Freedom9 freeGuard 100 Reference Manual

Manual is about: UTM Firewall

Summary of freeGuard 100

  • Page 1

    freeGuard 100 UTM Firewall Log Message Reference, P/N: f0025000, Rev. 1.0

  • Page 2

    Copyright and trademark information: this document contains proprietary information that is protected by copyright. All rights reserved. No part of this document may be photocopied, reproduced, or translated into another language without the express prior written consent of freedom9 Inc. © Copyright 2...

  • Page 4

    freeGuard 100 Log Message Reference i. Table of contents: 1 General information ... 1; 1.1 Overview ...

  • Page 5

    4.5 Web filter log messages ... 41; 4.5.1 URLblock ... 41; 4.5.2 URLexempt...

  • Page 6

    1 General information. 1.1 Overview: you can configure the freeGuard 100 to record various types of logs to one or more locations. You can also configure alert emails to notify administrators of specified events. This guide describes the basics of the freeGuard 10...

  • Page 8

    You can also register the freeGuard 100 UTM firewalls at http://www.freedom9.com and modify your registration information at any time. Freedom9 email support is available from the following address: support@freedom9.com. When requesting technical support, please ...

  • Page 9

    2 Logging configuration overview: you can configure the logging type, the logging severity level, and the logging location for the freeGuard 100 logs. You can also customize alert emails to notify administrators of selected events. This section provides a general overview of configuring logging and...

  • Page 10

    To configure log settings: 1. Go to Log&Report > Log Config > Log Setting. 2. Select a check box to enable logging to that location. 3. Select the blue arrow beside the location. The setting options appear for that location. 4. Enter the IP address if logging to...

  • Page 11

    configuration are filters used for determining alert email content. The filters are the same as those used for configuring log settings (but without traffic logging), and are described in "Log setting options". 2.1.4 Configuring alert email. Note: before configuring alert email, make sure you configu...

  • Page 12

    Figure 1: Traffic and event log filter settings. 2.1.6 Configuring log filters: configure log filters for each location to which you are saving logs. To configure log filters: 1. Go to Log&Report > Log Config > Log Filter. 2. Enable the logging type for each locat...

  • Page 13

    1. Go to System > Network > Interface. 2. Click the Edit icon for an interface. 3. Click "Log". 4. Click "OK". 5. Repeat steps 1 through 4 for each interface for which you want to enable logging. You can enable traffic logging for a firewall policy. All connections accepted by the firewall policy ...

  • Page 14

    Choosing columns: you can customize your log message display using the Column Settings window. The column settings apply only when the formatted (not raw) display is selected. To change the columns in the log message display: 1. While viewing log messages, click...

  • Page 15

    Figure 4: Log search window. 3. If you want to search for log messages in a particular date range, select the From and To dates. 4. Select one of the following options: • All of the following - the message must contain all of the keywords • Any of the following - the message must contain at least ...

  • Page 16

    3 Log formats. The freeGuard 100 log messages have two parts: • log header • log body. In the following example of an event log message, the log header is marked in bold. 2004-05-22 19:32:56 log_id=0420073001 type=ips subtype=anomaly pri=critical attack_id=100663...

  • Page 17

    violation – policy violation traffic; 23 system – system activity event; 00 event (event log); 01 ipsec – IPsec negotiation event; 01 dhcp – DHCP service event; 02 ppp – L2TP/PPTP/PPPoE service event; 03 admin – admin event; 04 ha – HA activity event; 05 auth – firewall authentication event; 06 pattern – ...

  • Page 18

    Critical: functionality is affected. Critical level log messages include virus detection, out of memory, out of range, and routing problem messages. Error: an error condition exists and functionality is probably affected. Warning: functionality might be affected. ...

  • Page 19

    3.2.1 Traffic log body. With traffic logging enabled, the freeGuard 100 records all the traffic to and through the freeGuard 100 interfaces. For information on how to enable traffic logging, see "Enabling traffic logging". An example traffic log body contains the following information: rule= polic...

  • Page 20

    tran_disp: the packet is source NAT translated or destination NAT translated. For descriptions of traffic log messages, see "Traffic log messages". 3.2.2 Event log body. Event logs record system activity, IPsec, DHCP, PPP, administration, high availability (HA) a...

  • Page 22

    4 Log messages. This section describes the following log messages: • traffic log messages • event log messages • antivirus log messages • attack log messages • web filter log messages • spam filter log messages. Note: you can search for a specific message using t...

  • Page 24

    Message ID: 20032. Severity: critical. Message: interface not found in . Meaning: the freeGuard 100 cannot find the specified interface. Action: check the configuration of the interface and check any physical connections. Message ID: 20033. Severity: information. Message...

  • Page 25

    Meaning: the value to be placed in MTU options sent by the router must be either zero or within the specified range for the specified interface. A value of zero indicates that no MTU options are sent. Action: reconfigure the router according to the range. Message ID: 20039. Severity: critical. Message: ad...

  • Page 26

    Action: as above. Message ID: 20045. Severity: critical. Message: invalid prefix length for . Meaning: prefix length is too long. Action: adjust packet prefix length. Message ID: 20046. Severity: critical. Message: AdvValidLifetime must be greater than AdvPreferredLif...

  • Page 27

    Severity: information. Message: radvd receive signal= . Meaning: the IPv6 router advertisement daemon received the specified signal and is going to exit. Action: none. Message ID: 20055. Severity: critical. Message: can not create query to interface at ::! Meaning: the IPv6 router advertisement daemo...

  • Page 28

    Meaning: the IPv6 router advertisement daemon received an ICMPv6 RA packet with invalid length. Action: none. Message ID: 20063. Severity: warning. Message: received ICMPv6 RA packet with non-link-local source address. Meaning: the IPv6 router advertisement daemon r...

  • Page 29

    Message: our AdvReachableTime on doesn't agree with interface_name>. Meaning: the AdvReachableTime configured on the specified freeGuard 100 interface does not agree with the value on the specified remote interface. A value of zero means unspecified (by this router). The value must be no greater th...

  • Page 30

    Message ID: 20077. Severity: warning. Message: our AdvPreferredLifetime on for doesn't agree with . Meaning: the AdvPreferredLifetime value on the specified freeGuard 100 interface does not agree with the value on the specified remote interface. Action: configure t...

  • Page 31

    Severity: critical. Message: freeGuard 100 category is updated. Meaning: freeGuard 100 category is updated. Action: none. Message ID: 20101. Severity: notification. Message: act=upload status= file= user= server= port= . Meaning: status of file upload. Action: none. Message ID: 20101. Severity: variable. M...

  • Page 32

    Message: id= status=failure msg="failed to find its avprotection profile". Meaning: the specified user group or firewall policy could not find its protection profile. Action: none. Message ID: 22010. Severity: error. Message: failed to send rating result. Meaning: t...

  • Page 35

    Meaning: the maximum number of PPTP connections has been reached. Action: none. Message ID: 29005. Severity: warning. Message: mgr: error with manager select()! Meaning: the PPTP server encountered an error while polling PPTP requests. Action: none. Message ID: 29006. Severity: warning. Message: mgr: acce...

  • Page 36

    Message ID: 29022. Severity: warning. Message: all ip address of pptp in domain- are assigned. Meaning: there are no more available IP addresses for the specified domain. Action: reassign IP addresses or increase the range. Message ID: 29024. Severity: warning. Mess...

  • Page 44

    ha master became slave; ha move to standby state; detected ha member dead; detected new joined ha member. Meaning: as described in message. Action: none. Message ID: 35001. Severity: warning. Message: ip= ha-prio=%d msg= . Meaning: HA monitor port report as described in...

  • Page 45

    Severity: warning. Message: user= service= action= status=failure reason= src= srcname=n/a dst= dstname=n/a. Meaning: the specified user failed to get authenticated because of the specified reason. Action: ensure users and administrators have the correct login information and have access to the free...

  • Page 47

    Message: msg="calloc() failed: ". Meaning: insufficient resources. Action: delete logs to free some memory. Message ID: 93009. Severity: critical. Message: hostname= msg="gethostbyname() failed: ". Meaning: cannot resolve the name of the freeGuard 100 server. Action: check settings. Message ID: 93013...

  • Page 48

    Action: none. Message ID: 99502. Severity: information. Message: src= dst= src_int= dst_int= service=http status=profile= cat= cat_desc= url= msg= . Meaning: a web site was monitored by the web category filtering service. The client and server addresses, the protectio...

  • Page 49

    Meaning: the email message from the specified source was blocked because the source email address is marked as spam by the email address list. Action: none. Message ID: 80004. Severity: notification. Message: src= dst= src_int= dst_int= service=smtp status=detected msg="the email contains banned hea...

  • Page 50

    Meaning: the email message from the specified source was blocked because the source IP address is on a DNSBL or an ORDBL. Action: none. Message ID: 83002. Severity: notification. Message: src= dst= src_int= dst_int= service=pop3 status=detected msg="smtphelo/ehlo...

  • Page 51

    Message ID: 86000. Severity: notification. Message: src= dst= src_int= dst_int= service=pop3 status=detected msg="from ip is in ip blacklist". Meaning: the email message from the specified source was blocked because the source IP address is marked as spam by the IP address list. Action: none. Message...

  • Page 52

    Meaning: the email message from the specified source was blocked because the domain name of the Reply-To or From address does not have an A or MX record on the DNS server. Action: none. Message ID: 86006. Severity: notification. Message: src= dst= src_int= dst_int...

  • Page 53

    4.7.4 POP3. The following message is generated when archiving POP3 meta-data. Message ID: 06280. Severity: information. Message: ::>:: :f/t=:0=no) Action: none. 4.7.5 IMAP. The following message is generated when archiving IMAP meta-data. Message ID: 06290. Severity: information. Message: ::>:: :f/t=:0=...

  • Page 54

    5 Glossary. Connection: a link between machines, applications, processes, and so on that can be logical, physical, or both. Demilitarized zone (DMZ): used to host Internet services without allowing unauthorized access to an internal (private) network. Typically,...

  • Page 55

    ISPs to operate virtual private networks (VPNs). L2TP merges PPTP from Microsoft and L2F from Cisco Systems. To create an L2TP VPN, your ISP's routers must support L2TP. Internet Protocol Security (IPsec): a set of protocols that support secure exchange of packets at the IP layer. IPsec is most o...

  • Page 56

    determines the type of error checking to be used, the data compression method (if any), how the sending device indicates that it has finished sending a message, and how the receiving device indicates that it has received a message. Remote Authentication Dial-In...

  • Page 57

    6 Certifications. FCC: this equipment has been tested and found to comply with Part 15 of the FCC rules. Operation is subject to the following two conditions: (1) this device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may ca...