp-docsource
Level/Severity: notice
Log field

Meaning

type

utm

subtype

dlp

eventtype

dlp-docsource

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

sensitivity

The sensitivity of the DLP sensor.

docsource

The fingerprinted document's source.

dlpextra

Extra DLP information.

24579
Message ID: 024579
Message Description: DLP fingerprint document source (Error)
Type (type): utm
Subtype (subtype): dlp
Event Type (eventtype): dlp-docsource
Level/Severity: warning
Log field

Meaning

type

utm

subtype

dlp

eventtype

dlp-docsource

level

warning

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

sensitivity

The sensitivity of the DLP sensor.

docsource

The fingerprinted document's source.

dlpextra

Extra DLP information.

Application Control
28672
Message ID: 028672
Message Description: application control im-basic log
Type (type): utm
Subtype (subtype): app-ctrl
Event Type (eventtype): app-ctrl-all
Level/Severity: information
Log field

Meaning

type

utm

subtype

app-ctrl

eventtype

app-ctrl-all

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

kind

The type of application traffic. Can be: login, chat, file, photo, audio, call, chat, regist, unregister, call-block, request,
response, video, ssh.

profiletype

The type of profile responsible for the UTM action taken.

profile

The name of the profile that was used to detect and take action.

direction

The direction of the traffic: incoming, outgoing, or N/A.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

srcuser

The source user.

dstuser

The destination user.

proto

The protocol number that applies to the session or packet. This is the protocol number in the packet header that
identifies the next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).

service

The service where the event or activity occurred.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid

Session ID.

applist

The name of the application control list that was used to detect and take action.

apptype

The type of application that triggered the action within the control list.

app

The name of the application that triggered the action within the control list. For example, SSL.

action

The app control action taken by the FortiGate. One of: pass, block, monitor, kickout, encrypt-kickout, reject, reset.

28673
Message ID: 028673
Message Description: application control im log
Type (type): utm
Subtype (subtype): app-ctrl
Event Type (eventtype): app-ctrl-all
Level/Severity: notice
Log field

Meaning

type

utm

subtype

app-ctrl

eventtype

app-ctrl-all

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

kind

The type of application traffic. Can be: login, chat, file, photo, audio, call, chat, regist, unregister, call-block, request,
response, video, ssh.

profiletype

The type of profile responsible for the UTM action taken.

profile

The name of the profile that was used to detect and take action.

direction

The direction of the traffic: incoming, outgoing, or N/A.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

srcuser

The source user.

dstuser

The destination user.

proto

The protocol number that applies to the session or packet. This is the protocol number in the packet header that
identifies the next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).

service

The service where the event or activity occurred.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid

Session ID.

applist

The name of the application control list that was used to detect and take action.

apptype

The type of application that triggered the action within the control list.

app

The name of the application that triggered the action within the control list. For example, SSL.

action

The app control action taken by the FortiGate. One of: pass, block, monitor, kickout, encrypt-kickout, reject, reset.

status

The status of the traffic. One of: request, cancel, accept, fail, download, stop, start, end, timeout, blocked, succeeded,
failed, authentication-required, pass, block.

28674
Message ID: 028674
Message Description: application control im(chat message count) log
Type (type): utm
Subtype (subtype): app-ctrl
Event Type (eventtype): app-ctrl-all
Level/Severity: information
Log field

Meaning

type

utm

subtype

app-ctrl

eventtype

app-ctrl-all

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

kind

The type of application traffic. Can be: login, chat, file, photo, audio, call, chat, regist, unregister, call-block, request,
response, video, ssh.

profiletype

The type of profile responsible for the UTM action taken.

profile

The name of the profile that was used to detect and take action.

direction

The direction of the traffic: incoming, outgoing, or N/A.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

srcuser

The source user.

dstuser

The destination user.

proto

The protocol number that applies to the session or packet. This is the protocol number in the packet header that
identifies the next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).

service

The service where the event or activity occurred.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid

Session ID.

applist

The name of the application control list that was used to detect and take action.

apptype

The type of application that triggered the action within the control list.

app

The name of the application that triggered the action within the control list. For example, SSL.

action

The app control action taken by the FortiGate. One of: pass, block, monitor, kickout, encrypt-kickout, reject, reset.

count

Number of packets.

28675
Message ID: 028675
Message Description: application control im(file) log
Type (type): utm
Subtype (subtype): app-ctrl
Event Type (eventtype): app-ctrl-all
Level/Severity: information
Log field

Meaning

type

utm

subtype

app-ctrl

eventtype

app-ctrl-all

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

kind

The type of application traffic. Can be: login, chat, file, photo, audio, call, chat, regist, unregister, call-block, request,
response, video, ssh.

profiletype

The type of profile responsible for the UTM action taken.

profile

The name of the profile that was used to detect and take action.

direction

The direction of the traffic: incoming, outgoing, or N/A.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

srcuser

The source user.

dstuser

The destination user.

proto

The protocol number that applies to the session or packet. This is the protocol number in the packet header that
identifies the next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).

service

The service where the event or activity occurred.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid

Session ID.

applist

The name of the application control list that was used to detect and take action.

apptype

The type of application that triggered the action within the control list.

app

The name of the application that triggered the action within the control list. For example, SSL.

action

The app control action taken by the FortiGate. One of: pass, block, monitor, kickout, encrypt-kickout, reject, reset.

status

The status of the traffic. One of: request, cancel, accept, fail, download, stop, start, end, timeout, blocked, succeeded,
failed, authentication-required, pass, block.

filename

The name of the file that was transferred.

filesize

File size.

immsg

IM message content.

28676
Message ID: 028676
Message Description: application control im(chat) log
Type (type): utm
Subtype (subtype): app-ctrl
Event Type (eventtype): app-ctrl-all
Level/Severity: notice
Log field

Meaning

type

utm

subtype

app-ctrl

eventtype

app-ctrl-all

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

kind

The type of application traffic. Can be: login, chat, file, photo, audio, call, chat, regist, unregister, call-block, request,
response, video, ssh.

profiletype

The type of profile responsible for the UTM action taken.

profile

The name of the profile that was used to detect and take action.

direction

The direction of the traffic: incoming, outgoing, or N/A.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

srcuser

The source user.

dstuser

The destination user.

proto

The protocol number that applies to the session or packet. This is the protocol number in the packet header that
identifies the next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).

service

The service where the event or activity occurred.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid

Session ID.

applist

The name of the application control list that was used to detect and take action.

apptype

The type of application that triggered the action within the control list.

app

The name of the application that triggered the action within the control list. For example, SSL.

action

The app control action taken by the FortiGate. One of: pass, block, monitor, kickout, encrypt-kickout, reject, reset.

count

Number of packets.

content

Traffic content.

28677
Message ID: 028677
Message Description: application control im(chat blocked) log
Type (type): utm
Subtype (subtype): app-ctrl
Event Type (eventtype): app-ctrl-all
Level/Severity: notice
Log field

Meaning

type

utm

subtype

app-ctrl

eventtype

app-ctrl-all

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

kind

The type of application traffic. Can be: login, chat, file, photo, audio, call, chat, regist, unregister, call-block, request,
response, video, ssh.

profiletype

The type of profile responsible for the UTM action taken.

profile

The name of the profile that was used to detect and take action.

direction

The direction of the traffic: incoming, outgoing, or N/A.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

srcuser

The source user.

dstuser

The destination user.

proto

The protocol number that applies to the session or packet. This is the protocol number in the packet header that
identifies the next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).

service

The service where the event or activity occurred.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid

Session ID.

applist

The name of the application control list that was used to detect and take action.

apptype

The type of application that triggered the action within the control list.

app

The name of the application that triggered the action within the control list. For example, SSL.

action

The app control action taken by the FortiGate. One of: pass, block, monitor, kickout, encrypt-kickout, reject, reset.

count

Number of packets.

reason

The reason for the blocking. One of the following: meter-overload-drop, meter-overload-refuse, rate-limit, dialog-limit,
long-header, unrecognized-form, unknown, block-request, invalid-ip, or exceed-rate.

req

The request information.

28678
Message ID: 028678
Message Description: application control im-block log
Type (type): utm
Subtype (subtype): app-ctrl
Event Type (eventtype): app-ctrl-all
Level/Severity: notice
Log field

Meaning

type

utm

subtype

app-ctrl

eventtype

app-ctrl-all

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

kind

The type of application traffic. Can be: login, chat, file, photo, audio, call, chat, regist, unregister, call-block, request,
response, video, ssh.

profiletype

The type of profile responsible for the UTM action taken.

profile

The name of the profile that was used to detect and take action.

direction

The direction of the traffic: incoming, outgoing, or N/A.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

srcuser

The source user.

dstuser

The destination user.

proto

The protocol number that applies to the session or packet. This is the protocol number in the packet header that
identifies the next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).

service

The service where the event or activity occurred.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique, it is only locally unique within a given firewall policy.

sessionid

Session ID.

applist

The name of the application control list that was used to detect and take action.

apptype

The type of application that triggered the action within the control list.

app

The name of the application that triggered the action within the control list. For example, SSL.

action

The app control action taken by the FortiGate. One of: pass, block, monitor, kickout, encrypt-kickout, reject, reset.

28688
Message ID: 028688
Message Description: application control (voip basic) log
Type (type): utm
Subtype (subtype): app-ctrl
Event Type (eventtype): app-ctrl-all
Level/Severity: information
Log field

Meaning

type

utm

subtype

app-ctrl

eventtype

app-ctrl-all

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

kind

The type of application traffic. Can be: login, chat, file, photo, audio, call, chat, regist, unregister, call-block, request,
response, video, ssh.

profiletype

The type of profile responsible for the UTM action taken.

profile

The name of the profile that was used to detect and take action.

direction

The direction of the traffic: incoming, outgoing, or N/A.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

srcuser

The source user.

dstuser

The destination user.

proto

The protocol number that applies to the session or packet. This is the protocol number in the packet header that
identifies the next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).

service

The service where the event or activity occurred.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is unique only within a given firewall policy.

sessionid

Session ID.

applist

The name of the application control list that was used to detect and take action.

apptype

The type of application that triggered the action within the control list.

app

The name of the application that triggered the action within the control list. For example, SSL.

action

The app control action taken by the FortiGate. One of: pass, block, monitor, kickout, encrypt-kickout, reject, reset.

status

The status of the traffic. One of: request, cancel, accept, fail, download, stop, start, end, timeout, blocked, succeeded,
failed, authentication-required, pass, block.

28689
Message ID: 028689
Message Description: application control (sccp call blocked) log
Type (type): utm
Subtype (subtype): app-ctrl
Event Type (eventtype): app-ctrl-all
Level/Severity: information
Log field

Meaning

type

utm

subtype

app-ctrl

eventtype

app-ctrl-all

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

kind

The type of application traffic. Can be: login, chat, file, photo, audio, call, chat, regist, unregister, call-block, request,
response, video, ssh.

profiletype

The type of profile responsible for the UTM action taken.

profile

The name of the profile that was used to detect and take action.

direction

The direction of the traffic: incoming, outgoing, or N/A.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

srcuser

The source user.

dstuser

The destination user.

proto

The protocol number that applies to the session or packet. This is the protocol number in the packet header that
identifies the next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).

service

The service where the event or activity occurred.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is unique only within a given firewall policy.

sessionid

Session ID.

applist

The name of the application control list that was used to detect and take action.

apptype

The type of application that triggered the action within the control list.

app

The name of the application that triggered the action within the control list. For example, SSL.

action

The app control action taken by the FortiGate. One of: pass, block, monitor, kickout, encrypt-kickout, reject, reset.

status

The status of the traffic. One of: request, cancel, accept, fail, download, stop, start, end, timeout, blocked, succeeded,
failed, authentication-required, pass, block.

phone

The phone information or number.

reason

The reason for the blocking. One of the following: meter-overload-drop, meter-overload-refuse, rate-limit, dialog-limit,
long-header, unrecognized-form, unknown, block-request, invalid-ip, or exceed-rate.

28690
Message ID: 028690
Message Description: application control (sip block) log
Type (type): utm
Subtype (subtype): app-ctrl
Event Type (eventtype): app-ctrl-all
Level/Severity: notice
Log field

Meaning

type

utm

subtype

app-ctrl

eventtype

app-ctrl-all

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

kind

The type of application traffic. Can be: login, chat, file, photo, audio, call, chat, regist, unregister, call-block, request,
response, video, ssh.

profiletype

The type of profile responsible for the UTM action taken.

profile

The name of the profile that was used to detect and take action.

direction

The direction of the traffic: incoming, outgoing, or N/A.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

srcuser

The source user.

dstuser

The destination user.

proto

The protocol number that applies to the session or packet. This is the protocol number in the packet header that
identifies the next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).

service

The service where the event or activity occurred.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is unique only within a given firewall policy.

sessionid

Session ID.

applist

The name of the application control list that was used to detect and take action.

apptype

The type of application that triggered the action within the control list.

app

The name of the application that triggered the action within the control list. For example, SSL.

action

The app control action taken by the FortiGate. One of: pass, block, monitor, kickout, encrypt-kickout, reject, reset.

count

Number of packets.

reason

The reason for the blocking. One of the following: meter-overload-drop, meter-overload-refuse, rate-limit, dialog-limit,
long-header, unrecognized-form, unknown, block-request, invalid-ip, or exceed-rate.

req

The request information.

28704
Message ID: 028704
Message Description: application control ips log (pass)
Type (type): utm
Subtype (subtype): app-ctrl
Event Type (eventtype): app-ctrl-all
Level/Severity: information
Log field

Meaning

type

utm

subtype

app-ctrl

eventtype

app-ctrl-all

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

attackid

The identification number of the attack log message.

user

User name.

group

The group name.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

dstname

The destination name. This can be a name or an IP address.

profiletype

The type of profile responsible for the UTM action taken.

profile

The name of the profile that was used to detect and take action.

proto

The protocol number that applies to the session or packet. This is the protocol number in the packet header that
identifies the next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).

service

The service where the event or activity occurred.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is unique only within a given firewall policy.

sessionid

Session ID.

applist

The name of the application control list that was used to detect and take action.

apptype

The type of application that triggered the action within the control list.

app

The name of the application that triggered the action within the control list. For example, SSL.

action

The app control action taken by the FortiGate. One of: pass, block, monitor, kickout, encrypt-kickout, reject, reset.

count

Number of packets.

hostname

The hostname information.

url

The URL address.

message

Log message information.

28705
Message ID: 028705
Message Description: application control ips log (block)
Type (type): utm
Subtype (subtype): app-ctrl
Event Type (eventtype): app-ctrl-all
Level/Severity: warning
Log field

Meaning

type

utm

subtype

app-ctrl

eventtype

app-ctrl-all

level

warning

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

attackid

The identification number of the attack log message.

user

User name.

group

The group name.

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

dstname

The destination name. This can be a name or an IP address.

profiletype

The type of profile responsible for the UTM action taken.

profile

The name of the profile that was used to detect and take action.

proto

The protocol number that applies to the session or packet. This is the protocol number in the packet header that
identifies the next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).

service

The service where the event or activity occurred.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is unique only within a given firewall policy.

sessionid

Session ID.

applist

The name of the application control list that was used to detect and take action.

apptype

The type of application that triggered the action within the control list.

app

The name of the application that triggered the action within the control list. For example, SSL.

action

The app control action taken by the FortiGate. One of: pass, block, monitor, kickout, encrypt-kickout, reject, reset.

count

Number of packets.

hostname

The hostname information.

url

The URL address.

message

Log message information.

28706
Message ID: 028706
Message Description: application control ips log (reset)
Type (type): utm
Subtype (subtype): app-ctrl
Event Type (eventtype): app-ctrl-all
Level/Severity: warning
Log field

Meaning

type

utm

subtype

app-ctrl

eventtype

app-ctrl-all

level

warning

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

attackid

The identification number of the attack log message.

user

User name.

group

The group name.

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

srcname

The name of the source device, if it has one. Ex. "MACMINI-######", or "My PC".

dstname

The destination name. This can be a name or an IP address.

profiletype

The type of profile responsible for the UTM action taken.

profile

The name of the profile that was used to detect and take action.

proto

The protocol number that applies to the session or packet. This is the protocol number in the packet header that
identifies the next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).

service

The service where the event or activity occurred.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is unique only within a given firewall policy.

sessionid

Session ID.

applist

The name of the application control list that was used to detect and take action.

apptype

The type of application that triggered the action within the control list.

app

The name of the application that triggered the action within the control list. For example, SSL.

action

The app control action taken by the FortiGate. One of: pass, block, monitor, kickout, encrypt-kickout, reject, reset.

count

Number of packets.

hostname

The hostname information.

url

The URL address.

message

Log message information.

28720
Message ID: 028720
Message Description: application control ssh filter
Type (type): utm
Subtype (subtype): app-ctrl
Event Type (eventtype): app-ctrl-all
Level/Severity: notice
Log field

Meaning

type

utm

subtype

app-ctrl

eventtype

app-ctrl-all

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

user

User name.

group

The group name.

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

kind

The type of application traffic. Can be: login, chat, file, photo, audio, call, chat, regist, unregister, call-block, request,
response, video, ssh.

profiletype

The type of profile responsible for the UTM action taken.

profile

The name of the profile that was used to detect and take action.

direction

The direction of the traffic: incoming, outgoing, or N/A.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

srcuser

The source user.

dstuser

The destination user.

proto

The protocol number that applies to the session or packet. This is the protocol number in the packet header that
identifies the next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).

service

The service where the event or activity occurred.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is unique only within a given firewall policy.

sessionid

Session ID.

applist

The name of the application control list that was used to detect and take action.

apptype

The type of application that triggered the action within the control list.

app

The name of the application that triggered the action within the control list. For example, SSL.

action

The app control action taken by the FortiGate. One of: pass, block, monitor, kickout, encrypt-kickout, reject, reset.

28721
Message ID: 028721
Message Description: application control ssh filter block
Type (type): utm
Subtype (subtype): app-ctrl
Event Type (eventtype): app-ctrl-all
Level/Severity: warning
Log field

Meaning

type

utm

subtype

app-ctrl

eventtype

app-ctrl-all

level

warning

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

user

User name.

group

The group name.

osname

Name of the device's OS.

osversion

Version number (if available) of the device's OS.

unauthuser

Unauthenticated user name.

unauthusersource

Method used to detect username.

kind

The type of application traffic. Can be: login, chat, file, photo, audio, call, chat, regist, unregister, call-block, request,
response, video, ssh.

profiletype

The type of profile responsible for the UTM action taken.

profile

The name of the profile that was used to detect and take action.

direction

The direction of the traffic: incoming, outgoing, or N/A.

srcip

The source IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstip

The destination IP.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

dstintf

The destination interface.

srcuser

The source user.

dstuser

The destination user.

proto

The protocol number that applies to the session or packet. This is the protocol number in the packet header that
identifies the next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).

service

The service where the event or activity occurred.

policyid

The ID number of the firewall policy that applies to the session or packet.

custom

Custom field.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an
identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This
number is not globally unique; it is unique only within a given firewall policy.

sessionid

Session ID.

applist

The name of the application control list that was used to detect and take action.

apptype

The type of application that triggered the action within the control list.

app

The name of the application that triggered the action within the control list. For example, SSL.

action

The app control action taken by the FortiGate. One of: pass, block, monitor, kickout, encrypt-kickout, reject, reset.

Event
20099
Message ID: 020099
Message Description: interface statistics change
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field

Meaning

type

event

subtype

system

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

The action that was taken by the system.

status

Status. Either UP or DOWN.

msg

"Interface (interface name) was turned (up / down)."

32001
Message ID: 032001
Message Description: successful admin login attempt
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field

Meaning

type

event

subtype

system

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

user

User name.

ui

The point of entry that the user used to access the FortiGate unit to change, add, or remove a setting.
For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address
10.10.20.5), this field shows the point of entry as GUI(10.10.20.5).

action

The action that was taken by the system.

status

Authentication status. One of: success, failure, timed_out, locked_out.

reason

The reason for the blocking. One of the following: meter-overload-drop, meter-overload-refuse, rate-limit, dialog-limit, long-header,
unrecognized-form, unknown, block-request, invalid-ip, or exceed-rate.

profile

The name of the profile that was used to detect and take action.

msg

"Administrator (name) logged in successfully from (source)."

32003
Message ID: 032003
Message Description: successful admin logout attempt
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field

Meaning

type

event

subtype

system

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

user

User name.

ui

The point of entry that the user used to access the FortiGate unit to change, add, or remove a setting.
For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address
10.10.20.5), this field shows the point of entry as GUI(10.10.20.5).

action

The action that was taken by the system.

status

Status. Either success or error.

reason

The reason for the blocking. One of the following: meter-overload-drop, meter-overload-refuse, rate-limit, dialog-limit, long-header,
unrecognized-form, unknown, block-request, invalid-ip, or exceed-rate.

profile

The name of the profile that was used to detect and take action.

msg

"Administrator (name) logged out successfully from (source)." "Administrator (name) timed out on (source)."

32142
Message ID: 032142
Message Description: automatic config backup
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field

Meaning

type

event

subtype

system

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

user

User name.

ui

The point of entry that the user used to access the FortiGate unit to change, add, or remove a setting.
For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address
10.10.20.5), this field shows the point of entry as GUI(10.10.20.5).

action

The action that was taken by the system.

status

Authentication status. One of: success, failure, timed_out, locked_out.

reason

The reason for the blocking. One of the following: meter-overload-drop, meter-overload-refuse, rate-limit, dialog-limit, long-header,
unrecognized-form, unknown, block-request, invalid-ip, or exceed-rate.

profile

The name of the profile that was used to detect and take action.

msg

"Automatic configuration backup to Management Station succeeded."

37120
Message ID: 037120
Message Description: negotiate IPsec phase 1 notif
Type (type): event
Subtype (subtype): vpn
Level/Severity: notice
Log field

Meaning

type

event

subtype

vpn

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down,
tunnel-stats, phase2-up, phase2-down, auto-ipsec.

remip

The remote IP address.

locip

The local IP address.

remport

Remote port.

locport

Local port.

outintf

Outward interface.

cookies

Cookies.

user

User name.

group

The group name.

xauthuser

The name of the XAuth user.

xauthgroup

The name of the Xauthentication group.

vpntunnel

The name of the VPN tunnel that was used. For example, ssl_vpn1.

status

Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict,
preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.

xauthresult

XAuth result. Either XAUTH authentication successful, or XAUTH authentication failed.

msg

"negotiate IPsec phase 1."

37121
Message ID: 037121
Message Description: negotiate IPsec phase 1 error
Type (type): event
Subtype (subtype): vpn
Level/Severity: error
Log field

Meaning

type

event

subtype

vpn

level

error

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down,
tunnel-stats, phase2-up, phase2-down, auto-ipsec.

remip

The remote IP address.

locip

The local IP address.

remport

Remote port.

locport

Local port.

outintf

Outward interface.

cookies

Cookies.

user

User name.

group

The group name.

xauthuser

The name of the XAuth user.

xauthgroup

The name of the Xauthentication group.

vpntunnel

The name of the VPN tunnel that was used. For example, ssl_vpn1.

status

Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict,
preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.

xauthresult

XAuth result. Either XAUTH authentication successful, or XAUTH authentication failed.

msg

"negotiate IPsec phase 1."

37122
Message ID: 037122
Message Description: negotiate IPsec phase 2 notif
Type (type): event
Subtype (subtype): vpn
Level/Severity: notice
Log field

Meaning

type

event

subtype

vpn

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down,
tunnel-stats, phase2-up, phase2-down, auto-ipsec.

remip

The remote IP address.

locip

The local IP address.

remport

Remote port.

locport

Local port.

outintf

Outward interface.

cookies

Cookies.

user

User name.

group

The group name.

xauthuser

The name of the XAuth user.

xauthgroup

The name of the Xauthentication group.

vpntunnel

The name of the VPN tunnel that was used. For example, ssl_vpn1.

status

Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict,
preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.

role

Role - either responder or initiator.

esptransform

ESP transform information. One of: ESP_NULL, ESP_DES, ESP_3DES, ESP_AES.

espauth

ESP authentication information. One of: no authentication, HMAC_SHA1, HMAC_MD5, HMAC_SHA256.

msg

"negotiate IPsec phase 2."

37123
Message ID: 037123
Message Description: negotiate IPsec phase 2 error
Type (type): event
Subtype (subtype): vpn
Level/Severity: error
Log field

Meaning

type

event

subtype

vpn

level

error

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down,
tunnel-stats, phase2-up, phase2-down, auto-ipsec.

remip

The remote IP address.

locip

The local IP address.

remport

Remote port.

locport

Local port.

outintf

Outward interface.

cookies

Cookies.

user

User name.

group

The group name.

xauthuser

The name of the XAuth user.

xauthgroup

The name of the Xauthentication group.

vpntunnel

The name of the VPN tunnel that was used. For example, ssl_vpn1.

status

Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict,
preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.

role

Role - either responder or initiator.

esptransform

ESP transform information. One of: ESP_NULL, ESP_DES, ESP_3DES, ESP_AES.

espauth

ESP authentication information. One of: no authentication, HMAC_SHA1, HMAC_MD5, HMAC_SHA256.

msg

"negotiate IPsec phase 2."

37124
Message ID: 037124
Message Description: IPsec phase 1 error
Type (type): event
Subtype (subtype): vpn
Level/Severity: error
Log field

Meaning

type

event

subtype

vpn

level

error

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down,
tunnel-stats, phase2-up, phase2-down, auto-ipsec.

remip

The remote IP address.

locip

The local IP address.

remport

Remote port.

locport

Local port.

outintf

Outward interface.

cookies

Cookies.

user

User name.

group

The group name.

xauthuser

The name of the XAuth user.

xauthgroup

The name of the Xauthentication group.

vpntunnel

The name of the VPN tunnel that was used. For example, ssl_vpn1.

status

Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict,
preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.

errorreason

Error reason. One of the following: invalid certificate, invalid SA payload, probable preshared key mismatch, peer SA proposal
not match local policy, peer notification, not enough key material for tunnel, encapsulation mode mismatch, no matching
gateway for new request, aggressive vs main mode mismatch for new request.

peernotif

Peer notification information. One of the following: NOT-APPLICABLE, INVALID-PAYLOAD-TYPE, DOI-NOT-SUPPORTED,
SITUATION-NOT-SUPPORTED, INVALID-COOKIE, INVALID-MAJOR-VERSION, INVALID-MINOR-VERSION,
INVALID-EXCHANGE-TYPE, INVALID-FLAGS, INVALID-MESSAGE-ID, INVALID-PROTOCOL-ID, INVALID-SPI,
INVALID-TRANSFORM-ID, ATTRIBUTES-NOT-SUPPORTED, NO-PROPOSAL-CHOSEN, BAD-PROPOSAL-SYNTAX,
PAYLOAD-MALFORMED, INVALID-KEY-INFORMATION, INVALID-ID-INFORMATION, INVALID-CERT-ENCODING,
INVALID-CERTIFICATE, BAD-CERT-REQUEST-SYNTAX, INVALID-CERT-AUTHORITY, INVALID-HASH-INFORMATION,
AUTHENTICATION-FAILED, INVALID-SIGNATURE, ADDRESS-NOTIFICATION, NOTIFY-SA-LIFETIME,
CERTIFICATE-UNAVAILABLE, UNSUPPORTED-EXCHANGE-TYPE, UNEQUAL-PAYLOAD-LENGTHS, CONNECTED,
RESPONDER-LIFETIME, REPLAY-STATUS, INITIAL-CONTACT, R-U-THERE, R-U-THERE-ACK, HEARTBEAT,
RETRY-LIMIT-REACHED

msg

"IPsec phase 1 error."

37125
Message ID: 037125
Message Description: IPsec phase 2 error
Type (type): event
Subtype (subtype): vpn
Level/Severity: error
Log field

Meaning

type

event

subtype

vpn

level

error

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down,
tunnel-stats, phase2-up, phase2-down, auto-ipsec.

remip

The remote IP address.

locip

The local IP address.

remport

Remote port.

locport

Local port.

outintf

Outward interface.

cookies

Cookies.

user

User name.

group

The group name.

xauthuser

The name of the XAuth user.

xauthgroup

The name of the Xauthentication group.

vpntunnel

The name of the VPN tunnel that was used. For example, ssl_vpn1.

status

Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict,
preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.

errorreason

Error reason. One of the following: invalid certificate, invalid SA payload, probable preshared key mismatch, peer SA proposal
not match local policy, peer notification, not enough key material for tunnel, encapsulation mode mismatch, no matching
gateway for new request, aggressive vs main mode mismatch for new request.

msg

"IPsec phase 2 error."

37126
Message ID: 037126
Message Description: IPsec no state error
Type (type): event
Subtype (subtype): vpn
Level/Severity: error
Log field

Meaning

type

event

subtype

vpn

level

error

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down,
tunnel-stats, phase2-up, phase2-down, auto-ipsec.

remip

The remote IP address.

locip

The local IP address.

remport

Remote port.

locport

Local port.

outintf

Outward interface.

cookies

Cookies.

user

User name.

group

The group name.

xauthuser

The name of the XAuth user.

xauthgroup

The name of the Xauthentication group.

vpntunnel

The name of the VPN tunnel that was used. For example, ssl_vpn1.

status

Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict,
preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.

errorreason

Error reason. One of the following: invalid certificate, invalid SA payload, probable preshared key mismatch, peer SA proposal
not match local policy, peer notification, not enough key material for tunnel, encapsulation mode mismatch, no matching
gateway for new request, aggressive vs main mode mismatch for new request.

msg

"IPsec no state error."

37127
Message ID: 037127
Message Description: progress IPsec phase 1 notif
Type (type): event
Subtype (subtype): vpn
Level/Severity: notice
Log field

Meaning

type

event

subtype

vpn

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down,
tunnel-stats, phase2-up, phase2-down, auto-ipsec.

remip

The remote IP address.

locip

The local IP address.

remport

Remote port.

locport

Local port.

outintf

Outward interface.

cookies

Cookies.

user

User name.

group

The group name.

xauthuser

The name of the XAuth user.

xauthgroup

The name of the Xauthentication group.

vpntunnel

The name of the VPN tunnel that was used. For example, ssl_vpn1.

status

Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict,
preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.

init

Initiator: either local or remote.

mode

Mode. One of: aggressive, main, quick, xauth, xauth_client.

direction

Direction, either outbound or inbound.

stage

Stage number.

role

Role - either responder or initiator.

result

Result. One of: ERROR, OK, DONE, PENDING.

msg

"progress IPsec phase 1."

37128
Message ID: 037128
Message Description: progress IPsec phase 1 error
Type (type): event
Subtype (subtype): vpn
Level/Severity: error
Log field

Meaning

type

event

subtype

vpn

level

error

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down,
tunnel-stats, phase2-up, phase2-down, auto-ipsec.

remip

The remote IP address.

locip

The local IP address.

remport

Remote port.

locport

Local port.

outintf

Outward interface.

cookies

Cookies.

user

User name.

group

The group name.

xauthuser

The name of the XAuth user.

xauthgroup

The name of the Xauthentication group.

vpntunnel

The name of the VPN tunnel that was used. For example, ssl_vpn1.

status

Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict,
preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.

init

Initiator: either local or remote.

mode

Mode. One of: aggressive, main, quick, xauth, xauth_client.

direction

Direction, either outbound or inbound.

stage

Stage number.

role

Role - either responder or initiator.

result

Result. One of: ERROR, OK, DONE, PENDING.

msg

"progress IPsec phase 1."

37129
Message ID: 037129
Message Description: progress IPsec phase 2 notif
Type (type): event
Subtype (subtype): vpn
Level/Severity: notice
Log field

Meaning

type

event

subtype

vpn

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down,
tunnel-stats, phase2-up, phase2-down, auto-ipsec.

remip

The remote IP address.

locip

The local IP address.

remport

Remote port.

locport

Local port.

outintf

Outward interface.

cookies

Cookies.

user

User name.

group

The group name.

xauthuser

The name of the XAuth user.

xauthgroup

The name of the Xauthentication group.

vpntunnel

The name of the VPN tunnel that was used. For example, ssl_vpn1.

status

Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict,
preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.

init

Initiator: either local or remote.

mode

Mode. One of: aggressive, main, quick, xauth, xauth_client.

direction

Direction, either outbound or inbound.

stage

Stage number.

role

Role - either responder or initiator.

result

Result. One of: ERROR, OK, DONE, PENDING.

msg

"progress IPsec phase 2."

37130
Message ID: 037130
Message Description: progress IPsec phase 2 error
Type (type): event
Subtype (subtype): vpn
Level/Severity: error
Log field

Meaning

type

event

subtype

vpn

level

error

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down,
tunnel-stats, phase2-up, phase2-down, auto-ipsec.

remip

The remote IP address.

locip

The local IP address.

remport

Remote port.

locport

Local port.

outintf

Outward interface.

cookies

Cookies.

user

User name.

group

The group name.

xauthuser

The name of the XAuth user.

xauthgroup

The name of the Xauthentication group.

vpntunnel

The name of the VPN tunnel that was used. For example, ssl_vpn1.

status

Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict,
preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.

init

Initiator: either local or remote.

mode

Mode. One of: aggressive, main, quick, xauth, xauth_client.

direction

Direction, either outbound or inbound.

stage

Stage number.

role

Role - either responder or initiator.

result

Result. One of: ERROR, OK, DONE, PENDING.

msg

"progress IPsec phase 2."

37131
Message ID: 037131
Message Description: IPsec ESP notif
Type (type): event
Subtype (subtype): vpn
Level/Severity: error
Log field

Meaning

type

event

subtype

vpn

level

error

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down,
tunnel-stats, phase2-up, phase2-down, auto-ipsec.

remip

The remote IP address.

locip

The local IP address.

remport

Remote port.

locport

Local port.

outintf

Outward interface.

cookies

Cookies.

user

User name.

group

The group name.

xauthuser

The name of the XAuth user.

xauthgroup

The name of the Xauthentication group.

vpntunnel

The name of the VPN tunnel that was used. For example, ssl_vpn1.

status

Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict,
preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.

errornum

ESP error information. One of the following: Invalid ESP packet detected (HMAC validation failed)., Invalid ESP packet
detected (invalid padding)., Invalid ESP packet detected (invalid padding length)., Invalid ESP packet detected (replayed
packet)., Invalid ESP packet detected (payload not aligned)., Invalid ESP packet detected (wrong cipher key size)., Invalid
ESP packet detected (no space)., Invalid ESP packet detected (invalid padding)., Invalid ESP packet detected (ASIC error).,
Invalid ESP packet detected (unsupported protocol)., Invalid ESP packet detected (truncated header)., Received ESP packet
with unknown SPI.

spi

IPsec Security Parameter Index.

seq

Sequence number.

msg

"IPsec ESP."

37132
Message ID: 037132
Message Description: IPsec ESP error
Type (type): event
Subtype (subtype): vpn
Level/Severity: critical
Log field

Meaning

type

event

subtype

vpn

level

critical

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down,
tunnel-stats, phase2-up, phase2-down, auto-ipsec.

remip

The remote IP address.

locip

The local IP address.

remport

Remote port.

locport

Local port.

outintf

Outward interface.

cookies

Cookies.

user

User name.

group

The group name.

xauthuser

The name of the XAuth user.

xauthgroup

The name of the Xauthentication group.

vpntunnel

The name of the VPN tunnel that was used. For example, ssl_vpn1.

status

Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict,
preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.

errornum

ESP error information. One of the following: Invalid ESP packet detected (HMAC validation failed)., Invalid ESP packet
detected (invalid padding)., Invalid ESP packet detected (invalid padding length)., Invalid ESP packet detected (replayed
packet)., Invalid ESP packet detected (payload not aligned)., Invalid ESP packet detected (wrong cipher key size)., Invalid
ESP packet detected (no space)., Invalid ESP packet detected (invalid padding)., Invalid ESP packet detected (ASIC error).,
Invalid ESP packet detected (unsupported protocol)., Invalid ESP packet detected (truncated header)., Received ESP packet
with unknown SPI.

spi

IPsec Security Parameter Index.

seq

Sequence number.

msg

"IPsec ESP."

37133
Message ID: 037133
Message Description: install IPsec SA
Type (type): event
Subtype (subtype): vpn
Level/Severity: notice
Log field

Meaning

type

event

subtype

vpn

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down,
tunnel-stats, phase2-up, phase2-down, auto-ipsec.

remip

The remote IP address.

locip

The local IP address.

remport

Remote port.

locport

Local port.

outintf

Outward interface.

cookies

Cookies.

user

User name.

group

The group name.

xauthuser

The name of the XAuth user.

xauthgroup

The name of the Xauthentication group.

vpntunnel

The name of the VPN tunnel that was used. For example, ssl_vpn1.

role

Role - either responder or initiator.

inspi

In SPI.

outspi

Out SPI.

msg

"install IPsec SA."

37134
Message ID: 037134
Message Description: delete IPsec phase 1 SA
Type (type): event
Subtype (subtype): vpn
Level/Severity: notice
Log field

Meaning

type

event

subtype

vpn

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down,
tunnel-stats, phase2-up, phase2-down, auto-ipsec.

remip

The remote IP address.

locip

The local IP address.

remport

Remote port.

locport

Local port.

outintf

Outward interface.

cookies

Cookies.

user

User name.

group

The group name.

xauthuser

The name of the XAuth user.

xauthgroup

The name of the Xauthentication group.

vpntunnel

The name of the VPN tunnel that was used. For example, ssl_vpn1.

msg

"delete IPsec phase 1 SA."

37135
Message ID: 037135
Message Description: delete IPsec phase 2 SA
Type (type): event
Subtype (subtype): vpn
Level/Severity: notice
Log field

Meaning

type

event

subtype

vpn

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down,
tunnel-stats, phase2-up, phase2-down, auto-ipsec.

remip

The remote IP address.

locip

The local IP address.

remport

Remote port.

locport

Local port.

outintf

Outward interface.

cookies

Cookies.

user

User name.

group

The group name.

xauthuser

The name of the XAuth user.

xauthgroup

The name of the Xauthentication group.

vpntunnel

The name of the VPN tunnel that was used. For example, ssl_vpn1.

encspi

Enc SPI.

decspi

Dec SPI.

msg

"delete IPsec phase 2 SA."

37136
Message ID: 037136
Message Description: IPsec DPD failure
Type (type): event
Subtype (subtype): vpn
Level/Severity: error
Log field

Meaning

type

event

subtype

vpn

level

error

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down,
tunnel-stats, phase2-up, phase2-down, auto-ipsec.

remip

The remote IP address.

locip

The local IP address.

remport

Remote port.

locport

Local port.

outintf

Outward interface.

cookies

Cookies.

user

User name.

group

The group name.

xauthuser

The name of the XAuth user.

xauthgroup

The name of the Xauthentication group.

vpntunnel

The name of the VPN tunnel that was used. For example, ssl_vpn1.

status

Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict,
preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.

msg

"IPsec DPD failure."

37137
Message ID: 037137
Message Description: IPsec connection failure
Type (type): event
Subtype (subtype): vpn
Level/Severity: error
Log field

Meaning

type

event

subtype

vpn

level

error

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down,
tunnel-stats, phase2-up, phase2-down, auto-ipsec.

remip

The remote IP address.

locip

The local IP address.

remport

Remote port.

locport

Local port.

outintf

Outward interface.

cookies

Cookies.

user

User name.

group

The group name.

xauthuser

The name of the XAuth user.

xauthgroup

The name of the Xauthentication group.

vpntunnel

The name of the VPN tunnel that was used. For example, ssl_vpn1.

status

Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict,
preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.

msg

"IPsec connection failure."

37138
Message ID: 037138
Message Description: IPsec connection status change
Type (type): event
Subtype (subtype): vpn
Level/Severity: notice
Log field

Meaning

type

event

subtype

vpn

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down,
tunnel-stats, phase2-up, phase2-down, auto-ipsec.

remip

The remote IP address.

locip

The local IP address.

remport

Remote port.

locport

Local port.

outintf

Outward interface.

cookies

Cookies.

user

User name.

group

The group name.

xauthuser

The name of the XAuth user.

xauthgroup

The name of the Xauthentication group.

vpntunnel

The name of the VPN tunnel that was used. For example, ssl_vpn1.

tunnelip

The tunnel IP address.

tunnelid

The tunnel ID.

tunneltype

"ipsec"

duration

Time value in seconds.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

nextstat

Next stat number.

tunnel

Tunnel name.

msg

"IPsec connection status change."

37139
Message ID: 037139
Message Description: IPsec connection status change
Type (type): event
Subtype (subtype): vpn
Level/Severity: notice
Log field

Meaning

type

event

subtype

vpn

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down,
tunnel-stats, phase2-up, phase2-down, auto-ipsec.

remip

The remote IP address.

locip

The local IP address.

remport

Remote port.

locport

Local port.

outintf

Outward interface.

cookies

Cookies.

user

User name.

group

The group name.

xauthuser

The name of the XAuth user.

xauthgroup

The name of the Xauthentication group.

vpntunnel

The name of the VPN tunnel that was used. For example, ssl_vpn1.

phase2name

Phase 2 name.

msg

"IPsec phase 2 status change."

37140
Message ID: 037140
Message Description: auto-IPsec status
Type (type): event
Subtype (subtype): vpn
Level/Severity: notice
Log field

Meaning

type

event

subtype

vpn

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down,
tunnel-stats, phase2-up, phase2-down, auto-ipsec.

remip

The remote IP address.

locip

The local IP address.

remport

Remote port.

locport

Local port.

outintf

Outward interface.

cookies

Cookies.

user

User name.

group

The group name.

xauthuser

The name of the XAuth user.

xauthgroup

The name of the Xauthentication group.

vpntunnel

The name of the VPN tunnel that was used. For example, ssl_vpn1.

status

Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict,
preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.

reason

The reason for the blocking. One of the following: meter-overload-drop, meter-overload-refuse, rate-limit, dialog-limit,
long-header, unrecognized-form, unknown, block-request, invalid-ip, or exceed-rate.

msg

"auto-IPsec status."

37141
Message ID: 037141
Message Description: IPsec tunnel statistics
Type (type): event
Subtype (subtype): vpn
Level/Severity: notice
Log field

Meaning

type

event

subtype

vpn

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down,
tunnel-stats, phase2-up, phase2-down, auto-ipsec.

remip

The remote IP address.

locip

The local IP address.

remport

Remote port.

locport

Local port.

outintf

Outward interface.

cookies

Cookies.

user

User name.

group

The group name.

xauthuser

The name of the XAuth user.

xauthgroup

The name of the Xauthentication group.

vpntunnel

The name of the VPN tunnel that was used. For example, ssl_vpn1.

tunnelip

The tunnel IP address.

tunnelid

The tunnel ID.

tunneltype

"ipsec"

duration

Time value in seconds.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

nextstat

Next stat number.

tunnel

Tunnel name.

msg

"IPsec tunnel statistics."

37184
Message ID: 037184
Message Description: negotiate IPsec phase 1 notif
Type (type): event
Subtype (subtype): vpn
Level/Severity: notice
Log field

Meaning

type

event

subtype

vpn

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats,
phase2-up, phase2-down, auto-ipsec.

remip

The remote IP address.

locip

The local IP address.

remport

Remote port.

locport

Local port.

outintf

Outward interface.

cookies

Cookies.

user

User name.

group

The group name.

vpntunnel

The name of the VPN tunnel that was used. For example, ssl_vpn1.

status

Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict,
preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.

peernotif

Peer notification information. One of the following: NOT-APPLICABLE, INVALID-PAYLOAD-TYPE, DOI-NOT-SUPPORTED,
SITUATION-NOT-SUPPORTED, INVALID-COOKIE, INVALID-MAJOR-VERSION, INVALID-MINOR-VERSION,
INVALID-EXCHANGE-TYPE, INVALID-FLAGS, INVALID-MESSAGE-ID, INVALID-PROTOCOL-ID, INVALID-SPI,
INVALID-TRANSFORM-ID, ATTRIBUTES-NOT-SUPPORTED, NO-PROPOSAL-CHOSEN, BAD-PROPOSAL-SYNTAX,
PAYLOAD-MALFORMED, INVALID-KEY-INFORMATION, INVALID-ID-INFORMATION, INVALID-CERT-ENCODING,
INVALID-CERTIFICATE, BAD-CERT-REQUEST-SYNTAX, INVALID-CERT-AUTHORITY, INVALID-HASH-INFORMATION,
AUTHENTICATION-FAILED, INVALID-SIGNATURE, ADDRESS-NOTIFICATION, NOTIFY-SA-LIFETIME,
CERTIFICATE-UNAVAILABLE, UNSUPPORTED-EXCHANGE-TYPE, UNEQUAL-PAYLOAD-LENGTHS, CONNECTED,
RESPONDER-LIFETIME, REPLAY-STATUS, INITIAL-CONTACT, R-U-THERE, R-U-THERE-ACK, HEARTBEAT,
RETRY-LIMIT-REACHED

msg

"negotiate IPsec phase 1."

37185
Message ID: 037185
Message Description: negotiate IPsec phase 1 error
Type (type): event
Subtype (subtype): vpn
Level/Severity: error
Log field

Meaning

type

event

subtype

vpn

level

error

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats,
phase2-up, phase2-down, auto-ipsec.

remip

The remote IP address.

locip

The local IP address.

remport

Remote port.

locport

Local port.

outintf

Outward interface.

cookies

Cookies.

user

User name.

group

The group name.

vpntunnel

The name of the VPN tunnel that was used. For example, ssl_vpn1.

status

Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict,
preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.

peernotif

Peer notification information. One of the following: NOT-APPLICABLE, INVALID-PAYLOAD-TYPE, DOI-NOT-SUPPORTED,
SITUATION-NOT-SUPPORTED, INVALID-COOKIE, INVALID-MAJOR-VERSION, INVALID-MINOR-VERSION,
INVALID-EXCHANGE-TYPE, INVALID-FLAGS, INVALID-MESSAGE-ID, INVALID-PROTOCOL-ID, INVALID-SPI,
INVALID-TRANSFORM-ID, ATTRIBUTES-NOT-SUPPORTED, NO-PROPOSAL-CHOSEN, BAD-PROPOSAL-SYNTAX,
PAYLOAD-MALFORMED, INVALID-KEY-INFORMATION, INVALID-ID-INFORMATION, INVALID-CERT-ENCODING,
INVALID-CERTIFICATE, BAD-CERT-REQUEST-SYNTAX, INVALID-CERT-AUTHORITY, INVALID-HASH-INFORMATION,
AUTHENTICATION-FAILED, INVALID-SIGNATURE, ADDRESS-NOTIFICATION, NOTIFY-SA-LIFETIME,
CERTIFICATE-UNAVAILABLE, UNSUPPORTED-EXCHANGE-TYPE, UNEQUAL-PAYLOAD-LENGTHS, CONNECTED,
RESPONDER-LIFETIME, REPLAY-STATUS, INITIAL-CONTACT, R-U-THERE, R-U-THERE-ACK, HEARTBEAT,
RETRY-LIMIT-REACHED

msg

"negotiate IPsec phase 1."

37186
Message ID: 037186
Message Description: negotiate IPsec phase 2 notif
Type (type): event
Subtype (subtype): vpn
Level/Severity: notice
Log field

Meaning

type

event

subtype

vpn

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down,
tunnel-stats, phase2-up, phase2-down, auto-ipsec.

remip

The remote IP address.

locip

The local IP address.

remport

Remote port.

locport

Local port.

outintf

Outward interface.

cookies

Cookies.

user

User name.

group

The group name.

vpntunnel

The name of the VPN tunnel that was used. For example, ssl_vpn1.

status

Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict,
preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.

role

Role - either responder or initiator.

esptransform

ESP transform information. One of: ESP_NULL, ESP_DES, ESP_3DES, ESP_AES.

espauth

ESP authentication information. One of: no authentication, HMAC_SHA1, HMAC_MD5, HMAC_SHA256.

msg

"negotiate IPsec phase 2."

37187
Message ID: 037187
Message Description: negotiate IPsec phase 2 error
Type (type): event
Subtype (subtype): vpn
Level/Severity: error
Log field

Meaning

type

event

subtype

vpn

level

error

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down,
tunnel-stats, phase2-up, phase2-down, auto-ipsec.

remip

The remote IP address.

locip

The local IP address.

remport

Remote port.

locport

Local port.

outintf

Outward interface.

cookies

Cookies.

user

User name.

group

The group name.

vpntunnel

The name of the VPN tunnel that was used. For example, ssl_vpn1.

status

Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict,
preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.

role

Role - either responder or initiator.

esptransform

ESP transform information. One of: ESP_NULL, ESP_DES, ESP_3DES, ESP_AES.

espauth

ESP authentication information. One of: no authentication, HMAC_SHA1, HMAC_MD5, HMAC_SHA256.

msg

"negotiate IPsec phase 2."

37188
Message ID: 037188
Message Description: IPsec phase 1 error
Type (type): event
Subtype (subtype): vpn
Level/Severity: error
Log field

Meaning

type

event

subtype

vpn

level

error

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down,
tunnel-stats, phase2-up, phase2-down, auto-ipsec.

remip

The remote IP address.

locip

The local IP address.

remport

Remote port.

locport

Local port.

outintf

Outward interface.

cookies

Cookies.

user

User name.

group

The group name.

vpntunnel

The name of the VPN tunnel that was used. For example, ssl_vpn1.

status

Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict,
preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.

errorreason

Error reason. One of the following: invalid certificate, invalid SA payload, probable preshared key mismatch, peer SA proposal
not match local policy, peer notification, not enough key material for tunnel, encapsulation mode mismatch, no matching
gateway for new request, aggressive vs main mode mismatch for new request.

msg

"IPsec phase 1 error."

37189
Message ID: 037189
Message Description: IPsec phase 2 error
Type (type): event
Subtype (subtype): vpn
Level/Severity: error
Log field

Meaning

type

event

subtype

vpn

level

error

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down,
tunnel-stats, phase2-up, phase2-down, auto-ipsec.

remip

The remote IP address.

locip

The local IP address.

remport

Remote port.

locport

Local port.

outintf

Outward interface.

cookies

Cookies.

user

User name.

group

The group name.

vpntunnel

The name of the VPN tunnel that was used. For example, ssl_vpn1.

status

Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict,
preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.

errorreason

Error reason. One of the following: invalid certificate, invalid SA payload, probable preshared key mismatch, peer SA proposal
not match local policy, peer notification, not enough key material for tunnel, encapsulation mode mismatch, no matching
gateway for new request, aggressive vs main mode mismatch for new request.

msg

"IPsec phase 2 error."

37190
Message ID: 037190
Message Description: IPsec no state error
Type (type): event
Subtype (subtype): vpn
Level/Severity: error
Log field

Meaning

type

event

subtype

vpn

level

error

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down,
tunnel-stats, phase2-up, phase2-down, auto-ipsec.

remip

The remote IP address.

locip

The local IP address.

remport

Remote port.

locport

Local port.

outintf

Outward interface.

cookies

Cookies.

user

User name.

group

The group name.

vpntunnel

The name of the VPN tunnel that was used. For example, ssl_vpn1.

status

Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict,
preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.

errorreason

Error reason. One of the following: invalid certificate, invalid SA payload, probable preshared key mismatch, peer SA proposal
not match local policy, peer notification, not enough key material for tunnel, encapsulation mode mismatch, no matching
gateway for new request, aggressive vs main mode mismatch for new request.

msg

"IPsec no state error."

37191
Message ID: 037191
Message Description: progress IPsec phase 1 notif
Type (type): event
Subtype (subtype): vpn
Level/Severity: notice
Log field

Meaning

type

event

subtype

vpn

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats,
phase2-up, phase2-down, auto-ipsec.

remip

The remote IP address.

locip

The local IP address.

remport

Remote port.

locport

Local port.

outintf

Outward interface.

cookies

Cookies.

user

User name.

group

The group name.

vpntunnel

The name of the VPN tunnel that was used. For example, ssl_vpn1.

status

Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict,
preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.

init

Initiator: either local or remote.

exch

Exchange. One of: SA_INIT, AUTH, CREATE_CHILD.

direction

Direction, either outbound or inbound.

role

Role - either responder or initiator.

result

Result. One of: ERROR, OK, DONE, PENDING.

version

"IKEv2"

msg

"progress IPsec phase 1."

37192
Message ID: 037192
Message Description: progress IPsec phase 1 error
Type (type): event
Subtype (subtype): vpn
Level/Severity: error
Log field

Meaning

type

event

subtype

vpn

level

error

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats,
phase2-up, phase2-down, auto-ipsec.

remip

The remote IP address.

locip

The local IP address.

remport

Remote port.

locport

Local port.

outintf

Outward interface.

cookies

Cookies.

user

User name.

group

The group name.

vpntunnel

The name of the VPN tunnel that was used. For example, ssl_vpn1.

status

Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict,
preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.

init

Initiator: either local or remote.

exch

Exchange. One of: SA_INIT, AUTH, CREATE_CHILD.

direction

Direction, either outbound or inbound.

role

Role - either responder or initiator.

result

Result. One of: ERROR, OK, DONE, PENDING.

version

"IKEv2"

msg

"progress IPsec phase 1."

37193
Message ID: 037193
Message Description: progress IPsec phase 2 notif
Type (type): event
Subtype (subtype): vpn
Level/Severity: notice
Log field

Meaning

type

event

subtype

vpn

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats,
phase2-up, phase2-down, auto-ipsec.

remip

The remote IP address.

locip

The local IP address.

remport

Remote port.

locport

Local port.

outintf

Outward interface.

cookies

Cookies.

user

User name.

group

The group name.

vpntunnel

The name of the VPN tunnel that was used. For example, ssl_vpn1.

status

Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict,
preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.

init

Initiator: either local or remote.

exch

Exchange. One of: SA_INIT, AUTH, CREATE_CHILD.

direction

Direction, either outbound or inbound.

role

Role - either responder or initiator.

result

Result. One of: ERROR, OK, DONE, PENDING.

version

"IKEv2"

msg

"progress IPsec phase 2."

37194
Message ID: 037194
Message Description: progress IPsec phase 2 error
Type (type): event
Subtype (subtype): vpn
Level/Severity: error
Log field

Meaning

type

event

subtype

vpn

level

error

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats,
phase2-up, phase2-down, auto-ipsec.

remip

The remote IP address.

locip

The local IP address.

remport

Remote port.

locport

Local port.

outintf

Outward interface.

cookies

Cookies.

user

User name.

group

The group name.

vpntunnel

The name of the VPN tunnel that was used. For example, ssl_vpn1.

status

Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict,
preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.

init

Initiator: either local or remote.

exch

Exchange. One of: SA_INIT, AUTH, CREATE_CHILD.

direction

Direction, either outbound or inbound.

role

Role - either responder or initiator.

result

Result. One of: ERROR, OK, DONE, PENDING.

version

"IKEv2"

msg

"progress IPsec phase 2."

37195
Message ID: 037195
Message Description: IPsec ESP notif
Type (type): event
Subtype (subtype): vpn
Level/Severity: error
Log field

Meaning

type

event

subtype

vpn

level

error

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats,
phase2-up, phase2-down, auto-ipsec.

remip

The remote IP address.

locip

The local IP address.

remport

Remote port.

locport

Local port.

outintf

Outward interface.

cookies

Cookies.

user

User name.

group

The group name.

vpntunnel

The name of the VPN tunnel that was used. For example, ssl_vpn1.

status

Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict,
preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.

errornum

ESP error information. One of the following: Invalid ESP packet detected (HMAC validation failed)., Invalid ESP packet detected
(invalid padding)., Invalid ESP packet detected (invalid padding length)., Invalid ESP packet detected (replayed packet)., Invalid
ESP packet detected (payload not aligned)., Invalid ESP packet detected (wrong cipher key size)., Invalid ESP packet detected
(no space)., Invalid ESP packet detected (invalid padding)., Invalid ESP packet detected (ASIC error)., Invalid ESP packet
detected (unsupported protocol)., Invalid ESP packet detected (truncated header)., Received ESP packet with unknown SPI.

spi

IPsec Security Parameter Index.

seq

Sequence number.

msg

"IPsec ESP."

37196
Message ID: 037196
Message Description: IPsec ESP error
Type (type): event
Subtype (subtype): vpn
Level/Severity: critical
Log field

Meaning

type

event

subtype

vpn

level

critical

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats,
phase2-up, phase2-down, auto-ipsec.

remip

The remote IP address.

locip

The local IP address.

remport

Remote port.

locport

Local port.

outintf

Outward interface.

cookies

Cookies.

user

User name.

group

The group name.

vpntunnel

The name of the VPN tunnel that was used. For example, ssl_vpn1.

status

Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict,
preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.

errornum

ESP error information. One of the following: Invalid ESP packet detected (HMAC validation failed)., Invalid ESP packet detected
(invalid padding)., Invalid ESP packet detected (invalid padding length)., Invalid ESP packet detected (replayed packet)., Invalid
ESP packet detected (payload not aligned)., Invalid ESP packet detected (wrong cipher key size)., Invalid ESP packet detected
(no space)., Invalid ESP packet detected (invalid padding)., Invalid ESP packet detected (ASIC error)., Invalid ESP packet
detected (unsupported protocol)., Invalid ESP packet detected (truncated header)., Received ESP packet with unknown SPI.

spi

IPsec Security Parameter Index.

seq

Sequence number.

msg

"IPsec ESP."
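The following triage sketch is an added example, not part of the Fortinet reference: it reads VPN event lines and tags ESP replay and integrity failures (errornum), preshared-key and certificate failures (errorreason, status), and weak negotiated ESP proposals (esptransform, espauth), then reports peers that repeat a finding. The raw `key=value` line layout, the sample lines, the addresses and tunnel names are constructed assumptions, and the weak-algorithm sets are this example's own policy choice.

```python
import re
from collections import Counter

# Assumed raw layout: space-separated key=value pairs, values optionally double-quoted.
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')
ESP_REASON = re.compile(r'\(([^)]*)\)')

# errornum reasons (text inside the parentheses) mapped to triage tags.
ESP_TAGS = {
    "replayed packet": "esp-replay",
    "HMAC validation failed": "esp-integrity",
}
# Policy choice of this example: values from the esptransform/espauth lists
# that provide no confidentiality/integrity or rely on deprecated algorithms.
WEAK_TRANSFORMS = {"ESP_NULL", "ESP_DES"}
WEAK_AUTH = {"no authentication", "HMAC_MD5"}

# Constructed sample lines (not captured from a device).
SAMPLE_LOGS = [
    'date=2015-03-13 time=10:00:01 type=event subtype=vpn level=error vd="root" action=error '
    'remip=198.51.100.7 locip=192.0.2.1 vpntunnel="branch1" status=esp_error '
    'errornum="Invalid ESP packet detected (replayed packet)." spi=0a1b2c3d seq=00000011 msg="IPsec ESP."',
    'date=2015-03-13 time=10:00:02 type=event subtype=vpn level=error vd="root" action=error '
    'remip=198.51.100.7 locip=192.0.2.1 vpntunnel="branch1" status=esp_error '
    'errornum="Invalid ESP packet detected (replayed packet)." spi=0a1b2c3d seq=00000011 msg="IPsec ESP."',
    'date=2015-03-13 time=10:01:00 type=event subtype=vpn level=critical vd="root" action=error '
    'remip=203.0.113.9 locip=192.0.2.1 vpntunnel="hq" status=esp_error '
    'errornum="Invalid ESP packet detected (HMAC validation failed)." spi=11223344 seq=00000002 msg="IPsec ESP."',
    'date=2015-03-13 time=10:02:00 type=event subtype=vpn level=error vd="root" action=negotiate '
    'remip=203.0.113.9 locip=192.0.2.1 vpntunnel="hq" status=negotiate_error '
    'errorreason="probable preshared key mismatch" msg="IPsec phase 1 error."',
    'date=2015-03-13 time=10:03:00 type=event subtype=vpn level=notice vd="root" action=negotiate '
    'remip=198.51.100.7 locip=192.0.2.1 vpntunnel="branch1" status=success role=responder '
    'esptransform=ESP_DES espauth=HMAC_MD5 msg="negotiate IPsec phase 2."',
    'date=2015-03-13 time=10:04:00 type=event subtype=system level=notice vd="root" '
    'hagroup=1 msg="HA group is deleted."',
    'date=2015-03-13 time=10:05:00 type=event subtype=vpn level=notice vd="root" action=tunnel-stats '
    'remip=198.51.100.7 locip=192.0.2.1 vpntunnel="branch1" tunneltype="ipsec" duration=600 '
    'sentbyte=1024 rcvdbyte=2048 msg="IPsec tunnel statistics."',
]


def parse_line(line):
    """Split one raw log line into a field dictionary."""
    return {key: quoted or bare for key, quoted, bare in PAIR.findall(line)}


def classify(event):
    """Return the triage tags for one parsed event (empty list if none apply)."""
    if event.get("type") != "event" or event.get("subtype") != "vpn":
        return []
    tags = []
    errornum = event.get("errornum", "")
    if errornum:
        if "unknown SPI" in errornum:
            tags.append("esp-unknown-spi")
        else:
            match = ESP_REASON.search(errornum)
            tags.append(ESP_TAGS.get(match.group(1) if match else "", "esp-other"))
    if (event.get("errorreason") == "probable preshared key mismatch"
            or event.get("status") == "preshared-key-mismatch"):
        tags.append("psk-mismatch")
    if event.get("errorreason") == "invalid certificate":
        tags.append("cert-invalid")
    if event.get("esptransform") in WEAK_TRANSFORMS or event.get("espauth") in WEAK_AUTH:
        tags.append("weak-esp-proposal")
    return tags


def findings(lines):
    """List (remip, vpntunnel, tag) for every tagged event."""
    out = []
    for line in lines:
        event = parse_line(line)
        for tag in classify(event):
            out.append((event.get("remip", "?"), event.get("vpntunnel", "?"), tag))
    return out


def repeated(lines, threshold=2):
    """Peers that produced the same finding at least `threshold` times."""
    counts = Counter((remip, tag) for remip, _, tag in findings(lines))
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for row in findings(SAMPLE_LOGS):
        print(row)
    print(repeated(SAMPLE_LOGS))
```
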

37197
Message ID: 037197
Message Description: install IPsec SA
Type (type): event
Subtype (subtype): vpn
Level/Severity: notice
Log field

Meaning

type

event

subtype

vpn

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats,
phase2-up, phase2-down, auto-ipsec.

remip

The remote IP address.

locip

The local IP address.

remport

Remote port.

locport

Local port.

outintf

Outward interface.

cookies

Cookies.

user

User name.

group

The group name.

vpntunnel

The name of the VPN tunnel that was used. For example, ssl_vpn1.

role

Role - either responder or initiator.

inspi

In SPI.

outspi

Out SPI.

msg

"install IPsec SA."

37198
Message ID: 037198
Message Description: delete IPsec phase 1 SA
Type (type): event
Subtype (subtype): vpn
Level/Severity: notice
Log field

Meaning

type

event

subtype

vpn

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats,
phase2-up, phase2-down, auto-ipsec.

remip

The remote IP address.

locip

The local IP address.

remport

Remote port.

locport

Local port.

outintf

Outward interface.

cookies

Cookies.

user

User name.

group

The group name.

vpntunnel

The name of the VPN tunnel that was used. For example, ssl_vpn1.

msg

"delete IPsec phase 1 SA."

37199
Message ID: 037199
Message Description: delete IPsec phase 2 SA
Type (type): event
Subtype (subtype): vpn
Level/Severity: notice
Log field

Meaning

type

event

subtype

vpn

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats,
phase2-up, phase2-down, auto-ipsec.

remip

The remote IP address.

locip

The local IP address.

remport

Remote port.

locport

Local port.

outintf

Outward interface.

cookies

Cookies.

user

User name.

group

The group name.

vpntunnel

The name of the VPN tunnel that was used. For example, ssl_vpn1.

encspi

Enc SPI.

decspi

Dec SPI.

msg

"delete IPsec phase 2 SA."

37200
Message ID: 037200
Message Description: IPsec DPD failure
Type (type): event
Subtype (subtype): vpn
Level/Severity: error
Log field

Meaning

type

event

subtype

vpn

level

error

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats,
phase2-up, phase2-down, auto-ipsec.

remip

The remote IP address.

locip

The local IP address.

remport

Remote port.

locport

Local port.

outintf

Outward interface.

cookies

Cookies.

user

User name.

group

The group name.

vpntunnel

The name of the VPN tunnel that was used. For example, ssl_vpn1.

status

Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict,
preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.

msg

"IPsec DPD failure."

37201
Message ID: 037201
Message Description: IPsec connection failure
Type (type): event
Subtype (subtype): vpn
Level/Severity: error
Log field

Meaning

type

event

subtype

vpn

level

error

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats,
phase2-up, phase2-down, auto-ipsec.

remip

The remote IP address.

locip

The local IP address.

remport

Remote port.

locport

Local port.

outintf

Outward interface.

cookies

Cookies.

user

User name.

group

The group name.

vpntunnel

The name of the VPN tunnel that was used. For example, ssl_vpn1.

status

Status. One of: success, failure, negotiate_error, esp_error, dpd_failure, route-not-found, route-conflict,
preshared-key-mismatch, client-config-installed, tunnel-up, tunnel-down.

msg

"IPsec connection failure."

37202
Message ID: 037202
Message Description: IPsec connection status change
Type (type): event
Subtype (subtype): vpn
Level/Severity: notice
Log field

Meaning

type

event

subtype

vpn

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down,
tunnel-stats, phase2-up, phase2-down, auto-ipsec.

remip

The remote IP address.

locip

The local IP address.

remport

Remote port.

locport

Local port.

outintf

Outward interface.

cookies

Cookies.

user

User name.

group

The group name.

vpntunnel

The name of the VPN tunnel that was used. For example, ssl_vpn1.

tunnelip

The tunnel IP address.

tunnelid

The tunnel ID.

tunneltype

"ipsec"

duration

Time value in seconds.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

nextstat

Next stat number.

tunnel

Tunnel name.

msg

"IPsec connection status change."

37203
Message ID: 037203
Message Description: IPsec connection status change
Type (type): event
Subtype (subtype): vpn
Level/Severity: notice
Log field

Meaning

type

event

subtype

vpn

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down,
tunnel-stats, phase2-up, phase2-down, auto-ipsec.

remip

The remote IP address.

locip

The local IP address.

remport

Remote port.

locport

Local port.

outintf

Outward interface.

cookies

Cookies.

user

User name.

group

The group name.

vpntunnel

The name of the VPN tunnel that was used. For example, ssl_vpn1.

phase2name

Phase 2 name.

msg

"IPsec phase 2 status change."

37204
Message ID: 037204
Message Description: IPsec tunnel statistics
Type (type): event
Subtype (subtype): vpn
Level/Severity: notice
Log field

Meaning

type

event

subtype

vpn

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

Action taken. One of: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down,
tunnel-stats, phase2-up, phase2-down, auto-ipsec.

remip

The remote IP address.

locip

The local IP address.

remport

Remote port.

locport

Local port.

outintf

Outward interface.

cookies

Cookies.

user

User name.

group

The group name.

vpntunnel

The name of the VPN tunnel that was used. For example, ssl_vpn1.

tunnelip

The tunnel IP address.

tunnelid

The tunnel ID.

tunneltype

"ipsec"

duration

Time value in seconds.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

nextstat

Next stat number.

tunnel

Tunnel name.

msg

"IPsec tunnel statistics."

37888
Message ID: 037888
Message Description: HA group delete
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field

Meaning

type

event

subtype

system

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

hagroup

HA group.

msg

"HA group is deleted."

37889
Message ID: 037889
Message Description: Virtual cluster delete
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field

Meaning

type

event

subtype

system

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

vcluster

Virtual cluster.

msg

"Virtual cluster is deleted."

37890
Message ID: 037890
Message Description: Virtual cluster move vdom
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field

Meaning

type

event

subtype

system

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

fromvcluster

Source virtual cluster.

tovcluster

Destination virtual cluster.

vdname

VDOM name.

msg

"Virtual cluster's vdom is removed."

37891
Message ID: 037891
Message Description: Virtual cluster add vdom
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field

Meaning

type

event

subtype

system

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

tovcluster

Destination virtual cluster.

vdname

VDOM name.

msg

"Virtual cluster's vdom is added."

37892
Message ID: 037892
Message Description: Virtual cluster move member state
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field

Meaning

type

event

subtype

system

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

harole

HA role: either master or slave.

vcluster

Virtual cluster.

vclusterstate

Virtual cluster state. One of: init, helo, work, standby.

vclustermember

Virtual cluster member.

hostname

The hostname information.

sn

Serial number.

msg

"Virtual cluster's member state moved."

37893
Message ID: 037893
Message Description: Virtual cluster detect member dead
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field

Meaning

type

event

subtype

system

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

hagroup

HA group.

vcluster

Virtual cluster.

msg

"Virtual cluster detected member dead."

37894
Message ID: 037894
Message Description: Virtual cluster detect member join
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field

Meaning

type

event

subtype

system

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

hagroup

HA group.

vcluster

Virtual cluster.

msg

"Virtual cluster detected member join."

37895
Message ID: 037895
Message Description: Virtual cluster add HA device (interface)
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field

Meaning

type

event

subtype

system

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

vcluster

Virtual cluster.

devintfname

The name of the device's interface.

msg

"Virtual cluster add HA device."

37896
Message ID: 037896
Message Description: Virtual cluster delete HA device (interface)
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field

Meaning

type

event

subtype

system

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

vcluster

Virtual cluster.

devintfname

The name of the device's interface.

msg

"Virtual cluster delete HA device (interface)."

37897
Message ID: 037897
Message Description: HA device (interface) ready
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field

Meaning

type

event

subtype

system

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

harole

HA role: either master or slave.

devintfname

The name of the device's interface.

msg

"HA device (interface) ready."

37898
Message ID: 037898
Message Description: HA device (interface) fail
Type (type): event
Subtype (subtype): system
Level/Severity: warning
Log field

Meaning

type

event

subtype

system

level

warning

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

harole

HA role: either master or slave.

devintfname

The name of the device's interface.

msg

"HA device (interface) fail."

37899
Message ID: 037899
Message Description: HA device (interface) peerinfo
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field

Meaning

type

event

subtype

system

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

harole

HA role: either master or slave.

devintfname

The name of the device's interface.

msg

"HA device (interface) peerinfo."

37900
Message ID: 037900
Message Description: Heartbeat device (interface) delete
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field

Meaning

type

event

subtype

system

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

devintfname

The name of the device's interface.

msg

"Heartbeat device (interface) delete."

37901
Message ID: 037901
Message Description: Heartbeat device (interface) down
Type (type): event
Subtype (subtype): system
Level/Severity: critical
Log field

Meaning

type

event

subtype

system

level

critical

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

harole

HA role: either master or slave.

hbdnreason

Heartbeat down reason: either linkfail or neighbor-info-lost.

devintfname

The name of the device's interface.

msg

"Heartbeat device (interface) down."

37902
Message ID: 037902
Message Description: Heartbeat device (interface) up
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field

Meaning

type

event

subtype

system

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

harole

HA role: either master or slave.

devintfname

The name of the device's interface.

msg

"Heartbeat device (interface) up."

37903
Message ID: 037903
Message Description: The sync status with the master
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field

Meaning

type

event

subtype

system

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

synctype

Sync type. Either configurations or external-files.

syncstatus

Sync status. Either out-of-sync or in-sync.

msg

"The sync status with the master."

37904
Message ID: 037904
Message Description: HA activity report
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field

Meaning

type

event

subtype

system

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

ip

HA IP.

haprio

HA priority.

activity

HA activity message.

msg

"HA activity report."

38031
Message ID: 038031
Message Description: Authentication message
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field

Meaning

type

event

subtype

user

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

user

User name.

src

The source IP of the traffic.

server

The name or IP address of the server.

action

FSSO-polling-logon

status

success

reason

Reason.

msg

"FSSO-polling-logon event from <device>: user <username> logged on <ip address>."

38032
Message ID: 038032
Message Description: Authentication message
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field Meaning
type

event

subtype

user

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

user

User name.

src

The source IP of the traffic.

server

The name or IP address of the server.

action

FSSO-polling-logoff

status

success

reason

Reason.

msg

"FSSO-polling-logoff event from <device>: user <username> logged on <ip address>."


38033
Message ID: 038033
Message Description: Authentication message
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field Meaning
type

event

subtype

user

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

user

User name.

server

The name or IP address of the server.

action

FSSO-polling-AD-server

msg

"FSSO-polling-AD-server status changes: <description>."


38400
Message ID: 038400
Message Description: The system successfully sent a notification message
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field

Meaning

type

event

subtype

system

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

user

User name.

from

Source identifier.

to

Destination identifier.

service

The service where the event or activity occurred.

proto

The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).

dst

The destination IP of the traffic.

dport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

nftype

Notification type. One of: bword, file_block, carrier_ep_bwl, flood, dupe, alert, mms_checksum, virus.

virus

The name of the virus detected.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

count

Number of packets.

duration

Time value in seconds.

msg

"Successfully sent a notification message."


38401
Message ID: 038401
Message Description: The system was unable to send a notification message
Type (type): event
Subtype (subtype): system
Level/Severity: warning
Log field

Meaning

type

event

subtype

system

level

warning

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

user

User name.

from

Source identifier.

to

Destination identifier.

service

The service where the event or activity occurred.

proto

The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).

dst

The destination IP of the traffic.

dport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

nftype

Notification type. One of: bword, file_block, carrier_ep_bwl, flood, dupe, alert, mms_checksum, virus.

virus

The name of the virus detected.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

count

Number of packets.

duration

Time value in seconds.

msg

"Unable to send a notification message."


38402
Message ID: 038402
Message Description: The system was unable to resolve an MMSC hostname
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field

Meaning

type

event

subtype

system

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

hostname

The hostname information.

service

The service where the event or activity occurred.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

profilevd

Profile VDOM.

msg

"Unable to resolve hostname."


38656
Message ID: 038656
Message Description: RADIUS protocol error report
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field Meaning
type

event

subtype

user

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

count

Number of packets.

duration

Time value in seconds.


msg

Message.


38657
Message ID: 038657
Message Description: RADIUS profile error report
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field Meaning
type

event

subtype

user

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

count

Number of packets.

duration

Time value in seconds.


msg

Message.


38658
Message ID: 038658
Message Description: RADIUS context error report
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field Meaning
type

event

subtype

user

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

count

Number of packets.

duration

Time value in seconds.


msg

Message.


38659
Message ID: 038659
Message Description: RADIUS missing stop packet report
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field Meaning
type

event

subtype

user

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

count

Number of packets.

duration

Time value in seconds.


msg

Message.


38660
Message ID: 038660
Message Description: RADIUS accounting event report
Type (type): event
Subtype (subtype): user
Level/Severity: information
Log field Meaning
type

event

subtype

user

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

count

Number of packets.

duration

Time value in seconds.


msg

Message.


38661
Message ID: 038661
Message Description: RADIUS other dynamic profile report
Type (type): event
Subtype (subtype): user
Level/Severity: information
Log field Meaning
type

event

subtype

user

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

count

Number of packets.

duration

Time value in seconds.


msg

Message.


38662
Message ID: 038662
Message Description: RADIUS protocol errors occurred
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field Meaning
type

event

subtype

user

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

carrierep

The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in the FortiOS interface.

ip

IP address.

rssokey

RSSO key.

msg

Message.

acctstat

Accounting state. One of: Start, Stop, Interim-Update, Accounting-On, Accounting-Off.

reason

Reason.


38663
Message ID: 038663
Message Description: RADIUS start or interim-update packet received with missing or invalid profile specified
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field Meaning
type

event

subtype

user

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

carrierep

The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in the FortiOS interface.

ip

IP address.

rssokey

RSSO key.

msg

Message.

acctstat

Accounting state. One of: Start, Stop, Interim-Update, Accounting-On, Accounting-Off.

reason

Reason.


38664
Message ID: 038664
Message Description: RADIUS no context found for user
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field Meaning
type

event

subtype

user

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

carrierep

The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in the FortiOS interface.

ip

IP address.

rssokey

RSSO key.

msg

Message.


38665
Message ID: 038665
Message Description: RADIUS stop packet was missed
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field Meaning
type

event

subtype

user

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

carrierep

The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in the FortiOS interface.

ip

IP address.

rssokey

RSSO key.

msg

Message.

acctstat

Accounting state. One of: Start, Stop, Interim-Update, Accounting-On, Accounting-Off.

reason

Reason.


38666
Message ID: 038666
Message Description: RADIUS accounting event
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field Meaning
type

event

subtype

user

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

carrierep

The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in the FortiOS interface.

ip

IP address.

rssokey

RSSO key.

msg

Message.

acctstat

Accounting state. One of: Start, Stop, Interim-Update, Accounting-On, Accounting-Off.

reason

Reason.


38667
Message ID: 038667
Message Description: RADIUS other dynamic profile event
Type (type): event
Subtype (subtype): user
Level/Severity: information
Log field Meaning
type

event

subtype

user

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

carrierep

The FortiOS Carrier end-point identification. For example, it would display MSISDN of the phone that sent the MMS message. This field will always display N/A in the FortiOS interface.

ip

IP address.

rssokey

RSSO key.

msg

Message.

acctstat

Accounting state. One of: Start, Stop, Interim-Update, Accounting-On, Accounting-Off.

reason

Reason.

count

Number of packets.


39424
Message ID: 039424
Message Description: SSL tunnel established
Type (type): event
Subtype (subtype): vpn
Level/Severity: information
Log field

Meaning

type

event

subtype

vpn

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

"tunnel-up"

tunneltype

"ssl-web"

tunnelid

The tunnel ID.

remip

The remote IP address.

tunnelip

The tunnel IP address.

user

User name.

group

The group name.

dsthost

Destination host.

reason

The reason for the blocking. One of the following: meter-overload-drop, meter-overload-refuse, rate-limit, dialog-limit,
long-header, unrecognized-form, unknown, block-request, invalid-ip, or exceed-rate.

msg

"SSL tunnel established."


39425
Message ID: 039425
Message Description: SSL tunnel shutdown
Type (type): event
Subtype (subtype): vpn
Level/Severity: information
Log field

Meaning

type

event

subtype

vpn

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

"tunnel-down"

tunneltype

"ssl-web"

tunnelid

The tunnel ID.

remip

The remote IP address.

tunnelip

The tunnel IP address.

user

User name.

group

The group name.

dsthost

Destination host.

reason

The reason for the blocking. One of the following: meter-overload-drop, meter-overload-refuse, rate-limit, dialog-limit,
long-header, unrecognized-form, unknown, block-request, invalid-ip, or exceed-rate.

duration

Time value in seconds.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

msg

"SSL tunnel established."


39426
Message ID: 039426
Message Description: SSL user failed to log in
Type (type): event
Subtype (subtype): vpn
Level/Severity: information
Log field

Meaning

type

event

subtype

vpn

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

"ssl-login-fail"

tunneltype

"ssl-web"

tunnelid

The tunnel ID.

remip

The remote IP address.

tunnelip

The tunnel IP address.

user

User name.

group

The group name.

dsthost

Destination host.

reason

The reason for the blocking. One of the following: meter-overload-drop, meter-overload-refuse, rate-limit, dialog-limit,
long-header, unrecognized-form, unknown, block-request, invalid-ip, or exceed-rate.

msg

"SSL user failed to log in."


39936
Message ID: 039936
Message Description: SSL web tunnel statistics
Type (type): event
Subtype (subtype): vpn
Level/Severity: information
Log field

Meaning

type

event

subtype

vpn

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

"tunnel-stats"

tunneltype

"ssl-web"

tunnelid

The tunnel ID.

remip

The remote IP address.

tunnelip

The tunnel IP address.

user

User name.

group

The group name.

dsthost

Destination host.

nextstats

Next statistics.

duration

Time value in seconds.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

reason

The reason for the blocking. One of the following: meter-overload-drop, meter-overload-refuse, rate-limit, dialog-limit,
long-header, unrecognized-form, unknown, block-request, invalid-ip, or exceed-rate.

msg

"SSL web tunnel statistics."


39937
Message ID: 039937
Message Description: SSL web application blocked
Type (type): event
Subtype (subtype): vpn
Level/Severity: warning
Log field

Meaning

type

event

subtype

vpn

level

warning

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

"ssl-web-deny"

tunneltype

"ssl-web"

tunnelid

The tunnel ID.

remip

The remote IP address.

tunnelip

The tunnel IP address.

user

User name.

group

The group name.

dsthost

Destination host.

apptype

The type of application that triggered the action within the control list.

msg

"SSL web application blocked."


39938
Message ID: 039938
Message Description: SSL web application activated
Type (type): event
Subtype (subtype): vpn
Level/Severity: information
Log field

Meaning

type

event

subtype

vpn

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

"ssl-web-pass"

tunneltype

"ssl-web"

tunnelid

The tunnel ID.

remip

The remote IP address.

tunnelip

The tunnel IP address.

user

User name.

group

The group name.

dsthost

Destination host.

apptype

The type of application that triggered the action within the control list.

msg

"SSL web application activated."


39939
Message ID: 039939
Message Description: SSL web application timeout
Type (type): event
Subtype (subtype): vpn
Level/Severity: information
Log field

Meaning

type

event

subtype

vpn

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

"ssl-web-timeout"

tunneltype

"ssl-web"

tunnelid

The tunnel ID.

remip

The remote IP address.

tunnelip

The tunnel IP address.

user

User name.

group

The group name.

dsthost

Destination host.

apptype

The type of application that triggered the action within the control list.

msg

"SSL web application timeout."


39940
Message ID: 039940
Message Description: SSL web application closed
Type (type): event
Subtype (subtype): vpn
Level/Severity: information
Log field

Meaning

type

event

subtype

vpn

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

"ssl-web-close"

tunneltype

"ssl-web"

tunnelid

The tunnel ID.

remip

The remote IP address.

tunnelip

The tunnel IP address.

user

User name.

group

The group name.

dsthost

Destination host.

apptype

The type of application that triggered the action within the control list.

msg

"SSL web application closed."


39941
Message ID: 039941
Message Description: SSL system busy
Type (type): event
Subtype (subtype): vpn
Level/Severity: information
Log field

Meaning

type

event

subtype

vpn

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

"ssl-sys-busy"

tunneltype

"ssl-web"

tunnelid

The tunnel ID.

remip

The remote IP address.

tunnelip

The tunnel IP address.

user

User name.

group

The group name.

dsthost

Destination host.

reason

The reason for the blocking. One of the following: meter-overload-drop, meter-overload-refuse, rate-limit, dialog-limit,
long-header, unrecognized-form, unknown, block-request, invalid-ip, or exceed-rate.

msg

"SSL system busy."


39942
Message ID: 039942
Message Description: SSL new SSL certification verification success
Type (type): event
Subtype (subtype): vpn
Level/Severity: information
Log field

Meaning

type

event

subtype

vpn

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

"ssl-cert"

tunneltype

"ssl"

tunnelid

The tunnel ID.

remip

The remote IP address.

tunnelip

The tunnel IP address.

user

User name.

group

The group name.

dsthost

Destination host.

reason

The reason for the blocking. One of the following: meter-overload-drop, meter-overload-refuse, rate-limit, dialog-limit,
long-header, unrecognized-form, unknown, block-request, invalid-ip, or exceed-rate.

msg

"SSL new SSL certification verification success."


39943
Message ID: 039943
Message Description: SSL new connection
Type (type): event
Subtype (subtype): vpn
Level/Severity: debug
Log field

Meaning

type

event

subtype

vpn

level

debug

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

"ssl-new-con"

tunneltype

"ssl"

tunnelid

The tunnel ID.

remip

The remote IP address.

tunnelip

The tunnel IP address.

user

User name.

group

The group name.

dsthost

Destination host.

reason

The reason for the blocking. One of the following: meter-overload-drop, meter-overload-refuse, rate-limit, dialog-limit,
long-header, unrecognized-form, unknown, block-request, invalid-ip, or exceed-rate.

msg

"SSL new connection."


39944
Message ID: 039944
Message Description: SSL alerts
Type (type): event
Subtype (subtype): vpn
Level/Severity: error
Log field

Meaning

type

event

subtype

vpn

level

error

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

"ssl-alert"

tunneltype

"ssl"

tunnelid

The tunnel ID.

remip

The remote IP address.

tunnelip

The tunnel IP address.

user

User name.

group

The group name.

dsthost

Destination host.

alert

Alert information.

desc

Description.

msg

"SSL alerts."


39945
Message ID: 039945
Message Description: SSL exit fail
Type (type): event
Subtype (subtype): vpn
Level/Severity: error
Log field

Meaning

type

event

subtype

vpn

level

error

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

"ssl-exit-fail"

tunneltype

"ssl"

tunnelid

The tunnel ID.

remip

The remote IP address.

tunnelip

The tunnel IP address.

user

User name.

group

The group name.

dsthost

Destination host.

reason

The reason for the blocking. One of the following: meter-overload-drop, meter-overload-refuse, rate-limit, dialog-limit,
long-header, unrecognized-form, unknown, block-request, invalid-ip, or exceed-rate.

msg

"SSL exit fail."


39946
Message ID: 039946
Message Description: SSL exit error
Type (type): event
Subtype (subtype): vpn
Level/Severity: error
Log field

Meaning

type

event

subtype

vpn

level

error

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

"ssl-exit-error"

tunneltype

"ssl"

tunnelid

The tunnel ID.

remip

The remote IP address.

tunnelip

The tunnel IP address.

user

User name.

group

The group name.

dsthost

Destination host.

reason

The reason for the blocking. One of the following: meter-overload-drop, meter-overload-refuse, rate-limit, dialog-limit,
long-header, unrecognized-form, unknown, block-request, invalid-ip, or exceed-rate.

msg

"SSL exit error."


39947
Message ID: 039947
Message Description: SSL tunnel established
Type (type): event
Subtype (subtype): vpn
Level/Severity: information
Log field

Meaning

type

event

subtype

vpn

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

"tunnel-up"

tunneltype

"ssl-tunnel"

tunnelid

The tunnel ID.

remip

The remote IP address.

tunnelip

The tunnel IP address.

user

User name.

group

The group name.

dsthost

Destination host.

reason

The reason for the blocking. One of the following: meter-overload-drop, meter-overload-refuse, rate-limit, dialog-limit,
long-header, unrecognized-form, unknown, block-request, invalid-ip, or exceed-rate.

msg

"SSL tunnel established."


39948
Message ID: 039948
Message Description: SSL tunnel shutdown
Type (type): event
Subtype (subtype): vpn
Level/Severity: information
Log field

Meaning

type

event

subtype

vpn

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

"tunnel-down"

tunneltype

"ssl-tunnel"

tunnelid

The tunnel ID.

remip

The remote IP address.

tunnelip

The tunnel IP address.

user

User name.

group

The group name.

dsthost

Destination host.

duration

Time value in seconds.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

reason

The reason for the blocking. One of the following: meter-overload-drop, meter-overload-refuse, rate-limit, dialog-limit,
long-header, unrecognized-form, unknown, block-request, invalid-ip, or exceed-rate.

msg

"SSL tunnel established."


39949
Message ID: 039949
Message Description: SSL tunnel statistics
Type (type): event
Subtype (subtype): vpn
Level/Severity: information
Log field

Meaning

type

event

subtype

vpn

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

"tunnel-stats"

tunneltype

"ssl-tunnel"

tunnelid

The tunnel ID.

remip

The remote IP address.

tunnelip

The tunnel IP address.

user

User name.

group

The group name.

dsthost

Destination host.

nextstats

Next statistics.

duration

Time value in seconds.

sentbyte

The number of sent bytes related to the log message.

rcvdbyte

The number of received bytes related to the log message.

reason

The reason for the blocking. One of the following: meter-overload-drop, meter-overload-refuse, rate-limit, dialog-limit,
long-header, unrecognized-form, unknown, block-request, invalid-ip, or exceed-rate.

msg

"SSL tunnel statistics."


39950
Message ID: 039950
Message Description: SSL tunnel unknown tag
Type (type): event
Subtype (subtype): vpn
Level/Severity: information
Log field

Meaning

type

event

subtype

vpn

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

"ssl-tunnel-unknown-tag"

tunneltype

"ssl-tunnel"

tunnelid

The tunnel ID.

remip

The remote IP address.

tunnelip

The tunnel IP address.

user

User name.

group

The group name.

dsthost

Destination host.

reason

The reason for the blocking. One of the following: meter-overload-drop, meter-overload-refuse, rate-limit, dialog-limit,
long-header, unrecognized-form, unknown, block-request, invalid-ip, or exceed-rate.

msg

"SSL tunnel unknown tag."


39951
Message ID: 039951
Message Description: SSL tunnel error
Type (type): event
Subtype (subtype): vpn
Level/Severity: error
Log field

Meaning

type

event

subtype

vpn

level

error

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

"ssl-tunnel-error"

tunneltype

"ssl-tunnel"

tunnelid

The tunnel ID.

remip

The remote IP address.

tunnelip

The tunnel IP address.

user

User name.

group

The group name.

dsthost

Destination host.

reason

The reason for the blocking. One of the following: meter-overload-drop, meter-overload-refuse, rate-limit, dialog-limit,
long-header, unrecognized-form, unknown, block-request, invalid-ip, or exceed-rate.

msg

"SSL tunnel error."


40704
Message ID: 040704
Message Description: System performance
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field

Meaning

type

event

subtype

system

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

"perf-stats"

cpu

CPU usage.

mem

Memory usage.

totalsession

Total IP sessions.


msg

"Performance statistics."


40960
Message ID: 040960
Message Description: web proxy forward server error
Type (type): event
Subtype (subtype): wad
Level/Severity: notice
Log field

Meaning

type

event

subtype

wad

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

fwservername

Forward server name.


addrtype

Address type, either IP or FQDN.

ip

IP address.

fqdn

Domain name.

port

Port number.

msg

Message. Either "Failed to connect to forward server" or "Successfully connected to forward server".


41216
Message ID: 041216
Message Description: GTP forward
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field

Meaning

type

event

subtype

system

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

profile

The name of the profile that was used to detect and take action.

status

GTP status. One of: forwarded, prohibited, rate-limited, state-invalid, tunnel-limited, traffic-count, user-data,
prohibited-monitor, rate-limited-monitor, state-invalid-monitor, tunnel-limited-monitor.

version

Version.

msgtype

Message type.

from

Source identifier.

to

Destination identifier.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

seqnum

Sequence number.

tunnelidx

Tunnel index.

imsi

IMSI.

msisdn

The MSISDN information.

apn

APN.

selection

Selection: apns-vrf, ms-apn-no-vrf, net-apn-no-vrf.

cgsn

CGSN.

ugsn

UGSN.

nsapi

NSAPI.

linkednsapi

Linked NSAPI.

imeisv

IMEISV.

rattype

RAT type. One of: utran, geran, wlan, gan, hspa, eutran, virtual.

rai

RAI.

uli

ULI.


endusraddress

End user address.


headerteid

Header TEID.


41217
Message ID: 041217
Message Description: GTP Deny
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field

Meaning

type

event

subtype

system

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

profile

The name of the profile that was used to detect and take action.

status

GTP status. One of: forwarded, prohibited, rate-limited, state-invalid, tunnel-limited, traffic-count, user-data,
prohibited-monitor, rate-limited-monitor, state-invalid-monitor, tunnel-limited-monitor.

version

Version.

msgtype

Message type.

from

Source identifier.

to

Destination identifier.

denycause

Denial cause. One of: packet-sanity, invalid-reserved-field, reserved-msg, out-state-msg, reserved-ie, out-state-ie,
invalid-msg-length, invalid-ie-length, miss-mandatory-ie, ip-policy, non-ip-policy, sgsn-not-authorized, sgsn-no-handover,
ggsn-not-authorized, invalid-seq-num, msg-filter, apn-filter, imsi-filter, adv-policy-filter, unknown-gtp-version

ietype

IE type.

dtlexp

Detailed explanation. One of the following:


none, ie-is-missing, invalid-ie-length, no-tunnel-exists, hteid-is-zero, response-hteid-doesnt-match-request,
payload-teid-is-zero, invalid-tid, header-seq-num-is-missing, expired-echo-response, expired-create-response,
expired-update-response, expired-delete-response, invalid-mcc-mnc, neither-hteid-nor-cteid-exists,
cant-have-both-hteid-and-cteid, malformed-extension-header, expired-create-session-response,
expired-create-bearer-response, expired-create-indirect-tunnel-response, expired-modified-bearer-response,
expired-update-bearer-response, expired-delete-session-response, expired-delete-beaerer-response,
expired-delete-indirect-tunnel-response, expired-release-access-bearer-response, cause-value-should-be-isr-deactivation,
imsi-shouldnt-exist, fteid-shouldnt-exist, cant-have-both-ebi-and-lbi, invalid-eps-bearer-id, malformed-piggybacked-msg,
malformed-p-flag, malformed-t-flag

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

seqnum

Sequence number.

tunnelidx

Tunnel index.

imsi

IMSI.

msisdn

The MSISDN information.

apn

APN.

selection

Selection: apns-vrf, ms-apn-no-vrf, net-apn-no-vrf.

cgsn

CGSN.

ugsn

UGSN.

nsapi

NSAPI.

linkednsapi

Linked NSAPI.

imeisv

IMEISV.

rattype

RAT type. One of: utran, geran, wlan, gan, hspa, eutran, virtual.

rai

RAI.

uli

ULI.

endusraddress

End user address.

headerteid

Header TEID.

41218
Message ID: 041218
Message Description: GTP Rate Limit
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field

Meaning

type

event

subtype

system

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

profile

The name of the profile that was used to detect and take action.

status

GTP status. One of: forwarded, prohibited, rate-limited, state-invalid, tunnel-limited, traffic-count, user-data,
prohibited-monitor, rate-limited-monitor, state-invalid-monitor, tunnel-limited-monitor.

version

Version.

msgtype

Message type.

from

Source identifier.

to

Destination identifier.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

seqnum

Sequence number.

tunnelidx

Tunnel index.

imsi

IMSI.

msisdn

The MSISDN information.

apn

APN.

selection

Selection: apns-vrf, ms-apn-no-vrf, net-apn-no-vrf.

cgsn

CGSN.

ugsn

UGSN.

nsapi

NSAPI.

linkednsapi

Linked NSAPI.

imeisv

IMEISV.

rattype

RAT type. One of: utran, geran, wlan, gan, hspa, eutran, virtual.

rai

RAI.

uli

ULI.

endusraddress

End user address.

headerteid

Header TEID.

41219
Message ID: 041219
Message Description: GTP State Invalid
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field

Meaning

type

event

subtype

system

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

profile

The name of the profile that was used to detect and take action.

status

GTP status. One of: forwarded, prohibited, rate-limited, state-invalid, tunnel-limited, traffic-count, user-data,
prohibited-monitor, rate-limited-monitor, state-invalid-monitor, tunnel-limited-monitor.

version

Version.

msgtype

Message type.

from

Source identifier.

to

Destination identifier.

dtlexp

Detailed explanation. One of the following:


none, ie-is-missing, invalid-ie-length, no-tunnel-exists, hteid-is-zero, response-hteid-doesnt-match-request,
payload-teid-is-zero, invalid-tid, header-seq-num-is-missing, expired-echo-response, expired-create-response,
expired-update-response, expired-delete-response, invalid-mcc-mnc, neither-hteid-nor-cteid-exists,
cant-have-both-hteid-and-cteid, malformed-extension-header, expired-create-session-response,
expired-create-bearer-response, expired-create-indirect-tunnel-response, expired-modified-bearer-response,
expired-update-bearer-response, expired-delete-session-response, expired-delete-beaerer-response,
expired-delete-indirect-tunnel-response, expired-release-access-bearer-response, cause-value-should-be-isr-deactivation,
imsi-shouldnt-exist, fteid-shouldnt-exist, cant-have-both-ebi-and-lbi, invalid-eps-bearer-id, malformed-piggybacked-msg,
malformed-p-flag, malformed-t-flag

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

seqnum

Sequence number.

tunnelidx

Tunnel index.

imsi

IMSI.

msisdn

The MSISDN information.

apn

APN.

selection

Selection: apns-vrf, ms-apn-no-vrf, net-apn-no-vrf.

cgsn

CGSN.

ugsn

UGSN.

nsapi

NSAPI.

linkednsapi

Linked NSAPI.

imeisv

IMEISV.

rattype

RAT type. One of: utran, geran, wlan, gan, hspa, eutran, virtual.

rai

RAI.

uli

ULI.

endusraddress

End user address.

headerteid

Header TEID.

41220
Message ID: 041220
Message Description: GTP Tunnel Limit
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field

Meaning

type

event

subtype

system

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

profile

The name of the profile that was used to detect and take action.

status

GTP status. One of: forwarded, prohibited, rate-limited, state-invalid, tunnel-limited, traffic-count, user-data,
prohibited-monitor, rate-limited-monitor, state-invalid-monitor, tunnel-limited-monitor.

version

Version.

msgtype

Message type.

from

Source identifier.

to

Destination identifier.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

seqnum

Sequence number.

tunnelidx

Tunnel index.

imsi

IMSI.

msisdn

The MSISDN information.

apn

APN.

selection

Selection: apns-vrf, ms-apn-no-vrf, net-apn-no-vrf.

cgsn

CGSN.

ugsn

UGSN.

nsapi

NSAPI.

linkednsapi

Linked NSAPI.

imeisv

IMEISV.

rattype

RAT type. One of: utran, geran, wlan, gan, hspa, eutran, virtual.

rai

RAI.

uli

ULI.

endusraddress

End user address.

headerteid

Header TEID.

41221
Message ID: 041221
Message Description: GTP Traffic Account
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field

Meaning

type

event

subtype

system

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

profile

The name of the profile that was used to detect and take action.

status

GTP status. One of: forwarded, prohibited, rate-limited, state-invalid, tunnel-limited, traffic-count, user-data,
prohibited-monitor, rate-limited-monitor, state-invalid-monitor, tunnel-limited-monitor.

version

Version.

csgsn

CSGSN.

cggsn

CGGSN.

usgsn

USGSN.

uggsn

UGGSN.

csgsnteid

CSGSN TEID.

cggsnteid

CGGSN TEID.

usgsnteid

USGSN TEID.

uggsnteid

UGGSN TEID.

tunnelidx

Tunnel index.

duration

Time value in seconds.

cpkts

C-packets.

cbytes

C-bytes.

upkts

U-packets.

ubytes

U-bytes.

tunnelidx

Tunnel index.

imsi

IMSI.

msisdn

The MSISDN information.

apn

APN.

selection

Selection: apns-vrf, ms-apn-no-vrf, net-apn-no-vrf.

cgsn

CGSN.

ugsn

UGSN.

nsapi

NSAPI.

linkednsapi

Linked NSAPI.

imeisv

IMEISV.

rattype

RAT type. One of: utran, geran, wlan, gan, hspa, eutran, virtual.

rai

RAI.

uli

ULI.

endusraddress

End user address.

41222
Message ID: 041222
Message Description: GTP User Data
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field

Meaning

type

event

subtype

system

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

profile

The name of the profile that was used to detect and take action.

status

GTP status. One of: forwarded, prohibited, rate-limited, state-invalid, tunnel-limited, traffic-count, user-data,
prohibited-monitor, rate-limited-monitor, state-invalid-monitor, tunnel-limited-monitor.

version

Version.

tunnelidx

Tunnel index.

from

Source identifier.

to

Destination identifier.

endusraddress

End user address.

imsi

IMSI.

msisdn

The MSISDN information.

apn

APN.

userdata

User data.

41223
Message ID: 041223
Message Description: GTPv2 Forward
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field

Meaning

type

event

subtype

system

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

profile

The name of the profile that was used to detect and take action.

status

GTP status. One of: forwarded, prohibited, rate-limited, state-invalid, tunnel-limited, traffic-count, user-data,
prohibited-monitor, rate-limited-monitor, state-invalid-monitor, tunnel-limited-monitor.

version

Version.

msgtype

Message type.

from

Source identifier.

to

Destination identifier.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

seqnum

Sequence number.

tunnelidx

Tunnel index.

imsi

IMSI.

msisdn

The MSISDN information.

imeisv

IMEISV.

snetwork

Serving network.

rattype

RAT type. One of: utran, geran, wlan, gan, hspa, eutran, virtual.

selection

Selection: apns-vrf, ms-apn-no-vrf, net-apn-no-vrf.

apn

APN.

endusraddress

End user address.

headerteid

Header TEID.

cpaddr

Sender IP address for control plane.

cpteid

Sender TEID for control plane.

41224
Message ID: 041224
Message Description: GTPv2 Deny
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field

Meaning

type

event

subtype

system

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

profile

The name of the profile that was used to detect and take action.

status

GTP status. One of: forwarded, prohibited, rate-limited, state-invalid, tunnel-limited, traffic-count, user-data,
prohibited-monitor, rate-limited-monitor, state-invalid-monitor, tunnel-limited-monitor.

version

Version.

msgtype

Message type.

from

Source identifier.

to

Destination identifier.

denycause

Denial cause. One of: packet-sanity, invalid-reserved-field, reserved-msg, out-state-msg, reserved-ie, out-state-ie,
invalid-msg-length, invalid-ie-length, miss-mandatory-ie, ip-policy, non-ip-policy, sgsn-not-authorized, sgsn-no-handover,
ggsn-not-authorized, invalid-seq-num, msg-filter, apn-filter, imsi-filter, adv-policy-filter, unknown-gtp-version

ietype

IE type.

dtlexp

Detailed explanation. One of the following:


none, ie-is-missing, invalid-ie-length, no-tunnel-exists, hteid-is-zero, response-hteid-doesnt-match-request,
payload-teid-is-zero, invalid-tid, header-seq-num-is-missing, expired-echo-response, expired-create-response,
expired-update-response, expired-delete-response, invalid-mcc-mnc, neither-hteid-nor-cteid-exists,
cant-have-both-hteid-and-cteid, malformed-extension-header, expired-create-session-response,
expired-create-bearer-response, expired-create-indirect-tunnel-response, expired-modified-bearer-response,
expired-update-bearer-response, expired-delete-session-response, expired-delete-beaerer-response,
expired-delete-indirect-tunnel-response, expired-release-access-bearer-response, cause-value-should-be-isr-deactivation,
imsi-shouldnt-exist, fteid-shouldnt-exist, cant-have-both-ebi-and-lbi, invalid-eps-bearer-id, malformed-piggybacked-msg,
malformed-p-flag, malformed-t-flag

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

seqnum

Sequence number.

tunnelidx

Tunnel index.

imsi

IMSI.

msisdn

The MSISDN information.

imeisv

IMEISV.

snetwork

Serving network.

rattype

RAT type. One of: utran, geran, wlan, gan, hspa, eutran, virtual.

selection

Selection: apns-vrf, ms-apn-no-vrf, net-apn-no-vrf.

apn

APN.

endusraddress

End user address.

headerteid

Header TEID.

cpaddr

Sender IP address for control plane.

cpteid

Sender TEID for control plane.

41225
Message ID: 041225
Message Description: GTPv2 Rate Limit
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field

Meaning

type

event

subtype

system

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

profile

The name of the profile that was used to detect and take action.

status

GTP status. One of: forwarded, prohibited, rate-limited, state-invalid, tunnel-limited, traffic-count, user-data,
prohibited-monitor, rate-limited-monitor, state-invalid-monitor, tunnel-limited-monitor.

version

Version.

msgtype

Message type.

from

Source identifier.

to

Destination identifier.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

seqnum

Sequence number.

tunnelidx

Tunnel index.

imsi

IMSI.

msisdn

The MSISDN information.

imeisv

IMEISV.

snetwork

Serving network.

rattype

RAT type. One of: utran, geran, wlan, gan, hspa, eutran, virtual.

selection

Selection: apns-vrf, ms-apn-no-vrf, net-apn-no-vrf.

apn

APN.

endusraddress

End user address.

headerteid

Header TEID.

cpaddr

Sender IP address for control plane.

cpteid

Sender TEID for control plane.

41226
Message ID: 041226
Message Description: GTPv2 State Invalid
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field

Meaning

type

event

subtype

system

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

profile

The name of the profile that was used to detect and take action.

status

GTP status. One of: forwarded, prohibited, rate-limited, state-invalid, tunnel-limited, traffic-count, user-data,
prohibited-monitor, rate-limited-monitor, state-invalid-monitor, tunnel-limited-monitor.

version

Version.

msgtype

Message type.

from

Source identifier.

to

Destination identifier.

dtlexp

Detailed explanation. One of the following:


none, ie-is-missing, invalid-ie-length, no-tunnel-exists, hteid-is-zero, response-hteid-doesnt-match-request,
payload-teid-is-zero, invalid-tid, header-seq-num-is-missing, expired-echo-response, expired-create-response,
expired-update-response, expired-delete-response, invalid-mcc-mnc, neither-hteid-nor-cteid-exists,
cant-have-both-hteid-and-cteid, malformed-extension-header, expired-create-session-response,
expired-create-bearer-response, expired-create-indirect-tunnel-response, expired-modified-bearer-response,
expired-update-bearer-response, expired-delete-session-response, expired-delete-beaerer-response,
expired-delete-indirect-tunnel-response, expired-release-access-bearer-response, cause-value-should-be-isr-deactivation,
imsi-shouldnt-exist, fteid-shouldnt-exist, cant-have-both-ebi-and-lbi, invalid-eps-bearer-id, malformed-piggybacked-msg,
malformed-p-flag, malformed-t-flag

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

seqnum

Sequence number.

tunnelidx

Tunnel index.

imsi

IMSI.

msisdn

The MSISDN information.

imeisv

IMEISV.

snetwork

Serving network.

rattype

RAT type. One of: utran, geran, wlan, gan, hspa, eutran, virtual.

selection

Selection: apns-vrf, ms-apn-no-vrf, net-apn-no-vrf.

apn

APN.

endusraddress

End user address.

headerteid

Header TEID.

cpaddr

Sender IP address for control plane.

cpteid

Sender TEID for control plane.

41227
Message ID: 041227
Message Description: GTPv2 Tunnel Limit
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field

Meaning

type

event

subtype

system

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

profile

The name of the profile that was used to detect and take action.

status

GTP status. One of: forwarded, prohibited, rate-limited, state-invalid, tunnel-limited, traffic-count, user-data,
prohibited-monitor, rate-limited-monitor, state-invalid-monitor, tunnel-limited-monitor.

version

Version.

msgtype

Message type.

from

Source identifier.

to

Destination identifier.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

seqnum

Sequence number.

tunnelidx

Tunnel index.

imsi

IMSI.

msisdn

The MSISDN information.

imeisv

IMEISV.

snetwork

Serving network.

rattype

RAT type. One of: utran, geran, wlan, gan, hspa, eutran, virtual.

selection

Selection: apns-vrf, ms-apn-no-vrf, net-apn-no-vrf.

apn

APN.

endusraddress

End user address.

headerteid

Header TEID.

cpaddr

Sender IP address for control plane.

cpteid

Sender TEID for control plane.

41228
Message ID: 041228
Message Description: GTP Traffic Account
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field

Meaning

type

event

subtype

system

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

profile

The name of the profile that was used to detect and take action.

status

GTP status. One of: forwarded, prohibited, rate-limited, state-invalid, tunnel-limited, traffic-count, user-data,
prohibited-monitor, rate-limited-monitor, state-invalid-monitor, tunnel-limited-monitor.

version

Version.

cpdladdr

Down-link IP address for control plane.

cpdlisraddr

Secondary down-link IP address for control plane, for ISR cases.

cpuladdr

Up-link IP address for control plane.

cpdlteid

Down-link TEID for control plane.

cpdlisrteid

Secondary down-link TEID for control plane, for ISR cases.

cpulteid

Up-link TEID for control plane.

tunnelidx

Tunnel index.

duration

Time value in seconds.

cpkts

C-packets.

cbytes

C-bytes.

upkts

U-packets.

ubytes

U-bytes.

imsi

IMSI.

msisdn

The MSISDN information.

apn

APN.

selection

Selection: apns-vrf, ms-apn-no-vrf, net-apn-no-vrf.

imeisv

IMEISV.

rattype

RAT type. One of: utran, geran, wlan, gan, hspa, eutran, virtual.

endusraddress

End user address.

snetwork

Serving network.

41984
Message ID: 041984
Message Description: Certificate Load
Type (type): event
Subtype (subtype): vpn
Level/Severity: information
Log field

Meaning

type

event

subtype

vpn

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

"info"

user

User name.

ui

The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting.
For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address
is 10.10.20.5). The field then shows their point-of-entry as GUI(10.10.20.5).

certtype

Certificate type. One of: CA, CRL, Local, Remote.

msg

"A certificate is loaded."

41985
Message ID: 041985
Message Description: Certificate Removal
Type (type): event
Subtype (subtype): vpn
Level/Severity: information
Log field

Meaning

type

event

subtype

vpn

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

"info"

user

User name.

ui

The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting.
For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address
is 10.10.20.5). The field then shows their point-of-entry as GUI(10.10.20.5).

certtype

Certificate type. One of: CA, CRL, Local, Remote.

msg

"A certificate is removed."

41986
Message ID: 041986
Message Description: Certificate Regenerated
Type (type): event
Subtype (subtype): vpn
Level/Severity: information
Log field

Meaning

type

event

subtype

vpn

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

"info"

status

"success"

user

User name.

ui

The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting.
For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address
is 10.10.20.5). The field then shows their point-of-entry as GUI(10.10.20.5).

certtype

Certificate type. One of: CA, CRL, Local, Remote.

msg

"A certificate is regenerated."

41987
Message ID: 041987
Message Description: Certificate Updated
Type (type): event
Subtype (subtype): vpn
Level/Severity: information
Log field

Meaning

type

event

subtype

vpn

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

"info"

status

"success"

name

Certificate name.

method

The method information.

certtype

Certificate type. One of: CA, CRL, Local, Remote.

msg

"A certificate is updated."

41988
Message ID: 041988
Message Description: SSL Setting Updated
Type (type): event
Subtype (subtype): vpn
Level/Severity: information
Log field

Meaning

type

event

subtype

vpn

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

"info"

user

User name.

ui

The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting.
For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address
is 10.10.20.5). The field then shows their point-of-entry as GUI(10.10.20.5).

msg

"User changed SSL setting."

41989
Message ID: 041989
Message Description: Certificate Error
Type (type): event
Subtype (subtype): vpn
Level/Severity: information
Log field

Meaning

type

event

subtype

vpn

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

"info"

user

User name.

ui

The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting.
For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address
is 10.10.20.5). The field then shows their point-of-entry as GUI(10.10.20.5).

certtype

Certificate type. One of: CA, CRL, Local, Remote.

msg

"Certificate is invalid."

43008
Message ID: 043008
Message Description: Authentication succeeded
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field

Meaning

type

event

subtype

user

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip

The source IP.

dstip

The destination IP.

policyid

The ID number of the firewall policy that applies to the session or packet.

user

User name.

group

The group name.

ui

The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting.
For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address
is 10.10.20.5). The field then shows their point-of-entry as GUI(10.10.20.5).

action

Action. One of the following: authentication, FSSO-auth, FSSO-logon, FSSO-logoff, NTLM-auth.

status

Authentication status. One of: success, failure, timed_out, locked_out.

reason

Reason.

msg

Message.

43009
Message ID: 043009
Message Description: Authentication failed
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field

Meaning

type

event

subtype

user

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip

The source IP.

dstip

The destination IP.

policyid

The ID number of the firewall policy that applies to the session or packet.

user

User name.

group

The group name.

ui

The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting.
For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address
is 10.10.20.5). The field then shows their point-of-entry as GUI(10.10.20.5).

action

Action. One of the following: authentication, FSSO-auth, FSSO-logon, FSSO-logoff, NTLM-auth.

status

Authentication status. One of: success, failure, timed_out, locked_out.

reason

Reason.

msg

Message.

43010
Message ID: 043010
Message Description: Authentication locked out
Type (type): event
Subtype (subtype): user
Level/Severity: warning
Log field

Meaning

type

event

subtype

user

level

warning

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip

The source IP.

dstip

The destination IP.

policyid

The ID number of the firewall policy that applies to the session or packet.

user

User name.

group

The group name.

ui

The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting.
For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address
is 10.10.20.5). The field then shows their point-of-entry as GUI(10.10.20.5).

action

Action. One of the following: authentication, FSSO-auth, FSSO-logon, FSSO-logoff, NTLM-auth.

status

Authentication status. One of: success, failure, timed_out, locked_out.

reason

Reason.

msg

Message.

43011
Message ID: 043011
Message Description: Authentication timed out
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field

Meaning

type

event

subtype

user

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip

The source IP.

dstip

The destination IP.

policyid

The ID number of the firewall policy that applies to the session or packet.

user

User name.

group

The group name.

ui

The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting.
For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address
is 10.10.20.5). The field then shows their point-of-entry as GUI(10.10.20.5).

action

Action. One of the following: authentication, FSSO-auth, FSSO-logon, FSSO-logoff, NTLM-auth.

status

Authentication status. One of: success, failure, timed_out, locked_out.

reason

Reason.

msg

Message.
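
Detection logic over the user authentication events documented above (043008 to 043011), added here as an example and not taken from the Fortinet reference. It assumes a space-separated key=value line layout with optionally quoted values and date=YYYY-MM-DD / time=HH:MM:SS formats; the sample lines, addresses, user names, threshold and window are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line layout: space-separated key=value pairs, values bare or "quoted".
PAIR_RE = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S*))')
FAILED = {"failure", "timed_out"}  # status values counted as a failed attempt

# Constructed sample lines (not captured from a device).
SAMPLE_LOG = '''\
date=2015-03-13 time=09:00:01 type=event subtype=user level=notice vd="root" srcip=192.0.2.10 user="alice" action=authentication status=failure reason="bad password"
date=2015-03-13 time=09:00:20 type=event subtype=user level=notice vd="root" srcip=192.0.2.10 user="alice" action=authentication status=failure reason="bad password"
date=2015-03-13 time=09:00:41 type=event subtype=user level=notice vd="root" srcip=192.0.2.10 user="alice" action=authentication status=timed_out
date=2015-03-13 time=09:01:05 type=event subtype=user level=notice vd="root" srcip=192.0.2.10 user="alice" action=authentication status=success
date=2015-03-13 time=09:02:00 type=event subtype=user level=notice vd="root" srcip=192.0.2.77 user="bob" action=authentication status=failure
date=2015-03-13 time=09:30:00 type=event subtype=user level=warning vd="root" srcip=192.0.2.99 user="carol" action=authentication status=locked_out
date=2015-03-13 time=09:31:00 type=event subtype=vpn level=information vd="root" action="info" msg="A certificate is loaded."
'''


def parse_line(line):
    """Return the key=value pairs of one log line as a dict of strings."""
    rec = {}
    for key, quoted, bare in PAIR_RE.findall(line):
        rec[key] = quoted if quoted else bare
    return rec


def detect(lines, threshold=3, window=timedelta(minutes=5)):
    """Flag lockouts, bursts of failed logins per source IP, and a success
    that directly follows such a burst (possible successful guessing)."""
    findings = []
    recent = defaultdict(deque)  # srcip -> timestamps of recent failed attempts
    for line in lines:
        rec = parse_line(line)
        # Only the event/user records carry the authentication status field.
        if rec.get("type") != "event" or rec.get("subtype") != "user":
            continue
        try:
            ts = datetime.strptime(f'{rec["date"]} {rec["time"]}',
                                   "%Y-%m-%d %H:%M:%S")
        except (KeyError, ValueError):
            continue  # malformed or truncated line
        src = rec.get("srcip", "?")
        user = rec.get("user", "?")
        status = rec.get("status")
        fails = recent[src]
        # Drop failed attempts that fell out of the sliding window.
        while fails and ts - fails[0] > window:
            fails.popleft()
        if status in FAILED:
            fails.append(ts)
            if len(fails) == threshold:  # report once, when the burst is reached
                findings.append(("failure-burst", src, user))
        elif status == "locked_out":
            findings.append(("lockout", src, user))
        elif status == "success":
            if len(fails) >= threshold:
                findings.append(("success-after-burst", src, user))
            fails.clear()
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG.splitlines()):
        print(finding)
```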

43012
Message ID: 043012
Message Description: FSSO authentication succeeded
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field

Meaning

type

event

subtype

user

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip

The source IP.

dstip

The destination IP.

proto

The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next
level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).

policyid

The ID number of the firewall policy that applies to the session or packet.

user

User name.

adgroup

The name of the AD group.

ui

The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting.
For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address
is 10.10.20.5). The field then shows their point-of-entry as GUI(10.10.20.5).

action

Action. One of the following: authentication, FSSO-auth, FSSO-logon, FSSO-logoff, NTLM-auth.

status

Authentication status. One of: success, failure, timed_out, locked_out.

reason

Reason.

msg

Message.

43013
Message ID: 043013
Message Description: FSSO authentication failed
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field

Meaning

type

event

subtype

user

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip

The source IP.

dstip

The destination IP.

proto

The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next
level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).

policyid

The ID number of the firewall policy that applies to the session or packet.

user

User name.

adgroup

The name of the AD group.

ui

The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting.
For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address
is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).

action

Action. One of the following: authentication, FSSO-auth, FSSO-logon, FSSO-logoff, NTLM-auth.

status

Authentication status. One of: success, failure, timed_out, locked_out.

reason

Reason.

msg

Message.

43014
Message ID: 043014
Message Description: FSSO log on
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field

Meaning

type

event

subtype

user

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip

The source IP.

user

User name.

server

The name or IP address of the server.

action

Action. One of the following: authentication, FSSO-auth, FSSO-logon, FSSO-logoff, NTLM-auth.

msg

Message.

43015
Message ID: 043015
Message Description: FSSO log off
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field

Meaning

type

event

subtype

user

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip

The source IP.

user

User name.

server

The name or IP address of the server.

action

Action. One of the following: authentication, FSSO-auth, FSSO-logon, FSSO-logoff, NTLM-auth.

msg

Message.

43016
Message ID: 043016
Message Description: NTLM authentication succeeded
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field

Meaning

type

event

subtype

user

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip

The source IP.

dstip

The destination IP.

policyid

The ID number of the firewall policy that applies to the session or packet.

user

User name.

adgroup

The name of the AD group.

group

The group name.

ui

The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting.
For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address
is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).

action

Action. One of the following: authentication, FSSO-auth, FSSO-logon, FSSO-logoff, NTLM-auth.

status

Authentication status. One of: success, failure, timed_out, locked_out.

reason

Reason.

msg

Message.

43017
Message ID: 043017
Message Description: NTLM authentication failed
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field

Meaning

type

event

subtype

user

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip

The source IP.

dstip

The destination IP.

policyid

The ID number of the firewall policy that applies to the session or packet.

user

User name.

adgroup

The name of the AD group.

group

The group name.

ui

The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting.
For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address
is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).

action

Action. One of the following: authentication, FSSO-auth, FSSO-logon, FSSO-logoff, NTLM-auth.

status

Authentication status. One of: success, failure, timed_out, locked_out.

reason

Reason.

msg

Message.

43018
Message ID: 043018
Message Description: FortiGuard override failed
Type (type): event
Subtype (subtype): user
Level/Severity: warning
Log field

Meaning

type

event

subtype

user

level

warning

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip

The source IP.

dstip

The destination IP.

initiator

The initiator name.

status

Authentication status. One of: success, failure, timed_out, locked_out.

reason

Reason.

msg

Message.

43019
Message ID: 043019
Message Description: FortiGuard override failed
Type (type): event
Subtype (subtype): user
Level/Severity: warning
Log field

Meaning

type

event

subtype

user

level

warning

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip

The source IP.

dstip

The destination IP.

initiator

The initiator name.

status

Authentication status. One of: success, failure, timed_out, locked_out.

reason

Reason.

msg

Message.

43020
Message ID: 043020
Message Description: FortiGuard override succeeded
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field

Meaning

type

event

subtype

user

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip

The source IP.

dstip

The destination IP.

initiator

The initiator name.

status

Authentication status. One of: success, failure, timed_out, locked_out.

reason

Reason.

scope

Scope information. One of: user, user_group, ip, profile, unhandled.

scopedata

Scope data.

ruletype

Rule type. One of: Directory, domain, rating, unhandled.

ruledata

Rule data.

offsite

Offsite allowed, either yes or no.

expiry

Expiry information.

oldwprof

Old Webfilter profile name.

newwprof

New Webfilter profile name.

msg

Message.

43021
Message ID: 043021
Message Description: Endpoint checking event
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field

Meaning

type

event

subtype

user

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

dstip

The destination IP.

ui

The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting.
For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address
is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).

msg

Message.

43022
Message ID: 043022
Message Description: Endpoint license distribution
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field

Meaning

type

event

subtype

user

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

dstip

The destination IP.

ui

The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting.
For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address
is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).

msg

Message.

43023
Message ID: 043023
Message Description: Endpoint detection
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field

Meaning

type

event

subtype

user

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

dstip

The destination IP.

ui

The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting.
For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address
is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).

msg

Message.

43024
Message ID: 043024
Message Description: Endpoint detection
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field

Meaning

type

event

subtype

user

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

dstip

The destination IP.

ui

The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting.
For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address
is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).

msg

Message.

43025
Message ID: 043025
Message Description: Authentication succeeded
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field

Meaning

type

event

subtype

user

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip

The source IP.

dstip

The destination IP.

policyid

The ID number of the firewall policy that applies to the session or packet.

user

User name.

group

The group name.

ui

The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting.
For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address
is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).

action

Action. One of the following: authentication, FSSO-auth, FSSO-logon, FSSO-logoff, NTLM-auth.

status

Authentication status. One of: success, failure, timed_out, locked_out.

reason

Reason.

msg

Message.

43026
Message ID: 043026
Message Description: Authentication failed
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field

Meaning

type

event

subtype

user

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip

The source IP.

dstip

The destination IP.

policyid

The ID number of the firewall policy that applies to the session or packet.

user

User name.

group

The group name.

ui

The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting.
For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address
is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).

action

Action. One of the following: authentication, FSSO-auth, FSSO-logon, FSSO-logoff, NTLM-auth.

status

Authentication status. One of: success, failure, timed_out, locked_out.

reason

Reason.

msg

Message.

43027
Message ID: 043027
Message Description: Authentication timed out
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field

Meaning

type

event

subtype

user

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip

The source IP.

dstip

The destination IP.

policyid

The ID number of the firewall policy that applies to the session or packet.

user

User name.

group

The group name.

ui

The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting.
For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address
is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).

action

Action. One of the following: authentication, FSSO-auth, FSSO-logon, FSSO-logoff, NTLM-auth.

status

Authentication status. One of: success, failure, timed_out, locked_out.

reason

Reason.

msg

Message.

43028
Message ID: 043028
Message Description: Authentication failed
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field

Meaning

type

event

subtype

user

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip

The source IP.

dstip

The destination IP.

policyid

The ID number of the firewall policy that applies to the session or packet.

user

User name.

group

The group name.

ui

The location of the point-of-entry the user used to access the FortiGate unit so that they could change, add, or remove a setting.
For example, the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address
is 10.10.20.5). This field shows their point-of-entry, GUI(10.10.20.5).

action

Action. One of the following: authentication, FSSO-auth, FSSO-logon, FSSO-logoff, NTLM-auth.

status

Authentication status. One of: success, failure, timed_out, locked_out.

reason

Reason.

msg

Message.

43029
Message ID: 043029
Message Description: FortiGuard override succeeded
Type (type): event
Subtype (subtype): user
Level/Severity: notice
Log field

Meaning

type

event

subtype

user

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip

The source IP.

dstip

The destination IP.

initiator

The initiator name.

status

Authentication status. One of: success, failure, timed_out, locked_out.

reason

Reason.

scope

Scope information. One of: user, user_group, ip, profile, unhandled.

scopedata

Scope data.

ruletype

Rule type. One of: Directory, domain, rating, unhandled.

ruledata

Rule data.

offsite

Offsite allowed, either yes or no.

expiry

Expiry information.

oldwprof

Old Webfilter profile name.

newwprof

New Webfilter profile name.

msg

Message.

43030
Message ID: 043030
Message Description: FortiGuard override failed
Type (type): event
Subtype (subtype): user
Level/Severity: warning
Log field

Meaning

type

event

subtype

user

level

warning

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip

The source IP.

dstip

The destination IP.

initiator

The initiator name.

status

Authentication status. One of: success, failure, timed_out, locked_out.

reason

Reason.

msg

Message.

43264
Message ID: 043264
Message Description: MMS Statistics
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field

Meaning

type

event

subtype

system

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

proto

MMS protocol: MM1, MM3, MM4, or MM7.

infected

Number of infected messages.

suspicious

Number of suspicious messages.

scanned

Number of scanned messages.

intercepted

Number of intercepted messages.

blocked

Number of blocked messages.

checksum

Number of content checksum blocked messages.

duration

Time value in seconds.

43520
Message ID: 043520
Message Description: wireless system activity
Type (type): event
Subtype (subtype): wireless
Level/Severity: notice
Log field

Meaning

type

event

subtype

wireless

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

The action that was taken by the system.

msg

Message.

43521
Message ID: 043521
Message Description: wireless rogue AP activity
Type (type): event
Subtype (subtype): wireless
Level/Severity: notice
Log field

Meaning

type

event

subtype

wireless

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

onwire

Will display NO or 0.

ssid

The service set identifier.

bssid

The basic service set identifier.

aptype

AP type.

rate

The data rate number.

radioband

Radio band.

channel

The channel number.

action

The action that was taken by the system.

manuf

Manufacturer.

securitymode

Security mode.

rssi

RSSI.

Noise

Noise.

live

Live.

age

Age.

detectionmethod

Method of detection: N/A, sta, mac adjacency, sta and mac adjacency.

stamac

Station MAC.

apscan

WTP that scanned the station.

sndetected

Serial number of physical AP which detected the rogue AP.

radioiddetected

ID of the radio on physical AP which detected the rogue AP.

stacount

STA count.

snclosest

Serial number of physical AP which is closest to the rogue AP.

radioiddetected

ID of the radio on physical AP which is closest to the rogue AP.

msg

Message.

43522
Message ID: 043522
Message Description: physical AP activity
Type (type): event
Subtype (subtype): wireless
Level/Severity: notice
Log field

Meaning

type

event

subtype

wireless

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

sn

Serial number.

ap

Physical AP name.

approfile

AP profile.

ip

IP address.

meshmode

Mesh mode: non-mesh, mesh ap, mesh root ap, mesh branch/leaf ap.

snmeshparent

Serial number of physical AP which is the mesh parent of this mesh branch/leaf AP.

action

The action that was taken by the system.

reason

Reason.

msg

Message.

43524
Message ID: 043524
Message Description: wireless client activity
Type (type): event
Subtype (subtype): wireless
Level/Severity: notice
Log field

Meaning

type

event

subtype

wireless

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

sn

Serial number.

ap

Physical AP name.

vap

Virtual AP name.

ssid

The service set identifier.

user

User name.

group

The group name.

mac

Client MAC address.

ip

IP address.

channel

The channel number.

radioband

Radio band.

security

Security type: open, wep64, wep128, wpa-psk, wpa-radius, wpa, wpa2, wpa2-auto.

action

The action that was taken by the system.

reason

Reason.

msg

Message.

43525
Message ID: 043525
Message Description: wireless rogue AP activity (on-wire)
Type (type): event
Subtype (subtype): wireless
Level/Severity: warning
Log field

Meaning

type

event

subtype

wireless

level

warning

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

onwire

Will display YES or 1.

ssid

The service set identifier.

bssid

The basic service set identifier.

aptype

AP type.

rate

The data rate number.

onwire

On wire: either yes or no.

radioband

Radio band.

channel

The channel number.

action

The action that was taken by the system.

manuf

Manufacturer.

securitymode

Security mode.

rssi

RSSI.

Noise

Noise.

live

Live.

age

Age.

detectionmethod

Method of detection: N/A, sta, mac adjacency, sta and mac adjacency.

stamac

Station MAC.

apscan

WTP that scanned the station.

sndetected

Serial number of physical AP which detected the rogue AP.

radioiddetected

ID of the radio on physical AP which detected the rogue AP.

stacount

STA count.

snclosest

Serial number of physical AP which is closest to the rogue AP.

radioiddetected

ID of the radio on physical AP which is closest to the rogue AP.

msg

Message.

43526
Message ID: 043526
Message Description: physical AP radio activity
Type (type): event
Subtype (subtype): wireless
Level/Severity: notice
Log field

Meaning

type

event

subtype

wireless

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

sn

Serial number.

ap

Physical AP name.

ip

IP address.

radioid

Radio ID.

configcountry

Config country.

opercountry

Operating country.

cfgtxpower

Config TX power.

opertxpower

Operating TX power.

radioband

Radio band.

action

The action that was taken by the system.

msg

Message.

43527
Message ID: 043527
Message Description: wireless rogue AP status config
Type (type): event
Subtype (subtype): wireless
Level/Severity: notice
Log field

Meaning

type

event

subtype

wireless

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

The action that was taken by the system.

ssid

The service set identifier.

bssid

The basic service set identifier.

apstatus

AP status.

msg

Message.

43528
Message ID: 043528
Message Description: physical AP radio activity
Type (type): event
Subtype (subtype): wireless
Level/Severity: error
Log field

Meaning

type

event

subtype

wireless

level

error

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

sn

Serial number.

ap

Physical AP name.

ip

IP address.

radioid

Radio ID.

configcountry

Config country.

opercountry

Operating country.

cfgtxpower

Config TX power.

opertxpower

Operating TX power.

radioband

Radio band.

action

The action that was taken by the system.

msg

Message.

43529
Message ID: 043529
Message Description: wireless client load balancing
Type (type): event
Subtype (subtype): wireless
Level/Severity: notice
Log field

Meaning

type

event

subtype

wireless

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

sn

Serial number.

ap

Physical AP name.

vap

Virtual AP name.

ssid

The service set identifier.

mac

Client MAC address.

radioband

Radio band.

stacount

STA count.

action

The action that was taken by the system.

reason

Reason.

msg

Message.

43530
Message ID: 043530
Message Description: wl-bridge-detect
Type (type): event
Subtype (subtype): wireless
Level/Severity: notice
Log field

Meaning

type

event

subtype

wireless

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

The action that was taken by the system.

threattype

WIDS threat type.

live

Live.

age

Age.

channel

The channel number.

rssi

RSSI.

frametype

Frame type.

ds

Distribution system directory.

bssid

The basic service set identifier.

seq

Sequence number.

encrypt

Encryption status of the packet.

tamac

Transmitter MAC address. Shows "Receiver" if none.

manuf

Manufacturer.

sndetected

Serial number of physical AP which detected the rogue AP.

radioiddetected

ID of the radio on physical AP which detected the rogue AP.

msg

Message.

43531
Message ID: 043531
Message Description: bc-deauth-detect
Type (type): event
Subtype (subtype): wireless
Level/Severity: notice
Log field

Meaning

type

event

subtype

wireless

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

The action that was taken by the system.

threattype

WIDS threat type.

live

Live.

age

Age.

channel

The channel number.

rssi

RSSI.

frametype

Frame type.

ds

Distribution system directory.

bssid

The basic service set identifier.

seq

Sequence number.

encrypt

Encryption status of the packet.

tamac

Transmitter MAC address. Shows "Receiver" if none.

manuf

Manufacturer.

sndetected

Serial number of physical AP which detected the rogue AP.

radioiddetected

ID of the radio on physical AP which detected the rogue AP.

msg

Message.

43532
Message ID: 043532
Message Description: null-pbresp-detect
Type (type): event
Subtype (subtype): wireless
Level/Severity: notice
Log field

Meaning

type

event

subtype

wireless

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

The action that was taken by the system.

threattype

WIDS threat type.

live

Live.

age

Age.

channel

The channel number.

rssi

RSSI.

frametype

Frame type.

ds

Distribution system directory.

bssid

The basic service set identifier.

seq

Sequence number.

encrypt

Encryption status of the packet.

tamac

Transmitter MAC address. Shows "Receiver" if none.

manuf

Manufacturer.

sndetected

Serial number of physical AP which detected the rogue AP.

radioiddetected

ID of the radio on physical AP which detected the rogue AP.

msg

Message.

43533
Message ID: 043533
Message Description: invalid-OUI-detect
Type (type): event
Subtype (subtype): wireless
Level/Severity: notice
Log field

Meaning

type

event

subtype

wireless

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

The action that was taken by the system.

threattype

WIDS threat type.

live

Live.

age

Age.

channel

The channel number.

rssi

RSSI.

frametype

Frame type.

ds

Distribution system directory.

bssid

The basic service set identifier.

seq

Sequence number.

encrypt

Encryption status of the packet.

tamac

Transmitter MAC address. Shows "Receiver" if none.

manuf

Manufacturer.

sndetected

Serial number of physical AP which detected the rogue AP.

radioiddetected

ID of the radio on physical AP which detected the rogue AP.

invalidmac

The MAC address with invalid OUI.

msg

Message.

43534
Message ID: 043534
Message Description: long-dur-detect
Type (type): event
Subtype (subtype): wireless
Level/Severity: notice
Log field

Meaning

type

event

subtype

wireless

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

The action that was taken by the system.

threattype

WIDS threat type.

live

Live.

age

Age.

channel

The channel number.

rssi

RSSI.

frametype

Frame type.

ds

Distribution system directory.

bssid

The basic service set identifier.

seq

Sequence number.

encrypt

Encryption status of the packet.

tamac

Transmitter MAC address. Shows "Receiver" if none.

manuf

Manufacturer.

sndetected

Serial number of physical AP which detected the rogue AP.

radioiddetected

ID of the radio on physical AP which detected the rogue AP.

dur

Duration of the last threatening packet captured from TA.

msg

Message.

43535
Message ID: 043535
Message Description: weak-wepiv-detect
Type (type): event
Subtype (subtype): wireless
Level/Severity: notice
Log field

Meaning

type

event

subtype

wireless

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

The action that was taken by the system.

threattype

WIDS threat type.

live

Live.

age

Age.

channel

The channel number.

rssi

RSSI.

frametype

Frame type.

ds

Distribution system directory.

bssid

The basic service set identifier.

seq

Sequence number.

encrypt

Encryption status of the packet.

tamac

Transmitter MAC address. Shows "Receiver" if none.

manuf

Manufacturer.

sndetected

Serial number of physical AP which detected the rogue AP.

radioiddetected

ID of the radio on physical AP which detected the rogue AP.

weakwepiv

Weak WEP IV.

msg

Message.

43536
Message ID: 043536
Message Description: wl-bridge-detect
Type (type): event
Subtype (subtype): wireless
Level/Severity: error
Log field

Meaning

type

event

subtype

wireless

level

error

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

The action that was taken by the system.

threattype

WIDS threat type.

live

Live.

age

Age.

channel

The channel number.

rssi

RSSI.

frametype

Frame type.

ds

Distribution system directory.

bssid

The basic service set identifier.

seq

Sequence number.

encrypt

Encryption status of the packet.

tamac

Transmitter MAC address. Shows "Receiver" if none.

manuf

Manufacturer.

sndetected

Serial number of physical AP which detected the rogue AP.

radioiddetected

ID of the radio on physical AP which detected the rogue AP.

msg

Message.

43537
Message ID: 043537
Message Description: bc-deauth-detect
Type (type): event
Subtype (subtype): wireless
Level/Severity: error
Log field

Meaning

type

event

subtype

wireless

level

error

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

The action that was taken by the system.

threattype

WIDS threat type.

live

Live.

age

Age.

channel

The channel number.

rssi

RSSI.

frametype

Frame type.

ds

Distribution system directory.

bssid

The basic service set identifier.

seq

Sequence number.

encrypt

Encryption status of the packet.

tamac

Transmitter MAC address. Shows "Receiver" if none.

manuf

Manufacturer.

sndetected

Serial number of physical AP which detected the rogue AP.

radioiddetected

ID of the radio on physical AP which detected the rogue AP.

msg

Message.

43538
Message ID: 043538
Message Description: null-pbresp-detect
Type (type): event
Subtype (subtype): wireless
Level/Severity: error
Log field

Meaning

type

event

subtype

wireless

level

error

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

The action that was taken by the system.

threattype

WIDS threat type.

live

Live.

age

Age.

channel

The channel number.

rssi

RSSI.

frametype

Frame type.

ds

Distribution system directory.

bssid

The basic service set identifier.

seq

Sequence number.

encrypt

Encryption status of the packet.

tamac

Transmitter MAC address. Shows "Receiver" if none.

manuf

Manufacturer.

sndetected

Serial number of physical AP which detected the rogue AP.

radioiddetected

ID of the radio on physical AP which detected the rogue AP.

msg

Message.

43539
Message ID: 043539
Message Description: invalid-OUI-detect
Type (type): event
Subtype (subtype): wireless
Level/Severity: error
Log field

Meaning

type

event

subtype

wireless

level

error

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

The action that was taken by the system.

threattype

WIDS threat type.

live

Live.

age

Age.

channel

The channel number.

rssi

RSSI.

frametype

Frame type.

ds

Distribution system directory.

bssid

The basic service set identifier.

seq

Sequence number.

encrypt

Encryption status of the packet.

tamac

Transmitter MAC address. Shows "Receiver" if none.

manuf

Manufacturer.

sndetected

Serial number of physical AP which detected the rogue AP.

radioiddetected

ID of the radio on physical AP which detected the rogue AP.

invalidmac

The MAC address with invalid OUI.

msg

Message.

43540
Message ID: 043540
Message Description: long-dur-detect
Type (type): event
Subtype (subtype): wireless
Level/Severity: error
Log field

Meaning

type

event

subtype

wireless

level

error

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

The action that was taken by the system.

threattype

WIDS threat type.

live

Live.

age

Age.

channel

The channel number.

rssi

RSSI.

frametype

Frame type.

ds

Distribution system directory.

bssid

The basic service set identifier.

seq

Sequence number.

encrypt

Encryption status of the packet.

tamac

Transmitter MAC address. Shows "Receiver" if none.

manuf

Manufacturer.

sndetected

Serial number of physical AP which detected the rogue AP.

radioiddetected

ID of the radio on physical AP which detected the rogue AP.

dur

Duration of the last threatening packet captured from TA.

msg

Message.

43541
Message ID: 043541
Message Description: weak-wepiv-detect
Type (type): event
Subtype (subtype): wireless
Level/Severity: error
Log field

Meaning

type

event

subtype

wireless

level

error

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

The action that was taken by the system.

threattype

WIDS threat type.

live

Live.

age

Age.

channel

The channel number.

rssi

RSSI.

frametype

Frame type.

ds

Distribution system directory.

bssid

The basic service set identifier.

seq

Sequence number.

encrypt

Encryption status of the packet.

tamac

Transmitter MAC address. Shows "Receiver" if none.

manuf

Manufacturer.

sndetected

Serial number of physical AP which detected the rogue AP.

radioiddetected

ID of the radio on physical AP which detected the rogue AP.

weakwepiv

Weak WEP IV.

msg

Message.

43542
Message ID: 043542
Message Description: eapol-packet-flood
Type (type): event
Subtype (subtype): wireless
Level/Severity: notice
Log field

Meaning

type

event

subtype

wireless

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

The action that was taken by the system.

threattype

WIDS threat type.

live

Live.

tamac

Transmitter MAC address. Shows "Receiver" if none.

manuf

Manufacturer.

sndetected

Serial number of physical AP which detected the rogue AP.

radioiddetected

ID of the radio on physical AP which detected the rogue AP.

eapoltype

EAPOL packet type: eapol-start, eapol-logoff, eapol-succ, eapol-fail, eapol-pre-succ, eapol-pre-fail.

eapolcnt

EAPOL packet count.

msg

Message.

43543
Message ID: 043543
Message Description: eapol-packet-flood
Type (type): event
Subtype (subtype): wireless
Level/Severity: notice
Log field

Meaning

type

event

subtype

wireless

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

The action that was taken by the system.

threattype

WIDS threat type.

live

Live.

tamac

Transmitter MAC address. Shows "Receiver" if none.

manuf

Manufacturer.

sndetected

Serial number of physical AP which detected the rogue AP.

radioiddetected

ID of the radio on physical AP which detected the rogue AP.

eapoltype

EAPOL packet type: eapol-start, eapol-logoff, eapol-succ, eapol-fail, eapol-pre-succ, eapol-pre-fail.

eapolcnt

EAPOL packet count.

msg

Message.

43544
Message ID: 043544
Message Description: mgmt-flood-detect
Type (type): event
Subtype (subtype): wireless
Level/Severity: notice
Log field

Meaning

type

event

subtype

wireless

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

The action that was taken by the system.

threattype

WIDS threat type.

live

Live.

age

Age.

channel

The channel number.

rssi

RSSI.

frametype

Frame type.

ds

Distribution system directory.

bssid

The basic service set identifier.

tamac

Transmitter MAC address. Shows "Receiver" if none.

manuf

Manufacturer.

sndetected

Serial number of physical AP which detected the rogue AP.

radioiddetected

ID of the radio on physical AP which detected the rogue AP.

mgmtcnt

The count of unauthorized client flooding mgmt frames.

msg

Message.

43545
Message ID: 043545
Message Description: mgmt-flood-detect
Type (type): event
Subtype (subtype): wireless
Level/Severity: error
Log field

Meaning

type

event

subtype

wireless

level

error

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

The action that was taken by the system.

threattype

WIDS threat type.

live

Live.

age

Age.

channel

The channel number.

rssi

RSSI.

frametype

Frame type.

ds

Distribution system directory.

bssid

The basic service set identifier.

tamac

Transmitter MAC address. Shows "Receiver" if none.

manuf

Manufacturer.

sndetected

Serial number of physical AP which detected the rogue AP.

radioiddetected

ID of the radio on physical AP which detected the rogue AP.

mgmtcnt

The count of unauthorized client flooding mgmt frames.

msg

Message.

43546
Message ID: 043546
Message Description: spoofed-deauth-detect
Type (type): event
Subtype (subtype): wireless
Level/Severity: notice
Log field

Meaning

type

event

subtype

wireless

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

The action that was taken by the system.

threattype

WIDS threat type.

live

Live.

age

Age.

channel

The channel number.

rssi

RSSI.

frametype

Frame type.

ds

Distribution system directory.

bssid

The basic service set identifier.

seq

Sequence number.

encrypt

Encryption status of the packet.

tamac

Transmitter MAC address. Shows "Receiver" if none.

manuf

Manufacturer.

sndetected

Serial number of physical AP which detected the rogue AP.

radioiddetected

ID of the radio on physical AP which detected the rogue AP.

msg

Message.

43548
Message ID: 043548
Message Description: asleep-attack-detect
Type (type): event
Subtype (subtype): wireless
Level/Severity: notice
Log field

Meaning

type

event

subtype

wireless

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

The action that was taken by the system.

threattype

WIDS threat type.

live

Live.

age

Age.

channel

The channel number.

rssi

RSSI.

frametype

Frame type.

ds

Distribution system directory.

bssid

The basic service set identifier.

seq

Sequence number.

encrypt

Encryption status of the packet.

tamac

Transmitter MAC address. Shows "Receiver" if none.

manuf

Manufacturer.

sndetected

Serial number of physical AP which detected the rogue AP.

radioiddetected

ID of the radio on physical AP which detected the rogue AP.

msg

Message.

43549
Message ID: 043549
Message Description: asleep-attack-detect
Type (type): event
Subtype (subtype): wireless
Level/Severity: error
Log field

Meaning

type

event

subtype

wireless

level

error

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

The action that was taken by the system.

threattype

WIDS threat type.

live

Live.

age

Age.

channel

The channel number.

rssi

RSSI.

frametype

Frame type.

ds

Distribution system directory.

bssid

The basic service set identifier.

seq

Sequence number.

encrypt

Encryption status of the packet.

tamac

Transmitter MAC address. Shows "Receiver" if none.

manuf

Manufacturer.

sndetected

Serial number of physical AP which detected the rogue AP.

radioiddetected

ID of the radio on physical AP which detected the rogue AP.

msg

Message.

43776
Message ID: 043776
Message Description: NAC quarantine event log
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field

Meaning

type

event

subtype

system

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

srcip

The source IP.

dstip

The destination IP.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstintf

The destination interface.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

proto

The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).

service

The service where the event or activity occurred.

action

Action. One of: ban-ip, ban-interface, ban-src-dst-ip.

user

User name.

group

The group name.

policyid

The ID number of the firewall policy that applies to the session or packet.

bannedsrc

Banned source: IPS, DOS, SLP, or AV.

bannedrule

Banned rule/reason.

sensor

Sensor.

44288
Message ID: 044288
Message Description: dns response
Type (type): event
Subtype (subtype): router
Level/Severity: information
Log field

Meaning

type

event

subtype

router

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

policyid

The ID number of the firewall policy that applies to the session or packet.

srcip

The source IP.

dstip

The destination IP.

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstintf

The destination interface.

user

User name.

group

The group name.

dnsname

DNS name.

dnsip

DNS IP address(es).

44544
Message ID: 044544
Message Description: config path msg
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field

Meaning

type

event

subtype

system

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

user

User name.

ui

The point of entry the user used to access the FortiGate unit in order to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field shows the point of entry as GUI(10.10.20.5).

action

Action. One of: add, edit, delete, clear, move, rename, clone, abort.

cfgtid

Config transaction ID.

cfgpath

Config path.

msg

Config message.

44545
Message ID: 044545
Message Description: config obj msg
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field

Meaning

type

event

subtype

system

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

user

User name.

ui

The point of entry the user used to access the FortiGate unit in order to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field shows the point of entry as GUI(10.10.20.5).

action

Action. One of: add, edit, delete, clear, move, rename, clone, abort.

cfgtid

Config transaction ID.

cfgpath

Config path.

cfgobj

Config object.

msg

Config message.

44546
Message ID: 044546
Message Description: config attr msg
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field

Meaning

type

event

subtype

system

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

user

User name.

ui

The point of entry the user used to access the FortiGate unit in order to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field shows the point of entry as GUI(10.10.20.5).

action

Action. One of: add, edit, delete, clear, move, rename, clone, abort.

cfgtid

Config transaction ID.

cfgpath

Config path.

cfgattr

Config attributes.

msg

Config message.

44547
Message ID: 044547
Message Description: config obj attr msg
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field

Meaning

type

event

subtype

system

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

user

User name.

ui

The point of entry the user used to access the FortiGate unit in order to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field shows the point of entry as GUI(10.10.20.5).

action

Action. One of: add, edit, delete, clear, move, rename, clone, abort.

cfgtid

Config transaction ID.

cfgpath

Config path.

cfgobj

Config object.

cfgattr

Config attributes.

msg

Config message.

45056
Message ID: 045056
Message Description: forticlient license exceed msg
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field

Meaning

type

event

subtype

system

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

Action. One of: add, close, upgrade.

status

Status. Either success or error.

licenselimit

Maximum FortiClient license number.

reason

Reason.

repeat

Repeat times of the action.

msg

"FortiClient license maximum has been reached."

45057
Message ID: 045057
Message Description: add forticlient connection msg
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field

Meaning

type

event

subtype

system

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

Action. One of: add, close, upgrade.

status

Status. Either success or error.

licenselimit

Maximum FortiClient license number.

licenseused

Current FortiClient connection number.

usedfortype

Connection for the type.

connectiontype

Type of connection. One of: ipsec, sslvpn, nac, wanopt, test.

count

Number of connections affected by the action.

user

User name.

ip

Source IP address.

name

Name of connection.

forticlientid

Unique FortiClient ID.

msg

"Add a FortiClient connection."

45058
Message ID: 045058
Message Description: close forticlient connection msg
Type (type): event
Subtype (subtype): system
Level/Severity: information
Log field

Meaning

type

event

subtype

system

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

Action. One of: add, close, upgrade.

status

Status. Either success or error.

licenselimit

Maximum FortiClient license number.

licenseused

Current FortiClient connection number.

usedfortype

Connection for the type.

connectiontype

Type of connection. One of: ipsec, sslvpn, nac, wanopt, test.

count

Number of connections affected by the action.

user

User name.

ip

Source IP address.

name

Name of connection.

forticlientid

Unique FortiClient ID.

msg

"Close a FortiClient connection."

45059
Message ID: 045059
Message Description: upgrade forticlient license msg
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field

Meaning

type

event

subtype

system

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

Action. One of: add, close, upgrade.

status

Status. Either success or error.

ui

The point of entry the user used to access the FortiGate unit in order to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field shows the point of entry as GUI(10.10.20.5).

user

User name.

licenselimit

Maximum FortiClient license number.

msg

"FortiClient license has been upgraded."

45060
Message ID: 045060
Message Description: upgrade forticlient license failed msg
Type (type): event
Subtype (subtype): system
Level/Severity: error
Log field

Meaning

type

event

subtype

system

level

error

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

Action. One of: add, close, upgrade.

status

Status. Either success or error.

ui

The point of entry the user used to access the FortiGate unit in order to change, add, or remove a setting. For example, if the user admin_123 accesses the web-based manager to change their password on the FortiGate-51B (IP address 10.10.20.5), this field shows the point of entry as GUI(10.10.20.5).

user

User name.

reason

Reason.

msg

"Failed to upgrade FortiClient license."

45100
Message ID: 045100
Message Description: FortiClient registration fail msg
Type (type): event
Subtype (subtype): system
Level/Severity: warning
Log field

Meaning

type

event

subtype

system

level

warning

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

user

User name.

hostname

The hostname information.

ip

HA IP.

forticlientid

Unique FortiClient ID.

interface

Interface information.

msg

"FortiClient registration failed."

45101
Message ID: 045101
Message Description: FortiClient registration succeed msg
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field

Meaning

type

event

subtype

system

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

user

User name.

hostname

The hostname information.

ip

HA IP.

forticlientid

Unique FortiClient ID.

interface

Interface information.

msg

"FortiClient registration succeeded."

45102
Message ID: 045102
Message Description: FortiClient registration renew msg
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field

Meaning

type

event

subtype

system

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

user

User name.

hostname

The hostname information.

ip

HA IP.

forticlientid

Unique FortiClient ID.

interface

Interface information.

msg

"FortiClient registration renewed."

45103
Message ID: 045103
Message Description: FortiClient registration block msg
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field

Meaning

type

event

subtype

system

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

forticlientid

Unique FortiClient ID.

msg

"FortiClient registration blocked."

45104
Message ID: 045104
Message Description: FortiClient registration unblock msg
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field

Meaning

type

event

subtype

system

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

forticlientid

Unique FortiClient ID.

msg

"FortiClient registration unblocked."

45105
Message ID: 045105
Message Description: FortiClient registration de-register msg
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field

Meaning

type

event

subtype

system

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

forticlientid

Unique FortiClient ID.

msg

"FortiClient registration de-registered."

45106
Message ID: 045106
Message Description: FortiClient registration license upgrade msg
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field

Meaning

type

event

subtype

system

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

msg

"FortiClient registration license upgraded."

45107
Message ID: 045107
Message Description: FortiClient configuration distribute msg
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field

Meaning

type

event

subtype

system

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

user

User name.

hostname

The hostname information.

ip

HA IP.

forticlientid

Unique FortiClient ID.

interface

Interface information.

msg

"FortiClient configuration distributed."

45108
Message ID: 045108
Message Description: FortiClient unregister msg
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field

Meaning

type

event

subtype

system

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

user

User name.

hostname

The hostname information.

ip

HA IP.

forticlientid

Unique FortiClient ID.

interface

Interface information.

msg

"FortiClient unregistered."

45109
Message ID: 045109
Message Description: FortiClient logoff msg
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field

Meaning

type

event

subtype

system

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

user

User name.

hostname

The hostname information.

ip

HA IP.

forticlientid

Unique FortiClient ID.

interface

Interface information.

msg

"FortiClient logged off."

45110
Message ID: 045110
Message Description: FortiClient disable SYNC_WITH_FGT msg
Type (type): event
Subtype (subtype): system
Level/Severity: notice
Log field

Meaning

type

event

subtype

system

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

user

User name.

hostname

The hostname information.

ip

HA IP.

forticlientid

Unique FortiClient ID.

interface

Interface information.

msg

"FortiClient SYNC_WITH_FGT disabled."

48009
Message ID: 048009
Message Description: SSL decryption failure
Type (type): event
Subtype (subtype): wad
Level/Severity: error
Log field

Meaning

type

event

subtype

wad

level

error

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

'close'.

sessionid

Session ID.

policyid

The ID number of the firewall policy that applies to the session or packet.

src

The source IP of the traffic.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

dst

The destination IP of the traffic.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

reason

Reason.

msg

'SSL decryption failure'.

48023
Message ID: 048023
Message Description: SSL Alert received
Type (type): event
Subtype (subtype): wad
Level/Severity: error
Log field

Meaning

type

event

subtype

wad

level

error

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

action

'receive'

sessionid

Session ID.

policyid

The ID number of the firewall policy that applies to the session or packet.

src

The source IP of the traffic.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

dst

The destination IP of the traffic.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

alert

Alert information.

desc

Description.

msg

'SSL Alert received'.

Content
32768
Message ID: 032768
Message Description: content http log
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): HTTP
Level/Severity: information
Log field

Meaning

type

utm

subtype

contentlog

eventtype

HTTP

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

clogver

Content log version.

epoch

Epoch.

eventid

Serial number.

cstatus

The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize,
carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept,
im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel,
im_photo_share_stop, im_photo_xfer, voip, error.

infection

Infection type. One of the following: Carrier end point filter, mms flood, mms duplicate, virus, virusrm (virus removed), heuristic,
html script, script filter, banned word, exempt word, oversize, worm, fragmented, ip blacklist, dnsbl, FortiGuard AntiSpam IP
blacklist, helo, emailblacklist, mimeheader, dns, FortiGuard AntiSpam ase block, ipwhitelist, emailwhitelist, fewhitelist,
headerwhitelist, wordwhitelist, dlp, pass, mms content checksum.

virus

The name of the virus detected.

sessionid

Session ID.

user

User name.

group

The group name.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

client

The internal IP address of the FortiGate unit.

server

The name or IP address of the server.

rcvdbyte

The number of received bytes related to the log message.

sentbyte

The number of sent bytes related to the log message.

dlpsensor

DLP sensor name.

method

The method information.

hostname

The hostname information.

url

The URL address.

cat

The category.

catdesc

The category description.

32769
Message ID: 032769
Message Description: content https log
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): HTTPS
Level/Severity: information
Log field

Meaning

type

utm

subtype

contentlog

eventtype

HTTPS

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

clogver

Content log version.

epoch

Epoch.

eventid

Serial number.

cstatus

The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize,
carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept,
im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel,
im_photo_share_stop, im_photo_xfer, voip, error.

infection

Infection type. One of the following: Carrier end point filter, mms flood, mms duplicate, virus, virusrm (virus removed), heuristic,
html script, script filter, banned word, exempt word, oversize, worm, fragmented, ip blacklist, dnsbl, FortiGuard AntiSpam IP
blacklist, helo, emailblacklist, mimeheader, dns, FortiGuard AntiSpam ase block, ipwhitelist, emailwhitelist, fewhitelist,
headerwhitelist, wordwhitelist, dlp, pass, mms content checksum.

virus

The name of the virus detected.

sessionid

Session ID.

user

User name.

group

The group name.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

client

The internal IP address of the FortiGate unit.

server

The name or IP address of the server.

rcvdbyte

The number of received bytes related to the log message.

sentbyte

The number of sent bytes related to the log message.

dlpsensor

DLP sensor name.

method

The method information.

hostname

The hostname information.

url

The URL address.

cat

The category.

catdesc

The category description.

32770
Message ID: 032770
Message Description: content smtp log
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): SMTP
Level/Severity: information
Log field

Meaning

type

utm

subtype

contentlog

eventtype

SMTP

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

clogver

Content log version.

epoch

Epoch.

eventid

Serial number.

cstatus

The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize,
carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept,
im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel,
im_photo_share_stop, im_photo_xfer, voip, error.

infection

Infection type. One of the following: Carrier end point filter, mms flood, mms duplicate, virus, virusrm (virus removed), heuristic,
html script, script filter, banned word, exempt word, oversize, worm, fragmented, ip blacklist, dnsbl, FortiGuard AntiSpam IP
blacklist, helo, emailblacklist, mimeheader, dns, FortiGuard AntiSpam ase block, ipwhitelist, emailwhitelist, fewhitelist,
headerwhitelist, wordwhitelist, dlp, pass, mms content checksum.

virus

The name of the virus detected.

sessionid

Session ID.

user

User name.

group

The group name.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

client

The internal IP address of the FortiGate unit.

server

The name or IP address of the server.

rcvdbyte

The number of received bytes related to the log message.

sentbyte

The number of sent bytes related to the log message.

dlpsensor

DLP sensor name.

to

Destination identifier.

from

Source identifier.

subject

Subject.

attachment

Email attachment.

32771
Message ID: 032771
Message Description: content smtps log
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): SMTPS
Level/Severity: information
Log field

Meaning

type

utm

subtype

contentlog

eventtype

SMTPS

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

clogver

Content log version.

epoch

Epoch.

eventid

Serial number.

cstatus

The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize,
carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept,
im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel,
im_photo_share_stop, im_photo_xfer, voip, error.

infection

Infection type. One of the following: Carrier end point filter, mms flood, mms duplicate, virus, virusrm (virus removed), heuristic,
html script, script filter, banned word, exempt word, oversize, worm, fragmented, ip blacklist, dnsbl, FortiGuard AntiSpam IP
blacklist, helo, emailblacklist, mimeheader, dns, FortiGuard AntiSpam ase block, ipwhitelist, emailwhitelist, fewhitelist,
headerwhitelist, wordwhitelist, dlp, pass, mms content checksum.

virus

The name of the virus detected.

sessionid

Session ID.

user

User name.

group

The group name.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

client

The internal IP address of the FortiGate unit.

server

The name or IP address of the server.

rcvdbyte

The number of received bytes related to the log message.

sentbyte

The number of sent bytes related to the log message.

dlpsensor

DLP sensor name.

to

Destination identifier.

from

Source identifier.

subject

Subject.

attachment

Email attachment.

32772
Message ID: 032772
Message Description: content pop3 log
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): POP3
Level/Severity: information
Log field

Meaning

type

utm

subtype

contentlog

eventtype

POP3

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

clogver

Content log version.

epoch

Epoch.

eventid

Serial number.

cstatus

The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize,
carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept,
im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel,
im_photo_share_stop, im_photo_xfer, voip, error.

infection

Infection type. One of the following: Carrier end point filter, mms flood, mms duplicate, virus, virusrm (virus removed), heuristic,
html script, script filter, banned word, exempt word, oversize, worm, fragmented, ip blacklist, dnsbl, FortiGuard AntiSpam IP
blacklist, helo, emailblacklist, mimeheader, dns, FortiGuard AntiSpam ase block, ipwhitelist, emailwhitelist, fewhitelist,
headerwhitelist, wordwhitelist, dlp, pass, mms content checksum.

virus

The name of the virus detected.

sessionid

Session ID.

user

User name.

group

The group name.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

client

The internal IP address of the FortiGate unit.

server

The name or IP address of the server.

rcvdbyte

The number of received bytes related to the log message.

sentbyte

The number of sent bytes related to the log message.

dlpsensor

DLP sensor name.

to

Destination identifier.

from

Source identifier.

subject

Subject.

attachment

Email attachment.

32773
Message ID: 032773
Message Description: content pop3s log
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): POP3S
Level/Severity: information
Log field

Meaning

type

utm

subtype

contentlog

eventtype

POP3S

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

clogver

Content log version.

epoch

Epoch.

eventid

Serial number.

cstatus

The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize,
carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept,
im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel,
im_photo_share_stop, im_photo_xfer, voip, error.

infection

Infection type. One of the following: Carrier end point filter, mms flood, mms duplicate, virus, virusrm (virus removed), heuristic,
html script, script filter, banned word, exempt word, oversize, worm, fragmented, ip blacklist, dnsbl, FortiGuard AntiSpam IP
blacklist, helo, emailblacklist, mimeheader, dns, FortiGuard AntiSpam ase block, ipwhitelist, emailwhitelist, fewhitelist,
headerwhitelist, wordwhitelist, dlp, pass, mms content checksum.

virus

The name of the virus detected.

sessionid

Session ID.

user

User name.

group

The group name.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

client

The internal IP address of the FortiGate unit.

server

The name or IP address of the server.

rcvdbyte

The number of received bytes related to the log message.

sentbyte

The number of sent bytes related to the log message.

dlpsensor

DLP sensor name.

to

Destination identifier.

from

Source identifier.

subject

Subject.

attachment

Email attachment.

32774
Message ID: 032774
Message Description: content imap log
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): IMAP
Level/Severity: information
Log field

Meaning

type

utm

subtype

contentlog

eventtype

IMAP

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

clogver

Content log version.

epoch

Epoch.

eventid

Serial number.

cstatus

The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize,
carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept,
im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel,
im_photo_share_stop, im_photo_xfer, voip, error.

infection

Infection type. One of the following: Carrier end point filter, mms flood, mms duplicate, virus, virusrm (virus removed), heuristic,
html script, script filter, banned word, exempt word, oversize, worm, fragmented, ip blacklist, dnsbl, FortiGuard AntiSpam IP
blacklist, helo, emailblacklist, mimeheader, dns, FortiGuard AntiSpam ase block, ipwhitelist, emailwhitelist, fewhitelist,
headerwhitelist, wordwhitelist, dlp, pass, mms content checksum.

virus

The name of the virus detected.

sessionid

Session ID.

user

User name.

group

The group name.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

client

The internal IP address of the FortiGate unit.

server

The name or IP address of the server.

rcvdbyte

The number of received bytes related to the log message.

sentbyte

The number of sent bytes related to the log message.

dlpsensor

DLP sensor name.

to

Destination identifier.

from

Source identifier.

subject

Subject.

attachment

Email attachment.

32775
Message ID: 032775
Message Description: content imaps log
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): IMAPS
Level/Severity: information
Log field

Meaning

type

utm

subtype

contentlog

eventtype

IMAPS

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

clogver

Content log version.

epoch

Epoch.

eventid

Serial number.

cstatus

The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize,
carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept,
im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel,
im_photo_share_stop, im_photo_xfer, voip, error.

infection

Infection type. One of the following: Carrier end point filter, mms flood, mms duplicate, virus, virusrm (virus removed), heuristic,
html script, script filter, banned word, exempt word, oversize, worm, fragmented, ip blacklist, dnsbl, FortiGuard AntiSpam IP
blacklist, helo, emailblacklist, mimeheader, dns, FortiGuard AntiSpam ase block, ipwhitelist, emailwhitelist, fewhitelist,
headerwhitelist, wordwhitelist, dlp, pass, mms content checksum.

virus

The name of the virus detected.

sessionid

Session ID.

user

User name.

group

The group name.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

client

The internal IP address of the FortiGate unit.

server

The name or IP address of the server.

rcvdbyte

The number of received bytes related to the log message.

sentbyte

The number of sent bytes related to the log message.

dlpsensor

DLP sensor name.

to

Destination identifier.

from

Source identifier.

subject

Subject.

attachment

Email attachment.

32776
Message ID: 032776
Message Description: content ftp log
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): FTP
Level/Severity: information
Log field

Meaning

type

utm

subtype

contentlog

eventtype

FTP

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

clogver

Content log version.

epoch

Epoch.

eventid

Serial number.

cstatus

The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize,
carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept,
im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel,
im_photo_share_stop, im_photo_xfer, voip, error.

infection

Infection type. One of the following: Carrier end point filter, mms flood, mms duplicate, virus, virusrm (virus removed), heuristic,
html script, script filter, banned word, exempt word, oversize, worm, fragmented, ip blacklist, dnsbl, FortiGuard AntiSpam IP
blacklist, helo, emailblacklist, mimeheader, dns, FortiGuard AntiSpam ase block, ipwhitelist, emailwhitelist, fewhitelist,
headerwhitelist, wordwhitelist, dlp, pass, mms content checksum.

virus

The name of the virus detected.

sessionid

Session ID.

user

User name.

group

The group name.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

client

The internal IP address of the FortiGate unit.

server

The name or IP address of the server.

rcvdbyte

The number of received bytes related to the log message.

sentbyte

The number of sent bytes related to the log message.

dlpsensor

DLP sensor name.

ftpcmd

The related FTP command: NONE, USER, PASS, ACCT, STOR, RETR, QUIT.

file

The name of the file.

32777
Message ID: 032777
Message Description: content nntp log
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): NNTP
Level/Severity: information
Log field

Meaning

type

utm

subtype

contentlog

eventtype

NNTP

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

dlpsensor

DLP sensor name.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

clogver

Content log version.

epoch

Epoch.

eventid

Serial number.

cstatus

The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize,
carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept,
im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel,
im_photo_share_stop, im_photo_xfer, voip, error.

infection

Infection type. One of the following: Carrier end point filter, mms flood, mms duplicate, virus, virusrm (virus removed), heuristic,
html script, script filter, banned word, exempt word, oversize, worm, fragmented, ip blacklist, dnsbl, FortiGuard AntiSpam IP
blacklist, helo, emailblacklist, mimeheader, dns, FortiGuard AntiSpam ase block, ipwhitelist, emailwhitelist, fewhitelist,
headerwhitelist, wordwhitelist, dlp, pass, mms content checksum.

virus

The name of the virus detected.

sessionid

Session ID.

user

User name.

group

The group name.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

client

The internal IP address of the FortiGate unit.

server

The name or IP address of the server.

rcvdbyte

The number of received bytes related to the log message.

sentbyte

The number of sent bytes related to the log message.

32778
Message ID: 032778
Message Description: content mm1 log
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): MM1
Level/Severity: information
Log field

Meaning

type

utm

subtype

contentlog

eventtype

MM1

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

clogver

Content log version.

epoch

Epoch.

eventid

Serial number.

cstatus

The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize,
carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept,
im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel,
im_photo_share_stop, im_photo_xfer, voip, error.

infection

Infection type. One of the following: Carrier end point filter, mms flood, mms duplicate, virus, virusrm (virus removed), heuristic,
html script, script filter, banned word, exempt word, oversize, worm, fragmented, ip blacklist, dnsbl, FortiGuard AntiSpam IP
blacklist, helo, emailblacklist, mimeheader, dns, FortiGuard AntiSpam ase block, ipwhitelist, emailwhitelist, fewhitelist,
headerwhitelist, wordwhitelist, dlp, pass, mms content checksum.

virus

The name of the virus detected.

sessionid

Session ID.

user

User name.

group

The group name.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

client

The internal IP address of the FortiGate unit.

server

The name or IP address of the server.

rcvdbyte

The number of received bytes related to the log message.

sentbyte

The number of sent bytes related to the log message.

to

Destination identifier.

from

Source identifier.

subject

Subject.

direction

Message direction. One of: N/A, TX, or RX.

32779
Message ID: 032779
Message Description: content mm3 log
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): MM3
Level/Severity: information
Log field

Meaning

type

utm

subtype

contentlog

eventtype

MM3

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

clogver

Content log version.

epoch

Epoch.

eventid

Serial number.

cstatus

The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize,
carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept,
im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel,
im_photo_share_stop, im_photo_xfer, voip, error.

infection

Infection type. One of the following: Carrier end point filter, mms flood, mms duplicate, virus, virusrm (virus removed), heuristic,
html script, script filter, banned word, exempt word, oversize, worm, fragmented, ip blacklist, dnsbl, FortiGuard AntiSpam IP
blacklist, helo, emailblacklist, mimeheader, dns, FortiGuard AntiSpam ase block, ipwhitelist, emailwhitelist, fewhitelist,
headerwhitelist, wordwhitelist, dlp, pass, mms content checksum.

virus

The name of the virus detected.

sessionid

Session ID.

user

User name.

group

The group name.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

client

The internal IP address of the FortiGate unit.

server

The name or IP address of the server.

rcvdbyte

The number of received bytes related to the log message.

sentbyte

The number of sent bytes related to the log message.

dlpsensor

DLP sensor name.

to

Destination identifier.

from

Source identifier.

subject

Subject.

32780
Message ID: 032780
Message Description: content mm4 log
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): MM4
Level/Severity: information
Log field

Meaning

type

utm

subtype

contentlog

eventtype

MM4

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

clogver

Content log version.

epoch

Epoch.

eventid

Serial number.

cstatus

The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize,
carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept,
im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel,
im_photo_share_stop, im_photo_xfer, voip, error.

infection

Infection type. One of the following: Carrier end point filter, mms flood, mms duplicate, virus, virusrm (virus removed), heuristic,
html script, script filter, banned word, exempt word, oversize, worm, fragmented, ip blacklist, dnsbl, FortiGuard AntiSpam IP
blacklist, helo, emailblacklist, mimeheader, dns, FortiGuard AntiSpam ase block, ipwhitelist, emailwhitelist, fewhitelist,
headerwhitelist, wordwhitelist, dlp, pass, mms content checksum.

virus

The name of the virus detected.

sessionid

Session ID.

user

User name.

group

The group name.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

client

The internal IP address of the FortiGate unit.

server

The name or IP address of the server.

rcvdbyte

The number of received bytes related to the log message.

sentbyte

The number of sent bytes related to the log message.

dlpsensor

DLP sensor name.

to

Destination identifier.

from

Source identifier.

subject

Subject.

32781
Message ID: 032781
Message Description: content mm7 log
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): MM7
Level/Severity: information
Log field

Meaning

type

utm

subtype

contentlog

eventtype

MM7

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

clogver

Content log version.

epoch

Epoch.

eventid

Serial number.

cstatus

The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize,
carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept,
im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel,
im_photo_share_stop, im_photo_xfer, voip, error.

infection

Infection type. One of the following: Carrier end point filter, mms flood, mms duplicate, virus, virusrm (virus removed), heuristic,
html script, script filter, banned word, exempt word, oversize, worm, fragmented, ip blacklist, dnsbl, FortiGuard AntiSpam IP
blacklist, helo, emailblacklist, mimeheader, dns, FortiGuard AntiSpam ase block, ipwhitelist, emailwhitelist, fewhitelist,
headerwhitelist, wordwhitelist, dlp, pass, mms content checksum.

virus

The name of the virus detected.

sessionid

Session ID.

user

User name.

group

The group name.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

client

The internal IP address of the FortiGate unit.

server

The name or IP address of the server.

rcvdbyte

The number of received bytes related to the log message.

sentbyte

The number of sent bytes related to the log message.

to

Destination identifier.

from

Source identifier.

subject

Subject.

32782
Message ID: 032782
Message Description: IM chat summary
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): im-all
Level/Severity: information
Log field

Meaning

type

utm

subtype

contentlog

eventtype

im-all

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

clogver

Content log version.

epoch

Epoch.

eventid

Serial number.

cstatus

The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize,
carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept,
im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel,
im_photo_share_stop, im_photo_xfer, voip, error.

sessionid

Session ID.

user

User name.

group

The group name.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

policyid

The ID number of the firewall policy that applies to the session or packet.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique; it is only locally unique within a given firewall policy.

proto

The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the
next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).

kind

The kind of content traffic. One of the following: Summary, chat, file, photo, photo-xfer, audio, video, oversize, fileblock,
fileexempt, virus, dlp, call-block, call-info, call, register, unregister.

laddr

The local IP address.

raddr

The remote IP address.

local

The local user.

remote

The remote user.

messages

Message number.

startdate

Local start date.

enddate

Local end date.

32783
Message ID: 032783
Message Description: IM chat message
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): im-all
Level/Severity: information
Log field

Meaning

type

utm

subtype

contentlog

eventtype

im-all

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

clogver

Content log version.

epoch

Epoch.

eventid

Serial number.

cstatus

The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize,
carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept,
im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel,
im_photo_share_stop, im_photo_xfer, voip, error.

sessionid

Session ID.

user

User name.

group

The group name.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

policyid

The ID number of the firewall policy that applies to the session or packet.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique; it is only locally unique within a given firewall policy.

proto

The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the
next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).

kind

The kind of content traffic. One of the following: Summary, chat, file, photo, photo-xfer, audio, video, oversize, fileblock,
fileexempt, virus, dlp, call-block, call-info, call, register, unregister.

laddr

The local IP address.

raddr

The remote IP address.

local

The local user.

remote

The remote user.

action

Action taken by the system: permit, block, monitor, kickout, encrypt-kickout, cm-reject, ban, ban-user, log-only.

direction

Direction, either outbound or inbound.

messages

Message number.

content

Traffic content.

32784
Message ID: 032784
Message Description: IM file transfer
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): im-all
Level/Severity: information
Log field

Meaning

type

utm

subtype

contentlog

eventtype

im-all

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

clogver

Content log version.

epoch

Epoch.

eventid

Serial number.

cstatus

The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize,
carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept,
im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel,
im_photo_share_stop, im_photo_xfer, voip, error.

sessionid

Session ID.

user

User name.

group

The group name.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

policyid

The ID number of the firewall policy that applies to the session or packet.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique, it is only locally unique within a given firewall policy.

proto

The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the
next level protocol. Protocol numbers are assigned by the Internet Assigned Number Authority (IANA).

kind

The kind of content traffic. One of the following: Summary, chat, file, photo, photo-xfer, audio, video, oversize, fileblock,
fileexempt, virus, dlp, call-block, call-info, call, register, unregister.

laddr

The local IP address.

raddr

The remote IP address.

local

The local user.

remote

The remote user.

action

Action taken by the system: permit, block, monitor, kickout, encrypt-kickout, cm-reject, ban, ban-user, log-only.

direction

Direction, either outbound or inbound.

status

The status of the traffic.

filename

The name of the file that was transferred.

filesize

File size.

msg

Message.

32785
Message ID: 032785
Message Description: IM photo sharing
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): im-all
Level/Severity: information
Log field

Meaning

type

utm

subtype

contentlog

eventtype

im-all

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

clogver

Content log version.

epoch

Epoch.

eventid

Serial number.

cstatus

The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize,
carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept,
im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel,
im_photo_share_stop, im_photo_xfer, voip, error.

sessionid

Session ID.

user

User name.

group

The group name.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

policyid

The ID number of the firewall policy that applies to the session or packet.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique; it is only locally unique within a given firewall policy.

proto

The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the
next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).

kind

The kind of content traffic. One of the following: Summary, chat, file, photo, photo-xfer, audio, video, oversize, fileblock,
fileexempt, virus, dlp, call-block, call-info, call, register, unregister.

laddr

The local IP address.

raddr

The remote IP address.

local

The local user.

remote

The remote user.

action

Action taken by the system: permit, block, monitor, kickout, encrypt-kickout, cm-reject, ban, ban-user, log-only.

direction

Direction, either outbound or inbound.

status

The status of the traffic.

32786
Message ID: 032786
Message Description: IM photo transfer
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): im-all
Level/Severity: information
Log field

Meaning

type

utm

subtype

contentlog

eventtype

im-all

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

clogver

Content log version.

epoch

Epoch.

eventid

Serial number.

cstatus

The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize,
carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept,
im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel,
im_photo_share_stop, im_photo_xfer, voip, error.

sessionid

Session ID.

user

User name.

group

The group name.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

policyid

The ID number of the firewall policy that applies to the session or packet.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique; it is only locally unique within a given firewall policy.

proto

The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the
next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).

kind

The kind of content traffic. One of the following: Summary, chat, file, photo, photo-xfer, audio, video, oversize, fileblock,
fileexempt, virus, dlp, call-block, call-info, call, register, unregister.

laddr

The local IP address.

raddr

The remote IP address.

local

The local user.

remote

The remote user.

direction

Direction, either outbound or inbound.

connmode

Connection mode.

32787
Message ID: 032787
Message Description: IM voice chat
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): im-all
Level/Severity: information
Log field

Meaning

type

utm

subtype

contentlog

eventtype

im-all

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

clogver

Content log version.

epoch

Epoch.

eventid

Serial number.

cstatus

The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize,
carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept,
im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel,
im_photo_share_stop, im_photo_xfer, voip, error.

sessionid

Session ID.

user

User name.

group

The group name.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

policyid

The ID number of the firewall policy that applies to the session or packet.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique; it is only locally unique within a given firewall policy.

proto

The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the
next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).

kind

The kind of content traffic. One of the following: Summary, chat, file, photo, photo-xfer, audio, video, oversize, fileblock,
fileexempt, virus, dlp, call-block, call-info, call, register, unregister.

laddr

The local IP address.

raddr

The remote IP address.

local

The local user.

remote

The remote user.

action

Action taken by the system: permit, block, monitor, kickout, encrypt-kickout, cm-reject, ban, ban-user, log-only.

direction

Direction, either outbound or inbound.

status

The status of the traffic.

32788
Message ID: 032788
Message Description: IM virus
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): im-all
Level/Severity: information
Log field

Meaning

type

utm

subtype

contentlog

eventtype

im-all

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

clogver

Content log version.

epoch

Epoch.

eventid

Serial number.

cstatus

The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize,
carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept,
im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel,
im_photo_share_stop, im_photo_xfer, voip, error.

sessionid

Session ID.

user

User name.

group

The group name.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

policyid

The ID number of the firewall policy that applies to the session or packet.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique; it is only locally unique within a given firewall policy.

proto

The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the
next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).

kind

The kind of content traffic. One of the following: Summary, chat, file, photo, photo-xfer, audio, video, oversize, fileblock,
fileexempt, virus, dlp, call-block, call-info, call, register, unregister.

laddr

The local IP address.

raddr

The remote IP address.

local

The local user.

remote

The remote user.

action

Action taken by the system: permit, block, monitor, kickout, encrypt-kickout, cm-reject, ban, ban-user, log-only.

direction

Direction, either outbound or inbound.

filename

The name of the file that was transferred.

virus

The name of the virus detected.

heuristic

Heuristic information.

32789
Message ID: 032789
Message Description: IM file oversize
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): im-all
Level/Severity: information
Log field

Meaning

type

utm

subtype

contentlog

eventtype

im-all

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

clogver

Content log version.

epoch

Epoch.

eventid

Serial number.

cstatus

The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize,
carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept,
im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel,
im_photo_share_stop, im_photo_xfer, voip, error.

sessionid

Session ID.

user

User name.

group

The group name.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

policyid

The ID number of the firewall policy that applies to the session or packet.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique; it is only locally unique within a given firewall policy.

proto

The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the
next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).

kind

The kind of content traffic. One of the following: Summary, chat, file, photo, photo-xfer, audio, video, oversize, fileblock,
fileexempt, virus, dlp, call-block, call-info, call, register, unregister.

laddr

The local IP address.

raddr

The remote IP address.

local

The local user.

remote

The remote user.

action

Action taken by the system: permit, block, monitor, kickout, encrypt-kickout, cm-reject, ban, ban-user, log-only.

direction

Direction, either outbound or inbound.

filename

The name of the file that was transferred.

32790
Message ID: 032790
Message Description: IM file block
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): im-all
Level/Severity: information
Log field

Meaning

type

utm

subtype

contentlog

eventtype

im-all

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

clogver

Content log version.

epoch

Epoch.

eventid

Serial number.

cstatus

The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize,
carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept,
im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel,
im_photo_share_stop, im_photo_xfer, voip, error.

sessionid

Session ID.

user

User name.

group

The group name.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

policyid

The ID number of the firewall policy that applies to the session or packet.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique; it is only locally unique within a given firewall policy.

proto

The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the
next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).

kind

The kind of content traffic. One of the following: Summary, chat, file, photo, photo-xfer, audio, video, oversize, fileblock,
fileexempt, virus, dlp, call-block, call-info, call, register, unregister.

laddr

The local IP address.

raddr

The remote IP address.

local

The local user.

remote

The remote user.

action

Action taken by the system: permit, block, monitor, kickout, encrypt-kickout, cm-reject, ban, ban-user, log-only.

direction

Direction, either outbound or inbound.

filename

The name of the file that was transferred.

32791
Message ID: 032791
Message Description: IM file exempt
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): im-all
Level/Severity: information
Log field

Meaning

type

utm

subtype

contentlog

eventtype

im-all

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

clogver

Content log version.

epoch

Epoch.

eventid

Serial number.

cstatus

The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize,
carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept,
im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel,
im_photo_share_stop, im_photo_xfer, voip, error.

sessionid

Session ID.

user

User name.

group

The group name.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

policyid

The ID number of the firewall policy that applies to the session or packet.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique; it is only locally unique within a given firewall policy.

proto

The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the
next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).

kind

The kind of content traffic. One of the following: Summary, chat, file, photo, photo-xfer, audio, video, oversize, fileblock,
fileexempt, virus, dlp, call-block, call-info, call, register, unregister.

laddr

The local IP address.

raddr

The remote IP address.

local

The local user.

remote

The remote user.

action

Action taken by the system: permit, block, monitor, kickout, encrypt-kickout, cm-reject, ban, ban-user, log-only.

direction

Direction, either outbound or inbound.

filename

The name of the file that was transferred.

32792
Message ID: 032792
Message Description: IM DLP (information)
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): im-all
Level/Severity: information
Log field

Meaning

type

utm

subtype

contentlog

eventtype

im-all

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

clogver

Content log version.

epoch

Epoch.

eventid

Serial number.

cstatus

The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize,
carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept,
im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel,
im_photo_share_stop, im_photo_xfer, voip, error.

sessionid

Session ID.

user

User name.

group

The group name.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

policyid

The ID number of the firewall policy that applies to the session or packet.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique; it is only locally unique within a given firewall policy.

proto

The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the
next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).

kind

The kind of content traffic. One of the following: Summary, chat, file, photo, photo-xfer, audio, video, oversize, fileblock,
fileexempt, virus, dlp, call-block, call-info, call, register, unregister.

laddr

The local IP address.

raddr

The remote IP address.

local

The local user.

remote

The remote user.

action

Action taken by the system: permit, block, monitor, kickout, encrypt-kickout, cm-reject, ban, ban-user, log-only.

direction

Direction, either outbound or inbound.

filename

The name of the file that was transferred.

filesize

File size.

32793
Message ID: 032793
Message Description: IM DLP (warning)
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): im-all
Level/Severity: warning
Log field

Meaning

type

utm

subtype

contentlog

eventtype

im-all

level

warning

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

clogver

Content log version.

epoch

Epoch.

eventid

Serial number.

cstatus

The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize,
carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept,
im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel,
im_photo_share_stop, im_photo_xfer, voip, error.

sessionid

Session ID.

user

User name.

group

The group name.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

policyid

The ID number of the firewall policy that applies to the session or packet.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique; it is only locally unique within a given firewall policy.

proto

The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the
next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).

kind

The kind of content traffic. One of the following: Summary, chat, file, photo, photo-xfer, audio, video, oversize, fileblock,
fileexempt, virus, dlp, call-block, call-info, call, register, unregister.

laddr

The local IP address.

raddr

The remote IP address.

local

The local user.

remote

The remote user.

action

Action taken by the system: permit, block, monitor, kickout, encrypt-kickout, cm-reject, ban, ban-user, log-only.

direction

Direction, either outbound or inbound.

filename

The name of the file that was transferred.

filesize

File size.

32794
Message ID: 032794
Message Description: VOIP SIP log
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): VOIP
Level/Severity: information
Log field

Meaning

type

utm

subtype

contentlog

eventtype

VOIP

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

clogver

Content log version.

epoch

Epoch.

eventid

Serial number.

cstatus

The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize,
carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept,
im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel,
im_photo_share_stop, im_photo_xfer, voip, error.

sessionid

Session ID.

user

User name.

group

The group name.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

policyid

The ID number of the firewall policy that applies to the session or packet.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique; it is only locally unique within a given firewall policy.

proto

The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the
next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).

kind

The kind of content traffic. One of the following: Summary, chat, file, photo, photo-xfer, audio, video, oversize, fileblock,
fileexempt, virus, dlp, call-block, call-info, call, register, unregister.

action

Action taken by the system: permit, block, monitor, kickout, encrypt-kickout, cm-reject, ban, ban-user, log-only.

status

The status of the traffic.

srcip

The source IP.

dstip

The destination IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

direction

Direction, either outbound or inbound.

duration

Time value in seconds.

from

Source identifier.

to

Destination identifier.

32795
Message ID: 032795
Message Description: SCCP register
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): VOIP
Level/Severity: information
Log field

Meaning

type

utm

subtype

contentlog

eventtype

VOIP

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

clogver

Content log version.

epoch

Epoch.

eventid

Serial number.

cstatus

The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize,
carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept,
im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel,
im_photo_share_stop, im_photo_xfer, voip, error.

sessionid

Session ID.

user

User name.

group

The group name.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

policyid

The ID number of the firewall policy that applies to the session or packet.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique; it is only locally unique within a given firewall policy.

proto

The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the
next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).

kind

The kind of content traffic. One of the following: Summary, chat, file, photo, photo-xfer, audio, video, oversize, fileblock,
fileexempt, virus, dlp, call-block, call-info, call, register, unregister.

action

Action taken by the system: permit, block, monitor, kickout, encrypt-kickout, cm-reject, ban, ban-user, log-only.

status

The status of the traffic.

phone

The phone information or number.

srcip

The source IP.

from

Source identifier.

to

Destination identifier.

32796
Message ID: 032796
Message Description: SCCP unregister
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): VOIP
Level/Severity: information
Log field

Meaning

type

utm

subtype

contentlog

eventtype

VOIP

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

clogver

Content log version.

epoch

Epoch.

eventid

Serial number.

cstatus

The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize,
carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept,
im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel,
im_photo_share_stop, im_photo_xfer, voip, error.

sessionid

Session ID.

user

User name.

group

The group name.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

policyid

The ID number of the firewall policy that applies to the session or packet.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique; it is only locally unique within a given firewall policy.

proto

The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the
next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).

kind

The kind of content traffic. One of the following: Summary, chat, file, photo, photo-xfer, audio, video, oversize, fileblock,
fileexempt, virus, dlp, call-block, call-info, call, register, unregister.

action

Action taken by the system: permit, block, monitor, kickout, encrypt-kickout, cm-reject, ban, ban-user, log-only.

status

The status of the traffic.

phone

The phone information or number.

srcip

The source IP.

reason

The reason for the blocking. One of the following: meter-overload-drop, meter-overload-refuse, rate-limit, dialog-limit,
long-header, unrecognized-form, unknown, block-request, invalid-ip, or exceed-rate.

32797
Message ID: 032797
Message Description: SCCP call block
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): VOIP
Level/Severity: information
Log field

Meaning

type

utm

subtype

contentlog

eventtype

VOIP

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

clogver

Content log version.

epoch

Epoch.

eventid

Serial number.

cstatus

The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize,
carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept,
im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel,
im_photo_share_stop, im_photo_xfer, voip, error.

sessionid

Session ID.

user

User name.

group

The group name.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

policyid

The ID number of the firewall policy that applies to the session or packet.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique; it is only locally unique within a given firewall policy.

proto

The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the
next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).

kind

The kind of content traffic. One of the following: Summary, chat, file, photo, photo-xfer, audio, video, oversize, fileblock,
fileexempt, virus, dlp, call-block, call-info, call, register, unregister.

action

Action taken by the system: permit, block, monitor, kickout, encrypt-kickout, cm-reject, ban, ban-user, log-only.

status

The status of the traffic.

phone

The phone information or number.

srcip

The source IP.

reason

The reason for the blocking. One of the following: meter-overload-drop, meter-overload-refuse, rate-limit, dialog-limit,
long-header, unrecognized-form, unknown, block-request, invalid-ip, or exceed-rate.

from

Source identifier.

to

Destination identifier.

32798
Message ID: 032798
Message Description: SCCP call information
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): VOIP
Level/Severity: information
Log field

Meaning

type

utm

subtype

contentlog

eventtype

VOIP

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

clogver

Content log version.

epoch

Epoch.

eventid

Serial number.

cstatus

The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize,
carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept,
im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel,
im_photo_share_stop, im_photo_xfer, voip, error.

sessionid

Session ID.

user

User name.

group

The group name.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

policyid

The ID number of the firewall policy that applies to the session or packet.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique; it is only locally unique within a given firewall policy.

proto

The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the
next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).

kind

The kind of content traffic. One of the following: Summary, chat, file, photo, photo-xfer, audio, video, oversize, fileblock,
fileexempt, virus, dlp, call-block, call-info, call, register, unregister.

action

Action taken by the system: permit, block, monitor, kickout, encrypt-kickout, cm-reject, ban, ban-user, log-only.

status

The status of the traffic.

phone

The phone information or number.

srcip

The source IP.

dstip

The destination IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

duration

Time value in seconds.

from

Source identifier.

to

Destination identifier.

32800
Message ID: 032800
Message Description: VOIP SIP fuzzing log
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): VOIP
Level/Severity: information
Log field

Meaning

type

utm

subtype

contentlog

eventtype

VOIP

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

clogver

Content log version.

epoch

Epoch.

eventid

Serial number.

cstatus

The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize,
carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept,
im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel,
im_photo_share_stop, im_photo_xfer, voip, error.

sessionid

Session ID.

user

User name.

group

The group name.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

policyid

The ID number of the firewall policy that applies to the session or packet.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique; it is only locally unique within a given firewall policy.

proto

The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies
the next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).

kind

The kind of content traffic. One of the following: Summary, chat, file, photo, photo-xfer, audio, video, oversize, fileblock,
fileexempt, virus, dlp, call-block, call-info, call, register, unregister.

action

Action taken by the system: permit, block, monitor, kickout, encrypt-kickout, cm-reject, ban, ban-user, log-only.

status

The status of the traffic.

srcip

The source IP.

dstip

The destination IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

direction

Direction, either outbound or inbound.

duration

Time value in seconds.

messagetype

Message type: either request or response.

requestname

Request name.

malformdesc

Malform description, which explains the issue with the VOIP traffic.

malformdata

Malform data.

line

Content line.

column

Content column.

from

Source identifier.

to

Destination identifier.

32801
Message ID: 032801
Message Description: IM video chat
Type (type): utm
Subtype (subtype): contentlog
Event Type (eventtype): im-all
Level/Severity: information
Log field

Meaning

type

utm

subtype

contentlog

eventtype

im-all

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

clogver

Content log version.

epoch

Epoch.

eventid

Serial number.

cstatus

The status of a content log. One of the following: Clean, infected, heuristic, banned_word, blocked, exempt, oversize,
carrier_endpoint_filter, mass_mms, dlp, fragmented, spam, im_summary, im_message, im_file_request, im_file_accept,
im_file_cancel, im_voice, im_video, im_photo_share_request, im_photo_share_accept, im_photo_share_cancel,
im_photo_share_stop, im_photo_xfer, voip, error.

sessionid

Session ID.

user

User name.

group

The group name.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

policyid

The ID number of the firewall policy that applies to the session or packet.

indentidx

The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based
policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally
unique; it is only locally unique within a given firewall policy.

proto

The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the
next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).

kind

The kind of content traffic. One of the following: Summary, chat, file, photo, photo-xfer, audio, video, oversize, fileblock,
fileexempt, virus, dlp, call-block, call-info, call, register, unregister.

laddr

The local IP address.

raddr

The remote IP address.

local

The local user.

remote

The remote user.

action

Action taken by the system: permit, block, monitor, kickout, encrypt-kickout, cm-reject, ban, ban-user, log-only.

direction

Direction, either outbound or inbound.

status

The status of the traffic.

VoIP
44032
Message ID: 044032
Message Description: SIP log
Type (type): utm
Subtype (subtype): voip
Event Type (eventtype): voip
Level/Severity: information
Log field

Meaning

type

utm

subtype

voip

eventtype

voip

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

sessionid

Session ID.

epoch

Epoch.

eventid

Serial number.

srcip

The source IP.

dstip

The destination IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

proto

The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the
next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstintf

The destination interface.

policyid

The ID number of the firewall policy that applies to the session or packet.

user

User name.

group

The group name.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

voipproto

VOIP application protocol. Can be either sip or sccp.

kind

Kind of message: register, unregister, call, call-info, call-block.

action

Action taken by the system: permit, block, monitor, kickout, encrypt-kickout, cm-reject, ban, ban-user, log-only.

status

Status: start, end, timeout, blocked, succeeded, failed, authentication-required.

duration

Time value in seconds.

direction

Direction, either outbound or inbound.

callid

Call ID.

from

Source identifier.

to

Destination identifier.

44033
Message ID: 044033
Message Description: SIP block log
Type (type): utm
Subtype (subtype): voip
Event Type (eventtype): voip
Level/Severity: notice
Log field

Meaning

type

utm

subtype

voip

eventtype

voip

level

notice

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

sessionid

Session ID.

epoch

Epoch.

eventid

Serial number.

srcip

The source IP.

dstip

The destination IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

proto

The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies
the next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstintf

The destination interface.

policyid

The ID number of the firewall policy that applies to the session or packet.

user

User name.

group

The group name.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

voipproto

VOIP application protocol. Can be either sip or sccp.

kind

Kind of message: register, unregister, call, call-info, call-block.

action

Action taken by the system: permit, block, monitor, kickout, encrypt-kickout, cm-reject, ban, ban-user, log-only.

status

Status: start, end, timeout, blocked, succeeded, failed, authentication-required.

reason

Reason: rate-limit, dialog-limit, long-header, unrecognized-form, unknown, block-request, phone, session-close,
new-register, invalid-ip, exceed-rate.

duration

Time value in seconds.

direction

Direction, either outbound or inbound.

messagetype

Message type: either request or response.

requestname

Request name.

callid

Call ID.

count

Number of packets.

from

Source identifier.

to

Destination identifier.

44034
Message ID: 044034
Message Description: SIP fuzzing log
Type (type): utm
Subtype (subtype): voip
Event Type (eventtype): voip
Level/Severity: information
Log field

Meaning

type

utm

subtype

voip

eventtype

voip

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

sessionid

Session ID.

epoch

Epoch.

eventid

Serial number.

srcip

The source IP.

dstip

The destination IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

proto

The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies
the next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstintf

The destination interface.

policyid

The ID number of the firewall policy that applies to the session or packet.

user

User name.

group

The group name.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

voipproto

VOIP application protocol. Can be either sip or sccp.

kind

Kind of message: register, unregister, call, call-info, call-block.

action

Action taken by the system: permit, block, monitor, kickout, encrypt-kickout, cm-reject, ban, ban-user, log-only.

reason

Reason: rate-limit, dialog-limit, long-header, unrecognized-form, unknown, block-request, phone, session-close,
new-register, invalid-ip, exceed-rate.

duration

Time value in seconds.

direction

Direction, either outbound or inbound.

messagetype

Message type: either request or response.

requestname

Request name.

malformdesc

Malform description, which explains the issue with the VOIP traffic.

malformdata

Malform data.

line

Content line.

column

Content column.

44035
Message ID: 044035
Message Description: SCCP register
Type (type): utm
Subtype (subtype): voip
Event Type (eventtype): voip
Level/Severity: information
Log field

Meaning

type

utm

subtype

voip

eventtype

voip

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

sessionid

Session ID.

epoch

Epoch.

eventid

Serial number.

srcip

The source IP.

dstip

The destination IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

proto

The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the
next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstintf

The destination interface.

policyid

The ID number of the firewall policy that applies to the session or packet.

user

User name.

group

The group name.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

voipproto

VOIP application protocol. Can be either sip or sccp.

kind

Kind of message: register, unregister, call, call-info, call-block.

action

Action taken by the system: permit, block, monitor, kickout, encrypt-kickout, cm-reject, ban, ban-user, log-only.

status

Status: start, end, timeout, blocked, succeeded, failed, authentication-required.

phone

The phone information or number.

44036
Message ID: 044036
Message Description: SCCP unregister
Type (type): utm
Subtype (subtype): voip
Event Type (eventtype): voip
Level/Severity: information
Log field

Meaning

type

utm

subtype

voip

eventtype

voip

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

sessionid

Session ID.

epoch

Epoch.

eventid

Serial number.

srcip

The source IP.

dstip

The destination IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

proto

The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the
next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstintf

The destination interface.

policyid

The ID number of the firewall policy that applies to the session or packet.

user

User name.

group

The group name.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

voipproto

VOIP application protocol. Can be either sip or sccp.

kind

Kind of message: register, unregister, call, call-info, call-block.

action

Action taken by the system: permit, block, monitor, kickout, encrypt-kickout, cm-reject, ban, ban-user, log-only.

status

Status: start, end, timeout, blocked, succeeded, failed, authentication-required.

reason

Reason: rate-limit, dialog-limit, long-header, unrecognized-form, unknown, block-request, phone, session-close, new-register,
invalid-ip, exceed-rate.

phone

The phone information or number.

44037
Message ID: 044037
Message Description: SCCP call block
Type (type): utm
Subtype (subtype): voip
Event Type (eventtype): voip
Level/Severity: information
Log field

Meaning

type

utm

subtype

voip

eventtype

voip

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

sessionid

Session ID.

epoch

Epoch.

eventid

Serial number.

srcip

The source IP.

dstip

The destination IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

proto

The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the
next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstintf

The destination interface.

policyid

The ID number of the firewall policy that applies to the session or packet.

user

User name.

group

The group name.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

voipproto

VOIP application protocol. Can be either sip or sccp.

kind

Kind of message: register, unregister, call, call-info, call-block.

action

Action taken by the system: permit, block, monitor, kickout, encrypt-kickout, cm-reject, ban, ban-user, log-only.

status

Status: start, end, timeout, blocked, succeeded, failed, authentication-required.

reason

Reason: rate-limit, dialog-limit, long-header, unrecognized-form, unknown, block-request, phone, session-close, new-register,
invalid-ip, exceed-rate.

phone

The phone information or number.

44038
Message ID: 044038
Message Description: SCCP call info
Type (type): utm
Subtype (subtype): voip
Event Type (eventtype): voip
Level/Severity: information
Log field

Meaning

type

utm

subtype

voip

eventtype

voip

level

information

date

The date at which the log was recorded.

time

The time at which the log was recorded.

vd

The virtual domain in which the logging occurred. If VDOMs are not configured, this will display "root".

sessionid

Session ID.

epoch

Epoch.

eventid

Serial number.

srcip

The source IP.

dstip

The destination IP.

srcport

The source port of the TCP or UDP traffic. The source port appears as zero for other types of traffic.

dstport

The destination port number of the TCP or UDP traffic. The destination port appears as zero for other types of traffic.

proto

The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the
next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).

srcintf

The source interface. For outgoing traffic originating from the firewall, it is unknown.

dstintf

The destination interface.

policyid

The ID number of the firewall policy that applies to the session or packet.

user

User name.

group

The group name.

profile

The name of the profile that was used to detect and take action.

profiletype

The type of profile responsible for the UTM action taken.

voipproto

VOIP application protocol. Can be either sip or sccp.

kind

Kind of message: register, unregister, call, call-info, call-block.

action

Action taken by the system: permit, block, monitor, kickout, encrypt-kickout, cm-reject, ban, ban-user, log-only.

status

Status: start, end, timeout, blocked, succeeded, failed, authentication-required.

duration

Time value in seconds.

phone

The phone information or number.

Addendum: Variable Event Logs


All logs below are in the category: Event.
These log messages were not documented in the previous versions of the 5.0 Log Message
Reference due to their variable structure not fitting the format. They will be documented here
instead. This issue is specific to 5.0, and future versions of the LMR will not require an
addendum.
The Format column lists the log fields present in that log message. [s] represents a string of text
or characters. [n] represents a number or value.
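
The [s]/[n] notation described above can be compiled into a matcher for triaging event lines. The following is an added example, not part of the Fortinet reference: it turns four Format strings from the table below (IDs 20002, 20003, 20007 and 20021) into regular expressions. The function names, the sample log lines, and the assumption that the variable fields end the log line are constructed for illustration.

```python
import re

# Format strings copied from the addendum table (IDs 20002, 20003, 20007, 20021).
FORMATS = {
    20002: ("notice",
            'user=system ui=system action=[s] status=failure '
            'msg="Can\'t resolve the IP address of [s]"'),
    20003: ("notice",
            'user=system ui=system action=alert-email status=failure '
            'count=[n] msg="Failed to send alert email from [s] to ([s])"'),
    20007: ("critical",
            'service=kernel status=failure proto=[n] '
            'src=[n].[n].[n].[n] src_port=[n] nat=[n].[n].[n].[n] '
            'dst=[n].[n].[n].[n] dst_port=[n] msg="NAT port is exhausted."'),
    20021: ("information",
            'user=system ui=system action=alert-email status=success '
            'count=[n] msg="Resending alert e-mail with [n] pending '
            'alert(s) from [s] to ([s])"'),
}

_PLACEHOLDER = re.compile(r"\[(s|n)\]")


def _literal(text):
    """Escape fixed template text; each whitespace run matches any whitespace run."""
    return r"\s+".join(re.escape(tok) for tok in re.split(r"\s+", text))


def compile_format(template):
    """Compile a Format string: [n] becomes digits, [s] becomes lazy free text."""
    parts, pos = [], 0
    for m in _PLACEHOLDER.finditer(template):
        parts.append(_literal(template[pos:m.start()]))
        parts.append(r"(\d+)" if m.group(1) == "n" else r"(.+?)")
        pos = m.end()
    parts.append(_literal(template[pos:]))
    # Assumption: the variable fields are the tail of the log line, so the
    # pattern is anchored at the end and a trailing [s] cannot match short.
    return re.compile("".join(parts) + r"\s*$")


COMPILED = {mid: (sev, compile_format(fmt)) for mid, (sev, fmt) in FORMATS.items()}


def classify(line):
    """Return (message_id, severity, captured_values), or None if no format matches."""
    for mid, (sev, rx) in COMPILED.items():
        m = rx.search(line)
        if m:
            return mid, sev, m.groups()
    return None


# Constructed sample lines (not taken from a real device).
SAMPLE_LINES = [
    'date=2015-03-13 time=10:15:02 type=event subtype=system level=critical '
    'service=kernel status=failure proto=6 src=10.0.0.5 src_port=51514 '
    'nat=203.0.113.7 dst=198.51.100.9 dst_port=443 msg="NAT port is exhausted."',
    'date=2015-03-13 time=10:16:40 type=event subtype=system level=notice '
    'user=system ui=system action=alert-email status=failure count=3 '
    'msg="Failed to send alert email from fw@example.com to (soc@example.com)"',
    'date=2015-03-13 time=10:17:00 type=event subtype=system level=information '
    'msg="radvd started"',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(classify(line))
```

A line that matches none of the loaded formats returns None, so unknown messages can be routed to a review queue instead of being silently mislabelled.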

ID: 20001
Severity: information
Subtype: system
Macro: LOG_ID_CLIENT_DISASSOCIATED
Format: client [s] is disassociated
Description: paed log

ID: 20002
Severity: notice
Subtype: system
Macro: LOG_ID_DOMAIN_UNRESOLVABLE
Format: user=system ui=system action=[s] status=failure msg="Can't resolve the IP address of [s]"
Description: The domain name in alert e-mail's sender is not resolvable

ID: 20003
Severity: notice
Subtype: system
Macro: LOG_ID_MAIL_SENT_FAIL
Format: user=system ui=system action=alert-email status=failure count=[n] msg="Failed to send alert email from [s] to ([s])"
Description: The alert e-mail send failed

ID: 20004
Severity: unknown
Subtype: system
Macro: LOG_ID_POLICY_TOO_BIG
Format: user="[s]" ui=[s] status=failure msg="Policy [n] is too big for system, it's installed partially."
Description: Policy is too big

ID: 20005
Severity: information
Subtype: system
Macro: LOG_ID_PPP_LINK_UP
Format: msg="modem: PPP link is up"
Description: modemd log

ID: 20006
Severity: information
Subtype: system
Macro: LOG_ID_PPP_LINK_DOWN
Format: msg="modem: PPP link is down"
Description: modemd log

ID: 20007
Severity: critical
Subtype: system
Macro: 20007
Format: service=kernel status=failure proto=[n] src=[n].[n].[n].[n] src_port=[n] nat=[n].[n].[n].[n] dst=[n].[n].[n].[n] dst_port=[n] msg="NAT port is exhausted."
Description: Socket is exhausted

ID: 20011
Severity: information
Subtype: system
Macro: LOG_ID_CLIENT_NEW_ASSOCIATION
Format: Accepted association from [s]
Description: paed log

ID: 20012
Severity: information
Subtype: system
Macro: LOG_ID_CLIENT_WPA_1X
Format: Client [s] does 1X
Description: paed log

ID: 20013
Severity: information
Subtype: system
Macro: LOG_ID_CLIENT_WPA_SSN
Format: Client [s] does WPA
Description: paed log

ID: 20014
Severity: warning
Subtype: system
Macro: LOG_ID_TEST
Format: user="admin" action="login" status="success" msg="user admin logged into the fw - [n]"
Description: test

ID: 20015
Severity: information
Subtype: system
Macro: LOG_ID_IEEE802_NEW_STATION
Format: action=authentication status=start msg="Client does 801.1x"
Description: wpad log

ID: 20016
Severity: information
Subtype: system
Macro: LOG_ID_MODEM_EXCEED_REDIAL_COUNT
Format: msg="modem: Redial limit exceeded... giving up"
Description: modemd log

ID: 20017
Severity: information
Subtype: system
Macro: LOG_ID_MODEM_FAIL_TO_OPEN
Format: msg="modem: unable to open modem device check hardware"
Description: modemd log

ID: 20018
Severity: critical
Subtype: system
Macro: LOG_ID_GW_GRP_STATE_CHANGED
Format: interface="[s]" gw_group=[n] status=[s] gw_status=[s] msg="The status of [s] for gateway group [n] is [s]"
Description: Gateway group state is changed

ID: 20019
Severity: critical
Subtype: system
Macro: LOG_ID_ROUTE_INFO_CHANGED
Format: interface="[s]" status=[s] msg="[s]"
Description: Routing information is changed because the gateway is up/down

ID: 20021
Severity: information
Subtype: system
Macro: LOG_ID_MAIL_RESENT
Format: user=system ui=system action=alert-email status=success count=[n] msg="Resending alert e-mail with [n] pending alert(s) from [s] to ([s])"
Description: The alert e-mail resend

ID: 20025
Severity: notice
Subtype: system
Macro: LOG_ID_REPORTD_REPORT_SUCCESS
Format: msg="Report generation succeeded for layout:[s]." file="[s]" filesize=[n] datarange="[s]" reporttype="[s]" processtime=[n]
Description: Reporting Complete

ID: 20026
Severity: error
Subtype: system
Macro: LOG_ID_REPORTD_REPORT_FAILURE
Format: msg="[s]"
Description: Reporting Failure

ID: 20027
Severity: warning
Subtype: system
Macro: LOG_ID_REPORT_DEL_OLD_REC
Format: msg="Delete old report db records" datarange="[s]"
Description: Delete old report db records

ID: 20031
Severity: critical
Subtype: system
Macro: LOG_ID_RAD_OUT_OF_MEM
Format: msg="Interface [s] Out of memory in [s]:[s]:[n]"
Description: ravdv_iface_set_config() finds a pointer pointing to a wrong address

ID: 20032
Severity: critical
Subtype: system
Macro: LOG_ID_RAD_NOT_FOUND
Format: msg="Interface [s] not found in [s]:[s]:[n]"
Description: ravdv_iface_same_config() cannot find the corresponding interface by name

ID: 20033
Severity: information
Subtype: system
Macro: LOG_ID_RAD_MOBILE_IPV6
Format: msg="using Mobile IPv6 extensions"
Description: An interface uses Mobile IPv6 extensions

ID: 20034
Severity: critical
Subtype: system
Macro: LOG_ID_RAD_IPV6_OUT_OF_RANGE
Format: msg="MinRtrAdvInterval for [s] must be between [n] and [n]"
Description: MinRtrAdvInterval using Mobile Ipv6 extension is out of range

ID: 20035
Severity: critical
Subtype: system
Macro: LOG_ID_RAD_MIN_OUT_OF_RANGE
Format: msg="MinRtrAdvInterval must be between [n] and [n] for [s]"
Description: MinRtrAdvInterval is out of range

ID: 20036
Severity: critical
Subtype: system
Macro: LOG_ID_RAD_MAX_OUT_OF_RANGE
Format: msg="MaxRtrAdvInterval for [s] must be between [n] and [n]"
Description: MaxRtrAdvInterval using Mobile Ipv6 extension is out of range

ID: 20037
Severity: critical
Subtype: system
Macro: LOG_ID_RAD_MAX_ADV_OUT_OF_RANGE
Format: msg="MaxRtrAdvInterval must be between [n] and [n] for [s]"
Description: MaxRtrAdvInterval is out of range

ID: 20038
Severity: critical
Subtype: system
Macro: LOG_ID_RAD_MTU_OUT_OF_RANGE
Format: msg="AdvLinkMTU must be zero or between [n] and [n] for [s]"
Description: AdvLinkMTU is out of range

ID: 20039
Severity: critical
Subtype: system
Macro: LOG_ID_RAD_MTU_TOO_SMALL
Format: msg="AdvLinkMTU must be zero or greater than [n] for [s]"
Description: AdvLinkMTU is too small

ID: 20040
Severity: critical
Subtype: system
Macro: LOG_ID_RAD_TIME_TOO_SMALL
Format: msg="AdvReachableTime must be less than [n] for [s]"
Description: AdvReachableTime is too small

ID: 20041
Severity: critical
Subtype: system
Macro: LOG_ID_RAD_HOP_OUT_OF_RANGE
Format: msg="AdvCurHopLimit must not be greater than [n] for [s]"
Description: AdvCurHopLimit in Router Advertisement packet is too big

ID: 20042
Severity: critical
Subtype: system
Macro: LOG_ID_RAD_DFT_HOP_OUT_OF_RANGE
Format: msg="AdvDefaultLifetime for [s] must be zero or between [n] and [n]"
Description: AdvCurHopLimit in Router Advertisement packet is out of range

ID: 20043
Severity: critical
Subtype: system
Macro: LOG_ID_RAD_AGENT_OUT_OF_RANGE
Format: msg="HomeAgentLifetime must be between [n] and [n] for [s]"
Description: HomeAgentLifetime in Router Advertisement packet is out of range

ID: 20044
Severity: critical
Subtype: system
Macro: LOG_ID_RAD_AGENT_FLAG_NOT_SET
Format: msg="AdvHomeAgentFlag must be set with HomeAgentInfo"
Description: AdvHomeAgentFlag HomeAgentLifetime in Router Advertisement packet must be set with HomeAgentInfo

ID: 20045
Severity: critical
Subtype: system
Macro: LOG_ID_RAD_PREFIX_TOO_LONG
Format: msg="invalid prefix length for [s]"
Description: prefix length is too long

ID: 20046
Severity: critical
Subtype: system
Macro: LOG_ID_RAD_PREF_TIME_TOO_SMALL
Format: msg="AdvValidLifetime must be greater than AdvPreferredLifetime for [s]"
Description: AdvValidLifetime is less than AdvPreferredLifetime

ID: 20047
Severity: critical
Subtype: system
Macro: LOG_ID_RAD_FAIL_IPV6_SOCKET
Format: msg="can't create socket(AF_INET6): [s]"
Description: IPv6 router advertisement daemon (radvd) failed to create an IPv6 socket

ID: 20048
Severity: critical
Subtype: system
Macro: LOG_ID_RAD_FAIL_OPT_IPV6_PKTINFO
Format: msg="setsockopt(IPV6_PKTINFO): [s]"
Description: Radvd failed to set IPV6_PKTINFO option

ID: 20049
Severity: critical
Subtype: system
Macro: LOG_ID_RAD_FAIL_OPT_IPV6_CHECKSUM
Format: msg="setsockopt(IPV6_CHECKSUM): [s]"
Description: Radvd failed to set IPV6_CHECKSUM option

ID: 20050
Severity: critical
Subtype: system
Macro: LOG_ID_RAD_FAIL_OPT_IPV6_UNICAST_HOPS
Format: msg="setsockopt(IPV6_UNICAST_HOPS): [s]"
Description: Radvd failed to set IPV6_UNICAST_HOPS option

ID: 20051
Severity: critical
Subtype: system
Macro: LOG_ID_RAD_FAIL_OPT_IPV6_MULTICAST_HOPS
Format: msg="setsockopt(IPV6_MULTICAST_HOPS): [s]"
Description: Radvd failed to set IPV6_MULTICAST_HOPS option

ID: 20052
Severity: critical
Subtype: system
Macro: LOG_ID_RAD_FAIL_OPT_IPV6_HOPLIMIT
Format: msg="setsockopt(IPV6_HOPLIMIT): [s]"
Description: Radvd failed to set IPV6_HOPLIMIT option

ID: 20053
Severity: critical
Subtype: system
Macro: LOG_ID_RAD_FAIL_OPT_IPPROTO_ICMPV6
Format: msg="setsockopt(ICMPV6_FILTER): [s]"
Description: Radvd failed to set ICMPV6_FILTER option

ID: 20054
Severity: information
Subtype: system
Macro: LOG_ID_RAD_EXIT_BY_SIGNAL
Format: msg="radvd receive signal=[n]"
Description: radvd has received a signal, and is going to exit

ID: 20055
Severity: critical
Subtype: system
Macro: LOG_ID_RAD_FAIL_CMDB_QUERY
Format: msg="Can not create query to interface at [s]:[s]:[n]!"
Description: Radvd cannot create query to interface by using cmf_query_create()

ID: 20056
Severity: critical
Subtype: system
Macro: LOG_ID_RAD_FAIL_CMDB_FOR_EACH
Format: msg="Internal error in cmf_query_for_each()!"
Description: Radvd occurs an internal error when it uses cmf_query_for_each()

ID: 20057
Severity: critical
Subtype: system
Macro: LOG_ID_RAD_FAIL_FIND_VIRT_INTF
Format: msg="Interface [s]:[n] not found in the list!"
Description: Radvd failed to find a virtual interface by interface index

ID: 20058
Severity: information
Subtype: system
Macro: LOG_ID_RAD_UNLOAD_INTF
Format: msg="Interface [s]:[n] unloaded!"
Description: Radvd reloads a specific interface

ID: 20059
Severity: warning
Subtype: system
Macro: LOG_ID_RAD_NO_PKT_INFO
Format: msg="received packet with no pkt_info!"
Description: Radvd received a packet with no pkt_info

ID: 20060
Severity: warning
Subtype: system
Macro: LOG_ID_RAD_INV_ICMPV6_LEN
Format: msg="received icmpv6 packet with invalid length: [n]"
Description: Radvd received an icmpv6 packet with invalid length

ID: 20061
Severity: critical
Subtype: system
Macro: LOG_ID_RAD_INV_ICMPV6_TYPE
Format: msg="icmpv6 filter failed"
Description: Radvd received an unwanted type of icmpv6 packet

ID: 20062
Severity: warning
Subtype: system
Macro: LOG_ID_RAD_INV_ICMPV6_RA_LEN
Format: msg="received icmpv6 RA packet with invalid length: [n]"
Description: Radvd received icmpv6 RA packet with invalid length

ID: 20063
Severity: warning
Subtype: system
Macro: LOG_ID_RAD_ICMPV6_NO_SRC_ADDR
Format: msg="received icmpv6 RA packet with non-linklocal source address"
Description: Radvd received icmpv6 RA packet with non-linklocal source address

ID: 20064
Severity: warning
Subtype: system
Macro: LOG_ID_RAD_INV_ICMPV6_RS_LEN
Format: msg="received icmpv6 RS packet with invalid length: [n]"
Description: Radvd received icmpv6 RS packet with invalid length

ID: 20065
Severity: warning
Subtype: system
Macro: LOG_ID_RAD_INV_ICMPV6_CODE
Format: msg="received icmpv6 RS/RA packet with invalid code: [n]"
Description: Radvd received icmpv6 RS/RA packet with invalid code

ID: 20066
Severity: warning
Subtype: system
Macro: LOG_ID_RAD_INV_ICMPV6_HOP
Format: msg="received RS or RA with invalid hoplimit [n] from [s]"
Description: Radvd received icmpv6 RS/RA packet with wrong hoplimit

ID: 20067
Severity: warning
Subtype: system
Macro: LOG_ID_RAD_MISMATCH_HOP
Format: msg="our AdvCurHopLimit on [s] doesn't agree with [s]"
Description: AdvCurHopLimit on our interface does not agree with a remote site

ID: 20068
Severity: warning
Subtype: system
Macro: LOG_ID_RAD_MISMATCH_MGR_FLAG
Format: msg="our AdvManagedFlag on [s] doesn't agree with [s]"
Description: AdvManagedFlag on our interface does not agree with a remote site

ID: 20069
Severity: warning
Subtype: system
Macro: LOG_ID_RAD_MISMATCH_OTH_FLAG
Format: msg="our AdvOtherConfigFlag on [s] doesn't agree with [s]"
Description: AdvOtherConfigFlag on our interface does not agree with a remote site

ID: 20070
Severity: warning
Subtype: system
Macro: LOG_ID_RAD_MISMATCH_TIME
Format: msg="our AdvReachableTime on [s] doesn't agree with [s]"
Description: AdvReachableTime on our interface does not agree with a remote site

ID: 20071
Severity: warning
Subtype: system
Macro: LOG_ID_RAD_MISMATCH_TIMER
Format: msg="our AdvRetransTimer on [s] doesn't agree with [s]"
Description: AdvRetransTimer on our interface does not agree with a remote site

ID: 20072
Severity: critical
Subtype: system
Macro: LOG_ID_RAD_EXTRA_DATA
Format: msg="trailing garbage in RA on [s] from [s]"

ID: 20073
Severity: critical
Subtype: system
Macro: LOG_ID_RAD_NO_OPT_DATA
Format: msg="zero length option in RA on [s] from [s]"
Description: Radvd finds a RA packet with no option data

ID: 20074
Severity: critical
Subtype: system
Macro: LOG_ID_RAD_INV_OPT_LEN
Format: msg="option length greater than total length in RA on [s] from [s]"
Description: option length is greater than total length in RA packet

ID: 20075
Severity: warning
Subtype: system
Macro: LOG_ID_RAD_MISMATCH_MTU
Format: msg="our AdvLinkMTU on [s] doesn't agree with [s]"

ID: 20077
Severity: warning
Subtype: system
Macro: LOG_ID_RAD_MISMATCH_PREF_TIME
Format: msg="our AdvPreferredLifetime on [s] for [s] doesn't agree with [s]"
Description: AdvPreferredLifetime on our interface does not agree with a remote site

ID: 20078
Severity: critical
Subtype: system
Macro: LOG_ID_RAD_INV_OPT
Format: msg="invalid option [n] in RA on [s] from [s]"
Description: Radvd finds an invalid option in RA packet from a remote site

ID: 20079
Severity: information
Subtype: system
Macro: LOG_ID_RAD_READY
Format: msg="radvd started"
Description: Radvd daemon is ready to serve

ID: 20080
Severity: critical
Subtype: system
Macro: LOG_ID_RAD_FAIL_TO_RCV
Format: msg="recvmsg: [s]"
Description: Recvmsg() in radvd failed

ID: 20081
Severity: critical
Subtype: system
Macro: LOG_ID_RAD_INV_HOP
Format: msg="received a bogus IPV6_HOPLIMIT from the kernel! len=[n], data=[n]"
Description: Radvd received a packet with a wrong IPV6_HOPLIMIT

20082 critical

system

LOG_ID_RAD_INV_PKTINFO

msg="received a bogus
IPV6_PKTINFO from the
kernel! len=[n], index=[n]"

Radvd received a packet with a


wrong IPV6_PKTINFO

Page 598

Description

Radvd finds extra data in RA


packet

AdvLinkMTU on our interface


does not agree with a remote
site

| ID | Severity | Subtype | Macro | Format | Description |
| --- | --- | --- | --- | --- | --- |
| 20083 | warning | system | LOG_ID_RAD_FAIL_TO_CHECK | msg="problem checking all-routers membership on [s]" | Radvd failed to check whether we've joined the all-routers multicast group |
| 20084 | warning | system | LOG_ID_RAD_FAIL_TO_SEND | msg="sendmsg: [s]" | sendmsg() in radvd failed |
| 20085 | information | system | 20085 | status="clash" proto=[n] msg="session clash"[s] | session clash |
| 20086 | unknown | system | 20086 | msg="==[s] xh0(sp_[n], fmc[n]) crashed, master is fmc[n]==" | xh0 crashed |
| 20090 | notice \| information | system | LOG_ID_INTF_LINK_STA_CHG | intf=[s] status=[s] msg="interface [s] link status is [s]" | Interface link status changed |
| 20101 | warning | system | LOG_ID_WEB_LIC_EXPIRE | msg="FortiGuard web filtering license will expire in [n] day(s)" | FortiGuard web filtering license expiring |
| 20102 | warning | system | LOG_ID_SPAM_LIC_EXPIRE | msg="FortiGuard anti-spam license will expire in [n] day(s)" | FortiGuard anti-spam license expiring |
| 20103 | warning | system | LOG_ID_AV_LIC_EXPIRE | msg="FortiGuard AV update license will expire in [n] day(s)" | FortiGuard AV update license expiring |
| 20104 | warning | system | LOG_ID_IPS_LIC_EXPIRE | msg="FortiGuard IPS update license will expire in [n] day(s)" | FortiGuard IPS update license expiring |
| 20105 | warning | system | LOG_ID_LOG_UPLOAD_SKIP | ui=[s] action=upload error="Daily volume exceeded" msg="Log upload to FortiCloud skipped (Daily volume exceeded)." | Log uploading |
| 20107 | warning | system | LOG_ID_LOG_UPLOAD_ERR | action=upload error="[s]" user="[s]" server=[s] port=[n] msg="Log upload to [s] error on vdom [s]" | uploading error |
| 20108 | notice | system | LOG_ID_LOG_UPLOAD_DONE | action=upload status=completed user="[s]" server=[s] port=[n] msg="Log upload to [s] completed on vdom [s]" | upload status |
| 20110 | notice | system | LOG_ID_HPAPI_ESPD_START | msg="hp_api: Connection to ESPd has been initialized" | hp_api log |
| 20111 | warning | system | LOG_ID_HPAPI_ESPD_RESET | msg="hp_api: Connection to ESPd has been reset, exiting" | hp_api log |

| ID | Severity | Subtype | Macro | Format | Description |
| --- | --- | --- | --- | --- | --- |
| 20113 | error | system | LOG_ID_IPSA_DOWNLOAD_FAIL | msg="Fail to download IPSA DB!" | IPSA error |
| 20114 | error | system | LOG_ID_IPSA_SELFTEST_FAIL | msg="IPSA self test failed, disable IPSA!" | IPSA error |
| 20115 | error | system | LOG_ID_IPSA_STATUSUPD_FAIL | msg="Fail to update IPSA driver status!" | IPSA error |
| 20200 | notice | system | LOG_ID_FIPS_SELF_TEST | user="[s]" ui=[s] action=self-test msg="Administrator [s] initiates the [s] self-test from [s]" | running self-test |
| 20201 | notice | system | LOG_ID_FIPS_SELF_ALL_TEST | user="[s]" ui=[s] action=self-test msg="Administrator [s] initiates all self-tests from [s]" | running self-test |
| 20202 | warning | system | LOG_ID_DISK_FORMAT_ERROR | msg="Partitioning or formatting error ([s], [s]) partition=[n] format=[n] label=[s]" | Error in partitioning or formatting |
| 20203 | information | system | LOG_ID_DAEMON_SHUTDOWN | action=daemon-shutdown daemon=[s] pid=[n] msg="[s] shut down" | daemon shutdown |
| 20204 | information | system | LOG_ID_DAEMON_START | action=daemon-startup daemon=[s] pid=[n] msg="[s] has started" | daemon started |
| 20205 | critical | system | LOG_ID_DISK_FORMAT_REQ | user="[s]" ui=[s] action=format-disk msg="User [s] requested to format [s] disk from [s]" | format disk |
| 20206 | warning | system | LOG_ID_DISK_SCAN_REQ | user="[s]" ui=[s] action=scan-disk msg="User [s] requested to scan [s] disk from [s]" | scan disk |
| 20300 | unknown | system | LOG_ID_BGP_NB_STAT_CHG | msg="BGP: %%BGP-5-ADJCHANGE: neighbor [s] [s] [s]" | bgp neighbor status change |
| 22000 | warning | system | LOG_ID_INV_PKT_LEN | msg="Packet length does not match that specified in the request header." | Packet length does not match that specified in the request header. |
| 22001 | warning | system | LOG_ID_UNSUPPORTED_PROT_VER | msg="Protocol version-[n] is not supported" | Unsupported protocol version |
| 22002 | warning | system | LOG_ID_INV_REQ_TYPE | msg="Request type [n] is not supported." | Other request than http, https, ftp, mail and av is not supported |

| ID | Severity | Subtype | Macro | Format | Description |
| --- | --- | --- | --- | --- | --- |
| 22003 | warning | system | LOG_ID_FAIL_SET_SIG_HANDLER | sigaction([n])failed: [s] | failed to set up a signal handler |
| 22004 | warning | system | LOG_ID_FAIL_CREATE_SOCKET | Socket() failed: [s] | failed to create a socket |
| 22005 | warning | system | LOG_ID_FAIL_CREATE_SOCKET_RETRY | failed to create a [s]/udp socket to receive URL request: [s] | failed to create a udp socket to receive URL request |
| 22006 | warning | system | LOG_ID_FAIL_REG_CMDB_EVENT | msg="Failed to register for cmdb events." | Failed to register for cmdb events |
| 22009 | warning | system | LOG_ID_FAIL_FIND_AV_PROFILE | name=[s] status=failure msg="failed to find its AV protection profile" | failed to find av profile by ID |
| 22010 | error | system | LOG_ID_SENDTO_FAIL | process="[s]" reason="[s]" msg="failed to send urlfilter packet" | safe_sendto() failed |
| 22011 | unknown | system | 22011 | service=kernel conserve=on free="[n] pages" red="[n] pages" msg="Kernel enters conserve mode" | Kernel enters conserve mode |
| 22012 | unknown | system | 22012 | service=kernel conserve=exit free="[n] pages" green="[n] pages" msg="Kernel leaves conserve mode" | Kernel leaves conserve mode |
| 22013 | alert | system | 22013 | action=pba-block-exhaust saddr=[n].[n].[n].[n] poolname="[s]" msg="Pba ippool port-block has been exhausted" | Alert ippool pba block exhaust |
| 22014 | alert \| notice | system | 22014 | action=pba-natip-exhaust saddr=[n].[n].[n].[n] poolname="[s]" msg="Pba ippool natip has been exhausted" | Alert ippool pba natip exhaust |
| 22015 | notice | system | LOG_ID_EXCEED_VD_RES_LIMIT | service=kernel msg="[s] vdom([n]) limit. count=[n] limit=[n]" | Exceed vdom resource limit |
| 22016 | notice | system | 22016 | action=pba-close saddr=[n].[n].[n].[n] nat=[n].[n].[n].[n] portbegin=[n] portend=[n] poolname="[s]" duration=[n] msg="Pba ippool close" | Deallocate ippool pba |
| 22020 | warning | system | LOG_ID_FAIL_CREATE_HA_SOCKET | msg="Socket() failed: [s]" | Failed to create a ha_socket |

| ID | Severity | Subtype | Macro | Format | Description |
| --- | --- | --- | --- | --- | --- |
| 22021 | warning | system | LOG_ID_FAIL_CREATE_HA_SOCKET_RETRY | msg="Failed to create a udp socket to relay URL requests: [s]" | Failed to create a udp socket to relay URL requests |
| 22100 | warning | system | LOG_ID_QUAR_DROP_TRAN_JOB | count=[n] duration=[n] limit=[n] used=[n] fams_pause=[n] action=transfer status=drop reason=[s] msg="In the past [n] seconds, [n] files were dropped by quard." | Quarantine dropped transfer jobs |
| 22101 | warning | system | LOG_ID_QUAR_DROP_TLL_JOB | count=[n] action=transfer status=drop reason=poor-network-condition msg="[n] files were dropped by quard to [s]: [n] reached max retries, [n] reached TTL." | Quarantine dropped transfer jobs |
| 22102 | critical | system | LOG_ID_LOG_DISK_FAILURE | msg="Log disk failure is imminent, logs should be backed up" | Erroneous SMART status |
| 22104 | critical | system | 22104 | action=power-supply-monitor status=restore unit=[s] msg="Power supply [s] restore" | Power supply restore |
| 22105 | critical | system | LOG_ID_POWER_FAILURE | action=power-supply-monitor status=failure unit=[s] msg="Power supply [s] [s]" | Power supply failure |
| 22106 | warning \| information | system | LOG_ID_POWER_OPTIONAL_NOT_DETECTED | action=ipmc-sensor-monitor status=failure msg="[s]" | IPMC sensor failure |
| 22107 | warning | system | LOG_ID_VOLT_ANOM | action=ipmc-sensor-monitor status=failure msg="[s]" | IPMC sensor failure |
| 22108 | warning | system | LOG_ID_FAN_ANOM | action=ipmc-sensor-monitor status=failure msg="[s]" | IPMC sensor failure |
| 22110 | critical | system | LOG_ID_SPARE_BLOCK_LOW | msg="Available spare blocks of boot device are getting low (remaining [n])." | Available spare blocks is low |
| 22200 | warning | system | LOG_ID_AUTO_UPT_CERT | user=system action=certificate-update status=warning cert=[s] msg="CA certificate [s] will auto-update in [n] days." | Certificate will be auto-update |
| 22201 | warning | system | LOG_ID_AUTO_GEN_CERT | user=system action=certificate-regenerate status=warning cert=[s] msg="Local certificate [s] will auto-regenerate in [n] days." | Certificate will be auto-regenerate |

| ID | Severity | Subtype | Macro | Format | Description |
| --- | --- | --- | --- | --- | --- |
| 22202 | error | system | LOG_ID_AUTO_UPT_CERT_FAIL | user=system action=certificate-update status=failure cert=[s] msg="[s]" | Certificate failed to auto-update |
| 22203 | error | system | LOG_ID_AUTO_GEN_CERT_FAIL | user=system action=certificate-regenerate status=failure cert=[s] msg="[s]" | Certificate failed to auto-regenerate |
| 22700 | critical | system | LOG_ID_IPS_FAIL_OPEN | msg="IPS session scan resumed, exit fail open mode." | IPS fail open |
| 22800 | critical | system | LOG_ID_SCAN_SERV_FAIL | service=[s] mode=[s] msg="The system has [s] session fail mode" | Scan services session fail mode |
| 22801 | critical | system | LOG_ID_SCAN_LEAVE_CONSERVE_MODE | service=[s] conserve=exit total=[n] free=[n] entermargin=[n] exitmargin=[n] msg="The system exited conserve mode" | Scan services exited conserve mode |
| 22802 | critical | system | LOG_ID_SYS_ENTER_CONSERVE_MODE | service=[s] sysconserve=on total=[n] free=[n] entermargin=[n] exitmargin=[n] msg="The system has entered system conserve mode" | System services entered conserve mode |
| 22803 | critical | system | LOG_ID_SYS_LEAVE_CONSERVE_MODE | service=[s] sysconserve=exit total=[n] free=[n] entermargin=[n] exitmargin=[n] msg="The system exited system conserve mode" | System exited conserve mode |
| 22804 | critical | system | LOG_ID_LIC_STATUS_CHG | service=license status=[s] msg="License status changed to [s]" | License Status Change |
| 22805 | warning | system | LOG_ID_FAIL_TO_VALIDATE_LIC | service=license status=warning msg="License could not be validated for over 4 hours" | License Status Warning |
| 22806 | warning | system | LOG_ID_DUP_LIC | service=license status=warning msg="Detected duplicate license in use" | License Status Duplicate Warning |
| 22810 | critical | system | LOG_ID_SCAN_ENTER_CONSERVE_MODE | service=[s] conserve=on total=[n] free=[n] entermargin=[n] exitmargin=[n] msg="The system has entered conserve mode" | Scan services entered conserve mode |

| ID | Severity | Subtype | Macro | Format | Description |
| --- | --- | --- | --- | --- | --- |
| 22900 | notice | system | LOG_ID_CAPUTP_SESSION | msg="[s]" action=[s] src=[n].[n].[n].[n] | caputp-session |
| 22901 | notice | system | LOG_ID_FAZ_CON | action=connect status=success msg="Connected to FortiAnalyzer [s]" | FortiAnalyzer Connection |
| 22902 | notice | system | LOG_ID_FAZ_DISCON | action=disconnect status=success reason="[s]" msg="Disconnected from FortiAnalyzer [s]" | FortiAnalyzer Disconnection |
| 22903 | critical | system | LOG_ID_FAZ_CON_ERR | action=connect status=failure reason="[s]" msg="Failed to connect FortiAnalyzer [s]" | FortiAnalyzer Connection |
| 22910 | notice | system | LOG_ID_EVENT_SLA_PROBE_PING | [s]="[n]" [s]="[s]" [s]="ping" [s]="[s]" msg="SLA Probe event: change state from [s] to [s]" | SLA Probe information |
| 22911 | notice | system | LOG_ID_EVENT_SLA_PROBE_HTTPGET | [s]="[n]" [s]="[s]" [s]="[s]" [s]="http-get" [s]="[s]" msg="SLA Probe event: change state from [s] to [s]" | SLA Probe information |
| 22916 | notice | system | LOG_ID_FDS_STATUS | status=[s] msg="FortiGuard Message Service server is [s]" | FortiGuard Message Service status |
| 22917 | notice | system | LOG_ID_FDS_SMS_QUOTA | user=system msg="SMS quota is used up." | SMS quota used up |
| 23101 | unknown | vpn | LOG_ID_IPSEC_TUNNEL_UP | action=[s] tunnel_id=[n] [s]tunneltype=[s] remote_ip=[s] tunnel_ip=[s] user="[s]" group="[s]" [s][s][s][s]msg="[s] [s]" | VPN event log message |
| 23102 | unknown | vpn | LOG_ID_IPSEC_TUNNEL_DOWN | action=[s] tunnel_id=[n] [s]tunneltype=[s] remote_ip=[s] tunnel_ip=[s] user="[s]" group="[s]" [s][s][s][s]msg="[s] [s]" | VPN event log message |
| 23103 | unknown | vpn | LOG_ID_IPSEC_TUNNEL_STAT | action=[s] tunnel_id=[n] [s]tunneltype=[s] remote_ip=[s] tunnel_ip=[s] user="[s]" group="[s]" [s][s][s][s]msg="[s] [s]" | VPN event log message |
| 26001 | information \| unknown | router | LOG_ID_DHCP_MSG | interface="[s]" dhcp_msg="[s]" dir=[s] mac=[s]:[s]:[s]:[s]:[s]:[s] ip=[n].[n].[n].[n] lease=[n] hostname="[s]" msg="[s]" | DHCP request and response log |

| ID | Severity | Subtype | Macro | Format | Description |
| --- | --- | --- | --- | --- | --- |
| 26002 | error | router | LOG_ID_DHCP_NO_SHARE_NET | interface="[s]" No shared network for network [s] ([s]) | No shared network found |
| 26003 | information | router | LOG_ID_DHCP_STAT | interface="[s]" total=[n] used=[n] msg="[s]" | DHCP Statistics |
| 26004 | error | router | LOG_ID_DHCP_MULT_SUB_NET | interface="[s]" Address range [s] to [s], netmask [s] spans [s]! | Address range spans multiple subnets |
| 26005 | error | router | LOG_ID_DHCP_INV_ADDR_RANGE | interface="[s]" Address range [s] to [s] not on net [s]/[s]! | Address range doesn't belong to the net |
| 29001 | unknown | router | LOG_ID_PPPD_MSG | user="[s]" local=[n].[n].[n].[n] remote=[n].[n].[n].[n] assigned=[n].[n].[n].[n] stat="[s]" msg="[s]" | Pppd log message |
| 29002 | notice \| debug | router | LOG_ID_PPPD_AUTH_SUC | user="[s]" local=[n].[n].[n].[n] remote=[n].[n].[n].[n] assigned=[n].[n].[n].[n] action=auth_success msg="User '[s]' using [s] with authentication protocol [s], [s]" | PPPD authentication success log message |
| 29003 | notice | router | LOG_ID_PPPD_AUTH_FAIL | local=[n].[n].[n].[n] remote=[n].[n].[n].[n] assigned=[n].[n].[n].[n] action=auth_failed msg="[s] is trying to connect using [s] with authentication protocol [s], failed" | PPPD authentication failure log message |
| 29009 | notice | router | LOG_ID_PPPOE_STATUS_REPORT | gateway=[n].[n].[n].[n] assigned=[n].[n].[n].[n] msg="PPPoE status report" | PPPoE status report |
| 29011 | error | router | LOG_ID_PPPD_FAIL_TO_EXEC | Can't execute [s]: [s] | pppd cannot execute a program |
| 29012 | unknown | router | LOG_ID_PPP_OPT_ERR | [s] | ppp has received wrong options |
| 29013 | notice | router | LOG_ID_PPPD_START | msg="pppd is started" | pppd is started |
| 29014 | information | router | LOG_ID_PPPD_EXIT | msg="pppd is exiting" | pppd is exiting |
| 29015 | error | router | LOG_ID_PPP_RCV_BAD_PEER_IP | Peer IP is the same as an interface IP[s]. IP([n].[n].[n].[n]) | ppp has received bad options |
| 29016 | error | router | LOG_ID_PPP_RCV_BAD_LOCAL_IP | Local IP is the same as an interface IP[s]. IP([n].[n].[n].[n]) | ppp has received bad options |

| ID | Severity | Subtype | Macro | Format | Description |
| --- | --- | --- | --- | --- | --- |
| 29017 | unknown | router | LOG_ID_PPP_OPT_NOTIF | [s] | ppp has received wrong options |
| 29020 | notice | router | LOG_ID_WIRELESS_SET_FAIL | wireless set command [s] [s] failed | |
| 32001 | information | system | LOG_ID_ADMIN_LOGIN_SUCC | user="[s]" ui=[s] action=login status=success reason=none profile="[s]" msg="Administrator [s] logged in successfully from [s]" | Admin logged in successfully |
| 32002 | alert | system | LOG_ID_ADMIN_LOGIN_FAIL | user=test ui=cli action=login status=failed reason=test msg="Alarm testing" | Failed admin login attempt |
| 32003 | information | system | LOG_ID_ADMIN_LOGOUT | user="[s]" ui=[s] action=logout status=success duration=[n] [s]reason=[s] msg="Administrator [s] [s] [s]" | Admin logged out |
| 32004 | emergency | system | LOG_ID_ALARM_TEST_FAIL | action=error-mode reason=self-test msg="Alarm testing" | alarm testing |
| 32005 | information | system | 32005 | user="[s]" action=vdom-override status=success reason=none msg="Administrator [s] vdom overridden to [s]" | Admin overrided vdom successfully |
| 32006 | information | system | LOG_ID_ADMIN_ENTER_VDOM | user="[s]" ui=[s] action=vdom-switch reason=none msg="User [s] has entered the virtual domain [s]" | A super admin has entered to this vdom |
| 32007 | information | system | LOG_ID_ADMIN_LEFT_VDOM | user="[s]" ui=[s] action=vdom-switch reason=none msg="User [s] has left the virtual domain [s]" | A super admin has left the current vdom |
| 32008 | warning | system | LOG_ID_VIEW_LOG_FAIL | user="[s]" ui=[s] msg="User [s] failed to access the [s] logs from [s]" | Failed to view log |
| 32009 | information | system | LOG_ID_SYSTEM_START | msg="Fortigate started[s]" | System started |
| 32010 | emergency \| information \| unknown | system | LOG_ID_DISK_LOG_FULL | msg="[s] is [n]% full.System will stop [s] logging." | Log full |

| ID | Severity | Subtype | Macro | Format | Description |
| --- | --- | --- | --- | --- | --- |
| 32011 | notice | system | LOG_ID_LOG_ROLL | action=roll-log reason=file-size log=[s] msg="Disk log has rolled." | Log rotation |
| 32012 | information | system | LOG_ID_FIPS_LEAVE_ERR_MOD | action=exit-error-mode msg="System exiting out of error mode." | CC exiting error mode |
| 32014 | warning | system | LOG_ID_CS_LIC_EXPIRE | msg="FortiGuard customer support license will expire in [n] day(s)" | FortiGuard customer support license expiring |
| 32015 | warning | system | LOG_ID_DISK_LOG_USAGE | msg="Log disk is [n]% full" | Log full |
| 32018 | emergency | system | LOG_ID_FIPS_ENTER_ERR_MOD | action=error-mode reason=[s] msg="System enters error-mode due to [s]" | FIPS error mode |
| 32020 | warning | system | LOG_ID_SSH_CORRPUT_MAC | ui=https msg="Corrupted MAC packet detected" | Corrupted MAC detected |
| 32021 | alert | system | LOG_ID_ADMIN_LOGIN_DISABLE | ui=[s] action=login status=failed reason=exceed_limit msg="Login disabled from IP [s] for [n] seconds because of [n] bad attempts" | Admin login disabled |
| 32022 | notice | system | LOG_ID_VDOM_ENABLED | user="[s]" ui=[s] msg="User [s] enabled virtual domain [s] from [s]" | vdom enabled |
| 32023 | warning \| information | system | LOG_ID_MEM_LOG_FULL | msg="Memory log is [n]% full" | Log full |
| 32024 | notice | system | LOG_ID_ADMIN_PASSWD_EXPIRE | user="[s]" action=admin-password status=expired msg="Password of administrator [s] has expired." | Admin password expiry |
| 32026 | critical | system | LOG_ID_STORE_CONF_FAIL | Cannot store config due to first line error: require first line in file [s] from process [n] | Cannot store config due to first line error |
| 32027 | notice | system | LOG_ID_VIEW_LOG_SUCC | user="[s]" ui=[s] log=[s] msg="User [s] has viewed the disk logs from [s]" | User displayed disk logs |
| 32028 | information | system | LOG_ID_LOG_DEL_DIR | msg="System deleted directory [s]." | Log full |
| 32029 | information | system | LOG_ID_LOG_DEL_FILE | action=delete msg="System deleted log file [s]" | Log deleted |

| ID | Severity | Subtype | Macro | Format | Description |
| --- | --- | --- | --- | --- | --- |
| 32030 | notice | system | LOG_ID_SEND_FDS_STAT | user="[s]" ui=[s] action=send-fds-stats msg="User [s] requested to send FDS statistics from [s]" | send fds stats |
| 32035 | notice | system | LOG_ID_VDOM_DISABLED | user="[s]" ui=[s] msg="User [s] disabled virtual domain [s] from [s]" | vdom disabled |
| 32045 | warning | system | LOG_ID_MGR_LIC_EXPIRE | msg="FortiGuard management service license will expire in [n] day(s)" | FortiGuard management service license expiring |
| 32048 | warning | system | LOG_ID_SCHEDULE_EXPIRE | msg="onetime schedule [s] will expire in [n] day(s)" | onetime schedule expiring |
| 32051 | notice | system | LOG_ID_LOG_UPLOAD | ui=[s] action=upload status=start msg="Start uploading disk logs to [s] from vdom [s]." | Log uploading |
| 32086 | warning | system | LOG_ID_ENTER_TRANSPARENT | user=[s] ui=lcd action=[s] status=success msg="System has been changed to transparent mode LCD via LCD" | System has been changed to transparent mode LCD via LCD |
| 32087 | warning | system | LOG_ID_ENTER_NAT | user=[s] ui=lcd action=[s] status=success msg="System has been changed to NAT mode LCD via LCD" | System has been changed to NAT mode LCD via LCD |
| 32095 | warning | system | LOG_ID_GUI_CHG_SUB_MODULE | user="[s]" ui=[s] action=[s] status=[s] msg="[s] by user [s] via [s]" | A user has performed an action to the firewall via GUI. The action can be one of the followings: reboot, shutdown, reload, backup, factory_reset, restore, upgrade, switch_mode, download, upload, clear_mlog, del_log, update, downgrade, del_session, bootup |
| 32096 | warning | system | LOG_ID_GUI_DOWNLOAD_LOG | user="[s]" ui=[s] action=[s] status=[s] hash=[s] file=[s] msg="[s] by user [s] via [s]" | A user has downloaded a logging file from the firewall via GUI |
| 32100 | warning | system | LOG_ID_FORTI_TOKEN_SYNC | user="[s]" action=token_sync msg="User [s] synchronized his/her FortiToken" | FortiToken synchronization |
| 32101 | notice | system | LOG_ID_LCD_CHG_CONF | user="[s]" ui=[s] msg="[s] by [s]" | Administrator has changed configuration from LCD |

| ID | Severity | Subtype | Macro | Format | Description |
| --- | --- | --- | --- | --- | --- |
| 32102 | unknown | system | LOG_ID_CHG_CONFIG | user="[s]" ui=[s] module="[s]" submodule="[s]" msg="[s] made a change from [s]:[s]" | A user has changed the configuration |
| 32103 | notice | system | LOG_ID_NEW_FIRMWARE | user=system action=firmware status=new msg="New firmware is available from FortiGuard" | New firmware is available from FortiGuard |
| 32120 | notice | system | LOG_ID_RPT_ADD_DATASET | user="[s]" ui=[s] name="[s]" msg="User [s] added a report dataset [s] from [s]" | Report Dataset is added |
| 32122 | notice | system | LOG_ID_RPT_DEL_DATASET | user="[s]" ui=[s] name="[s]" msg="User [s] delete a report dataset [s] from [s]" | A report dataset is deleted |
| 32123 | notice | system | LOG_ID_RPT_ADD_LAYOUT_ITEM | user="[s]" ui=[s] name="[n]" msg="User [s] added a report summary entry [n] from [s]" | Report Summary entries is added |
| 32124 | notice | system | LOG_ID_RPT_DEL_LAYOUT_ITEM | user="[s]" ui=[s] name="[n]" msg="User [s] delete a report summary entry [n] from [s]" | A report summary entries is deleted |
| 32125 | notice | system | LOG_ID_RPT_ADD_CHART | user="[s]" ui=[s] name="[s]" msg="User [s] added a report chart widget [s] from [s]" | Report Chart widget is added |
| 32126 | notice | system | LOG_ID_RPT_DEL_CHART | user="[s]" ui=[s] name="[s]" msg="User [s] delete a report chart widget [s] from [s]" | A report chart widget is deleted |
| 32129 | notice | system | LOG_ID_ADD_GUEST | user="[s]" ui=[s] name="[s]" status=[s] msg="User [s] added guest user [s] from [s]" | A new guest user is added |
| 32130 | notice | system | LOG_ID_CHG_USER | user="[s]" ui=[s] name="[s]" old_status=[s] new_status=[s] passwd=[s] msg="User [s] changed local user [s] setting from [s]" | A local user's setting is changed |
| 32131 | notice | system | LOG_ID_DEL_GUEST | user="[s]" ui=[s] name="[s]" status=[s] msg="User [s] deleted guest user [s] from [s]" | A guest user is deleted |
| 32132 | notice | system | LOG_ID_ADD_USER | user="[s]" ui=[s] name="[s]" status=[s] msg="User [s] added local user [s] from [s]" | A new local user is added |

| ID | Severity | Subtype | Macro | Format | Description |
| --- | --- | --- | --- | --- | --- |
| 32138 | critical | system | LOG_ID_REBOOT | | device is rebooted |
| 32139 | critical \| warning \| notice | system | LOG_ID_UPD_SIGN_DB | user="[s]" ui=[s] action=update msg="User [s] requested a geoip object update from [s]" | Update src-vis object. |
| 32140 | notice | system | 32140 | user="[s]" ui=[s] field=date-time msg="The [s] ntp server, [s]([s]), is determined [s] at [s]" | ntp server status change |
| 32142 | alert \| error \| warning \| notice | system | LOG_ID_BACKUP_CONF | action=backup status=success msg="Configuration backed up to flash disk after system upgrading" | backup configuration |
| 32143 | critical | system | 32143 | user="[s]" ui="[s]" action=update-image msg="User [s] loaded a wrong layout image from [s]." | update image |
| 32148 | notice | system | LOG_ID_GET_CRL | user="[s]" ui=[s] action=crl-update crl=[s] msg="User [s] requested a CRL update from [s]" | get CRL |
| 32149 | notice | system | LOG_ID_COMMAND_FAIL | user="[s]" ui=[s] ret=[n] msg="Command failed:'[s]' Return code [n]: [s]" | command failure |
| 32151 | notice | system | LOG_ID_ADD_IP6_LOCAL_POL | [s] | A new ipv6 firewall local in policy is added |
| 32152 | notice | system | LOG_ID_CHG_IP6_LOCAL_POL | [s] | A ipv6 firewall local in policy's setting is changed |
| 32153 | notice | system | LOG_ID_DEL_IP6_LOCAL_POL | [s] | A ipv6 firewall local in policy is deleted |
| 32155 | notice | system | LOG_ID_ACT_FTOKEN_REQ | user="[s]" ui=[s] action=fortitoken-activate serialno=[s] msg="User [s] has requested to activate FortiToken [s]." | Activate FortiToken |
| 32156 | notice | system | LOG_ID_ACT_FTOKEN_SUCC | action=fortitoken-activate serialno=[s] status=success msg="Activation of FortiToken [s] succeeded." | Activate FortiToken |
| 32157 | notice | system | LOG_ID_SYNC_FTOKEN_SUCC | user="[s]" ui=[s] action=fortitoken-synchronize serialno=[s] status=success msg="Administrator [s] resynchronized FortiToken [s] successfully." | Synchronize FortiToken |

| ID | Severity | Subtype | Macro | Format | Description |
| --- | --- | --- | --- | --- | --- |
| 32158 | notice | system | LOG_ID_SYNC_FTOKEN_FAIL | user="[s]" ui=[s] action=fortitoken-synchronize serialno=[s] status=failed msg="Administrator [s] failed to resynchronize FortiToken [s], because [s]." | Synchronize FortiToken |
| 32159 | notice | system | LOG_ID_ACT_FTOKEN_FAIL | action=fortitoken-activate serialno=[s] status=failed msg="Activation of FortiToken [s] failed, because [s]." | Activate FortiToken |
| 32168 | notice | system | LOG_ID_REACH_VDOM_LIMIT | user="[s]" ui=[s] msg="Adding new entry failed: vdom property limit has been reached when user [s] adds [s].[s] from [s]" | adding new entry failed |
| 32170 | alert | system | LOG_ID_ALARM_MSG | action=alarm alarmid=[n] groupid=[n] msg="[s]" | alarm |
| 32171 | alert | system | LOG_ID_ALARM_ACK | user="[s]" ui=[s] action=alarm-ack alarmid=[n] acktime="[s]" msg="[s]" | alarm ack |
| 32172 | notice | system | LOG_ID_ADD_IP4_LOCAL_POL | [s] | A new firewall local in policy is added |
| 32173 | notice | system | LOG_ID_CHG_IP4_LOCAL_POL | [s] | A firewall local in policy's setting is changed |
| 32174 | notice | system | LOG_ID_DEL_IP4_LOCAL_POL | [s] | A firewall local in policy is deleted |
| 32188 | warning | system | LOG_ID_SSL_PROXY_CA_INIT_FAIL | msg="SSL Proxy CA initialization failed" | [s] |
| 32200 | critical | system | LOG_ID_SHUTDOWN | user="[s]" ui=[s] action=shutdown msg="User [s] shutdown the device from [s].[s]" | shutdown device |
| 32201 | critical | system | LOG_ID_LOAD_IMG_SUCC | user="[s]" ui=[s] action=loaded-image msg="User [s] loaded the image from [s], the new image does not support CC mode." | loaded an image |
| 32202 | critical | system | LOG_ID_RESTORE_IMG | user="[s]" ui=[s] action=restore-image msg="User [s] restored the image from [s] ([s],build[s] -> [s],build[s])" | restore the image |

| ID | Severity | Subtype | Macro | Format | Description |
| --- | --- | --- | --- | --- | --- |
| 32203 | critical \| warning \| notice | system | LOG_ID_RESTORE_CONF | user="[s]" ui=[s] action=restore-configuration msg="User [s] restored the configuration from [s]" | restore the configuration |
| 32204 | critical \| notice | system | LOG_ID_RESTORE_FGD_SVR | user="[s]" ui=[s] action=[s] msg="User [s] restored [s] file from [s]" | restore the fortiguard service |
| 32205 | critical \| notice | system | LOG_ID_RESTORE_VDOM_LIC | user="[s]" ui=[s] action=[s] msg="User [s] restored [s] file from [s]" | restore VM license |
| 32206 | warning | system | LOG_ID_RESTORE_SCRIPT | user="system" action=restore-script msg="System restored script [s] from management station" | restore script |
| 32207 | warning | system | LOG_ID_RETRIEVE_CONF_LIST | user="[s]" ui=[s] action=retrieve-[s] msg="User [s] failed to retrieve the [s] list from management station" | retrieve configuration list failure |
| 32208 | critical | system | LOG_ID_IMP_PKCS12_CERT | user="[s]" ui=[s] action=import-certificate msg="User [s] imported the certificate from [s]" | import the pkcs12 certificate |
| 32209 | critical \| notice | system | LOG_ID_RESTORE_USR_DEF_IPS | user="[s]" ui=[s] action=restore-ips-signature status=success msg="Administrator [s] restored the user-defined IPS signatures from [s]" | restore the user-defined IPS signatures |
| 32210 | notice | system | LOG_ID_BACKUP_IMG | user="[s]" ui=[s] action=backup status=success msg="Firmware image backed up to flash disk for system [s]" | backup image |
| 32211 | notice | system | LOG_ID_UPLOAD_REVISION | user="[s]" ui=[s] action=upload status=success msg="User [s] upload the [s] from [s] to flash disk" | upload revision |
| 32212 | notice | system | LOG_ID_DEL_REVISION | action=delete status=success msg="[s]:[n] has been deleted from revision data base" | revision DB deletion |

| ID | Severity | Subtype | Macro | Format | Description |
| --- | --- | --- | --- | --- | --- |
| 32213 | warning | system | LOG_ID_RESTORE_TEMPLATE | user="system" action=restore-cfg msg="System restored [s] file [s] from management station" | restore template |
| 32214 | warning | system | LOG_ID_RESTORE_FILE | user="system" action=restore-[s] msg="System failed to restore [s] file [s] from management station" | restore failure |
| 32215 | critical | system | LOG_ID_UPT_IMG | user="[s]" ui="[s]" action=update-image msg="User [s] loaded a wrong image from [s]." | update image |
| 32217 | warning \| notice | system | LOG_ID_UPD_IPS | user="[s]" ui="[s]" action=update msg="User [s] has updated IPS package by SCP" | An user has updated the IPS package by SCP |
| 32218 | warning | system | LOG_ID_UPD_DLP | user="[s]" ui="Fortimanager" action=update msg="User [s] failed to update DLP fingerprint database by SCP" | An user failed to update the DLP fingerprint database by SCP |
| 32219 | warning | system | LOG_ID_BACKUP_OUTPUT | user="[s]" ui="[s]" action=backup msg="User [s] backed up the result of batch mode commands by SCP" | An user has backed up the result of standardized error output by SCP |
| 32220 | warning | system | LOG_ID_BACKUP_COMMAND | user="[s]" ui="[s]" action=backup msg="User [s] backed up the result of batch mode commands by SCP" | An user has backed up the result of batch mode commands by SCP |
| 32221 | warning | system | LOG_ID_UPD_VDOM_LIC | user="[s]" ui="[s]" action=update msg="User [s] has installed VM license by SCP" | An user has installed the VM license by SCP |
| 32222 | notice | system | LOG_ID_GLB_SETTING_CHG | user="[s]" ui=[s] field=virtual-domain action=[s] msg="User [s] changed global setting from [s]" | global setting change |
| 32223 | error \| notice | system | LOG_ID_BACKUP_USER_DEF_IPS | user="[s]" ui=[s] action=backup status=failure msg="Administrator [s] failed to back up the user-defined IPS signatures from [s]" | backup the user-defined IPS signatures failure |

ID

Severity

Subtype Macro

Format

Description

32224 notice

system

LOG_ID_BACKUP_LOG

user="[s]" ui=[s]
action=backup msg="User
[s] backed up [s] log from
[s]"

backup log

32225 notice

system

LOG_ID_DEL_ALL_REVISION

action=delete
status=success
msg="[s]:revision data base
corruption detected, reset."

revision DB clearance

32226 critical

system

LOG_ID_LOAD_IMG_FAIL

user="[s]" ui=[s]
action=loaded-image
status=failure msg="User
[s] loaded a wrong image
from [s]."

loaded an image

32240 critical

system

LOG_ID_SYS_USB_MODE

action=reboot
status=success
msg="System is rebooted
and operating in USB mode
with configurations loaded
from USB (read-only)"

System is operating in USB mode

32252 critical

system

LOG_ID_FACTORY_RESET

user="[s]" ui=[s]
action=factory-reset
msg="User [s] reset to the
factory settings from [s]"

factory reset

32253 critical

system

LOG_ID_FORMAT_RAID

user="[s]" ui=[s]
action=format-rebuild-level
msg="User [s] formatted
the RAID disk from [s]"

config raid

32254 critical

system

LOG_ID_ENABLE_RAID

user="[s]" ui=[s]
action=enable-raid
msg="User [s] enabled
RAID from [s]"

config raid

32255 critical

system

LOG_ID_DISABLE_RAID

user="[s]" ui=[s]
action=disable-raid
msg="User [s] disabled
RAID from [s]"

config raid

32300 notice

system

LOG_ID_UPLOAD_RPT_IMG

user="[s]" ui=[s] status=[s]
action=upload-report-image
reason="[s]" msg="User
'[s]' [s] upload the report
image file '[s]' from [s]([s])"

upload the report image file

32301 notice

system

LOG_ID_ADD_VDOM

user="[s]" ui=[s]
action=add-vdom
msg="Virtual domain [s] is
added"

Vdom is added

32302 notice

system

LOG_ID_DEL_VDOM

user="[s]" ui=[s]
action=del-vdom
msg="Virtual domain [s] is
deleted"

Vdom is deleted

32340 critical

system

LOG_ID_LOG_DISK_UNAVAIL

msg="Log disk is
unavailable"

Log disk is unavailable

32341 notice

system

LOG_ID_LOG_DISK_DEFAULT_DISABLED

msg="Disk log status
changed to disabled in
upgrade process."

disk log status changed

32400 alert

system

LOG_ID_CONF_CHG

user="[s]" ui=[s]
msg="Configuration is
changed in the admin
session"

config changed

32545 critical

system

LOG_ID_SYS_RESTART

user=none ui=none
action=reboot
msg="System will reboot
due to scheduled daily
restart."

System restart

32546 warning

system

LOG_ID_APPLICATION_CRASH

action=crash msg="Pid: [s],
application: [s], Firmware:
[s], Signal [n] received,
Backtrace:[s]"

Application crash

35001 notice

system

LOG_ID_HA_SYNC_VIRDB

msg="HA slave sync
virdb([s]) [s]"

HA slave sync virdb

35002 notice

system

LOG_ID_HA_SYNC_ETDB

msg="HA slave sync
etdb([s]) [s]"

HA slave sync etdb

35003 notice

system

LOG_ID_HA_SYNC_EXDB

msg="HA slave sync
exdb([s]) [s]"

HA slave sync exdb

35004 notice

system

LOG_ID_HA_SYNC_FLDB

msg="HA slave sync
fldb([s]) [s]"

HA slave sync fldb

35005 notice

system

LOG_ID_HA_SYNC_IPS

msg="HA slave sync ids([s])
package [s]"

HA slave sync ids package

35007 notice

system

LOG_ID_HA_SYNC_AV

msg="HA slave sync AV([s])
package [s]"

HA slave sync AV package

35008 notice

system

LOG_ID_HA_SYNC_VCM

msg="HA slave sync
VCM([s]) package [s]"

HA slave sync VCM package

35009 notice

system

LOG_ID_HA_SYNC_CID

msg="HA slave sync
CID([s]) package [s]"

HA slave sync CID package

35010 error

system

LOG_ID_HA_SYNC_FAIL

msg="HA slave sync failed
in [n] turns"

HA slave sync failed

36880 warning

system

LOG_ID_EVENT_SYSTEM_MAC_HOST_STORE_LIMIT

msg="Number of detected
user devices exceeds limit
that can be persistently
stored. Detected [n]; can
save [n]."

user device data store limit

37124 error

vpn

MESGID_NEG_I_P1_ERROR

msg="IPsec phase 1 error"
action=[s] remip=[s]
locip=[s] remport=[n]
locport=[n] outintf=[s]
cookies="[s]" user="[s]"
group="[s]" xauthuser="[s]"
xauthgroup="[s]"
vpntunnel="[s]" status=[s]
error_reason="[s]"
peer_notif="[s]"

IPsec phase 1 error log

37125 error

vpn

MESGID_NEG_I_P2_ERROR

msg="IPsec phase 2 error"
action=[s] remip=[s]
locip=[s] remport=[n]
locport=[n] outintf=[s]
cookies="[s]" user="[s]"
group="[s]" xauthuser="[s]"
xauthgroup="[s]"
vpntunnel="[s]" status=[s]
error_reason="[s]"

IPsec phase 2 error log

37126 error

vpn

MESGID_NEG_NO_STATE_ERROR

msg="IPsec no state error"
action=[s] remip=[s]
locip=[s] remport=[n]
locport=[n] outintf=[s]
cookies="[s]" user="[s]"
group="[s]" xauthuser="[s]"
xauthgroup="[s]"
vpntunnel="[s]" status=[s]
error_reason="[s]"

IPsec no state error log

37133 notice

vpn

MESGID_INSTALL_SA

msg="install IPsec SA"
action=[s] remip=[s]
locip=[s] remport=[n]
locport=[n] outintf=[s]
cookies="[s]" user="[s]"
group="[s]" xauthuser="[s]"
xauthgroup="[s]"
vpntunnel="[s]" role=[s]
in_spi="[s]" out_spi="[s]"

install IPsec SA log

37134 notice

vpn

MESGID_DELETE_P1_SA

msg="delete IPsec phase 1
SA" action=[s] remip=[s]
locip=[s] remport=[n]
locport=[n] outintf=[s]
cookies="[s]" user="[s]"
group="[s]" xauthuser="[s]"
xauthgroup="[s]"
vpntunnel="[s]"

delete IPsec phase 1 SA log

37135 notice

vpn

MESGID_DELETE_P2_SA

msg="delete IPsec phase 2
SA" action=[s] remip=[s]
locip=[s] remport=[n]
locport=[n] outintf=[s]
cookies="[s]" user="[s]"
group="[s]" xauthuser="[s]"
xauthgroup="[s]"
vpntunnel="[s]"
enc_spi="[s]" dec_spi="[s]"

delete IPsec phase 2 SA log

37136 error

vpn

MESGID_DPD_FAILURE

msg="IPsec DPD failure"
action=[s] remip=[s]
locip=[s] remport=[n]
locport=[n] outintf=[s]
cookies="[s]" user="[s]"
group="[s]" xauthuser="[s]"
xauthgroup="[s]"
vpntunnel="[s]" status=[s]

IPsec DPD failure log

37137 error

vpn

MESGID_CONN_FAILURE

msg="IPsec connection
failure" action=[s] remip=[s]
locip=[s] remport=[n]
locport=[n] outintf=[s]
cookies="[s]" user="[s]"
group="[s]" xauthuser="[s]"
xauthgroup="[s]"
vpntunnel="[s]" status=[s]

IPsec connection failure log

37138 notice

vpn

MESGID_CONN_UPDOWN

msg="IPsec connection
status change" action=[s]
remip=[s] locip=[s]
remport=[n] locport=[n]
outintf=[s] cookies="[s]"
user="[s]" group="[s]"
xauthuser="[s]"
xauthgroup="[s]"
vpntunnel="[s]" tunnelip=[s]
tunnelid=[n]
tunneltype="ipsec"
duration=[n] sent=[n]
rcvd=[n] nextstat=[n]
tunnel="[s]"

IPsec connection status change log

37139 notice

vpn

MESGID_P2_UPDOWN

msg="IPsec phase 2 status
change" action=[s]
remip=[s] locip=[s]
remport=[n] locport=[n]
outintf=[s] cookies="[s]"
user="[s]" group="[s]"
xauthuser="[s]"
xauthgroup="[s]"
vpntunnel="[s]"
phase2_name=[s]

IPsec phase 2 status change log

37140 notice

vpn

MESGID_AUTO_IPSEC

msg="auto-ipsec status
change" action=[s]
remip=[s] locip=[s]
remport=[n] locport=[n]
outintf=[s] cookies="[s]"
user="[s]" group="[s]"
xauthuser="[s]"
xauthgroup="[s]"
vpntunnel="[s]" status=[s]
reason="[s]"

auto-ipsec status log

37141 notice

vpn

MESGID_CONN_STATS

msg="IPsec tunnel
statistics" action=[s]
remip=[s] locip=[s]
remport=[n] locport=[n]
outintf=[s] cookies="[s]"
user="[s]" group="[s]"
xauthuser="[s]"
xauthgroup="[s]"
vpntunnel="[s]" tunnelip=[s]
tunnelid=[n]
tunneltype="[s]"
duration=[n] sent=[n]
rcvd=[n] nextstat=[n]
tunnel="[s]"

IPsec tunnel statistics log

37188 error

vpn

MESGID_NEG_I_P1_ERROR_IKEV2

msg="IPsec phase 1 error"
action=[s] remip=[s]
locip=[s] remport=[n]
locport=[n] outintf=[s]
cookies="[s]" user="[s]"
group="[s]" vpntunnel="[s]"
status=[s]
error_reason="[s]"

IPsec phase 1 error log

37189 error

vpn

MESGID_NEG_I_P2_ERROR_IKEV2

msg="IPsec phase 2 error"
action=[s] remip=[s]
locip=[s] remport=[n]
locport=[n] outintf=[s]
cookies="[s]" user="[s]"
group="[s]" vpntunnel="[s]"
status=[s]
error_reason="[s]"

IPsec phase 2 error log

37190 error

vpn

MESGID_NEG_NO_STATE_ERROR_IKEV2

msg="IPsec no state error"
action=[s] remip=[s]
locip=[s] remport=[n]
locport=[n] outintf=[s]
cookies="[s]" user="[s]"
group="[s]" vpntunnel="[s]"
status=[s]
error_reason="[s]"

IPsec no state error log

37197 notice

vpn

MESGID_INSTALL_SA_IKEV2

msg="install IPsec SA"
action=[s] remip=[s]
locip=[s] remport=[n]
locport=[n] outintf=[s]
cookies="[s]" user="[s]"
group="[s]" vpntunnel="[s]"
role=[s] in_spi="[s]"
out_spi="[s]"

install IPsec SA log

37198 notice

vpn

MESGID_DELETE_P1_SA_IKEV2

msg="delete IPsec phase 1
SA" action=[s] remip=[s]
locip=[s] remport=[n]
locport=[n] outintf=[s]
cookies="[s]" user="[s]"
group="[s]" vpntunnel="[s]"

delete IPsec phase 1 SA log

37199 notice

vpn

MESGID_DELETE_P2_SA_IKEV2

msg="delete IPsec phase 2
SA" action=[s] remip=[s]
locip=[s] remport=[n]
locport=[n] outintf=[s]
cookies="[s]" user="[s]"
group="[s]" vpntunnel="[s]"
enc_spi="[s]" dec_spi="[s]"

delete IPsec phase 2 SA log

37200 error

vpn

MESGID_DPD_FAILURE_IKEV2

msg="IPsec DPD failure"
action=[s] remip=[s]
locip=[s] remport=[n]
locport=[n] outintf=[s]
cookies="[s]" user="[s]"
group="[s]" vpntunnel="[s]"
status=[s]

IPsec DPD failure log

37201 error

vpn

MESGID_CONN_FAILURE_IKEV2

msg="IPsec connection
failure" action=[s] remip=[s]
locip=[s] remport=[n]
locport=[n] outintf=[s]
cookies="[s]" user="[s]"
group="[s]" vpntunnel="[s]"
status=[s]

IPsec connection failure log

37202 notice

vpn

MESGID_CONN_UPDOWN_IKEV2

msg="IPsec connection
status change" action=[s]
remip=[s] locip=[s]
remport=[n] locport=[n]
outintf=[s] cookies="[s]"
user="[s]" group="[s]"
vpntunnel="[s]" tunnelip=[s]
tunnelid=[n]
tunneltype="ipsec"
duration=[n] sent=[n]
rcvd=[n] nextstat=[n]
tunnel="[s]"

IPsec connection status change log

37203 notice

vpn

MESGID_P2_UPDOWN_IKEV2

msg="IPsec phase 2 status
change" action=[s]
remip=[s] locip=[s]
remport=[n] locport=[n]
outintf=[s] cookies="[s]"
user="[s]" group="[s]"
vpntunnel="[s]"
phase2_name="[s]"

IPsec phase 2 status change log

37204 notice

vpn

MESGID_CONN_STATS_IKEV2

msg="IPsec tunnel
statistics" action=[s]
remip=[s] locip=[s]
remport=[n] locport=[n]
outintf=[s] cookies="[s]"
user="[s]" group="[s]"
vpntunnel="[s]" tunnelip=[s]
tunnelid=[n]
tunneltype="[s]"
duration=[n] sent=[n]
rcvd=[n] nextstat=[n]
tunnel="[s]"

IPsec tunnel statistics log

37888 notice

system

MESGID_HA_GROUP_DELETE

msg="HA group is deleted"
ha_group=[n]

HA group delete log

37889 notice

system

MESGID_VC_DELETE

msg="Virtual cluster is
deleted" vcluster=[n]

Virtual cluster delete log

37890 notice

system

MESGID_VC_MOVE_VDOM

msg="Virtual cluster's
vdom is moved"
from_vcluster=[n] to_vcluster=[n]
vdname="[s]"

Virtual cluster move vdom log

37891 notice

system

MESGID_VC_ADD_VDOM

msg="Virtual cluster's
vdom is added"
to_vcluster=[n] vdname="[s]"

Virtual cluster add vdom log

37892 notice

system

MESGID_VC_MOVE_MEMB_STATE

Virtual cluster move member state log

37893 notice

system

MESGID_VC_DETECT_MEMB_DEAD

msg="Virtual cluster
detected member dead"
vcluster=[n] ha_group=[n]
sn="[s]"

Virtual cluster detect member dead log

37894 notice

system

MESGID_VC_DETECT_MEMB_JOIN

msg="Virtual cluster
detected member join"
vcluster=[n] ha_group=[n]
sn="[s]"

Virtual cluster detect member join log

37895 notice

system

MESGID_VC_ADD_HADEV

msg="Virtual cluster add
HA device" vcluster=[n]
devintfname="[s]"

Virtual cluster add HA device(interface) log

37896 notice

system

MESGID_VC_DEL_HADEV

msg="Virtual cluster delete
HA device(interface)"
vcluster=[n]
devintfname="[s]"

Virtual cluster delete HA device(interface) log

37897 notice

system

MESGID_HADEV_READY

msg="HA device(interface)
ready" ha_role=[s]
devintfname="[s]"

HA device(interface) ready log

37898 warning

system

MESGID_HADEV_FAIL

msg="HA device(interface)
fail" ha_role=[s]
devintfname="[s]"

HA device(interface) fail log

37899 notice

system

MESGID_HADEV_PEERINFO

msg="HA device(interface)
peerinfo" ha_role=[s]
devintfname="[s]"

HA device(interface) peerinfo log

37900 notice

system

MESGID_HBDEV_DELETE

msg="Heartbeat
device(interface) delete"
devintfname="[s]"

Heartbeat device(interface) delete log

37901 critical

system

MESGID_HBDEV_DOWN

msg="Heartbeat
device(interface) down"
ha_role=[s] hbdn_reason="[s]"
devintfname="[s]"

Heartbeat device(interface) down log

37902 information

system

MESGID_HBDEV_UP

msg="Heartbeat
device(interface) up"
ha_role=[s] devintfname="[s]"

Heartbeat device(interface) up log

37903 information

system

MESGID_SYNC_STATUS

msg="The sync status with
the master" sync_type=[s]
sync_status="[s]"

The sync status with the master log

37904 information

system

MESGID_HA_ACTIVITY

msg="HA activity report"
ip=[s] ha-prio=[n]
activity="[s]"

HA activity report log

38010 alert

user

LOG_ID_FIPS_ENCRY_FAIL

user="[s]" ui=[s]
action=encryption
cipher=aes-128-cbc
status=failed msg="EVP
encryption failed"

Encryption failed

38011 alert

user

LOG_ID_FIPS_DECRY_FAIL

user="[s]" ui=[s]
action=decryption
cipher=aes-128-cbc
status=failed msg="EVP
decryption failed"

Decryption failed

38012 notice

user

LOG_ID_ENTROPY_TOKEN

user=system
action=seeding
msg="Seeding PRNG from
entropy token"

Seeding from entropy token

38031 notice

user

LOG_ID_FSSO_LOGON

user="[s]" src=[n].[n].[n].[n]
server="[s]"
action=FSSO-polling-logon
status=success
reason="[s]"
msg="FSSO-polling-logon
event from [s]: user [s]
logged on [n].[n].[n].[n]"

authentication information

38032 notice

user

LOG_ID_FSSO_LOGOFF

user="[s]" src=[n].[n].[n].[n]
server="[s]"
action=FSSO-polling-logoff
status=success
reason="[s]"
msg="FSSO-polling-logoff
event from [s]: user [s]
logged off [n].[n].[n].[n]"

authentication information

38033 notice

user

LOG_ID_FSSO_SVR_STATUS

user="[s]" server="[s]"
action=FSSO-polling-AD-server
msg="FSSO-polling-AD-server
status changes: [s] ->
[s]"

authentication information

38400 notice

system

LOGID_EVENT_NOTIF_SEND_SUCC

user="[s]" from="[s]"
to="[s]" service="[s]"
proto=[s] dst=[s] dport=[n]
nf_type=[s] virus="[s]"
profile="[s]"
profiletype="[s]"
profilegroup="[s]" count=[n]
duration=[n]
msg="Successfuly sent a
notification message."

The system successfully sent a notification message log

38401 warning

system

LOGID_EVENT_NOTIF_SEND_FAIL

user="[s]" from="[s]"
to="[s]" service="[s]"
proto=[s] dst=[s] dport=[n]
nf_type=[s] virus="[s]"
profile="[s]"
profiletype="[s]"
profilegroup="[s]" count=[n]
duration=[n] msg="Unable
to send notification
message."
sess_duration=[n]

The system was unable to send a notification message log

38402 notice

system

LOGID_EVENT_NOTIF_DNS_FAIL

hostname="[s]"
service="[s]" profile="[s]"
profiletype="[s]"
profile_vd="[s]" msg="Unable to
resolve hostname."

The system was unable to resolve an MMSC hostname log

38403 notice

system

LOGID_EVENT_NOTIF_INSUFFICIENT_RESOURCE

msg="[s] ([s])"

Insufficient resource

38404 notice

system

LOGID_EVENT_NOTIF_HOSTNAME_ERROR

hostname="[s]" msg="[s]"

Unable to resolve FortiGuard hostname

38405 notice

system

LOGID_NOTIF_CODE_SENDTO_SMS_PHONE

user="[s]"
action=send-activation-code
msg="Send token [s]
activation code [s] to [s]"

send activation code

38406 notice

system

LOGID_NOTIF_CODE_SENDTO_SMS_TO

user="[s]"
action=send-activation-code
msg="Send token [s]
activation code [s] to [s]"

send activation code

38407 notice

system

LOGID_NOTIF_CODE_SENDTO_EMAIL

user="[s]"
action=send-activation-code
msg="Send token [s]
activation code [s] to [s]"

send activation code

38408 information

system

LOGID_EVENT_OFTP_SSL_CONNECTED

dst=[n].[n].[n].[n] dstport=[n]
action=connect
status=success msg="SSL
connection to [n].[n].[n].[n]
is successfully
established."

SSL connection established.

38409 information

system

LOGID_EVENT_OFTP_SSL_DISCONNECTED

dst=[n].[n].[n].[n] dstport=[n]
action=disconnect
status=success msg="SSL
connection to [n].[n].[n].[n]
is successfully closed."

SSL connection closed.

38410 information

system

LOGID_EVENT_OFTP_SSL_FAILED

dst=[n].[n].[n].[n] dstport=[n]
reason="[s]([n])"
action=connect
status=failure msg="SSL
read to [n].[n].[n].[n] has
failed."

SSL connection failure.

38656 notice

user

LOGID_EVENT_RAD_RPT_PROTO_ERROR

count=[n] duration=[n]
msg="[s]"

RADIUS protocol/profile/context error, missing stop packet, accounting or other report log

38657 notice

user

LOGID_EVENT_RAD_RPT_PROF_NOT_FOUND

count=[n] duration=[n]
msg="[s]"

RADIUS protocol/profile/context error, missing stop packet, accounting or other report log

38658 notice

user

LOGID_EVENT_RAD_RPT_CTX_NOT_FOUND

count=[n] duration=[n]
msg="[s]"

RADIUS protocol/profile/context error, missing stop packet, accounting or other report log

38659 notice

user

LOGID_EVENT_RAD_RPT_ACCT_STOP_MISSED

count=[n] duration=[n]
msg="[s]"

RADIUS protocol/profile/context error, missing stop packet, accounting or other report log

38660 notice

user

LOGID_EVENT_RAD_RPT_ACCT_EVENT

count=[n] duration=[n]
msg="[s]"

RADIUS protocol/profile/context error, missing stop packet, accounting or other report log

38661 notice

user

LOGID_EVENT_RAD_RPT_OTHER

count=[n] duration=[n]
msg="[s]"

RADIUS protocol/profile/context error, missing stop packet, accounting or other report log

38662 notice

user

LOGID_EVENT_RAD_STAT_PROTO_ERROR

carrier_ep="[s]" ip=[s]
rsso_key="[s]" msg="[s]"
acct_stat=[s] reason="[s]"

RADIUS protocol errors occurred log

38663 notice

user

LOGID_EVENT_RAD_STAT_PROF_NOT_FOUND

carrier_ep="[s]" ip=[s]
rsso_key="[s]" msg="[s]"
acct_stat=[s] reason="[s]"

RADIUS start or interim-update packet received with missing or invalid profile specified

38664 notice

user

LOGID_EVENT_RAD_STAT_CTX_NOT_FOUND

carrier_ep="[s]" ip=[s]
rsso_key="[s]" msg="[s]"

RADIUS no context found for user

38665 notice

user

LOGID_EVENT_RAD_STAT_ACCT_STOP_MISSED

carrier_ep="[s]" ip=[s]
rsso_key="[s]" msg="[s]"
acct_stat=[s] reason="[s]"

RADIUS stop packet was missed

38666 notice

user

LOGID_EVENT_RAD_STAT_ACCT_EVENT

carrier_ep="[s]" ip=[s]
rsso_key="[s]" msg="[s]"
acct_stat=[s] reason="[s]"

RADIUS accounting event

38667 notice

user

LOGID_EVENT_RAD_STAT_OTHER

carrier_ep="[s]" ip=[s]
rsso_key="[s]" msg="[s]"
acct_stat=[s] reason="[s]"
count=[n]

RADIUS other dynamic profile event

39424 unknown

vpn

LOG_ID_EVENT_SSL_VPN_USER_TUNNEL_UP

action="[s]"
tunneltype="[s]"
tunnel_id=[n] remote_ip=[s]
tunnel_ip=[s] user="[s]" group="[s]"
[s][s][s] reason="[s]"
msg="[s]"

SSL user event log

39425 unknown

vpn

LOG_ID_EVENT_SSL_VPN_USER_TUNNEL_DOWN

action="[s]"
tunneltype="[s]"
tunnel_id=[n] remote_ip=[s]
tunnel_ip=[s] user="[s]" group="[s]"
[s][s][s] reason="[s]"
duration=[n] sent=[n]
rcvd=[n] msg="[s]"

SSL user event log

39426 unknown

vpn

LOG_ID_EVENT_SSL_VPN_USER_SSL_LOGIN_FAIL

action="[s]"
tunneltype="[s]"
tunnel_id=[n] remote_ip=[s]
tunnel_ip=[s] user="[s]" group="[s]"
[s][s][s] reason="[s]"
msg="[s]"

SSL user event log

39936 unknown

vpn

LOG_ID_EVENT_SSL_VPN_SESSION_WEB_TUNNEL_STATS

action="[s]"
tunneltype="[s]"
tunnel_id=[n] remote_ip=[s]
tunnel_ip=[s] user="[s]" group="[s]"
[s][s][s] next_stats=[n]
duration=[n] sent=[n]
rcvd=[n] msg="[s]"

SSL user event log

39937 unknown

vpn

LOG_ID_EVENT_SSL_VPN_SESSION_WEBAPP_DENY

action="[s]"
tunneltype="[s]"
tunnel_id=[n] remote_ip=[s]
tunnel_ip=[s] user="[s]" group="[s]"
[s][s][s] app-type="[s]"
msg="[s]"

SSL user event log

39938 unknown

vpn

LOG_ID_EVENT_SSL_VPN_SESSION_WEBAPP_PASS

action="[s]"
tunneltype="[s]"
tunnel_id=[n] remote_ip=[s]
tunnel_ip=[s] user="[s]" group="[s]"
[s][s][s] app-type="[s]"
msg="[s]"

SSL user event log

39939 unknown

vpn

LOG_ID_EVENT_SSL_VPN_SESSION_WEBAPP_TIMEOUT

action="[s]"
tunneltype="[s]"
tunnel_id=[n] remote_ip=[s]
tunnel_ip=[s] user="[s]" group="[s]"
[s][s][s] app-type="[s]"
msg="[s]"

SSL user event log

39940 unknown

vpn

LOG_ID_EVENT_SSL_VPN_SESSION_WEBAPP_CLOSE

action="[s]"
tunneltype="[s]"
tunnel_id=[n] remote_ip=[s]
tunnel_ip=[s] user="[s]" group="[s]"
[s][s][s] app-type="[s]"
msg="[s]"

SSL user event log

39941 unknown

vpn

LOG_ID_EVENT_SSL_VPN_SESSION_SYS_BUSY

action="[s]"
tunneltype="[s]"
tunnel_id=[n] remote_ip=[s]
tunnel_ip=[s] user="[s]" group="[s]"
[s][s][s] reason="[s]"
msg="[s]"

SSL user event log

39942 unknown

vpn

LOG_ID_EVENT_SSL_VPN_SESSION_CERT_OK

action="[s]"
tunneltype="[s]"
tunnel_id=[n] remote_ip=[s]
tunnel_ip=[s] user="[s]" group="[s]"
[s][s][s] reason="[s]"
msg="[s]"

SSL user event log

39943 unknown

vpn

LOG_ID_EVENT_SSL_VPN_SESSION_NEW_CON

action="[s]"
tunneltype="[s]"
tunnel_id=[n] remote_ip=[s]
tunnel_ip=[s] user="[s]" group="[s]"
[s][s][s] reason="[s]"
msg="[s]"

SSL user event log

39944 unknown

vpn

LOG_ID_EVENT_SSL_VPN_SESSION_ALERT

action="[s]"
tunneltype="[s]"
tunnel_id=[n] remote_ip=[s]
tunnel_ip=[s] user="[s]" group="[s]"
[s][s][s] alert="[s]"
desc="[s]" msg="[s]"

SSL user event log

39945 unknown

vpn

LOG_ID_EVENT_SSL_VPN_SESSION_EXIT_FAIL

action="[s]"
tunneltype="[s]"
tunnel_id=[n] remote_ip=[s]
tunnel_ip=[s] user="[s]" group="[s]"
[s][s][s] reason="[s]"
msg="[s]"

SSL user event log

39946 unknown

vpn

LOG_ID_EVENT_SSL_VPN_SESSION_EXIT_ERR

action="[s]"
tunneltype="[s]"
tunnel_id=[n] remote_ip=[s]
tunnel_ip=[s] user="[s]" group="[s]"
[s][s][s] reason="[s]"
msg="[s]"

SSL user event log

39947 unknown

vpn

LOG_ID_EVENT_SSL_VPN_SESSION_TUNNEL_UP

action="[s]"
tunneltype="[s]"
tunnel_id=[n] remote_ip=[s]
tunnel_ip=[s] user="[s]" group="[s]"
[s][s][s] reason="[s]"
msg="[s]"

SSL user event log

39948 unknown

vpn

LOG_ID_EVENT_SSL_VPN_SESSION_TUNNEL_DOWN

action="[s]"
tunneltype="[s]"
tunnel_id=[n] remote_ip=[s]
tunnel_ip=[s] user="[s]" group="[s]"
[s][s][s] reason="[s]"
duration=[n] sent=[n]
rcvd=[n] msg="[s]"

SSL user event log

39949 unknown

vpn

LOG_ID_EVENT_SSL_VPN_SESSION_TUNNEL_STATS

action="[s]"
tunneltype="[s]"
tunnel_id=[n] remote_ip=[s]
tunnel_ip=[s] user="[s]" group="[s]"
[s][s][s] next_stats=[n]
duration=[n] sent=[n]
rcvd=[n] msg="[s]"

SSL user event log

39950 unknown

vpn

LOG_ID_EVENT_SSL_VPN_SESSION_TUNNEL_UNKNOWNTAG

action="[s]"
tunneltype="[s]"
tunnel_id=[n] remote_ip=[s]
tunnel_ip=[s] user="[s]" group="[s]"
[s][s][s] reason="[s]"
msg="[s]"

SSL user event log

39951 unknown

vpn

LOG_ID_EVENT_SSL_VPN_SESSION_TUNNEL_ERROR

action="[s]"
tunneltype="[s]"
tunnel_id=[n] remote_ip=[s]
tunnel_ip=[s] user="[s]" group="[s]"
[s][s][s] reason="[s]"
msg="[s]"

SSL user event log

39952 unknown

vpn

LOG_ID_EVENT_SSL_VPN_SESSION_ENTER_CONSERVE_MODE

action="[s]"
tunneltype="[s]"
tunnel_id=[n] remote_ip=[s]
tunnel_ip=[s] user="[s]" group="[s]"
[s][s][s] reason="[s]"
msg="[s]"

SSL user event log

39953 unknown

vpn

LOG_ID_EVENT_SSL_VPN_SESSION_LEAVE_CONSERVE_MODE

action="[s]"
tunneltype="[s]"
tunnel_id=[n] remote_ip=[s]
tunnel_ip=[s] user="[s]" group="[s]"
[s][s][s] reason="[s]"
msg="[s]"

SSL user event log

40001 unknown

vpn

LOG_ID_PPTP_TUNNEL_UP

action=[s] tunnel_id=[n]
[s]tunneltype=[s]
remote_ip=[s] tunnel_ip=[s]
user="[s]" group="[s]"
[s][s][s][s]msg="[s] [s]"

VPN event log message

40002 unknown

vpn

LOG_ID_PPTP_TUNNEL_DOWN

action=[s] tunnel_id=[n]
[s]tunneltype=[s]
remote_ip=[s] tunnel_ip=[s]
user="[s]" group="[s]"
[s][s][s][s]msg="[s] [s]"

VPN event log message

40003 unknown

vpn

LOG_ID_PPTP_TUNNEL_STAT

action=[s] tunnel_id=[n]
[s]tunneltype=[s]
remote_ip=[s] tunnel_ip=[s]
user="[s]" group="[s]"
[s][s][s][s]msg="[s] [s]"

VPN event log message

40014 warning

vpn

LOG_ID_PPTP_REACH_MAX_CON

status=failure
action=connect
msg="PPTP: the maximum
number of connections has
been reached. No more
clients can connect."

The maximum number of PPTP connections has been reached

40016 warning

vpn

LOG_ID_L2TPD_SVR_DISCON

action=disconnect
status=success
reason="interface not
found" msg="L2TPD
closed all client
connections in vdom '[s]'
because failed to find
interface by device index"

L2TPD disconnection

40017 warning

vpn

LOG_ID_L2TPD_CLIENT_CON_FAIL

action=connect
status=failure reason="no
ip available" msg="No IP
addresses left to assign in
virtual domain: [s]"

L2TP client connection

40019 information

vpn

LOG_ID_L2TPD_CLIENT_DISCON

action=disconnect
status=success
msg="Client [n].[n].[n].[n]
control connection (id [n])
finished"

L2TP client disconnection

40021 debug

vpn

LOG_ID_PPTP_NOT_CONIG

status=failure
action=connect
msg="PPTP: connection
request in unconfigured
virtual domain: [s]"

pptp is not configured (in this virtual domain)

40022 warning

vpn

LOG_ID_PPTP_NO_IP_AVAIL

status=failure
action=connect
msg="PPTP: No IP
addresses left to assign in
virtual domain: [s]"

No ip available

40024 warning

vpn

LOG_ID_PPTP_OUT_MEM

status=failure action=start
msg="failed to expand pptp
config list due to not
enough memory"

Not enough memory

40034 notice

vpn

LOG_ID_PPTP_START

action=start
status=success
msg="PPTPD started
successfully"

PPTPD start

40035 error

vpn

LOG_ID_PPTP_START_FAIL

action=start status=failure
reason="failed to create
socket" msg="PPTPD
failed to start because
failed to create socket"

PPTPD start

40036 notice

vpn

LOG_ID_PPTP_EXIT

action=exit status=success
msg="PPTPD exited
successfully"

PPTPD exit

40037 information

vpn

LOG_ID_PPTPD_SVR_DISCON

action=disconnect
status=success
reason="PPTP setting is
changed" msg="PPTPD
closed all client
connections in vdom '[s]'
because PPTP setting was
changed"

PPTPD disconnect

40038 information

vpn

LOG_ID_PPTPD_CLIENT_CON

action=connect
status=success
msg="Client [n].[n].[n].[n]
control connection started"

PPTPD client connection

40039 information

vpn

LOG_ID_PPTPD_CLIENT_DISCON

action=disconnect
status=success
msg="Client [n].[n].[n].[n]
control connection
finished"

PPTPD client disconnection

40101 unknown

vpn

LOG_ID_L2TP_TUNNEL_UP

action=[s] tunnel_id=[n]
[s]tunneltype=[s]
remote_ip=[s] tunnel_ip=[s]
user="[s]" group="[s]"
[s][s][s][s]msg="[s] [s]"

VPN event log message

40102 unknown

vpn

LOG_ID_L2TP_TUNNEL_DOWN

action=[s] tunnel_id=[n]
[s]tunneltype=[s]
remote_ip=[s] tunnel_ip=[s]
user="[s]" group="[s]"
[s][s][s][s]msg="[s] [s]"

VPN event log message

40103 unknown

vpn

LOG_ID_L2TP_TUNNEL_STAT

action=[s] tunnel_id=[n]
[s]tunneltype=[s]
remote_ip=[s] tunnel_ip=[s]
user="[s]" group="[s]"
[s][s][s][s]msg="[s] [s]"

VPN event log message

40114 notice

vpn

LOG_ID_L2TPD_START

action=start
status=success
msg="L2TPD started
successfully"

L2TPD starting

40115 notice

vpn

LOG_ID_L2TPD_EXIT

action=exit status=success
msg="L2TPD exited
successfully"

L2TPD exiting

40118 information

vpn

LOG_ID_L2TPD_CLIENT_CON

action=connect
status=success
msg="Client [s] control
connection started (id [n]),
assigned ip [n].[n].[n].[n]"

L2TP client connection

40704 notice

system

LOG_ID_EVENT_SYS_PERF

action="perf-stats" cpu=[n]
mem=[n] totalsession=[n]
msg="Performance
statistics"

system performance log

40960 notice

wad

LOGID_EVENT_WAD_WEBPROXY_FWD_SRV_ERROR

fwserver_name="[s]"
addr_type=[s] ip=[s] fqdn="[s]"
port=[n] msg="[s]"

Web proxy forward server error

41000 notice

system

LOG_ID_UPD_FGT_SUCC

[s] msg="Fortigate [s]
[s][s][s] [s][s][s] [s][s][s]
[s][s][s] [s][s][s] [s][s][s]
[s][s][s] [s][s][s] from [s]"

Administrator has updated fortigate successfully

41001 critical

system

LOG_ID_UPD_FGT_FAIL

[s] msg="Fortigate [s]
failed"

Administrator has failed to update fortigate

41002 notice

system

LOG_ID_UPD_SRC_VIS

status=update src-vis=yes
msg="FortiGate updated
src-vis ([s])"

Administrator has updated src-vis plugin successfully

41003 critical

system

LOG_ID_INVALID_UPD_LIC

action=update
status=failure msg="HA
member [s] does not have
valid license"

Invalid update license

41005 notice

system

LOG_ID_UPD_VCM

status=update vcm=yes
msg="FortiGate updated
VCM ([s])"

Administrator has updated VCM plugin successfully

41984 information

vpn

LOG_ID_EVENT_SSL_VPN_CERT_LOAD

action="[s]" user="[s]"
ui="[s]" name="[s]"
msg="[s]" cert-type=[s]

Certificate log

41985 information

vpn

LOG_ID_EVENT_SSL_VPN_CERT_REMOVAL

action="[s]" user="[s]"
ui="[s]" name="[s]"
msg="[s]" cert-type=[s]

Certificate log

41987 information

vpn

LOG_ID_EVENT_SSL_VPN_CERT_UPDATE

action="[s]" cert-type=[s]
status="[s]" name="[s]"
method="[s]" msg="[s]"

Certificate log

41988 information

vpn

LOG_ID_EVENT_SSL_VPN_SETTING_UPDATE

action="info" user="[s]"
ui="[s]" msg="User
changed SSL setting"

SSL Setting Updated

41989 information

vpn

LOG_ID_EVENT_SSL_VPN_CERT_ERR

action="[s]" cert-type=[s]
status="[s]" name="[s]"
method="[s]" msg="[s]"

Certificate log

41990 information

vpn

LOG_ID_EVENT_SSL_VPN_CERT_UPDATE_FAILED

action="[s]" cert-type=[s]
status="[s]" name="[s]"
method="[s]" msg="[s]"

Certificate log

43008 notice

user

LOG_ID_EVENT_AUTH_SUCCESS

src=[s] dst=[s] policyid=3
user="user"
group="usergroup"
ui="HTTP([s])"
action=authentication
status=success
reason="reason"
msg="User user succeeded
in authentication"

Authentication log

43009 notice

user

LOG_ID_EVENT_AUTH_FAILED

src=[s] dst=[s] policyid=3
user="user"
group="usergroup"
ui="HTTP([s])"
action=authentication
status=failure
reason="reason"
msg="User user failed in
authentication"

Authentication log

43010 warning

user

LOG_ID_EVENT_AUTH_LOCKOUT

src=[s] dst=[s] policyid=3
user="user"
group="usergroup"
ui="HTTP([s])"
action=authentication
status=locked_out
reason="reason"
msg="User from [s] was
locked out"

Authentication log

43011 notice

user

LOG_ID_EVENT_AUTH_TIME_OUT

src=[s] dst=[s] policyid=[n]
user="[s]" group="[s]"
ui="[s]" action=[s]
status=[s]
reason="Authentication
timed out" msg="[s]"

Authentication log

43012 notice

user

LOG_ID_EVENT_AUTH_FSAE_AUTH_SUCCESS

src=[s] dst=[s] proto=[n]
policyid=[n] user="[s]"
adgroup="[s]" ui="[s]"
action=[s] status=[s]
reason="[s]" msg="[s]"

FSSO Authentication log

43013 notice

user

LOG_ID_EVENT_AUTH_FSAE_AUTH_FAIL

src=[s] dst=[s] proto=[n]
policyid=[n] user="[s]"
adgroup="[s]" ui="[s]"
action=[s] status=[s]
reason="[s]" msg="[s]"

FSSO Authentication log

43014 notice

user

LOG_ID_EVENT_AUTH_FSAE_LOGON

src=[s] user="[s]"
server="[s]" action=[s]
msg="[s]"

FSSO log on/off

43015 notice

user

LOG_ID_EVENT_AUTH_FSAE_LOGOFF

src=[s] user="[s]"
server="[s]" action=[s]
msg="[s]"

FSSO log on/off

43016 notice

user

LOG_ID_EVENT_AUTH_NTLM_AUTH_SUCCESS

src=[s] dst=[s] policyid=[n]
user="[s]" adgroup="[s]"
group="[s]" ui="[s]"
action=[s] status=[s]
reason="[s]" msg="[s]"

NTLM authentication log

43017 notice

user

LOG_ID_EVENT_AUTH_NTLM_AUTH_FAIL

src=[s] dst=[s] policyid=[n]
user="[s]" adgroup="[s]"
group="[s]" ui="[s]"
action=[s] status=[s]
reason="[s]" msg="[s]"

NTLM authentication log

43018 warning

user

LOG_ID_EVENT_AUTH_FGOVRD_FAIL

src=[s] dst=[s] initiator=[s]
status=[s] reason="[s]"
msg="[s]"

Fortiguard override failed log

43019 warning

user

LOG_ID_EVENT_AUTH_FGOVRD_TBL_FULL

src=[s] dst=[s] initiator=N/A
status=failure
reason="reason"
msg="FortiGuard Web
Filtering override table is
full"

Fortiguard override log

43020 notice

user

LOG_ID_EVENT_AUTH_FGOVRD_SUCCESS

src=[s] dst=[s] initiator=[s]
status=[s] reason="[s]"
scope=[s] scope_data="[s]"
rule_type=[s]
rule_data="[s]" offsite=[s]
expiry="[s]" oldwprof="[s]"
newwprof="[s]" msg="[s]"

Fortiguard override succeeded log

43021 notice

user

LOG_ID_EVENT_AUTH_ENDPOINT_CHECK

dst=[s] ui="HTTP(0.0.0.0)"
msg="forticlient msg"

Endpoint log

43022 notice

user

LOG_ID_EVENT_AUTH_ENDPOINT_LICENSE

dst=[s] ui="HTTP(0.0.0.0)"
msg="forticlient msg"

Endpoint log

43023 notice

user

LOG_ID_EVENT_AUTH_
ENDPOINT_DET_RECORD

dst=[s] ui="N/A(0.0.0.0)"
msg="forticlient msg"

Endpoint log

43024 notice

user

LOG_ID_EVENT_AUTH_
ENDPOINT_DET_SESSION

dst=[s] ui="HTTP(0.0.0.0)"
msg="forticlient msg"

Endpoint log

43025 notice

user

LOG_ID_EVENT_AUTH_
PROXY_SUCCESS

src=[s] dst=[s] policyid=[n]


user="[s]" group="[s]"
ui="[s]" action=[s]
status=[s] reason="[s]"
msg="[s]"

Wad-auth HTTP log

43026 notice

user

LOG_ID_EVENT_AUTH_
PROXY_FAILED

src=[s] dst=[s] policyid=[n]


user="[s]" group="[s]"
ui="[s]" action=[s]
status=[s] reason="[s]"
msg="[s]"

Wad-auth FTP log

43027 notice

user

LOG_ID_EVENT_AUTH_
PROXY_TIME_OUT

src=[s] dst=[s] policyid=[n]


user="[s]" group="[s]"
ui="[s]" action=[s]
status=[s] reason="user
timed out" msg="[s]"

Wad-auth time out log


ID: 43028
Severity: notice
Subtype: user
Macro: LOG_ID_EVENT_AUTH_PROXY_AUTHORIZATION_FAILED
Format: src=[s] dst=[s] policyid=[n] user="[s]" group="[s]" ui="[s]" action=[s] status=[s] reason="[s]" msg="[s]"
Description: Wad-auth HTTP log

ID: 43029
Severity: notice
Subtype: user
Macro: LOG_ID_EVENT_AUTH_WARNING_SUCCESS
Format: src=[s] dst=[s] initiator=[s] status=[s] reason="[s]" scope=[s] scope_data="[s]" rule_type=[s] rule_data="[s]" offsite=[s] expiry="[s]" oldwprof="[s]" newwprof="[s]" msg="[s]"
Description: Fortiguard override succeeded log

ID: 43030
Severity: warning
Subtype: user
Macro: LOG_ID_EVENT_AUTH_WARNING_TBL_FULL
Format: src=[s] dst=[s] initiator=[s] status=[s] reason="[s]" msg="[s]"
Description: Fortiguard override failed log

ID: 43264
Severity: information
Subtype: system
Macro: LOGID_MMS_STATS
Format: proto=[s] infected=[n] suspicious=[n] scanned=[n] intercepted=[n] blocked=[n] checksum=[n] duration=[n]
Description: MMS Statistics log

ID: 43520
Severity: notice
Subtype: wireless
Macro: LOG_ID_EVENT_WIRELESS_SYS
Format: action="[s]" msg="[s]"
Description: wireless system activity log

ID: 43522
Severity: notice
Subtype: wireless
Macro: LOG_ID_EVENT_WIRELESS_WTP
Format: sn="[s]" ap="[s]" approfile="[s]" ip=[s] meshmode="[s]" snmeshparent="[s]" action="[s]" reason="[s]" msg="[s]"
Description: physical AP activity log

ID: 43524
Severity: notice
Subtype: wireless
Macro: LOG_ID_EVENT_WIRELESS_STA
Format: sn="[s]" ap="[s]" vap="[s]" ssid="[s]" user="[s]" group="[s]" mac=[s] ip=[s] channel=[n] radioband="[s]" security="[s]" action="[s]" reason="[s]" msg="[s]"
Description: wireless client activity log

ID: 43526
Severity: notice
Subtype: wireless
Macro: LOG_ID_EVENT_WIRELESS_WTPR
Format: sn="[s]" ap="[s]" ip="[s]" radioid=[n] configcountry="[s]" opercountry="[s]" cfgtxpower=[n] opertxpower=[n] action="[s]" msg="[s]"
Description: physical AP radio activity log

ID: 43527
Severity: notice
Subtype: wireless
Macro: LOG_ID_EVENT_WIRELESS_ROGUE_CFG
Format: action="[s]" ssid="[s]" bssid=[s] apstatus=[n] msg="[s]"
Description: wireless rogue AP status config log

ID: 43529
Severity: notice
Subtype: wireless
Macro: LOG_ID_EVENT_WIRELESS_CLB
Format: sn="[s]" ap="[s]" vap="[s]" ssid="[s]" mac="[s]" radioband="[s]" stacount=[n] action="[s]" reason="[s]" msg="[s]"
Description: wireless client load balancing log


ID: 43530
Severity: notice
Subtype: wireless
Macro: LOG_ID_EVENT_WIRELESS_WIDS_WL_BRIDGE
Format: action="[s]" Threattype="[s]" live=[n] age=[n] channel=[n] rssi=[n] Frametype="[s]" DS="[s]" bssid="[s]" seq=[n] Encrypt=[n] TAMAC="[s]" manuf="[s]" sndetected="[s]" radioiddetected=[n] msg="[s]"
Description: wireless wids detected log

ID: 43532
Severity: notice
Subtype: wireless
Macro: LOG_ID_EVENT_WIRELESS_WIDS_NL_PBRESP
Format: action="[s]" Threattype="[s]" live=[n] age=[n] channel=[n] rssi=[n] Frametype="[s]" DS="[s]" bssid="[s]" seq=[n] Encrypt=[n] TAMAC="[s]" manuf="[s]" sndetected="[s]" radioiddetected=[n] msg="[s]"
Description: wireless wids detected log

ID: 43533
Severity: notice
Subtype: wireless
Macro: LOG_ID_EVENT_WIRELESS_WIDS_MAC_OUI
Format: action="[s]" Threattype="[s]" live=[n] age=[n] channel=[n] rssi=[n] Frametype="[s]" DS="[s]" bssid="[s]" seq=[n] Encrypt=[n] TAMAC=[s] manuf="[s]" sndetected="[s]" radioiddetected=[n] msg="[s]" Invalidmac=[s]
Description: wireless wids invalid-OUI-detect log

ID: 43534
Severity: notice
Subtype: wireless
Macro: LOG_ID_EVENT_WIRELESS_WIDS_LONG_DUR
Format: action="[s]" Threattype="[s]" live=[n] age=[n] channel=[n] rssi=[n] Frametype="[s]" DS="[s]" bssid="[s]" seq=[n] Encrypt=[n] TAMAC=[s] manuf="[s]" sndetected="[s]" radioiddetected=[n] msg="[s]" Dur=[n]
Description: wireless wids long-dur-detect log

ID: 43535
Severity: notice
Subtype: wireless
Macro: LOG_ID_EVENT_WIRELESS_WIDS_WEP_IV
Format: action="[s]" Threattype="[s]" live=[n] age=[n] channel=[n] rssi=[n] Frametype="[s]" DS="[s]" bssid="[s]" seq=[n] Encrypt=[n] TAMAC=[s] manuf="[s]" sndetected="[s]" radioiddetected=[n] msg="[s]" Weakwepiv=[s]
Description: wireless wids weak-wepiv-detect log


ID: 43542
Severity: notice
Subtype: wireless
Macro: LOG_ID_EVENT_WIRELESS_WIDS_EAPOL_FLOOD
Format: action="[s]" Threattype="[s]" live=[n] TAMAC=[s] manuf="[s]" sndetected="[s]" radioiddetected=[n] msg="[s]" eapoltype=[s] eapolcnt=[n]
Description: wireless wids eapol-packet-flood log

ID: 43544
Severity: notice
Subtype: wireless
Macro: LOG_ID_EVENT_WIRELESS_WIDS_MGMT_FLOOD
Format: action="[s]" Threattype="[s]" live=[n] age=[n] channel=[n] rssi=[n] Frametype="[s]" DS="[s]" bssid="[s]" TAMAC=[s] manuf="[s]" sndetected="[s]" radioiddetected=[n] msg="[s]" mgmtcnt=[n]
Description: wireless wids mgmt-flood-detect log

ID: 43546
Severity: notice
Subtype: wireless
Macro: LOG_ID_EVENT_WIRELESS_WIDS_SPOOF_DEAUTH
Format: action="[s]" Threattype="[s]" live=[n] age=[n] channel=[n] rssi=[n] Frametype="[s]" DS="[s]" bssid="[s]" seq=[n] Encrypt=[n] TAMAC="[s]" manuf="[s]" sndetected="[s]" radioiddetected=[n] msg="[s]"
Description: wireless wids detected log

ID: 43548
Severity: notice
Subtype: wireless
Macro: LOG_ID_EVENT_WIRELESS_WIDS_ASLEAP
Format: action="[s]" Threattype="[s]" live=[n] age=[n] channel=[n] rssi=[n] Frametype="[s]" DS="[s]" bssid="[s]" seq=[n] Encrypt=[n] TAMAC="[s]" manuf="[s]" sndetected="[s]" radioiddetected=[n] msg="[s]"
Description: wireless wids detected log

ID: 43550
Severity: notice
Subtype: wireless
Macro: LOG_ID_EVENT_WIRELESS_STA_LOCATE
Format: sn="[s]" ap="[s]" radioid=[n] radioband="[s]" stamac="[s]" signal=[n] noise=[n] action="[s]" msg="[s]"
Description: wireless station presence detection log

ID: 43776
Severity: notice
Subtype: system
Macro: LOGID_EVENT_NAC_QUARANTINE
Format: src=[s] dst=[s] src_int=[s] proto=[n] service="[s]" action=[s] user="[s]" group="[s]" policyid=[n] banned_src=[s] banned_rule="[s]" sensor="[s][n]"
Description: NAC quarantine event log

ID: 43800
Severity: critical
Subtype: system
Macro: LOG_ID_EVENT_ELBC_BLADE_JOIN
Format: [s]="blade-join" [s]="[n]" [s]="[n]" [s]="[s]" [s]="blade in slot [n] of chassis [n] is ready to process traffic"
Description: blade joins cluster


ID: 43801
Severity: critical
Subtype: system
Macro: LOG_ID_EVENT_ELBC_BLADE_LEAVE
Format: [s]="blade-leave" [s]="[n]" [s]="[n]" [s]="[s]" [s]="blade in slot [n] of chassis [n] is no longer ready to process traffic"
Description: blade leaves cluster

ID: 43802
Severity: critical
Subtype: system
Macro: LOG_ID_EVENT_ELBC_MASTER_BLADE_FOUND
Format: [s]="master-found" [s]="[n]" [s]="[n]" [s]="[s]" [s]="blade in slot [n] of chassis [n] became master. there was no previous master."
Description: master blade found

ID: 43803
Severity: critical
Subtype: system
Macro: LOG_ID_EVENT_ELBC_MASTER_BLADE_LOST
Format: [s]="master-lost" [s]="[n]" [s]="[n]" [s]="[s]" [s]="blade in slot [n] of chassis [n] is no longer master. there is no new master."
Description: master blade lost

ID: 43804
Severity: critical
Subtype: system
Macro: LOG_ID_EVENT_ELBC_MASTER_BLADE_CHANGE
Format: [s]="master-changed" [s]="[n]" [s]="[n]" [s]="[n]" [s]="[n]" [s]="[s]" [s]="blade in slot [n] of chassis [n] is no longer master. blade in slot [n] of chassis [n] is the new master"
Description: master blade changed

ID: 43805
Severity: critical
Subtype: system
Macro: LOG_ID_EVENT_ELBC_ACTIVE_CHANNEL_FOUND
Format: [s]="channel-activate" [s]="[n]" [s]="[n]" [s]="[s]" [s]="[n]" [s]="Channel [n] (FortiSwitch in slot [n]) of chassis [n] became active. there was no previous active channel"
Description: ELBC channel becomes active

ID: 43806
Severity: critical
Subtype: system
Macro: LOG_ID_EVENT_ELBC_ACTIVE_CHANNEL_LOST
Format: [s]="channel-deactivate" [s]="[n]" [s]="[n]" [s]="[s]" [s]="[n]" [s]="Channel [n] (FortiSwitch in slot [n]) of chassis [n] became inactive. there is currently no active channel."
Description: ELBC channel becomes inactive

ID: 43807
Severity: critical
Subtype: system
Macro: LOG_ID_EVENT_ELBC_ACTIVE_CHANNEL_CHANGE
Format: [s]="channel-failover" [s]="[n]" [s]="[n]" [s]="[s]" [s]="[n]" [s]="[n]" [s]="Channel [n] (FortiSwitch in slot [n]) of chassis [n] failed over to channel [n] (FortiSwitch in slot [n])."
Description: ELBC channel failover

ID: 43808
Severity: critical
Subtype: system
Macro: LOG_ID_EVENT_ELBC_CHASSIS_ACTIVE
Format: [s]="chassis-activated" [s]="[n]" [s]="[s]" [s]="chassis [n] became active and will process traffic"
Description: chassis becomes active


ID: 43809
Severity: critical
Subtype: system
Macro: LOG_ID_EVENT_ELBC_CHASSIS_INACTIVE
Format: [s]="chassis-deactivated" [s]="[n]" [s]="[s]" [s]="chassis [n] became passive and will not process traffic"
Description: chassis becomes inactive

ID: 44288
Severity: information
Subtype: router
Macro: LOG_ID_DNS_RESPONSE
Format: policyid=22 src=[s] dst=[s] src_int="eth0" dst_int="switch0" user="user" group="group" dns_name="fotinet dns" dns_ip="1.1.1.1"
Description: test dns event log

ID: 44544
Severity: information
Subtype: system
Macro: LOGID_EVENT_CONFIG_PATH
Format: user="[s]" ui="[s]" action=[s] cfgtid=[n] cfgpath="[s]" msg="[s]"
Description: config path log

ID: 44545
Severity: information
Subtype: system
Macro: LOGID_EVENT_CONFIG_OBJ
Format: user="[s]" ui="[s]" action=[s] cfgtid=[n] cfgpath="[s]" cfgobj="[s]" msg="[s]"
Description: config obj log

ID: 44546
Severity: information
Subtype: system
Macro: LOGID_EVENT_CONFIG_ATTR
Format: user="[s]" ui="[s]" action=[s] cfgtid=[n] cfgpath="[s]" cfgattr=[s] msg="[s]"
Description: config attr log

ID: 44547
Severity: information
Subtype: system
Macro: LOGID_EVENT_CONFIG_OBJATTR
Format: user="[s]" ui="[s]" action=[s] cfgtid=[n] cfgpath="[s]" cfgobj="[s]" cfgattr=[s] msg="[s]"
Description: config obj attr log

ID: 44801
Severity: notice
Subtype: system
Macro: 44801
Format: limit=[n] msg=[Inbound/Outbound] bandwidth rate exceeded the shaper limit.
Description: [Inbound/Outbound] bandwidth rate exceeded

ID: 45000
Severity: debug
Subtype: router
Macro: LOG_ID_VSD_SSL_RCV_HS
Format: serial=[s] policy=[n] identidx=[n] vip="[s]" src=[s] src-port=[n] dst=[s] dst-port=[n] action=receive handshake=[s] msg=[s]
Description: SSL handshake received

ID: 45001
Severity: error
Subtype: router
Macro: LOG_ID_VSD_SSL_RCV_WRG_HS
Format: serial=[s] policy=[n] identidx=[n] vip="[s]" src=[s] src-port=[n] dst=[s] dst-port=[n] action=receive expected=[s] received=[s] msg="Incorrect SSL handshake message"
Description: SSL received incorrect handshake message

ID: 45002
Severity: debug
Subtype: router
Macro: LOG_ID_VSD_SSL_SENT_HS
Format: serial=[s] policy_id=[n] identidx=[n] vip="[s]" src=[s] src-port=[n] dst=[s] dst-port=[n] action=send handshake=[s] msg=[s]
Description: SSL handshake sent


ID: 45003
Severity: error
Subtype: router
Macro: LOG_ID_VSD_SSL_WRG_HS_LEN
Format: serial=[s] policy=[n] identidx=[n] vip="[s]" src=[s] src-port=[n] dst=[s] dst-port=[n] action=receive len=[n] msg="Incorrect SSL handshake length"
Description: SSL handshake has invalid length

ID: 45004
Severity: debug
Subtype: router
Macro: LOG_ID_VSD_SSL_RCV_CCS
Format: serial=[s] policy=[n] identidx=[n] vip="[s]" src=[s] src-port=[n] dst=[s] dst-port=[n] action=receive msg=ChangeCipherSpec
Description: SSL ChangeCipherSpec received

ID: 45005
Severity: error
Subtype: router
Macro: LOG_ID_VSD_SSL_RSA_DH_FAIL
Format: serial=[s] policy=[n] identidx=[n] vip="[s]" src=[s] src-port=[n] dst=[s] dst-port=[n] action=close msg="RSA verification of Diffie-Hellman parameters failed"
Description: RSA verification of Diffie-Hellman parameters failed

ID: 45006
Severity: debug
Subtype: router
Macro: LOG_ID_VSD_SSL_SENT_CCS
Format: serial=[s] policy=[n] identidx=[n] vip="[s]" src=[s] src-port=[n] dst=[s] dst-port=[n] action=send msg=ChangeCipherSpec
Description: SSL ChangeCipherSpec sent

ID: 45007
Severity: error
Subtype: router
Macro: LOG_ID_VSD_SSL_BAD_HASH
Format: serial=[s] policy=[n] identidx=[n] vip="[s]" src=[s] src-port=[n] dst=[s] dst-port=[n] local=[s] remote=[s] action=close msg="Hash in SSL Finished does not match calculated hash"
Description: Hash in SSL Finished does not match calculated hash

ID: 45009
Severity: error
Subtype: router
Macro: LOG_ID_VSD_SSL_DECRY_FAIL
Format: serial=[s] policy=[n] identidx=[n] vip="[s]" src=[s] src-port=[n] dst=[s] dst-port=[n] action=close reason=[n] msg="SSL decryption failure"
Description: SSL decryption failure

ID: 45010
Severity: debug
Subtype: router
Macro: LOG_ID_VSD_SSL_SESSION_CLOSED
Format: serial=[s] policy=[n] identidx=[n] vip="[s]" src=[s] src-port=[n] dst=[s] dst-port=[n] action=close msg="SSL session closed"
Description: SSL session closed

ID: 45011
Severity: error
Subtype: router
Macro: LOG_ID_VSD_SSL_LESS_MINOR
Format: serial=[s] policy=[n] identidx=[n] vip="[s]" src=[s] src-port=[n] dst=[s] dst-port=[n] action=close min-minor=[n] recv-minor=[n] msg="SSL minor below mininum configured value"
Description: SSL minor version less than configured minimum value


ID: 45012
Severity: warning
Subtype: router
Macro: LOG_ID_VSD_SSL_REACH_MAX_CON
Format: serial=[s] policy=[n] identidx=[n] vip="[s]" src=[s] src-port=[n] dst=[s] dst-port=[n] action=close msg="SSL maximum connections reached"
Description: SSL maximum connection limit reached

ID: 45013
Severity: error
Subtype: router
Macro: LOG_ID_VSD_SSL_NOT_SUPPORT_CS
Format: serial=[s] policy=[n] identidx=[n] vip="[s]" src=[s] src-port=[n] dst=[s] dst-port=[n] action=close msg="None of the offered CipherSuites are supported"
Description: None of the offered SSL CipherSuites are supported

ID: 45016
Severity: debug
Subtype: router
Macro: LOG_ID_VSD_SSL_HS_FIN
Format: serial=[s] policy=[n] identidx=[n] vip="[s]" src=[s] src-port=[n] dst=[s] dst-port=[n] action=complete msg="SSL Handshake complete"
Description: SSL handshake complete

ID: 45017
Severity: error
Subtype: router
Macro: LOG_ID_VSD_SSL_HS_TOO_LONG
Format: serial=[s] policy=[n] identidx=[n] vip="[s]" src=[s] src-port=[n] dst=[s] dst-port=[n] action=receive handshake=[s] len=[n] max=[n] msg="SSL Handshake too long"
Description: SSL handshake too long

ID: 45018
Severity: debug
Subtype: router
Macro: LOG_ID_VSD_SSL_MORE_MINOR
Format: serial=[s] policy=[n] identidx=[n] vip="[s]" src=[s] src-port=[n] dst=[s] dst-port=[n] action=recv max-minor=[n] recv-minor=[n] msg="SSL capping minor version at maximum configured value"
Description: SSL minor version larger than configured maximum value

ID: 45019
Severity: error
Subtype: router
Macro: LOG_ID_VSD_SSL_SENT_ALERT_ERR
Format: serial=[s] policy=[n] identidx=[n] vip="[s]" src=[s] src-port=[n] dst=[s] dst-port=[n] action=send level=[n] desc=[n] msg="SSL Alert sent"
Description: SSL Alert sent

ID: 45020
Severity: debug
Subtype: router
Macro: LOG_ID_VSD_SSL_SESSION_EXPIRE
Format: vip="[s]" addr=[s] port=[n] created="[s]" id=[s] action=expire msg="SSL session state expired"
Description: SSL session state expiry

ID: 45021
Severity: debug
Subtype: router
Macro: LOG_ID_VSD_SSL_SENT_ALERT
Format: serial=[s] policy=[n] identidx=[n] vip="[s]" src=[s] src-port=[n] dst=[s] dst-port=[n] action=send level=[n] desc=[n] msg="SSL Alert sent"
Description: SSL Alert sent


ID: 45022
Severity: debug
Subtype: router
Macro: LOG_ID_VSD_SSL_RCV_CH
Format: serial=[s] policy=[n] identidx=[n] vip="[s]" src=[s] src-port=[n] dst=[s] dst-port=[n] action=receive handshake=ClientHello msg=ClientHello ssl2=[n] major=[n] minor=[n] session_id="[s]"[s][s][s][s][s][s]
Description: SSL ClientHello received

ID: 45023
Severity: debug
Subtype: router
Macro: LOG_ID_VSD_SSL_RCV_SH
Format: serial=[s] policy=[n] identidx=[n] vip="[s]" src=[s] src-port=[n] dst=[s] dst-port=[n] action=receive handshake=ServerHello msg=ServerHello major=[n] minor=[n] cipher=[s] session_id="[s]"[s][s][s]
Description: SSL ServerHello received

ID: 45024
Severity: debug
Subtype: router
Macro: LOG_ID_VSD_SSL_SENT_SH
Format: serial=[s] policy=[n] identidx=[n] vip="[s]" src=[s] src-port=[n] dst=[s] dst-port=[n] action=send handshake=ServerHello msg=ServerHello major=[n] minor=[n] cipher=[s] session_id="[s]"[s][s][s]
Description: SSL ServerHello sent

ID: 45025
Severity: error | debug
Subtype: router
Macro: LOG_ID_VSD_SSL_RCV_ALERT
Format: serial=[s] policy=[n] identidx=[n] vip="[s]" src=[s] src-port=[n] dst=[s] dst-port=[n] action=receive level=[n] desc=[n] msg="SSL Alert received"
Description: SSL Alert received

ID: 45027
Severity: error
Subtype: router
Macro: LOG_ID_VSD_SSL_INVALID_CONT_TYPE
Format: serial=[s] policy=[n] identidx=[n] vip="[s]" src=[s] src-port=[n] dst=[s] dst-port=[n] action=receive type=[n] msg="Invalid SSL ContentType"
Description: Invalid SSL ContentType

ID: 45029
Severity: error
Subtype: router
Macro: LOG_ID_VSD_SSL_BAD_CCS_LEN
Format: serial=[s] policy=[n] identidx=[n] vip="[s]" src=[s] src-port=[n] dst=[s] dst-port=[n] action=close msg="Bad length in SSL ChangeCipherSpec"
Description: SSL ChangeCipherSpec has bad length

ID: 45031
Severity: error
Subtype: router
Macro: LOG_ID_VSD_SSL_BAD_DH
Format: serial=[s] policy=[n] identidx=[n] vip="[s]" src=[s] src-port=[n] dst=[s] dst-port=[n]min=[n] max=[n] received=[n] action=close msg="[s]"
Description: SSL Diffie-Hellman has bad value


ID: 45032
Severity: error
Subtype: router
Macro: LOG_ID_VSD_SSL_PUB_KEY_TOO_BIG
Format: serial=[s] policy=[n] identidx=[n] vip="[s]" src=[s] src-port=[n] dst=[s] dst-port=[n]len=[n] max=[n] action=close msg="[s]"
Description: Certificate's public key is too big for SSL offloading

ID: 45033
Severity: error
Subtype: router
Macro: LOG_ID_VSD_SSL_NOT_SUPPORT_CM
Format: serial=[s] policy=[n] identidx=[n] vip="[s]" src=[s] src-port=[n] dst=[s] dst-port=[n] action=close msg="None of the offered CompressionMethods are supported"
Description: None of the offered SSL CompressionMethods are supported

ID: 45056
Severity: notice
Subtype: system
Macro: LOG_ID_FCC_EXCEED
Format: action=[s] status=[s] license_limit=[n] reason="[s]" repeat=[n] msg="FortiClient license maximum has been reached."
Description: forticlient license exceed msg

ID: 45057
Severity: information
Subtype: system
Macro: LOG_ID_FCC_ADD
Format: action=[s] status=[s] license_limit=[s] license_used=[n] used_for_type=[n] connection_type=[s] count=[n] user="[s]" ip=[s] name="[s]" forticlient_id="[s]" msg="Add a FortiClient Connection."
Description: add forticlient connection msg

ID: 45058
Severity: information
Subtype: system
Macro: LOG_ID_FCC_CLOSE
Description: close forticlient connection msg

ID: 45059
Severity: notice
Subtype: system
Macro: LOG_ID_FCC_UPGRADE_SUCC
Format: action=[s] status=[s] ui="[s]" user="[s]" license_limit=[s] msg="FortiClient license has been upgraded."
Description: upgrade forticlient license msg

ID: 45060
Severity: error
Subtype: system
Macro: LOG_ID_FCC_UPGRADE_FAIL
Format: action=[s] status=[s] ui="[s]" user="[s]" reason="[s]" msg="Failed to upgrade FortiClient license."
Description: upgrade forticlient license failed msg

ID: 45100
Severity: warning
Subtype: system
Macro: LOG_ID_EC_REG_FAIL
Format: user="[s]" hostname="[s]" ip=[n].[n].[n].[n] forticlient_id=[s] interface=[s] msg="FortiClient registration failed due to blocked UID."
Description: FortiClient registration fail msg

ID: 45101
Severity: notice
Subtype: system
Macro: LOG_ID_EC_REG_SUCCEED
Format: user="[s]" hostname="[s]" ip=[n].[n].[n].[n] forticlient_id=[s] interface=[s] msg="FortiClient registration succeeded."
Description: FortiClient registration succeed msg

ID: 45102
Severity: notice
Subtype: system
Macro: LOG_ID_EC_REG_RENEWED
Format: user="[s]" hostname="[s]" ip=[n].[n].[n].[n] forticlient_id=[s] interface=[s] msg="FortiClient registration renewed."
Description: FortiClient registration renew msg

ID: 45103
Severity: notice
Subtype: system
Macro: LOG_ID_EC_REG_BLOCK
Format: forticlient_id=[s] msg="FortiClient is blocked for registration."
Description: FortiClient registration block msg

ID: 45104
Severity: notice
Subtype: system
Macro: LOG_ID_EC_REG_UNBLOCK
Format: forticlient_id=[s] msg="FortiClient is unblocked for registration."
Description: FortiClient registration unblock msg

ID: 45105
Severity: notice
Subtype: system
Macro: LOG_ID_EC_REG_DEREG
Format: forticlient_id=[s] msg="FortiClient is de-registered."
Description: FortiClient registration de-register msg

ID: 45106
Severity: notice
Subtype: system
Macro: LOG_ID_EC_REG_LIC_UPGRADED
Format: msg="FortiClient registration license upgraded."
Description: FortiClient registration license upgrade msg

ID: 45107
Severity: notice
Subtype: system
Macro: LOG_ID_EC_CONF_DISTRIBUTED
Format: user="[s]" hostname="[s]" ip=[n].[n].[n].[n] forticlient_id=[s] interface=[s] msg="FortiClient configuration distributed."
Description: FortiClient configuration distribute msg

ID: 45108
Severity: notice
Subtype: system
Macro: LOG_ID_EC_FTCL_UNREG
Format: user="[s]" hostname="[s]" ip=[n].[n].[n].[n] forticlient_id=[s] interface=[s] msg="FortiClient unregistered."
Description: FortiClient unregister msg

ID: 45109
Severity: notice
Subtype: system
Macro: LOG_ID_EC_FTCL_LOGOFF
Format: user="[s]" hostname="[s]" ip=[n].[n].[n].[n] forticlient_id=[s] interface=[s] msg="FortiClient logged off."
Description: FortiClient logoff msg

ID: 45110
Severity: notice
Subtype: system
Macro: LOG_ID_EC_FTCL_ENABLE_NOTSYNC
Format: user="[s]" hostname="[s]" ip=[n].[n].[n].[n] forticlient_id=[s] interface=[s] msg="FortiClient SYNC_WITH_FGT disabled."
Description: FortiClient disable SYNC_WITH_FGT msg

ID: 46000
Severity: notice
Subtype: system
Macro: LOG_ID_VIP_REAL_SVR_ENA
Format: vip="[s]" server=[n].[n].[n].[n] port=[n] status=[s] action=enable msg="ldb server enabled"
Description: VIP realserver has been enabled.

ID: 46001
Severity: alert
Subtype: system
Macro: LOG_ID_VIP_REAL_SVR_DISA
Format: vip="[s]" server=[n].[n].[n].[n] port=[n] status=[s] action=disable msg="ldb server disabled"
Description: VIP realserver has been disabled.

ID: 46002
Severity: notice
Subtype: system
Macro: LOG_ID_VIP_REAL_SVR_UP
Format: vip="[s]" server=[n].[n].[n].[n] port=[n] status=[s] action=up msg="ldb server up"
Description: VIP realserver has become up.


ID: 46003
Severity: alert
Subtype: system
Macro: LOG_ID_VIP_REAL_SVR_DOWN
Format: vip="[s]" server=[n].[n].[n].[n] port=[n] status=[s] action=down msg="ldb server down"
Description: VIP realserver has been down.

ID: 46004
Severity: notice
Subtype: system
Macro: LOG_ID_VIP_REAL_SVR_ENT_HOLDDOWN
Format: vip="[s]" server=[n].[n].[n].[n] port=[n] status=[s] action=holddown msg="ldb server entered holddown period" interval=[n](sec)
Description: VIP realserver has started holddown period.

ID: 46005
Severity: alert
Subtype: system
Macro: LOG_ID_VIP_REAL_SVR_FAIL_HOLDDOWN
Format: vip="[s]" server=[n].[n].[n].[n] port=[n] status=[s] action=holddown msg="ldb server health checking failed during holddown period"
Description: VIP realserver has failed holddown.

ID: 46006
Severity: debug
Subtype: system
Macro: LOG_ID_VIP_REAL_SVR_FAIL
Format: vip="[s]" server=[n].[n].[n].[n] port=[n] status=[s] monitor-name=[s] monitor-type=[s] action=check msg="ldb server health checking failed"
Description: Health monitor has detected VIP realserver health problem.

ID: 46084
Severity: error
Subtype: system
Macro: LOG_EVENT_REPUTATION_VDOM_PURGE_ERROR
Format: action=reputation_purge status=failure reason="[s]" msg="Failed to complete reputation db maintenance for vdom [s]"
Description: reputation tracking data maintenance

ID: 46085
Severity: information
Subtype: system
Macro: LOG_EVENT_REPUTATION_VDOM_PURGE_SUCCESS
Format: action=reputation_purge status=success msg="Completed reputation db maintenance"
Description: reputation tracking data maintenance

ID: 46092
Severity: information
Subtype: system
Macro: LOG_EVENT_REPUTATION_ERASE_DATA_ERROR
Format: action=reputation_clear status=failure reason="[s]" msg="Failed to erase reputation db for vdom [s]"
Description: reputation report

ID: 46093
Severity: information
Subtype: system
Macro: LOG_EVENT_REPUTATION_ERASE_DATA_SUCCESS
Format: action=reputation_clear status=success msg="Erased reputation db for vdom [s]"
Description: reputation report

ID: 47201
Severity: emergency
Subtype: system
Macro: LOG_ID_AMC_ENTER_BYPASS
Format: msg="The AMC card in slot [s] has entered bypass mode due to [s]."
Description: AMC card entered bypass mode

ID: 47202
Severity: emergency
Subtype: system
Macro: LOG_ID_AMC_EXIT_BYPASS
Format: msg="The AMC card in slot [s] has exited bypass mode due to [s]."
Description: AMC card exited bypass mode

ID: 47203
Severity: emergency
Subtype: system
Macro: LOG_ID_ENTER_BYPASS
Format: msg="The bypass ports pair have entered bypass mode."
Description: Bypass ports pair entered bypass mode

ID: 47204
Severity: emergency
Subtype: system
Macro: LOG_ID_EXIT_BYPASS
Format: msg="The bypass ports pair have exited bypass mode."
Description: Bypass ports pair exited bypass mode

ID: 48000
Severity: debug
Subtype: wad
Macro: LOG_ID_WAD_SSL_RCV_HS
Format: session_id=[s] policyid=[n] src=[n].[n].[n].[n] srcport=[n] dst=[n].[n].[n].[n] dstport=[n] action=receive handshake="[s]"
Description: SSL handshake received

ID: 48001
Severity: error
Subtype: wad
Macro: LOG_ID_WAD_SSL_RCV_WRG_HS
Format: session_id=[s] policyid=[n] src=[n].[n].[n].[n] srcport=[n] dst=[n].[n].[n].[n] dstport=[n] action=receive msg="Incorrect SSL handshake length. len:[n]"
Description: SSL handshake has invalid length
