
COMPREHENSIVE INTERNET SECURITY

Log Event Reference Guide

SonicWALL Internet Security Appliances

Log Event Messages


The messages explained in this book are generated by the SonicWALL as part of its logging and notification feature. They are useful to system administrators when monitoring and operating the SonicWALL. There are eight categories of events:

Dropped
Attacks
Blocked
Network Debug
System Errors
System Maintenance
User Activity
VPN Statistics

Event logging begins automatically when the SonicWALL is powered on and configured. The SonicWALL supports a traffic log containing entries with multiple fields.


SonicWALL SonicOS Log View

Each entry in the SonicOS Log View has the following columns:

Date and Time
Message
Source
Destination
Notes
Rule

SonicWALL Firmware Log View

Each entry in the Firmware Log View has the following fields:

Time and Date Stamp
Event Message
Source IP Address
Destination IP Address
Additional Information
Rule Number (If Applicable)

SonicWALL Log Messages


Each log entry contains the date and time of the event and a brief message describing the event. Log entries can also be copied from the management interface and pasted into a report. The SonicWALL manages log events in the following manner:

TCP, UDP, or ICMP packets dropped - When IP packets are dropped by the SonicWALL, dropped TCP, UDP and ICMP messages are displayed. The messages include the source and destination IP addresses of the packet. The TCP or UDP port number, or the ICMP code, follows each IP address. Log messages usually include the name of the service in quotation marks.

Web, FTP, Gopher, or Newsgroup blocked - When a computer attempts to connect to a blocked site or newsgroup, a log event is displayed. Blocked is defined as a Web site, connection, or event that the SonicWALL denies access to. The computer's IP address, Ethernet address, the name of the blocked Web site, and the Content Filter List code are displayed. The codes for the 12 Content Filter List categories are:

1. Violence
2. Intimate Apparel/Swimsuit
3. Nudism
4. Adult/Mature Content/Pornography
5. Weapons
6. Hate/Racism
7. Cult
8. Drugs/Illegal Drugs
9. Criminal Skills/Illegal Skills
10. Sex Education
11. Gambling
12. Alcohol & Tobacco

Descriptions of the categories are available at <http://www.sonicwall.com/Content-Filter/categories.html>.

ActiveX, Java, Cookie or Code Archive blocked - When ActiveX, Java or Web cookies are blocked, messages with the source and destination IP addresses of the connection attempt are displayed.

Ping of Death, IP Spoof, and SYN Flood Attacks - The IP address of the machine under attack and the source of the attack are displayed. In most attacks, the source address shown is forged and does not reflect the real source of the attack.
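The column layout above, together with the endpoint convention just described (IP address followed by the TCP/UDP port or ICMP code, service name in quotation marks), is enough to turn an exported log into structured records. What follows is an added example, not part of this guide or of SonicWALL's own software: it assumes a tab-separated export in the SonicOS Log View column order, and the sample lines are constructed for the example. It parses the entries and then summarises dropped packets by service and by destination port, which is the first thing a practitioner wants from a dropped-packet log.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample export (not from the guide). Assumed layout: one entry per
# line, tab-separated columns in the SonicOS Log View order
# (Date and Time, Message, Source, Destination, Notes, Rule). Source and
# Destination follow the convention the guide describes: IP address, then the
# TCP/UDP port or the ICMP code; the service name sits in Notes in quotes.
SAMPLE_LOG = """\
01/15/2004 09:12:01\tTCP Dropped\t203.0.113.7, 3389\t198.51.100.2, 3389\t"Terminal Services"\t7
01/15/2004 09:12:03\tUDP Dropped\t203.0.113.7, 137\t198.51.100.2, 137\t"NetBIOS Name"\t7
01/15/2004 09:12:04\tICMP Dropped\t203.0.113.9, 8\t198.51.100.2, 8\t"Ping"\t
01/15/2004 09:12:09\tTCP Dropped\t203.0.113.8, 49152\t198.51.100.2, 3389\t"Terminal Services"\t7
01/15/2004 09:12:15\tPing of death blocked\t203.0.113.44\t198.51.100.2\t\t
"""


@dataclass
class Endpoint:
    address: str
    selector: Optional[int]  # TCP/UDP port or ICMP code; None when the entry has none


@dataclass
class LogEntry:
    timestamp: datetime
    message: str
    source: Endpoint
    destination: Endpoint
    notes: str
    rule: Optional[int]


def parse_endpoint(field: str) -> Endpoint:
    """Split '203.0.113.7, 3389' into address and port/code; tolerate a bare address."""
    addr, _, rest = field.partition(",")
    rest = rest.strip()
    return Endpoint(addr.strip(), int(rest) if rest.isdigit() else None)


def parse_log(text: str) -> list:
    """Parse the tab-separated export into LogEntry records."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = line.split("\t")
        cols += [""] * (6 - len(cols))  # tolerate entries with trailing columns missing
        when, message, src, dst, notes, rule = cols[:6]
        entries.append(LogEntry(
            timestamp=datetime.strptime(when.strip(), "%m/%d/%Y %H:%M:%S"),
            message=message.strip(),
            source=parse_endpoint(src),
            destination=parse_endpoint(dst),
            notes=notes.strip().strip('"'),
            rule=int(rule) if rule.strip().isdigit() else None,
        ))
    return entries


def dropped_by_service(entries) -> Counter:
    """Count dropped packets per (protocol, destination port or ICMP code, service name)."""
    counts = Counter()
    for e in entries:
        if e.message in ("TCP Dropped", "UDP Dropped", "ICMP Dropped"):
            proto = e.message.split()[0]
            counts[(proto, e.destination.selector, e.notes)] += 1
    return counts


def sources_hitting_port(entries, port: int) -> list:
    """Distinct source addresses whose TCP packets to the given port were dropped."""
    return sorted({e.source.address for e in entries
                   if e.message == "TCP Dropped" and e.destination.selector == port})


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for key, n in dropped_by_service(parsed).most_common():
        print(f"{n:4d}  {key[0]:4s} {str(key[1]):6s} {key[2]}")
    print("sources probing 3389:", sources_hitting_port(parsed, 3389))
```

The rule column is kept as an integer so that drops can be traced back to the access rule that caused them; a dropped entry with no rule number, like the ICMP line above, was refused by a default policy rather than a configured rule, which is the distinction the guide draws in the Dropped section.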

Tip!

Some network conditions can produce traffic that looks like an attack even when no one is deliberately attacking the LAN. To follow up on a possible attack, contact your ISP to help determine its source; because the logged source address is often spoofed, do not rely on it alone. Regardless of the nature of the attack, the SonicWALL has already dropped the traffic, so no further steps are needed to protect the LAN.

Log Events
This section lists the log events by category. Each log event description includes an explanation of its meaning, and if necessary, a recommended action.

Dropped Log Event Messages


Dropped - A dropped event is a service that is denied entry into the SonicWALL because it violates configured or default security policies. No response is returned to the sender. The SonicWALL logs these events as follows:

TCP Dropped - An unauthorized TCP packet was detected and refused.
UDP Dropped - An unauthorized UDP packet was detected and refused.
Web access request dropped - A Web access request was detected and refused.


Fragmented Packet Dropped - The SonicWALL refused a fragmented packet.
IPSec (ESP) packet dropped - An IPSec ESP packet was dropped by the SonicWALL.
Port configured to receive IPSEC Only. Drop packet received in the clear. - The SonicWALL is configured to accept only IPSec packets on this port; unencrypted packets are dropped.
ICMP Dropped - ICMP uses datagrams of various types to carry control messages between hosts and routers on a TCP/IP network. In this case, the ICMP message was dropped by the SonicWALL.
Denied TCP connection from LAN - The SonicWALL refused a TCP connection from the LAN.
Unknown Protocol Dropped - The SonicWALL detected and refused a packet using an unknown protocol.
Internet Access restricted to authorized users. Drop packet received in the clear. - The SonicWALL is configured to allow Internet access only to authorized users; the packet was not from such a user and was dropped.
IPSec (AH) packet dropped - The SonicWALL detected and refused an IPSec packet authenticated using AH.

Events Logged as Attacks


Attacks - Events categorized by the SonicWALL as attacks are e-mailed to you if you have configured the automation section of Logging. Attacks can be Smurf, Ripper, IP Spoof, or other events. Attacks are logged as listed below:

Ping of death blocked - The SonicWALL has detected an attempted Ping of Death attack by detecting grossly oversized ICMP packets and rejecting them.
IP Spoof Detected - A packet arrived on an interface with a source IP address that conflicts with the SonicWALL route table, and was rejected by the SonicWALL.
Possible Syn Flood Attack - The SonicWALL has detected and prevented a possible SYN flood, a type of denial of service attack.
Probable Syn Flood Attack - The SonicWALL has detected and prevented a probable SYN flood, a type of denial of service attack.
Land Attack Dropped - The SonicWALL has detected and blocked SYN packets whose source IP addresses are spoofed to be the same as the destination IP addresses.
Administrator login Failure - incorrect password - Someone attempted to log into the SonicWALL using the wrong password.
Unknown IPSec SPI - The SonicWALL has detected and blocked an IPSec packet carrying an SPI that does not belong to any of its Security Associations.
IPSec Authentication Failed - The parameters for an IPSec connection do not match and authentication failed.
Senna Spy Attack Dropped - The SonicWALL has detected and prevented a trojan attack.
Priority Attack Dropped - The SonicWALL has detected and prevented a Priority attack.
Ini Killer Attack Dropped - The SonicWALL has detected and prevented a trojan attack.
Smurf Amplification Attack Dropped - The SonicWALL has detected and prevented a Denial of Service attack.
Possible Port Scan Dropped - A possible port scan was detected and rejected by the SonicWALL.
Probable TCP NULL scan - The SonicWALL has detected TCP frames with a sequence number of zero and all control bits set to zero, and rejected them.
IPSEC Replay Detected - An IPSec replay was detected and rejected by the SonicWALL.
Forbidden E-Mail attachment deleted - When enabled on the SonicWALL, the log records forbidden e-mail attachments received by the SonicWALL.
TCP Xmas Tree Blocked - The SonicWALL detected and blocked a TCP Xmas Tree scan.
User login failure rate exceeded - source address locked out - A user repeatedly attempted to log into the SonicWALL with incorrect credentials, and the source address has been locked out.
IPSec Decryption Failed - The SonicWALL was unable to decrypt the IPSec packets.
IPSec packet to or from an illegal host - The SonicWALL detected an IPSec packet with a source or destination IP address that does not match any security policy configured on the SonicWALL.
Back Orifice Attack Dropped - Back Orifice is a two-part application consisting of a client and a server. The client application running on one computer can be used to monitor and control a second computer running the server application. The SonicWALL has detected and dropped this attack.
NetBus Attack Dropped - NetBus is a well-known back door trojan. The SonicWALL has detected and dropped this attack.
Net Spy Attack Dropped - The SonicWALL has detected and dropped a Net Spy attack.
Sub Seven Attack Dropped - The SonicWALL has detected and dropped the Sub Seven trojan attack.
Ripper Attack Dropped - The SonicWALL has detected and dropped a Ripper attack.
Striker Attack Dropped - The SonicWALL has detected and dropped a Striker attack.
Probable Port Scan Dropped - The SonicWALL detected an excessive number of port scans and dropped the traffic.
Received AV Alert: Your SonicWALL Network Anti-Virus subscription has expired. - The SonicWALL Anti-Virus subscription has expired. Renew your subscription at http://www.mysonicwall.com.
Forbidden E-Mail attachment disabled - When configured on the SonicWALL, forbidden e-mail attachments are disabled.
Probable TCP FIN scan - The SonicWALL has detected and blocked traffic resembling a TCP FIN scan.
Probable TCP XMAS scan - The SonicWALL has detected and blocked TCP traffic with a sequence number of zero and the FIN, URG, and PUSH bits set.
Probable TCP NULL scan - The SonicWALL has detected and blocked TCP traffic with a sequence number of zero and none of the control bits set.
E-Mail fragment dropped - When configured on the SonicWALL, e-mail fragments are prevented from passing through the SonicWALL.
Malformed IP packet dropped. - The SonicWALL has detected and blocked a malformed IP packet.
FTP: PORT bounce attack dropped. - The SonicWALL has detected and blocked a PORT bounce attack, in which an FTP PORT command names a data-connection address other than the client's own.
FTP: PASV response bounce attack dropped. - The SonicWALL has detected and blocked a PASV response bounce attack, in which a PASV reply names a data-connection address other than the server's own.
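The Land, NULL scan and XMAS scan messages above are defined by concrete header conditions, and Ping of Death by the size a fragment would reassemble to. The following added example, which is not code from this guide or from SonicWALL, applies those conditions to raw IPv4 packets so the messages can be reproduced from a capture. The packet builders and the sample packets are constructed for the example (minimal headers, checksums left zero). Two points are assumptions rather than statements in the guide: the FIN scan rule treats a bare FIN with no ACK as the scan signature, and Ping of Death is checked against the 65535-byte IPv4 datagram limit.

```python
import ipaddress
import struct

TCP_FIN, TCP_SYN, TCP_PSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x08, 0x10, 0x20
IP_PROTO_ICMP, IP_PROTO_TCP = 1, 6
IP_MAX_DATAGRAM = 65535          # largest total length an IPv4 datagram may reassemble to
IP_HDR_FMT = "!BBHHHBBH4s4s"     # ver/IHL, TOS, total len, ID, flags+frag offset, TTL, proto, csum, src, dst
TCP_HDR_FMT = "!HHIIBBHHH"       # sport, dport, seq, ack, data offset, flags, window, csum, urgent ptr


def build_ipv4(src, dst, proto, payload, frag_offset=0, more_fragments=False):
    """Constructed helper: minimal 20-byte IPv4 header (no options, zero checksum) plus payload."""
    assert frag_offset % 8 == 0, "fragment offsets are in 8-byte units"
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset // 8)
    hdr = struct.pack(IP_HDR_FMT, 0x45, 0, 20 + len(payload), 0, flags_frag, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_tcp(sport, dport, seq, flags):
    """Constructed helper: minimal 20-byte TCP header with the given sequence number and control bits."""
    return struct.pack(TCP_HDR_FMT, sport, dport, seq, 0, 5 << 4, flags, 8192, 0, 0)


def classify(packet):
    """Return the guide's log message for a packet matching one of its attack
    conditions, or None when the packet looks ordinary."""
    ver_ihl, _, total_len, _, flags_frag, _, proto, _, src, dst = struct.unpack(IP_HDR_FMT, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    frag_offset = (flags_frag & 0x1FFF) * 8
    data = packet[ihl:total_len]

    # Ping of Death: a fragment placed so that the reassembled datagram would exceed 65535 bytes.
    if proto == IP_PROTO_ICMP and ihl + frag_offset + len(data) > IP_MAX_DATAGRAM:
        return "Ping of death blocked"

    # The TCP checks need the transport header, which is only present in the first fragment.
    if proto != IP_PROTO_TCP or frag_offset != 0 or len(data) < 20:
        return None
    _, _, seq, _, _, flags, _, _, _ = struct.unpack(TCP_HDR_FMT, data[:20])

    # Land: a SYN whose source address is spoofed to equal the destination address.
    if flags & TCP_SYN and src == dst:
        return "Land Attack Dropped"
    # NULL scan: sequence number zero and no control bits set.
    if seq == 0 and flags == 0:
        return "Probable TCP NULL scan"
    # XMAS scan: sequence number zero with FIN, URG and PUSH set.
    if seq == 0 and flags == TCP_FIN | TCP_URG | TCP_PSH:
        return "Probable TCP XMAS scan"
    # FIN scan (assumed signature): a bare FIN, which never occurs on an established connection.
    if flags == TCP_FIN:
        return "Probable TCP FIN scan"
    return None


# Constructed sample packets for a stand-alone run.
SAMPLES = {
    "land": build_ipv4("198.51.100.2", "198.51.100.2", IP_PROTO_TCP, build_tcp(80, 80, 1, TCP_SYN)),
    "null": build_ipv4("203.0.113.7", "198.51.100.2", IP_PROTO_TCP, build_tcp(40000, 22, 0, 0)),
    "xmas": build_ipv4("203.0.113.7", "198.51.100.2", IP_PROTO_TCP,
                       build_tcp(40000, 22, 0, TCP_FIN | TCP_URG | TCP_PSH)),
    "fin": build_ipv4("203.0.113.7", "198.51.100.2", IP_PROTO_TCP, build_tcp(40000, 22, 7, TCP_FIN)),
    # Last fragment at offset 65528 with 8 bytes of data: 20 + 65528 + 8 = 65556 > 65535.
    "pod": build_ipv4("203.0.113.9", "198.51.100.2", IP_PROTO_ICMP, b"\x00" * 8, frag_offset=65528),
    "syn": build_ipv4("203.0.113.7", "198.51.100.2", IP_PROTO_TCP, build_tcp(40000, 443, 12345, TCP_SYN)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:5s} -> {classify(pkt)}")
```

To run it against real traffic, feed each IPv4 packet from a capture to classify(). The caveat from the Tip above applies unchanged: every one of these packets carries a trivially forged source address, so the classification tells you what was dropped, not who sent it.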

Events Logged as Blocked


If an event is configured as blocked, a log message records the event when access is attempted through the SonicWALL. Blocked events include ActiveX, Java, Newsgroups, or Web sites.

Web site blocked - When a user on the network attempts to access a blocked Web site, the computer's IP address, Ethernet address, the name of the blocked Web site, and the Content Filter code are displayed as the log message.
Newsgroup blocked - When a user on the network attempts to access a blocked newsgroup, the computer's IP address, Ethernet address, the name of the blocked newsgroup, and the Content Filter code are displayed as the log message.
Web site accessed - When a user on the network accesses a Web site, the computer's IP address, Ethernet address, and the name of the Web site are displayed as the log message.
Newsgroup accessed - When a user on the network accesses a newsgroup, the computer's IP address, Ethernet address, and the name of the newsgroup are displayed as the log message.
ActiveX blocked - When ActiveX is blocked, the log message displays the source and destination IP addresses of the attempted connection.
Java blocked - When Java is blocked, the log message displays the source and destination IP addresses of the attempted connection.
ActiveX or Java archive blocked - When ActiveX and Java archives are blocked, the log message displays the source and destination IP addresses of the attempted connection.
Cookie removed - When cookies are blocked, the log message displays the source and destination IP addresses of the attempted connection.

Events Logged as Debug


When Network Debug is selected, events are logged on the SonicWALL to allow you to troubleshoot problematic connections or security policies.

IPSec packet dropped; waiting for pending IPSec connection - The previous IPSec (ESP) pass-through connection is not complete. A new IPSec connection cannot be started, and the IPSec (ESP) packet is dropped.
IPSec connection interrupt - The SonicWALL is not in an acceptable condition for IPSec pass-through.
ARP timeout - The allowable time for a requested ARP response has expired.
Broadcast packet dropped - A non-allowed broadcast packet was dropped.
No ICMP redirect sent - A non-allowed packet was received that would generate an ICMP redirect; however, the source and destination are unknown, so no ICMP redirect was sent.
Out-of-order command packet dropped - While processing an FTP connection, an out-of-order packet was detected and dropped.
Failure to add data channel - While processing an FTP connection, the SonicWALL was unable to create a new connection cache entry. Possibly there are no more available connections.
RealAudio decode failure - While processing a RealAudio stream, a decode failure occurred.
NAT translated packet exceeds size limit, packet dropped - While performing NAT, a packet was larger than the allowable limit and was dropped.
IKE Responder: Mode %d - not transport mode. Xauth is required but not supported by peer. - The IKE responder requires XAUTH, but the peer does not support it.
Source routed IP packet dropped - A packet with source route options was detected; its IP header was larger than the allowed size, and it was dropped.
DHCP DISCOVER received from local device - A local DHCP client on the SonicWALL network is attempting to locate a DHCP server.
DHCP REQUEST received from local device - A local DHCP client on the SonicWALL network is requesting a DHCP lease.
Duplicate packet dropped - Two or more identical packets were received. Any packets received after the initial packet were dropped by the SonicWALL.
No HOST tag found in HTTP request - An HTTP request was received by the SonicWALL without the required Host header. The request was ignored.
Received fragmented packet or fragmentation needed - A packet larger than the configured MTU was received, or a packet with the fragment bit set was received when fragmentation support is not configured on the SonicWALL.
Log Debug - A state-specific log message used to assist SonicWALL technical support with unusual issues experienced by customers.
VPN Log Debug - A state-specific log message used to assist SonicWALL technical support with unusual VPN issues experienced by customers.
Firewall access from LAN - The SonicWALL management interface was accessed from the LAN.
DHCP RELEASE received from remote device - A DHCP client has released its DHCP lease.
Issuer match failed - The certificate issuer information does not match the SonicWALL certificate information.
DHCP lease relayed to remote device - A DHCP lease was sent to a remote device from a local device.
DHCP REQUEST received from remote device - A DHCP lease was requested by a remote device.
DHCP DISCOVER received from remote device - A remote DHCP client is trying to locate a DHCP server on the SonicWALL network.
DHCP DECLINE received from remote device - A remote DHCP client has refused the proposed DHCP lease.
DHCP OFFER received from server - The DHCP server has offered a DHCP lease to a client.
DHCP NAK received from server - The DHCP server has denied the client's lease request.
IPSec (ESP) packet dropped; waiting for pending IPSec connection - The previous IPSec (ESP) pass-through connection is not complete. A new IPSec connection cannot be started, and the IPSec (ESP) packet is dropped.
IPSec (AH) packet dropped; waiting for pending IPSec connection - The previous IPSec (AH) pass-through connection is not complete. A new IPSec connection cannot be started, and the IPSec (AH) packet is dropped.


Events Logged as System Errors


Events categorized as System Errors are logged by the SonicWALL. System errors can include hardware failures, high availability issues, expired subscription notifications, and diagnostic codes.

Problem sending log email; check log settings - When configured on the SonicWALL, log files are e-mailed to the address configured on the Log Automation page. Check the settings on your Log Automation page if you see this error message.
NAT could not remap incoming packet - The SonicWALL cannot remap an incoming packet to the correct destination.
License exceeded: Connection dropped because too many IP addresses are in use on your LAN - You have too many users on your network and not enough licenses to support them.
Diagnostic Code D - An error was detected during software encryption or decryption of IPSec packets.
Primary missed heartbeats from Active Backup: Primary going Active - The Backup SonicWALL became active when the Primary failed. Now the Backup is not sending heartbeats to the Primary, causing a failback to the Primary SonicWALL.
Primary received error signal from Active Backup: Primary going Active - The Backup SonicWALL is in an error state, causing it to send error signals to the Primary SonicWALL. The Primary takes over as the main SonicWALL.
Backup firewall being preempted by Primary - The Primary firewall is taking over as the main firewall.
Error setting the IP address of the backup, please manually set to backup LAN IP - The Primary firewall encountered a problem trying to synchronize the LAN IP settings. You must manually configure the LAN IP address on the Backup SonicWALL.
Content filter subscription expired. - Your content filter subscription is no longer valid. You must renew it at http://www.mysonicwall.com.
Primary WAN link down, Backup going Active - On the TELE3 SP, the primary WAN link is down, and the backup (modem) link is becoming the active WAN link.
Global VPN Client License Exceeded: Connection denied. - You do not have enough licenses for the Global VPN Clients on your network. You can get more licenses at http://www.mysonicwall.com.
Global VPN Client connection is not allowed. Appliance is not registered. - You must register your SonicWALL appliance at http://www.mysonicwall.com in order to use the Global VPN Client.
Probing failure on %s - If probing is configured on the SonicWALL, probing has encountered a problem causing it to fail.
%s Ethernet Port Down - The Ethernet port is not able to send data.
Illegal LAN address in use - An IP address outside of the configured scope is in use.
The cache is full; %d open connections; some will be dropped - The SonicWALL connection cache is full and some connections will be dropped.
Diagnostic Code A - The Watchdog detected a suspended task.
Diagnostic Code C - The Watchdog detected low memory resources.
Diagnostic Code E - Failed to allocate memory for encryption or authentication keys.
Primary firewall has transitioned to Idle - The Backup SonicWALL is now the active firewall, and the Primary is now standing by as the Backup.
Backup missed heartbeats from Active Primary: Backup going Active - The Active Primary firewall did not send heartbeats to the Backup; therefore, the Backup is taking over as the active firewall.
Backup received error signal from Active Primary: Backup going Active - An error condition exists on the Active Primary firewall, and the Backup firewall is becoming the active firewall.
Primary firewall preempting Backup - The Primary firewall has become active again and is taking over as the Primary firewall.
Backup going Active in preempt mode after reboot - After a reboot with HA enabled, the Backup SonicWALL is configured to be active instead of the Primary SonicWALL.
Error updating HA peer configuration - Configuration changes could not be synchronized between the Primary and Backup firewalls.
Backup WAN link down, Primary going Active - The modem connection on the TELE3 SP lost its dial-up connection, and the primary WAN connection is becoming the active connection.
Failed to synchronize Relay IP Table
Blocked Quick Mode for Client using Default KeyId - The SonicWALL blocked Quick Mode negotiation with a Global VPN Client that is using the default key ID.
The current WAN interface is not ready to route packets.
%s Ethernet Port Up - The Ethernet port has returned to active status.
The network connection in use is %s - The network connection is the specified source.
Requesting CRL From - A VPN Certificate Revocation List is being requested from the specified location.
CRL Loaded From - A Certificate Revocation List was loaded from the specified location.
Failed to get CRL From - The SonicWALL was unable to retrieve a Certificate Revocation List from the specified location.
Not Enough Memory to hold the CRL - The SonicWALL did not have enough RAM available when retrieving the Certificate Revocation List.
Connection Timed Out - A connection cache entry timed out. The connection has been dropped.
Can't Connect to the CRL Server - The SonicWALL is unable to connect to the CRL server.
Unknown Reason - A state-specific log message used to assist Tech Support with diagnosing unusual customer issues.
Failed to Process CRL From - The SonicWALL was unable to process a CRL retrieved from the specified location.
Bad CRL Format - A CRL was received in an incorrect format.
Issuer Match Failed - A CRL was received from an unauthorized provider.
Certificate on Revoked List - A VPN connection was attempted using a revoked certificate.
No Certificate for - A VPN connection was attempted using a non-existent certificate.

Events Logged as System Maintenance


Events relating to network connections such as PPPoE, PPTP, and L2TP, as well as system start-up, are logged as System Maintenance entries.

SonicWALL activated - The SonicWALL is now up and actively managing your connection.
Starting PPPoE discovery - The SonicWALL is looking for the PPPoE connection.
PPPoE discovery process complete - The SonicWALL has located the PPPoE connection.
PPPoE starting PAP Authentication - The SonicWALL is beginning to authenticate with the remote PPPoE connection using PAP (Password Authentication Protocol).
PPPoE PAP Authentication success - The SonicWALL has successfully authenticated to the remote PPPoE connection.
PPPoE PAP Authentication Failed - The SonicWALL failed to authenticate to the remote connection. Check your network settings.
PPPoE PAP Authentication Failed. Please verify PPPoE username and password. - The PPPoE connection failed because of an incorrect username or password. Check the network settings on the SonicWALL for the correct username and password.
PPPoE starting CHAP Authentication - The SonicWALL is attempting to authenticate to the PPPoE connection using CHAP (Challenge Handshake Authentication Protocol).
PPPoE CHAP Authentication Failed - The PPPoE connection failed to authenticate using CHAP.
Disconnecting PPPoE due to traffic timeout - The PPPoE connection timed out because there was not enough network traffic to keep it active.
PPPoE Network Connected - The PPPoE connection is successfully connected.
PPPoE Network Disconnected - The PPPoE connection is disconnected.
PPPoE LCP Link Up - LCP is used in conjunction with PAP or CHAP to establish the connection. This link is up.
PPPoE LCP Link Down - LCP is used in conjunction with PAP or CHAP to establish the connection. This link is down.
No response from ISP Disconnecting PPPoE. - The ISP did not respond to the connection request. The negotiation is disconnected.
PPPoE terminated - The PPPoE connection is terminated.
L2TP Connect Initiated by the User - A request to connect to an L2TP server was initiated.
L2TP Session Negotiation Started - Negotiation for an L2TP session has started.
L2TP Tunnel Negotiation Started - Negotiation for an L2TP tunnel has started.
L2TP Tunnel Established - The SonicWALL has established an L2TP tunnel.
L2TP PPP Negotiation Started - The SonicWALL has begun PPP negotiation over the L2TP connection.
L2TP PPP Authentication Failed - PPP authentication failed. Check your L2TP settings.
L2TP Session Disconnect from Remote - The remote site has disconnected the L2TP session.
L2TP LCP Down - LCP is the protocol used to set up the link before authentication. LCP is unavailable.
L2TP LCP Up - LCP is the protocol used to set up the link before authentication. LCP is available.
Disconnecting L2TP Tunnel due to traffic timeout. - The L2TP tunnel is disconnected due to inactivity on the connection.
L2TP Disconnect Initiated by the User - Disconnection from the remote L2TP connection was requested by a user.
L2TP Max Retransmission Exceeded - Retransmission of data has exceeded the maximum allowed retransmissions.
L2TP PPP link down - The PPP link is down.
PPTP Connect Initiated by the User - A user has initiated a PPTP connection.
PPTP Control Connection Negotiation Started - Negotiation has been initiated for the PPTP control connection.
PPTP Control Connection Established - The PPTP control connection has been successfully established.
PPTP PPP Negotiation Started - The PPTP connection has begun PPP negotiation.
PPTP PPP Link Up - The PPP link is up.
PPTP PPP Link down - The PPP link is down.
PPTP PPP Up - PPP callback is up.
PPTP PPP Down - PPP callback is down.
PPTP PPP Session Up - The PPTP session is up.
PPTP PPP Authentication Failed - PPP authentication has failed.
PPTP starting PAP Authentication - The SonicWALL is establishing a PPTP connection using PAP for authentication.
PPTP PAP Authentication success. - PAP authentication is successful. Data can be sent via the PPTP connection.
PPTP PAP Authentication Failed - PAP authentication failed. Check your SonicWALL network settings.
PPTP PAP Authentication Failed. Please verify PPTP username and password - Check your SonicWALL network settings to verify your username and password.
PPTP Max Retransmission Exceeded - Attempts to retransmit data have exceeded the number of allowed retransmissions.
PPTP Tunnel Disconnect from Remote - The PPTP tunnel was disconnected by the remote location.
PPTP Session Disconnect from Remote - The PPTP session was disconnected by the remote location.
PPTP LCP Down - LCP is the protocol used to set up the link before authentication. LCP is unavailable.
PPTP LCP Up - LCP is the protocol used to set up the link before authentication. LCP is available.
PPTP starting CHAP Authentication - The PPTP connection is authenticating using CHAP.
PPTP CHAP Authentication Failed. Please verify PPTP username and password - The authentication process failed. Check your network settings to verify that the information is correct.
PPTP PPP Link Finished - The PPTP PPP link is complete.
Disconnecting PPTP Tunnel due to traffic timeout - Due to inactivity on the connection, the PPTP tunnel is disconnecting.
PPTP Session Negotiation Started - The SonicWALL is beginning to negotiate the PPTP session.
PPTP Session Established - The PPTP session is established by the SonicWALL.
PPTP Disconnect Initiated by the User - A user has initiated a PPTP disconnect on the SonicWALL.
HTTP management port has changed - The HTTP management port has changed. You must remember the port number to log into the SonicWALL.
Administrator name changed - The administrator name has been changed on the SonicWALL. You need to remember the name in order to log into the SonicWALL.
VPN disabled by administrator - VPN has been disabled on the SonicWALL. No VPN SAs are in effect, and disabling VPN interrupts any current VPN connections.
Log Cleared - The log was cleared by clicking Clear Log on the Log View page.
Restarting SonicWALL; dumping log to email - The SonicWALL is restarting, either at a user's request or after changing settings on the SonicWALL. The log file is e-mailed to the address configured on the Log Automation page.
Access attempt from host without Anti-Virus agent installed - If Anti-Virus is enabled on the SonicWALL, the Anti-Virus agent must be installed on all computers on the network.
VPN enabled by administrator - VPN was enabled by the administrator by selecting Enable VPN on the VPN page.
Log successfully sent via email - When configured, the SonicWALL e-mails the log files to the administrator.
HTTPS management port has changed - The HTTPS management port was changed. You must remember the port number when attempting to manage the SonicWALL using HTTPS.
SonicWALL initializing - The SonicWALL is restarting after uploading new firmware or resetting the appliance.
Anti-Virus agent out-of-date on host - The Anti-Virus agent has not been updated. Update the agent for the latest virus information.

Events Logged as User Activity


Log events generated as User Activity include user login success and failure, administrator login success and failure, XAUTH success and failure, Access Rules added and deleted, remote user login success and failure, logout activity, modem events for the TELE3 SP, IKE events, and IPSec events.

Successful local user login - A user in the local database logged into the SonicWALL successfully.
Unknown user attempted to log in - A user not configured on the SonicWALL attempted to log into the SonicWALL.
Login screen timed out - The login screen with the username and password fields timed out.
Successful administrator login - An administrator successfully logged into the SonicWALL.
User login failed - RADIUS authentication failure - A user configured for RADIUS authentication failed to log into the SonicWALL.
User login failed - RADIUS configuration error - RADIUS authentication is improperly configured on the SonicWALL, so the user could not be authenticated.
Administrator logged out - A SonicWALL administrator logged out of the SonicWALL.
User logged out - A user has logged out of the SonicWALL.
User logged out - inactivity timer expired - A user was logged out because no activity was detected on the connection.
Locked out user re-enabled by admin - A user was locked out after failed authentication attempts, and the administrator has re-enabled the user's account.
User login failed - incorrect password - A user attempted to log into the SonicWALL using the wrong password.
Administrator login failed - incorrect password from the CLI - An administrator attempted to log into the SonicWALL over the CLI port using an incorrect password.
Successful remote user login - A remote user successfully logged into the SonicWALL.
User login failed - RADIUS server timeout - A user could not log in because the RADIUS server timed out.
User login failed - User has no privileges for login from that location - The user does not have privileges to log in from that location.
Administrator logged out - inactivity timer expired - The SonicWALL did not detect any activity for the specified time period and logged the administrator out.
User logged out - max session time exceeded - A user was logged out after exceeding the maximum session time established for the user.
Locked out user re-enabled - lockout period expired - A user was locked out of the SonicWALL after failed login attempts, and the lockout period has now expired.
Administrator logged out from the CLI - The SonicWALL administrator logged out of the SonicWALL while using the CLI interface.
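The failure, lockout and re-enable messages above describe one mechanism: a source that fails too often is locked out, and the lock is released when the period expires. The following added example, which is not code from this guide or from SonicWALL, replays exported User Activity entries through that mechanism so the two lockout messages can be reproduced off the appliance, for instance in a SIEM when the appliance's own lockout is not enabled or its log was lost. The tab-separated input format, the sample lines and the thresholds (more than five failures in one minute, five-minute lockout) are assumptions made for the example; the appliance's actual thresholds are configured in its Users settings.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export (not from the guide): "date time<TAB>message<TAB>source".
SAMPLE_EVENTS = """\
01/15/2004 08:00:01\tUser login failed - incorrect password\t203.0.113.50
01/15/2004 08:00:04\tUser login failed - incorrect password\t203.0.113.50
01/15/2004 08:00:06\tUser login failed - incorrect password\t203.0.113.50
01/15/2004 08:00:09\tUser login failed - incorrect password\t203.0.113.50
01/15/2004 08:00:11\tUser login failed - incorrect password\t203.0.113.50
01/15/2004 08:00:40\tUser login failed - incorrect password\t203.0.113.50
01/15/2004 08:02:00\tUser login failed - incorrect password\t192.168.1.20
01/15/2004 08:02:30\tSuccessful local user login\t192.168.1.20
01/15/2004 08:06:00\tUser login failed - incorrect password\t203.0.113.50
"""

# Messages from the guide that count as a failed authentication attempt.
FAILURE_MESSAGES = {
    "User login failed - incorrect password",
    "User login failed - RADIUS authentication failure",
    "Unknown user attempted to log in",
    "Administrator login Failure - incorrect password",
    "Administrator login failed - incorrect password from the CLI",
}
LOCKED_OUT = "User login failure rate exceeded - source address locked out"
RE_ENABLED = "Locked out user re-enabled - lockout period expired"


def parse_events(text):
    """Parse the export into (timestamp, message, source) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            when, message, source = line.split("\t")
            events.append((datetime.strptime(when, "%m/%d/%Y %H:%M:%S"), message, source))
    return events


def lockout_timeline(events, max_failures=5, window=timedelta(minutes=1),
                     lockout=timedelta(minutes=5)):
    """Replay events in time order and emit the guide's lockout messages.

    A source is locked out when it exceeds max_failures failures within window
    and is re-enabled once lockout has elapsed. Returns [(time, message, source)].
    """
    recent = defaultdict(deque)   # source -> failure timestamps inside the sliding window
    locked_until = {}             # source -> time its lockout expires
    out = []
    for when, message, source in sorted(events):
        # Release any lockout that has expired by the time of this event.
        for src, until in list(locked_until.items()):
            if when >= until:
                out.append((until, RE_ENABLED, src))
                del locked_until[src]
                recent[src].clear()
        if message not in FAILURE_MESSAGES or source in locked_until:
            continue  # successes and attempts from a locked-out source do not count
        q = recent[source]
        q.append(when)
        while q and when - q[0] > window:
            q.popleft()
        if len(q) > max_failures:
            out.append((when, LOCKED_OUT, source))
            locked_until[source] = when + lockout
    return out


if __name__ == "__main__":
    for when, message, source in lockout_timeline(parse_events(SAMPLE_EVENTS)):
        print(when.strftime("%m/%d/%Y %H:%M:%S"), message, source)
```

The replay keys on the source address, as the appliance's own message does, so a distributed guess from many addresses stays under the per-source threshold; that is a reason to also watch the total failure rate across all sources. Administrator failures are included because the guide logs them as attacks, not just as user activity. The manual "Locked out user re-enabled by admin" path is not modelled.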

VPN/IKE Log Events


Dynamic IPSec client connected - A VPN client has connected to the SonicWALL.
Incompatible IPSec Security Association - VPN SAs do not match each other.

IKE Responder: IPSec proposal does not match (Phase 2) - The initiating SonicWALL sent an IPSec proposal that does not match the responding SonicWALL during Phase 2 negotiations.
Starting IKE negotiation - The SonicWALL is beginning IKE negotiation by matching encryption, hash, and authentication algorithms, as well as Diffie-Hellman keys and the Security Protocol.
IKE Responder: No matching Phase 1 ID found for proposed remote network - Phase 1 of the IKE negotiation failed because the information did not match on the responding SonicWALL's network.
IKE Responder: No match for proposed remote network address - The information entered in the initiating SonicWALL's destination network field did not match the responding network information.
IKE Responder: Tunnel terminates outside firewall but proposed local network is not NAT public address - The VPN tunnel is configured to terminate outside the responding firewall, but the IP address for the local network is not the public IP address.
IKE Responder: Tunnel terminates on DMZ but proposed local network is on LAN - The Security Association is configured to terminate on the responding DMZ, but the IP address is a LAN IP address.
IKE Responder: AH Perfect Forward Secrecy mismatch - Perfect Forward Secrecy is configured, but the authentication does not match on the responding SonicWALL.
IKE Responder: Algorithms and/or keys do not match - The responding SonicWALL does not have matching algorithms or keys. Check the configuration on both appliances.
IKE Initiator: Start Quick Mode (Phase 2). - The initiating SonicWALL is beginning the second phase of Quick Mode negotiation. Quick Mode is used in SAs configured using AH or ESP.
IKE SA lifetime expired. - The Security Association has expired because it has exceeded the configured lifetime.
IKE Responder: Received Quick Mode Request (Phase 2) - The responding SonicWALL has received a request from the first SonicWALL to begin Phase 2 of Quick Mode negotiation.
IKE Initiator: Aggressive Mode complete (Phase 1). - The initiating SonicWALL has completed Phase 1 of an Aggressive Mode negotiation.
IKE Responder: Received Aggressive Mode request (Phase 1) - The responding SonicWALL has received a request from the initiating SonicWALL to begin Aggressive Mode (Phase 1) negotiations.
IKE Initiator: Start Aggressive Mode negotiation (Phase 1) - The initiating SonicWALL is beginning Aggressive Mode negotiation (Phase 1).


IKE Responder: Aggressive Mode complete (Phase 1) - The responding SonicWALL has completed Aggressive Mode (Phase 1) negotiations.
IKE Responder: IKE proposal does not match (Phase 1) - The responding SonicWALL does not have a matching IKE proposal from the initiating SonicWALL.
IKE Responder: Proposed local network is 0.0.0.0 but SA has no LAN Default Gateway - The initiating SonicWALL has proposed a local network, but the SA has no IP address in the Default LAN Gateway field.
Failed payload verification after decryption - The payload in the Authentication header failed verification after it was decrypted.
SA is disabled. Check VPN SA settings - The VPN SA was disabled by the administrator.
Computed hash does not match hash received from peer - The hash algorithm for the SA does not match the peer hash algorithm. Check the configuration on each SonicWALL.
Received IPSEC SA delete request - The SonicWALL has received a request to delete an IPSec Security Association.
Received notify: INVALID_COOKIES - The SonicWALL has received notification of invalid cookies.
Received notify: INVALID_SPI - The SPI is invalid on the SonicWALL. The VPN tunnel is not connected.
VPN Cleanup: Dynamic network settings change - The network settings have changed and the SonicWALL is cleaning up the network information.
Illegal IPSec SPI - The SPI is not authorized for connecting the VPN tunnel.
IKE Responder: Accepting IPSec proposal (Phase 2) - The responding SonicWALL is accepting the initiating SonicWALL's IPSec proposal.
IKE negotiation complete. Adding IPSec SA. (Phase 2) - The initiating and responding SonicWALL appliances have successfully negotiated the VPN SA.
IKE Responder: Mode %d - not tunnel mode - The responding SonicWALL is not in tunnel mode.
IKE Responder: Proposed remote network is 0.0.0.0 but not DHCP relay nor default route - The negotiating SonicWALL has proposed a network IP address, but not the DHCP relay or default route IP address.
IKE Responder: Default LAN gateway is set but peer is not proposing to use this SA as a default route - The responding SonicWALL has determined that the initiating SonicWALL was not configured to use the SA as the default route for Internet traffic.


IKE Responder: Tunnel terminates inside firewall but proposed local network is not inside firewall - The initiating SonicWALL is proposing a remote IP address that is not on the local network inside the remote firewall.
IKE Responder: Tunnel terminates on LAN but proposed local network is on DMZ - The initiating SonicWALL is configured to terminate the VPN tunnel on the remote LAN, but the IP address is on the remote DMZ.
IKE Responder: ESP Perfect Forward Secrecy mismatch - The responding SonicWALL has a different authentication configured, so the authentication doesn't match the initiating SonicWALL.
IKE Initiator: Start Main Mode negotiation (Phase 1) - The initiating SonicWALL is starting Phase 1 of Main Mode negotiation and sending a request to the remote SonicWALL.
IKE Initiator: Main Mode complete (Phase 1) - Phase 1 Main Mode has successfully completed negotiations on the initiating SonicWALL.
IKE Responder: Received Main Mode request (Phase 1) - The responding SonicWALL has received a request from the initiating SonicWALL to begin Phase 1 Main Mode negotiations.
IKE Responder: Main Mode complete (Phase 1) - The responding SonicWALL has completed Phase 1 Main Mode negotiations.
IKE Initiator: Accepting IPSec proposal (Phase 2) - The initiating SonicWALL is in the process of accepting the Phase 2 IPSec proposal.
IKE Initiator: Received notify. NO_PROPOSAL_CHOSEN - The initiating SonicWALL has received a notification from the responding SonicWALL that no proposal was chosen. Check the SA configuration on the initiating SonicWALL.
IKE negotiation aborted due to timeout - The SonicWALL could not complete the IKE negotiation because the connection timed out.
Failed payload verification after decryption. Possible preshared key mismatch - The Preshared Secret does not match and the SonicWALL cannot properly decrypt the packet.
Received packet retransmission. Drop duplicate packet - The SonicWALL received two identical packets and dropped one of them.
Received notify: ISAKMP_AUTH_FAILED - The SonicWALL could not authenticate and the VPN tunnel is not established.
Received notify: PAYLOAD_MALFORMED - The payload packet was malformed and could not be decrypted.
Received IKE SA delete request - The responding SonicWALL received a Phase 1 delete request from the initiating SonicWALL.

Received notify: RESPONDER_LIFETIME - The initiating SonicWALL received notification that the responding SonicWALL is using a lifetime different from the lifetime on the initiating SonicWALL.
IKE Initiator: Accepting peer lifetime. (Phase 1) - The initiating SonicWALL is accepting the SA lifetime configured on the responding SonicWALL.
Received notify: INVALID_ID_INFO - The SonicWALL received notification that its Phase 1 ID is not correct.

Modem Log Events

PPP Dial-Up: Dialing: %s - The TELE3 SP is dialing the telephone number configured in its dial-up profile.
PPP Dial-Up: No link carrier detected - check phone number - The SP could not connect because no phone carrier was detected.
PPP Dial-Up: Dialed number did not answer - The dialed number did not answer.
PPP Dial-Up: Link carrier lost - The SP lost the connection to the phone carrier.
PPP: PAP Authentication failed - check username/password - Authentication with the dial-up ISP failed due to an incorrect username and/or password. Check your dial-up profile.
PPP: MS-CHAP authentication failed - check username/password - Authentication with the dial-up ISP failed due to an incorrect username and/or password. Check your dial-up profile.
PPP: Starting CHAP authentication - The authentication process with the dial-up ISP is beginning.
PPP Dial-Up: PPP negotiation failed - disconnecting - The SP failed PPP negotiation with the dial-up ISP and is disconnecting from the ISP.
PPP Dial-Up: Failed to get IP address - The SP could not obtain an IP address from the dial-up ISP.
PPP Dial-Up: PPP link established - The SP has established a PPP link with the dial-up ISP.
PPP Dial-Up: Shutting down link - The phone connection is shutting down.
PPP Dial-Up: User requested disconnect - A request to disconnect from the dial-up ISP has been made by a user.
PPP Dial-Up: Connect request canceled - A manual connection request is canceled.
PPP Dial-Up: Trying to failover but Primary Profile is manual - The SP is attempting to fail over from the WAN port to the modem, but the Primary Dial-up profile is configured for manual dialing.
PPP Dial-Up: No dialtone detected - check phone-line connection - The SP did not detect a dialtone when trying to dial the ISP using the modem.


PPP Dial-Up: Dialed number is busy - The phone number configured in the dial-up profile is busy.
PPP Dial-Up: Connected at %s bps - starting PPP - The modem has successfully dialed the ISP and connected to it. The SP is now beginning PPP negotiations.
PPP: Authentication successful - The SP successfully authenticated with the dial-up ISP. Data can now be transmitted using this connection.
PPP: CHAP authentication failed - check username/password - The SP could not authenticate to the dial-up ISP with the configured username and/or password. Check the dial-up profile information.
PPP: Starting MS-CHAP authentication - The SP is beginning authentication with the dial-up ISP.
PPP: Starting PAP authentication - The SP is beginning authentication with the dial-up ISP.
PPP Dial-Up: Idle time limit exceeded - disconnecting - No data has been transmitted for a specified period of time; therefore, the SP is disconnecting from the ISP.
PPP Dial-Up: Received new IP address - The SP received a new IP address from the dial-up ISP.
PPP Dial-Up: PPP link down - The PPP link is down and the SP cannot connect to the ISP.
PPP Dial-Up: Initialization : %s - The modem is initializing.
PPP Dial-Up: User requested connect - A user on the SP has requested a connection via the modem.
PPP Dial-Up: Manual intervention needed. Check Primary Profile or Profile details - Configuration of the dial-up profile may be incorrect. Check the profile and verify the information.
PPP Dial-Up: Startup without Ethernet cable, will try to dial on outbound traffic - The SP is not connected to the WAN with an Ethernet cable. The SP will dial the ISP when outbound data is detected.

Other User Activity Log Events

XAUTH Succeeded with VPN client - The VPN Client successfully authenticated using XAUTH.
XAUTH Failed with VPN client, Cannot Contact RADIUS Server - The VPN SA is configured to require XAUTH using a RADIUS server; however, it cannot contact the RADIUS server. Verify your RADIUS settings.
Received a path MTU icmp message from router/gateway - The SonicWALL received a routing message from a router and/or gateway on the network.

NAT Discovery : Peer IPSec Security Gateway behind a NAT/NAPT Device - NAT Traversal is enabled and the local SonicWALL discovered a NAT/NAPT device in front of the remote SonicWALL.
NAT Discovery : No NAT/NAPT device detected between IPSec Security gateways - NAT Traversal is enabled on the SonicWALL and it did not detect a NAT/NAPT device on a VPN tunnel between two SonicWALL appliances.
Access Rule added - An Access Rule was added to the SonicWALL. The type of rule is described in the Notes section of the View Log page.
Access Rule deleted - An Access Rule was deleted from the SonicWALL. The type of rule is described in the Notes section of the View Log page.
PPPoE user name changed by Administrator - The PPPoE user name was changed by the Administrator.
Web access request received - The SonicWALL received a Web access request from the LAN.
XAUTH Failed with VPN client, Authentication failure - A remote user using the VPN Client to access the SonicWALL did not authenticate using XAUTH.
VPN Client Policy Provisioning - A VPN Client has received its VPN SA configuration from the SonicWALL.
NAT Discovery : Local IPSec Security Gateway behind a NAT/NAPT Device - NAT Traversal is enabled and has detected a NAT/NAPT device between the SonicWALL and the WAN.
NAT Discovery : Peer IPSec Security Gateway doesn't support VPN NAT Traversal - NAT Traversal is enabled on the SonicWALL, but it is trying to connect to a VPN Gateway that doesn't support NAT Traversal.
Access Rule modified - An Access Rule has been modified on the SonicWALL. The type of rule is described in the Notes section of the View Log page.
Access Rules restored to defaults - The SonicWALL has restored the default rule set.
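The IKE messages listed above are easiest to act on when read as a sequence: the "Start"/"Received" messages mark the beginning of Phase 1 or Phase 2, the "complete" messages mark a phase as finished, and the mismatch and notify messages say which configuration item the two appliances disagree on. The following is an added example, not SonicWALL code: it walks the VPN log lines for one tunnel, records how far the exchange got using the message texts from this guide, and reports the first failure together with the check the guide recommends. The tab-separated line layout (date/time, message, source, destination), the sample lines and the peer addresses are constructed for this example; the `%d`/`%s` placeholders in the guide's message texts are treated as firmware format placeholders and matched as wildcards.

```python
"""Triage of SonicWALL IKE log events (added example, not SonicWALL code)."""
import re

# Messages from the guide that mark progress through the IKE exchange.
PHASE1_START = (
    "Starting IKE negotiation",
    "IKE Initiator: Start Main Mode negotiation (Phase 1)",
    "IKE Initiator: Start Aggressive Mode negotiation (Phase 1)",
    "IKE Responder: Received Main Mode request (Phase 1)",
    "IKE Responder: Received Aggressive Mode request (Phase 1)",
)
PHASE1_DONE = (
    "IKE Initiator: Main Mode complete (Phase 1)",
    "IKE Initiator: Aggressive Mode complete (Phase 1)",
    "IKE Responder: Main Mode complete (Phase 1)",
    "IKE Responder: Aggressive Mode complete (Phase 1)",
)
PHASE2_START = (
    "IKE Initiator: Start Quick Mode (Phase 2)",
    "IKE Responder: Received Quick Mode Request (Phase 2)",
)
TUNNEL_UP = ("IKE negotiation complete. Adding IPSec SA. (Phase 2)",)

# Failure messages from the guide and the item the guide says to check.
# Longer texts come first so a shorter prefix never shadows them.
FAILURES = (
    ("Failed payload verification after decryption. Possible preshared key mismatch",
     "Preshared Secret does not match; compare it on both peers"),
    ("Failed payload verification after decryption",
     "Authentication header payload failed verification after decryption"),
    ("IKE Responder: IKE proposal does not match (Phase 1)",
     "Phase 1 proposal mismatch; compare encryption, hash and Diffie-Hellman settings"),
    ("IKE Responder: IPSec proposal does not match (Phase 2)",
     "Phase 2 IPSec proposal mismatch; compare the AH/ESP settings"),
    ("IKE Responder: Algorithms and/or keys do not match",
     "Check algorithms and keys on both appliances"),
    ("IKE Initiator: Received notify. NO_PROPOSAL_CHOSEN",
     "Check the SA configuration on the initiating SonicWALL"),
    ("IKE Responder: No match for proposed remote network address",
     "Initiator's destination network does not match the responder's network"),
    ("IKE Responder: Mode %d - not tunnel mode", "Responder is not in tunnel mode"),
    ("Received notify: ISAKMP_AUTH_FAILED", "Authentication failed; tunnel not established"),
    ("Received notify: INVALID_ID_INFO", "Phase 1 ID is not correct"),
    ("IKE negotiation aborted due to timeout", "Peer did not answer before the timeout"),
)


def message_pattern(text):
    """Compile a guide message text into a regex; %d and %s are firmware
    format placeholders (assumed) and become wildcards so logged values match."""
    parts = []
    for chunk in re.split(r"(%d|%s)", text):
        if chunk == "%d":
            parts.append(r"\d+")
        elif chunk == "%s":
            parts.append(r".+?")
        else:
            parts.append(re.escape(chunk))
    return re.compile("".join(parts))


FAILURE_PATTERNS = [(message_pattern(text), hint) for text, hint in FAILURES]


def triage(lines):
    """Return the stage the tunnel reached and the failures seen, in log order."""
    started = phase1_done = tunnel_up = False
    failures = []
    for line in lines:
        fields = line.split("\t")          # constructed layout: date/time, message, src, dst
        if len(fields) < 2:
            continue
        msg = fields[1]
        if any(msg.startswith(m) for m in PHASE1_START):
            started = True
        elif any(msg.startswith(m) for m in PHASE1_DONE):
            phase1_done = True
        elif any(msg.startswith(m) for m in TUNNEL_UP):
            tunnel_up = True
        elif not any(msg.startswith(m) for m in PHASE2_START):
            for pattern, hint in FAILURE_PATTERNS:
                if pattern.search(msg):
                    failures.append((msg, hint))
                    break
    if tunnel_up:
        stage = "established"
    elif failures:
        stage = "phase 2 failed" if phase1_done else "phase 1 failed"
    elif started:
        stage = "in progress"
    else:
        stage = "no negotiation"
    return {"stage": stage, "failures": failures}


# Constructed sample log lines (documentation addresses, not real peers).
SAMPLE_PSK_MISMATCH = [
    "02/04/2004 10:01:02\tIKE Initiator: Start Main Mode negotiation (Phase 1)\t198.51.100.10\t203.0.113.5",
    "02/04/2004 10:01:03\tFailed payload verification after decryption. Possible preshared key mismatch\t203.0.113.5\t198.51.100.10",
    "02/04/2004 10:01:33\tIKE negotiation aborted due to timeout\t198.51.100.10\t203.0.113.5",
]
SAMPLE_PHASE2_REJECTED = [
    "02/04/2004 10:02:00\tIKE Initiator: Start Main Mode negotiation (Phase 1)\t198.51.100.10\t203.0.113.5",
    "02/04/2004 10:02:01\tIKE Initiator: Main Mode complete (Phase 1)\t198.51.100.10\t203.0.113.5",
    "02/04/2004 10:02:01\tIKE Initiator: Start Quick Mode (Phase 2).\t198.51.100.10\t203.0.113.5",
    "02/04/2004 10:02:02\tIKE Initiator: Received notify. NO_PROPOSAL_CHOSEN\t203.0.113.5\t198.51.100.10",
]
SAMPLE_ESTABLISHED = [
    "02/04/2004 10:03:00\tIKE Initiator: Start Main Mode negotiation (Phase 1)\t198.51.100.10\t203.0.113.5",
    "02/04/2004 10:03:01\tIKE Initiator: Main Mode complete (Phase 1)\t198.51.100.10\t203.0.113.5",
    "02/04/2004 10:03:01\tIKE Initiator: Start Quick Mode (Phase 2).\t198.51.100.10\t203.0.113.5",
    "02/04/2004 10:03:02\tIKE Initiator: Accepting IPSec proposal (Phase 2)\t198.51.100.10\t203.0.113.5",
    "02/04/2004 10:03:02\tIKE negotiation complete. Adding IPSec SA. (Phase 2)\t198.51.100.10\t203.0.113.5",
]

if __name__ == "__main__":
    for name, sample in (("psk", SAMPLE_PSK_MISMATCH), ("phase2", SAMPLE_PHASE2_REJECTED),
                         ("ok", SAMPLE_ESTABLISHED)):
        result = triage(sample)
        print(name, result["stage"], [hint for _, hint in result["failures"]])
```

Feeding the lines of one tunnel (for example, the entries copied from the Log > View page filtered on the peer address) tells you whether the fault lies in Phase 1 settings shared by every tunnel to that peer or in the Phase 2 proposal of a single SA, which is the first question to settle before comparing configurations on both appliances.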


Events Logged as VPN Statistics


Three events are categorized as a VPN statistic: VPN TCP SYN, VPN TCP FIN, and VPN TCP PSH.

Wireless Log Events


For the SOHO TZW, 802.11b authentication and association messages are recorded as Log Events.

802.11b Management > Disassociated - Reason: A wireless client has disassociated from the SOHO TZW.
802.11b Management > Association Failed - Reason: The TZW has reached the maximum number of associated wireless clients.
802.11b Management > Associated - Reason: A wireless client is associated on the TZW.
802.11b Management > Association Failed - Reason: The wireless client attempted to use an unsupported authentication algorithm.
802.11b Management > ACL Check Passed - Reason: The wireless client passed the MAC ACL check.
802.11b Management > ACL Check Failed - Reason: The wireless client failed the MAC ACL check.
802.11b Management > Authentication Failed - Reason: Wireless client authentication failed because the client authentication packet sequence is out of order.
802.11b Management > Authentication Failed - Reason: A wireless client attempted to authenticate using Open System WEP encryption, which is not allowed on the TZW.
802.11b Management > Authentication Failed - Reason: A wireless client attempted to authenticate using an unknown algorithm.
802.11b Management > Deauthenticated - An authenticated user has logged out of the TZW.
User Login Failed - User has no privileges for wlan guest services - A wireless user attempted to log into the WLAN but does not have privileges to do so.
wlan firmware image has been updated - The wireless radio card has been updated with new firmware.
Packet dropped by wlan guest check - A packet did not match the guest check requirements on the WLAN.
Packet dropped by wlan vpn traversal check - A packet did not meet the WLAN VPN traversal requirements and was dropped.
WLAN disabled by administrator - The administrator disabled the WLAN port.
WLAN enabled by administrator - The administrator enabled the WLAN port.


WiFiSec Enforcement disabled by administrator - The administrator has disabled WiFiSec, and VPN is no longer enforced on the WLAN.
WiFiSec Enforcement enabled by administrator - WiFiSec is enabled, and VPN is required to access the WLAN.
Wireless MAC Filter List enabled by administrator - The Wireless MAC Filter List is enabled, and wireless cards access the WLAN using the MAC address as part of the authentication process.
Wireless MAC Filter List disabled by administrator - Wireless card MAC addresses are no longer required as part of the authentication process.
802.11b Management - Activity on 802.11b is listed in the Notes column.
wlan recovery - The WLAN network has recovered from an error.

Syslog Only Entries


The following messages only appear in the syslog output. They do not appear in the SonicWALL Management Interface Log > View page.

Connection Opened - The firewall has identified a TCP or UDP packet transfer through the firewall; the entry contains bytes sent, and the IP addresses and port numbers for both source and destination.
Connection Closed - The firewall has identified a TCP or UDP packet transfer through the firewall that has finished; the entry contains bytes sent, and the IP addresses and port numbers for both source and destination.
m=97 - A special type of Connection Closed entry for HTTP connections; it also includes dstname and arg (which together form the URL), and the IP addresses and port numbers for both source and destination.
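Because these three entries never reach the Log > View page, they are only useful if something parses the syslog stream. The following is an added example, not SonicWALL code: a small key=value parser that separates the Connection Opened and Connection Closed entries, totals the bytes sent per source address from the closed entries, and rebuilds the URL of each m=97 entry from dstname and arg as this guide describes. The sample lines are constructed, and the field names other than m, dstname and arg (msg, src, dst, sent, and an ip:port endpoint layout) are assumptions made for the example rather than the firmware's documented syslog format.

```python
"""Parse SonicWALL syslog-only connection entries (added example, not SonicWALL code)."""
import re
from collections import defaultdict

# key=value pairs; a value is either a double-quoted string or a run of non-spaces.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_syslog_line(line):
    """Return the key=value fields of one syslog entry as a dict (quotes stripped)."""
    entry = {}
    for key, value in KV_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        entry[key] = value
    return entry


def split_endpoint(value):
    """Split an assumed 'ip:port' endpoint. If the firmware appends further
    colon-separated data, only the first two parts are used."""
    parts = value.split(":")
    ip = parts[0]
    port = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
    return ip, port


def http_url(entry):
    """m=97 is the HTTP form of Connection Closed; per the guide, dstname and
    arg together form the URL. Returns None for any other entry."""
    if entry.get("m") != "97":
        return None
    return entry.get("dstname", "") + entry.get("arg", "")


def summarize(lines):
    """Count opened/closed connections, total bytes sent per source address
    (from closed entries, which carry the final count) and collect HTTP URLs."""
    report = {"opened": 0, "closed": 0, "bytes_by_src": defaultdict(int), "urls": []}
    for line in lines:
        entry = parse_syslog_line(line)
        msg = entry.get("msg", "")
        src_ip, _ = split_endpoint(entry.get("src", ""))
        if msg == "Connection Opened":
            report["opened"] += 1
        elif msg == "Connection Closed" or entry.get("m") == "97":
            report["closed"] += 1
            report["bytes_by_src"][src_ip] += int(entry.get("sent", "0"))
            url = http_url(entry)
            if url:
                report["urls"].append((src_ip, url))
    report["bytes_by_src"] = dict(report["bytes_by_src"])
    return report


# Constructed sample syslog entries (documentation addresses; field names assumed).
SAMPLE_SYSLOG = [
    'id=firewall time="2004-02-04 10:01:02" fw=203.0.113.5 pri=6 msg="Connection Opened" '
    'src=10.0.0.5:1034 dst=198.51.100.20:22 proto=tcp/22',
    'id=firewall time="2004-02-04 10:05:40" fw=203.0.113.5 pri=6 msg="Connection Closed" '
    'src=10.0.0.5:1034 dst=198.51.100.20:22 proto=tcp/22 sent=2048',
    'id=firewall time="2004-02-04 10:06:01" fw=203.0.113.5 pri=6 m=97 msg="Connection Closed" '
    'src=10.0.0.7:1080 dst=198.51.100.30:80 proto=tcp/80 sent=512 '
    'dstname=www.example.com arg=/docs/index.html',
]

if __name__ == "__main__":
    print(summarize(SAMPLE_SYSLOG))
```

The per-source byte totals are what an administrator would use to spot an internal host that is quietly sending far more than its peers, and the rebuilt URLs give a record of Web requests that the Log > View page alone does not keep.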


SonicWALL, Inc. 1143 Borregas Avenue Sunnyvale, CA 94089-1306

T: 408.745.9600 F: 408.745.9300

www.sonicwall.com

2002 SonicWALL, Inc. SonicWALL is a registered trademark of SonicWALL, Inc. Other product and company names mentioned herein may be trademarks and/or registered trademarks of their respective companies. Specifications and descriptions subject to change without notice.

P/N 232-000393-01 Rev A 2/04
