FortiOS Log Reference Guide
VERSION 5.2.1
November 04, 2014
FortiOS 5.2.1 Log Reference Guide
01-521-257022-20141104
TABLE OF CONTENTS
Change Log
Introduction
Before You Begin
How This Reference is Organized
Overview
Managing and Understanding Logs
Log Types and Sub Types
Type
Subtype
Priority Level
Log Message Format
Log Field Format
Log Schema Structure
Header and Body Fields
Log ID Numbers
Log ID Definitions
Traffic Log
Traffic Log Messages
Security Log
Application Control
Application Control Log Messages
AntiVirus
AntiVirus Log Messages
DLP
DLP Log Messages
Email Filter
Email Filter Log Messages
Web Filter
Web Filter Log Messages
IPS
IPS Log Messages
Event Log
Endpoint Control
Endpoint Log Messages
GTP
GTP Log Messages
High Availability
High Availability Log Messages
Router
Router Log Messages
System
System Log Messages
User
User Log Messages
VPN
VPN Log Messages
WAD
WAD Log Messages
Wireless
Wireless Log Messages
Change Log
Date | Change Description
2014-11-04 | Initial release.
2015-01-30 | Updated Log ID numbering section. Added log definitions for log type and sub type IDs. Added notes about UTM log type information in Security log section.
Introduction
This document provides information about all the log messages applicable to FortiGate devices running FortiOS
version 5.2.1. It is intended as a reference for administrators who need more information about a specific
log entry and the message that is generated.
This chapter includes the following topics:
Before You Begin
How This Reference is Organized
Fortinet Technologies Inc.
Before You Begin
Before you begin using this reference, read the following notes:
• The information in this document applies to all FortiGate units currently running FortiGate 5.2 or higher.
• Ensure that you have enabled logging for the FortiGate unit. For more information, see the Logging and Reporting
chapter in the FortiGate Handbook.
• Each log message is displayed in RAW format in the Log View of the web-based manager.
• Each log message is documented similar to how it appears in the log viewer table based on the RAW format. For
more information, see the Logging and Reporting chapter in the FortiGate Handbook.
NOTE: This reference contains detailed information for each log type and sub type; however, it contains
only information gathered at publication and, as a result, not every log message field contains detailed information.
How This Reference is Organized
The following sections are grouped by log type, with the exception of the Event and Security log types, which are
grouped by sub type (for example, Security->AntiVirus and Event->System) due to the large number of sub types
associated with the security and event logs.
Overview
The log types described in this document report traffic, security, and event log information useful for system
administrators when recording, monitoring, and tracing the operation of a FortiGate device running FortiOS. The logs
provide information regarding the following:
• Firewall attacks
• Configuration changes
• Successful and unsuccessful system operations
This chapter includes the following topics:
Managing and Understanding Logs
Log Types and Sub Types
Type
Subtype
Priority Level
Log Message Format
Log Field Format
Managing and Understanding Logs
This document is organized by log type and sub type, which provides quick access to messages related to specific logs
and filters the messages into meaningful sections in the database.
It provides administrators with a comprehensive list of all the log messages that the FortiGate generates, with
explanations of what the messages mean and what possible actions you might take upon receiving them. In each
section, the log entry messages are listed by their log type ID numbers. See the Log Types and Sub Types section
for more information about the Log ID numbering format.
Log Types and Sub Types
FortiGate devices can record the following types and sub types of log entry information:
Log Details
Type | Description | Sub Type
Traffic | Records traffic flow information, such as an HTTP/HTTPS request and its response, if any. | Local, Forward, Multicast, Sniffer
Security (UTM) | Records virus attack and intrusion attempts. | AntiVirus, Application Control, Data Leak Prevention (DLP), Intrusion Prevention (IPS), Email Filter, Web Filter
Event | Records system and administrative events, such as downloading a backup copy of the configuration, or daemon activities. | System, High Availability, Router, Endpoint Control, GTP, Virtual Private Network (VPN), WAD, Wireless, User
Type
Each log entry contains a Type (type) field that indicates its log type, and in which log file it is stored.
Subtype
Each log entry might also contain a Sub Type (subtype) field within a log type, based on the feature associated with
the cause of the log entry.
For example:
• In event logs, some log entries have a subtype of user, system, or other sub types.
• In security (UTM) logs, some log entries have a subtype of DLP, Web Filter, Email or other sub types.
• In traffic logs, the sub types are: local, forward, multicast, and sniffer.
Priority Level
Each log entry contains a Level (pri) field that indicates the estimated severity of the event that caused the log entry,
such as pri=warning, and therefore how high a priority it is likely to be. Level (pri) associations with the descriptions
below are not always uniform. They also may not correspond with your own definitions of how severe each event is. If
you require notification when a specific event occurs, either configure SNMP traps or alert email by administrator-
defined Severity Level (severity_level) or ID (log_id), not by Level (pri).
Priority Levels
Level (0 is highest) | Name | Description
0 | Emergency | The system is unusable or not responding.
1 | Alert | Immediate action required. Used in security logs.
2 | Critical | Functionality is affected.
3 | Error | An error exists and functionality could be affected.
4 | Warning | Functionality could be affected.
5 | Notification | Information about normal events.
6 | Information | General information about system operations. Used in event logs to record configuration changes.
For each location where the FortiGate device can store log files (disk, memory, Syslog or FortiAnalyzer), you can
define a severity threshold. The FortiGate stores all log messages equal to or exceeding the log severity level
selected. For example, if you select Error, FortiGate will store log messages whose log severity level is Error, Critical,
Alert, and Emergency.
Log Message Format
For documentation purposes, all log types and sub types follow this generic table format to present the log message
entry and severity information.
Example: Log Message Details
Message ID | Message | Severity
2 | LOG_ID_TRAFFIC_ALLOW | Notice
Log Field Format
The following table describes the standard format in which each log type is described in this document. For
documentation purposes, all log types and sub types follow this generic table format to present the log entry
information.
Example: Log Entry Information
Log Field | Log Field Description | Data Type | Length | Value(s)
appact | The security action from app control | ENUM | 16 | block, encrypt-kickout, monitor, pass, reject, reset
Log Schema Structure
This section describes the schema of the FortiGate log entries.
Header and Body Fields
Each log entry consists of several fields and values. In the web-based manager, the logs are displayed in a Formatted
table view or Raw format. You can download the logs in the raw format for further analysis.
• Header - Contains the date and time the log originated, log identifier, message identifier, administrative domain
(ADOM), the log category, severity level, and where the log originated. These fields are common to all log types.
• Body - Describes the reason why the log was created and actions taken by the FortiGate device to address it. These
fields vary by log type.
Following is an example of a traffic log entry in raw format. The body fields are highlighted in Bold.
date=2014-07-04 time=14:26:59 logid=0001000014 type=traffic subtype=local
level=notice vd=vdom1 srcip=10.6.30.254 srcport=54705 srcintf="mgmt1"
dstip=10.6.30.1 dstport=80 dstintf="vdom1" sessionid=350696 status=close
policyid=0 dstcountry="Reserved" srccountry="Reserved" trandisp=noop service=HTTP
proto=6 app="Web Management" duration=13 sentbyte=1948 rcvdbyte=3553 sentpkt=9
rcvdpkt=9 devtype="Fortinet Device" osname="Fortinet OS"
mastersrcmac=00:09:0f:67:6c:31 srcmac=00:09:0f:67:6c:31
The following table describes each possible header and body field, according to its name as it appears in the
Formatted or Raw view.
Example: Traffic Log (Raw Format)
Field Name (Raw format view in parentheses) | Field Description | Exists in Traffic | Exists in Event | Exists in Security | Example Field - Value (raw format)
Header
Date (date) | The day, month, and year when the log message was reported. | √ | √ | √ | date=2014-07-04
Time (time) | The hour clock when the log message was recorded. | √ | √ | √ | time=14:26:59
ID (log_id) | See Log ID | √ | √ | √ | logid=0001000014
MSG (msg) | See Message IDs | √ | √ | √ | msg=000100000012
Type (type) | See Type | √ | √ | √ | type=traffic
Sub Type (subtype) | See Sub Type | √ | √ | √ | subtype=local
VDOM (vd) | The virtual domain in which the log message was recorded. | √ | √ | √ | vd=vdom1
Level (pri) | Priority level | √ | √ | √ | level=notice
Body
Protocol (proto) | tcp: The protocol used by web traffic (tcp by default) | √ | √ | √ | proto=6
Source IP (srcip) | The IP address of the traffic's origin. The source varies by the direction: In HTTP requests, this is the web browser or other client. In HTTP responses, this is the physical server. | √ | √ | √ | srcip=10.6.30.254
Source Port (srcport) | The port number of the traffic's origin. | √ | √ | √ | srcport=54705
Source Interface (srcintf) | The interface of the traffic's origin. | √ | √ | √ | srcintf="mgmt1"
Destination IP (dstip) | The destination IP address for the web. | √ | √ | √ | dstip=10.6.30.1
Destination Port (dstport) | The port number of the traffic's destination. | √ | √ | √ | dstport=80
Destination Interface (dstintf) | The interface of the traffic's destination. | √ | √ | √ | dstintf="vdom1"
Session ID (sessionid) | The session number for the traffic connection | √ | √ | √ | sessionid=350696
Status (status) | The status of the session | √ | √ | √ | status=close
Policy (policyid) | The name of the server policy governing the traffic which caused the log message. | √ | √ | √ | policyid=0
Service (service) | http or https. The name of the application-layer protocol used by the traffic. By definition, for FortiWeb, this is always HTTP or HTTPS. | √ | √ | √ | service=HTTP
User (user) | The daemon or name of the administrator account that performed the action that caused the log message. | √ | √ | √ | user=admin
Log ID Numbers
The ID (log_id) is a 10-digit field located in the header, immediately following the time and date fields. It is a unique
identifier for that specific log and includes the following information about the log entry.
Log ID number components | Description | Examples
Log Type | Represented by the first two digits of the log ID. | Traffic log IDs begin with "00". Event log IDs begin with "01".
Sub Type or Event Type | Represented by the second two digits of the log ID. | VPN log subtype is represented with "01" which belongs to the Event log type that is represented with "01". Therefore, all VPN related Event log IDs will begin with the 0101 log ID series.
Message ID | The last six digits of the log ID represent the message ID. | An administrator account always has the log ID 0000003401.
The log_id field is a number assigned to all permutations of the same message. It classifies a log entry by the nature
of the cause of the log message, such as administrator authentication failures or traffic. Other log messages that
share the same cause will share the same log_id.
Log ID Definitions
Following are the definitions for the log type IDs and sub type IDs applicable to FortiOS version 5.2.1 and later.
Log Type IDs | Sub Type IDs
traffic:0 | forward:0, local:1, multicast:2, sniffer:4
event:1 | system:0, vpn:1, user:2, router:3, wireless:4, wad:5, gtp:6, endpoint:7, ha:8
antivirus:2 | virus:2, suspicious:0, analytics:1, botnet:2, infected:11, filename:12, oversize:13, scanerror:62, switchproto:63
webfilter:3 | content:14, urlfilter:15, ftgd_blk:16, ftgd_allow:17, ftgd_err:18, activexfilter:35, cookiefilter:36, appletfilter:37, ftgd_quota_counting:38, ftgd_quota_expired:39, ftgd_quota:40, scriptfilter:41, webfilter_command_block:43
ips:4 | signature:19
spam:5 | msn-hotmail:5, yahoo-mail:6, gmail:7, smtp:8, pop3:9, imap:10, mapi:11, carrier-endpoint-filter:47, mass-mms:52
contentlog:6 | HTTP:24, FTP:25, SMTP:26, POP3:27, IMAP:28, HTTPS:30, im-all:31, NNTP:39, VOIP:40, SMTPS:55, POP3S:56, IMAPS:57, MM1:48, MM3:49, MM4:50, MM7:51
anomaly:7 | anomaly:20
voip:8 | viop:14
dlp:9 | dlp:54, dlp-docsource:55
app-ctrl-all:10 | app-ctrl-all:59
netscan:11 | discovery:0, vulnerability:1
UTM | virus:2, webfilter:3, ips:4, spam:5, contentlog:6, voip:8, dlp:9, app-ctrl:10
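The following Python example is added here and is not Fortinet code. It parses the raw traffic log entry from the Header and Body Fields section, splits logid into the type, sub type and message ID components described under Log ID Numbers, and reports any disagreement between those components and the entry's own type and subtype fields. The function names are illustrative, and only the traffic and event rows of the definitions table are included.

```python
import re

# Raw traffic log entry from this guide's example, joined onto one line.
SAMPLE = (
    'date=2014-07-04 time=14:26:59 logid=0001000014 type=traffic subtype=local '
    'level=notice vd=vdom1 srcip=10.6.30.254 srcport=54705 srcintf="mgmt1" '
    'dstip=10.6.30.1 dstport=80 dstintf="vdom1" sessionid=350696 status=close '
    'policyid=0 dstcountry="Reserved" srccountry="Reserved" trandisp=noop '
    'service=HTTP proto=6 app="Web Management" duration=13 sentbyte=1948 '
    'rcvdbyte=3553 sentpkt=9 rcvdpkt=9 devtype="Fortinet Device" '
    'osname="Fortinet OS" mastersrcmac=00:09:0f:67:6c:31 srcmac=00:09:0f:67:6c:31'
)

# Type and sub type IDs from the Log ID Definitions table (traffic and event only).
LOG_TYPES = {
    0: ("traffic", {0: "forward", 1: "local", 2: "multicast", 4: "sniffer"}),
    1: ("event", {0: "system", 1: "vpn", 2: "user", 3: "router", 4: "wireless",
                  5: "wad", 6: "gtp", 7: "endpoint", 8: "ha"}),
}

# Message IDs from the Traffic Log Messages table in this guide.
TRAFFIC_MESSAGES = {
    2: "LOG_ID_TRAFFIC_ALLOW", 3: "LOG_ID_TRAFFIC_DENY",
    4: "LOG_ID_TRAFFIC_OTHER_START", 5: "LOG_ID_TRAFFIC_OTHER_ICMP_ALLOW",
    6: "LOG_ID_TRAFFIC_OTHER_ICMP_DENY", 7: "LOG_ID_TRAFFIC_OTHER_INVALID",
    8: "LOG_ID_TRAFFIC_WANOPT", 9: "LOG_ID_TRAFFIC_WEBCACHE",
    10: "LOG_ID_TRAFFIC_EXPLICIT_PROXY", 11: "LOG_ID_TRAFFIC_FAIL_CONN",
    12: "LOG_ID_TRAFFIC_MULTICAST", 13: "LOG_ID_TRAFFIC_END_FORWARD",
    14: "LOG_ID_TRAFFIC_END_LOCAL", 15: "LOG_ID_TRAFFIC_START_FORWARD",
    16: "LOG_ID_TRAFFIC_START_LOCAL", 17: "LOG_ID_TRAFFIC_SNIFFER",
}

# A field is key=value; the value is double-quoted (may contain spaces) or a bare token.
PAIR = re.compile(r'(?<!\S)([A-Za-z0-9_-]+)=(?:"([^"]*)"|(\S*))')


def parse_raw(line):
    """Split one raw log line into a dict of field name -> value (quotes removed)."""
    fields = {}
    for match in PAIR.finditer(line):
        key, quoted, bare = match.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def decode_logid(logid):
    """Split a 10-digit logid into type (2 digits), sub type (2) and message ID (6)."""
    if not re.fullmatch(r"[0-9]{10}", logid):
        raise ValueError("logid must be exactly 10 digits: %r" % (logid,))
    type_id, subtype_id, message_id = int(logid[:2]), int(logid[2:4]), int(logid[4:])
    type_name, subtypes = LOG_TYPES.get(type_id, (None, {}))
    message = TRAFFIC_MESSAGES.get(message_id) if type_name == "traffic" else None
    return {
        "type_id": type_id, "type": type_name,
        "subtype_id": subtype_id, "subtype": subtypes.get(subtype_id),
        "message_id": message_id, "message": message,
    }


def check_entry(line):
    """Return a list of inconsistencies between logid and the type/subtype fields."""
    fields = parse_raw(line)
    if "logid" not in fields:
        return ["no logid field"]
    try:
        decoded = decode_logid(fields["logid"])
    except ValueError as exc:
        return [str(exc)]
    if decoded["type"] is None:
        # Security (UTM) and other type IDs are outside the two rows tabulated above.
        return ["type id %02d is not in the table used here" % decoded["type_id"]]
    problems = []
    for name in ("type", "subtype"):
        if decoded[name] is None:
            problems.append("%s id %02d is not in the table used here"
                            % (name, decoded[name + "_id"]))
        elif fields.get(name) != decoded[name]:
            problems.append("%s=%s but logid encodes %s"
                            % (name, fields.get(name), decoded[name]))
    return problems


if __name__ == "__main__":
    print(decode_logid(parse_raw(SAMPLE)["logid"]))
    print(check_entry(SAMPLE) or "logid agrees with type and subtype")
```

A mismatch reported by check_entry usually points to a parsing fault or a record altered after it left the device, so it is worth counting in an ingestion pipeline.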
Traffic Log
Traffic log messages record network traffic passing through the FortiGate unit.
Traffic logs include the following log subtypes.
• Forward
• Multicast
• Local
• Sniffer
In the log fields, the logs are defined as: type=traffic; subtypes = forward, multicast, local, and sniffer.
The following table describes the log fields of the Traffic log.
NOTE: In the policyid field of traffic log messages, the number may be zero because any policy that is automatically
added by the FortiGate unit is indexed as zero. For more information, see the Fortinet Knowledge Base article, Firewall
policy=0.
Log Details
Log Field Name | Log Field Description | Data Type | Length | Value
action | Status of the session. Uses following definition: Deny = blocked by firewall policy. Start = session start log (special option to enable logging at start of a session). This means firewall allowed. All Others = allowed by Firewall Policy and the status indicates how it was closed. | String | 16 | close, deny, dns, ip-conn, start, timeout
app | Application name | String | 96
appact | The security action from app control | String | 16 | block, encrypt-kickout, monitor, pass, reject, reset
appcat | Application category | String | 64
appid | Application ID | UINT32 | 10
applist | Application Control profile (name) | String | 64
apprisk | Application Risk Level | String | 16 | critical, elevated, high, low, medium
collectedemail | Email address from Email Collection Captive Portal | String | 66
countapp | Number of App Ctrl logs associated with the session | UINT32 | 10
countav | Number of AV logs associated with the session | UINT32 | 10
countdlp | Number of the DLP logs associated with the session | UINT32 | 10
countemail | Number of the email logs associated with the session | UINT32 | 10
countips | Number of the IPS logs associated with the session | UINT32 | 10
countweb | Number of the Web Filter logs associated with the session | UINT32 | 10
craction | Action performed by Client Reputation | UINT32 | 10
crlevel | Client Reputation level | String | 10
crscore | Client Reputation score | UINT32 | 10
custom | Custom field | Custom
date | Date | String | 10
devid | Device serial number | String | 16
devtype | Device type | String | 32
dstcountry | Country name for the destination IP | String | 64
dstintf | Destination Interface | String | 32
dstip | Destination IP Address | IP Address | 39
dstname | The destination name. | String | 66
dstport | Destination Port | UINT16 | 5
dstssid | Destination SSID | String | 33
dstuuid | UUID of the Destination IP address | String | 37
duration | Duration of the session | UINT32 | 10
group | User group name | String | 64
lanin | LAN incoming traffic in bytes | UINT64 | 20
lanout | LAN outgoing traffic in bytes | UINT64 | 20
level | Log Level | String | 11
logid | Log ID | String | 10
mastersrcmac | The master MAC address for a host that has multiple network interfaces | String | 17
msg | Log message | String | 64
osname | Name of the device's OS | String | 66
osversion | OS version of the device | String | 66
policyid | Firewall Policy ID | UINT32 | 10
poluuid | UUID of the Firewall Policy | String | 37
proto | protocol number | UINT8 | 3
rcvdbyte | Received Bytes | UINT64 | 20
rcvdpkt | Received Packets | UINT32 | 10
sentbyte | Sent Bytes | UINT64 | 20
sentpkt | Sent Packets | UINT32 | 10
service | Name of service | String | 36
sessionid | Session ID | UINT32 | 10
shaperdroprcvdbyte | Received bytes dropped by shaper | UINT32 | 10
shaperdropsentbyte | Sent bytes dropped by shaper | UINT32 | 10
shaperperipdropbyte | Dropped bytes per IP by shaper | UINT32 | 10
shaperperipname | Traffic shaper name (per IP) | String | 36
shaperrcvdname | Traffic shaper name for received traffic | String | 36
shapersentname | Traffic shaper name for sent traffic | String | 36
srccountry | Country name for Source IP | String | 64
srcintf | Source interface name | String | 32
srcip | Source IP address | IP Address | 39
srcmac | MAC address associated with the Source IP | String | 17
srcname | Source name | String | 66
srcport | Source port number | UINT16 | 5
srcssid | Source SSID | String | 33
srcuuid | UUID of the Source IP Address | String | 37
subtype | Subtype of the traffic | String | 20 | local, multicast, forward, sniffer
time | Time | String | 8
trandisp | NAT translation type | String | 16 | dnat, noop, snat, snat+dnat
tranip | NAT destination IP | IP Address | 39
tranport | NAT Destination Port | UINT16 | 5
transip | NAT Source IP | IP Address | 39
transport | NAT Source Port | UINT16 | 5
type | Log type | String | 16 | traffic
unauthuser | Unauthenticated user name | String | 66
unauthusersource | The method used to detect unauthenticated user name | String | 66
user | User name | String | 256
utmaction | Security action performed by UTM | String | 32 | allow, block, n/a, reset, traffic-shape
vd | Virtual domain name | String | 32
vpn | The name of the VPN tunnel | String | 32
vpntype | The type of the VPN tunnel | String | 14 | ipsec-ddns, ipsec-dynamic, ipsec-static, sslvpn
wanin | WAN incoming traffic in bytes | UINT32 | 10
wanoptapptype | WAN Optimization Application type | String | 9 | cifs, ftp, ftp-proxy, http, mapi, tcp, web-cache, web-proxy
wanout | WAN outgoing traffic in bytes | UINT32 | 10
Traffic Log Messages
The following table describes the log message IDs and messages of the Traffic log.
Log Message Details
Message ID | Message | Severity
2 | LOG_ID_TRAFFIC_ALLOW | Notice
3 | LOG_ID_TRAFFIC_DENY | Warning
4 | LOG_ID_TRAFFIC_OTHER_START | Notice
5 | LOG_ID_TRAFFIC_OTHER_ICMP_ALLOW | Notice
6 | LOG_ID_TRAFFIC_OTHER_ICMP_DENY | Warning
7 | LOG_ID_TRAFFIC_OTHER_INVALID | Warning
8 | LOG_ID_TRAFFIC_WANOPT | Notice
9 | LOG_ID_TRAFFIC_WEBCACHE | Notice
10 | LOG_ID_TRAFFIC_EXPLICIT_PROXY | Notice
11 | LOG_ID_TRAFFIC_FAIL_CONN | Warning
12 | LOG_ID_TRAFFIC_MULTICAST | Notice
13 | LOG_ID_TRAFFIC_END_FORWARD | Notice
14 | LOG_ID_TRAFFIC_END_LOCAL | Notice
15 | LOG_ID_TRAFFIC_START_FORWARD | Notice
16 | LOG_ID_TRAFFIC_START_LOCAL | Notice
17 | LOG_ID_TRAFFIC_SNIFFER | Notice
Security Log
The following sections provide information about the different types of logs recorded under the Security log type.
In FortiOS 5.0 and previous versions, the logs were displayed under the UTM log type. In FortiOS
5.2.0 and later versions, the UTM logs are displayed under the Security log type. All logs grouped
in the security log include the log field type=utm.
Application Control
Application Control Log Messages
AntiVirus
AntiVirus Log Messages
DLP
DLP Log Messages
Email Filter
Email Filter Log Messages
Web Filter
Web Filter Log Messages
IPS
IPS Log Messages
Application Control
Application Control log messages record application control protocols and events.
In the log fields, these logs are defined as: type=utm, subtype=app-ctrl.
Log Details
Log Field Name | Log Field Description | Data Type | Length | Value
action | Security action performed by App Control | enum | 16 | block, encrypt-kickout, kickout, monitor, pass, reject, reset
level | Log level | String | 11
logid | Log ID | String | 10
msg | Log message | String | 512
sessionid | Session ID | uint32
subtype | Log subtype | String | 20 | app-ctrl
type | Log type | String | 16 | utm
app | Application name | String | 96
appcat | Application category name | String | 64
appid | Application ID | uint32 | 0
applist | Application Control profile name | String | 64
filename | File name | String | 256
direction | Direction of the packets | enum | 8 | incoming, N/A, outgoing
eventtype | App Control Event Type | String | 32
filesize | File size in bytes | uint64
url | The URL address | String | 512
date | Date | String | 10
time | Time | String | 8
vd | Virtual domain name | String | 32
user | User name | String | 256
group | User group name | String | 64
devid | Device Serial Number | String | 16
hostname | The host name of a URL | String | 256
sentbyte | Sent Bytes | UINT64
rcvdbyte | Received Bytes | UINT64
dstip | Destination IP | IP Address
srcip | Source IP | IP Address
dstport | Destination Port | uint16
srcport | Source Port | uint16
proto | Protocol number | uint8
service | Service name | String | 36
clouduser | User login ID detected by the Deep Application Control feature | String | 256
cloudaction | Action performed by cloud application | String | 32
apprisk | Application risk level | enum | | critical, elevated, high, low, medium
Application Control Log Messages
The following table describes the log message IDs and messages of the Application Control log.
Log Message Details
Message ID | Message | Severity
28672 | LOGID_APP_CTRL_IM_BASIC | Information
28673 | LOGID_APP_CTRL_IM_BASIC_WITH_STATUS | Information
28674 | LOGID_APP_CTRL_IM_BASIC_WITH_COUNT | Information
28675 | LOGID_APP_CTRL_IM_FILE | Information
28676 | LOGID_APP_CTRL_IM_CHAT | Information
28677 | LOGID_APP_CTRL_IM_CHAT_BLOCK | Information
28678 | LOGID_APP_CTRL_IM_BLOCK | Information
28704 | LOGID_APP_CTRL_IPS_PASS | Information
28705 | LOGID_APP_CTRL_IPS_BLOCK | Warning
28706 | LOGID_APP_CTRL_IPS_RESET | Warning
28720 | LOGID_APP_CTRL_SSH_PASS | Information
28721 | LOGID_APP_CTRL_SSH_BLOCK | Warning
AntiVirus
AntiVirus log messages record actual viruses that are contained in an email as well as anything that appears to be
similar to a virus or suspicious, such as in a file or in an email.
In the log fields, these logs are defined as: type=utm, subtype=virus.
Log Details
Log Field Name | Log Field Description | Data Type | Length | Value
action | The security action performed by AV | enum | 11 | analytics, blocked, monitored, pass through
agent | User agent, e.g. agent="Mozilla/5.0" | String | 64
analyticscksum | The checksum of the file submitted for analytics | String | 64
analyticssubmit | The flag for analytics submission | enum | 10 | false, true
botnet | IP reputation detected botnets
checksum | The file checksum | String | 16
command | Protocol specific command, such as “POST” and “GET” for HTTP, “MODE” and “REST” for FTP | String | 16
date | Date | String | 10
devid | Device serial number | String
direction | Message/packets direction | enum | 8 | incoming, N/A, outgoing
dstip | Destination IP Address | IP Address
dstport | Destination Port | uint16
dtype | Data type for virus category | String | 32
eventtype | Event type of AV | String | 32
filefilter | The filter used to identify the affected file | enum | 12 | none, file pattern, file type
filename | File name | String | 256
filetype | File type | enum | 16 | arj, cab, lzh, rar, tar, zip, bzip, gzip, bzip2, bat, msc, uue, mime, base64, binhex, com, elf, exe, hta, html, jad, class, cod, javascript, msoffice, fsg, upx, petite, aspack, prc, sis, hlp, activemime, jpeg, gif, tiff, png, bmp, ignored, unknown
from | Email address from the Email Headers (IMAP/POP3/SMTP) | String | 128
group | Group name (authentication) | String
level | The log priority level | String | 11
logid | A ten-digit number. The first two digits represent the log type and the following two digits represent the log subtype. The last one to five digits are the message id | String | 10
msg | Explains the activity or event that the FortiGate unit recorded | String | 512
profile | The name of the profile that was used to detect and take action | String | 64
profiletype | The type of profile responsible for the UTM action | String | 64
proto | Protocol number | uint8
quarskip | Quarantine skip explanation | enum | 46 | File-was-not-quarantined., No-quarantine-for-HTTP-GET-file-pattern-block., No-quarantine-for-oversized-files, No-skip
rcvdbyte | Received Bytes | uint64
recipient | Email addresses from the SMTP envelope | String | 512
ref | The URL of the FortiGuard IPS database entry for the attack | String | 512
sender | Email address from the SMTP envelope | String | 128
sentbyte | Sent Bytes | uint64
service | Proxy service which scanned this traffic | enum | 36 | ftp, ftps, http, https, im, imap, imaps, mapi, mm1, mm3, mm4, mm7, nntp, pop3, pop3s, smb, smtp, smtps, ssl
sessionid | Session ID | uint32
srcip | Source IP Address | IP Address
srcport | Source Port | uint16
subtype | The subtype of the log message. The possible values of this field depend on the log type | String | 20 | virus
switchproto | Protocol change information | String | 128
time | Time | String | 8
to | Email address(es) from the Email Headers (IMAP/POP3/SMTP) | String | 512
type | The log type | String | 16 | utm
url | The url address | String | 512
user | Username (authentication) | String | 256
vd | VDOM name | String | 32
virus | Virus Name | String | 128
virusid | Virus ID (unique virus identifier) | uint32
AntiVirus Log Messages
The following table describes the log message IDs and messages of the Anti Virus log.
Log Message Details
Message ID | Message | Severity
8192 | MESGID_INFECT_WARNING | Warning
8193 | MESGID_INFECT_NOTIF | Notice
8194 | MESGID_INFECT_MIME_WARNING | Warning
8195 | MESGID_INFECT_MIME_NOTIF | Notice
8196 | MESGID_WORM_WARNING | Warning
8197 | MESGID_WORM_NOTIF | Notice
8198 | MESGID_WORM_MIME_WARNING | Warning
8199 | MESGID_WORM_MIME_NOTIF | Notice
8448 | MESGID_BLOCK_WARNING | Warning
8449 | MESGID_BLOCK_NOTIF | Notice
8450 | MESGID_BLOCK_MIME_WARNING | Warning
8451 | MESGID_BLOCK_MIME_NOTIF | Notice
8452 | MESGID_BLOCK_COMMAND | Warning
8453 | MESGID_INTERCEPT | Notice
8454 | MESGID_INTERCEPT_MIME | Notice
8455 | MESGID_EXEMPT | Notice
8456 | MESGID_EXEMPT_MIME | Notice
8457 | MESGID_MMS_CHECKSUM | Warning
8458 | MESGID_MMS_CHECKSUM_NOTIF | Notice
8704 | MESGID_OVERSIZE_WARNING | Warning
8705 | MESGID_OVERSIZE_NOTIF | Notice
8706 | MESGID_OVERSIZE_MIME_WARNING | Warning
8707 | MESGID_OVERSIZE_MIME_NOTIF | Notice
8720 | MESGID_SWITCH_PROTO_WARNING | Warning
8721 | MESGID_SWITCH_PROTO_NOTIF | Notice
8960 | MESGID_SCAN_UNCOMPNESTLIMIT | Notice
8961 | MESGID_SCAN_UNCOMPSIZELIMIT | Notice
8962 | MESGID_SCAN_ARCHIVE_ENCRYPTED_WARNING | Warning
8963 | MESGID_SCAN_ARCHIVE_ENCRYPTED_NOTIF | Notice
8964 | MESGID_SCAN_ARCHIVE_CORRUPTED_WARNING | Warning
8965 | MESGID_SCAN_ARCHIVE_CORRUPTED_NOTIF | Notice
8966 | MESGID_SCAN_ARCHIVE_MULTIPART_WARNING | Warning
8967 | MESGID_SCAN_ARCHIVE_MULTIPART_NOTIF | Notice
8968 | MESGID_SCAN_ARCHIVE_NESTED_WARNING | Warning
8969 | MESGID_SCAN_ARCHIVE_NESTED_NOTIF | Notice
8970 | MESGID_SCAN_ARCHIVE_OVERSIZE_WARNING | Warning
8971 | MESGID_SCAN_ARCHIVE_OVERSIZE_NOTIF | Notice
8972 | MESGID_SCAN_ARCHIVE_UNHANDLED_WARNING | Warning
8973 | MESGID_SCAN_ARCHIVE_UNHANDLED_NOTIF | Notice
9233 | MESGID_ANALYTICS_SUBMITTED | Notice
DLP
Data Leak Protection (DLP) log messages record data leaks. These logs provide additional information to help
administrators better analyze and detect data leaks.
In the log fields, these logs are defined as: type= utm, subtype=dlp.
Log Details
| Log Field Name | Log Field Description | Data Type | Length | Value |
|---|---|---|---|---|
| action | Security action performed by DLP | enum | 16 | ban, ban-sender, block, exempt, log-only, quarantine-interface, quarantine-ip |
| level | Log priority level | String | 11 | |
| logid | A ten-digit number. The first two digits represent the log type and the following two digits represent the log subtype. The last one to five digits are the message id | String | 10 | |
| msg | Explains the activity or event that the FortiGate unit recorded | String | 512 | |
| sessionid | Session ID | uint32 | | |
| subtype | The subtype of the log message. The possible values of this field depend on the log type | String | 20 | dlp |
| type | Log type | String | 16 | utm |
| filename | File name | String | 256 | |
| docsource | DLP fingerprint document source | String | 515 | |
| epoch | Epoch used for locating file | uint32 | | |
| eventid | The serial number of the dlparchive file in the same epoch | uint32 | | |
| eventtype | DLP event type | String | 32 | |
| filetype | File type | String | 16 | |
| filtercat | DLP filter category | enum | 8 | |
| filteridx | DLP filter ID | uint32 | | |
| filtertype | DLP filter type | enum | 23 | file, message, none, credit-card, encrypted, file-size, file-type, fingerprint, none, regexp, ssn, watermark |
| profile | DLP profile name | String | 64 | |
| sensitivity | Sensitivity for document fingerprint | String | 36 | |
| severity | Severity level of a DLP rule | enum | 8 | |
| subject | The subject title of the email message | String | 128 | |
| url | The URL address | String | 512 | |
| filtername | DLP rule name | String | 128 | |
| direction | Direction of packets | enum | 8 | incoming, N/A, outgoing |
| dlpextra | DLP extra information | String | 256 | |
| profiletype | Profile type | String | 64 | |
| date | The date the log event was generated on the device | String | 10 | |
| time | Time stamp of the event | String | 8 | |
| sender | Email address from the SMTP envelope | String | 128 | |
| recipient | Email addresses from the SMTP envelope | String | 512 | |
| to | Email address(es) from the Email Headers (IMAP/POP3/SMTP) | String | 512 | |
| from | Email address from the Email Headers (IMAP/POP3/SMTP) | String | 128 | |
| user | User name | String | 256 | |
| vd | Virtual domain name | String | 32 | |
| group | User group name | String | 64 | |
| devid | Device Serial Number | String | | |
| hostname | The host name of a URL | String | 256 | |
| sentbyte | Sent Bytes | UINT64 | | |
| rcvdbyte | Received bytes | UINT64 | | |
| dstip | Destination IP | IP Address | | |
| srcip | Source IP | IP Address | | |
| srcport | Source Port | UINT16 | | |
| dstport | Destination Port | UINT16 | | |
| proto | Protocol number | UINT8 | | |
| service | Service name | enum | 36 | ftp, ftps, http, https, im, imap, imaps, mapi, mm1, mm3, mm4, mm7, nntp, pop3, pop3s, smtp, smtps, ssl |
| agent | User agent - eg. agent="Mozilla/5.0" | String | 64 | |
| filesize | File size in bytes | INT64 | | |
DLP Log Messages
The following table describes the log message IDs and messages of the Data Leak Protection log.
Log Message Details
Message ID  Message  Severity
24576 LOG_ID_DLP_WARN Warning
24577 LOG_ID_DLP_NOTIF Notice
24578 LOG_ID_DLP_DOC_SOURCE Notice
24579 LOG_ID_DLP_DOC_SOURCE_ERROR Warning
Email Filter
Email filter log messages record email protocols, such as SMTP, POP3 and IMAP.
In the log fields, these logs are defined as: type=utm, subtype=emailfilter.
Log Details
| Log Field Name | Log Field Description | Data Type | Length | Value |
|---|---|---|---|---|
| action | Security action of the email filter | enum | 8 | blocked, detected, exempted |
| agent | User agent - eg. agent="Mozilla/5.0" | String | 64 | |
| attachment | The flag for email attachment | enum | 3 | no, yes |
| banword | Banned word | String | 128 | |
| cc | Email address(es) from the Email Headers (IMAP/POP3/SMTP) | String | 512 | |
| date | Date | String | 10 | |
| devid | Device Serial Number | String | | |
| direction | Direction of packets | enum | 8 | incoming, N/A, outgoing |
| dstip | Destination IP | IP Address | | |
| dstport | Destination Port | UINT16 | | |
| eventtype | Email Filter event type | String | 32 | |
| from | Email address(es) from the Email Headers (IMAP/POP3/SMTP) | String | 512 | |
| group | User group name | String | | |
| level | Log priority level | String | 11 | |
| logid | A ten-digit number. The first two digits represent the log type and the following two digits represent the log subtype. The last one to five digits are the message id | String | 10 | |
| msg | Explains the activity or event that the FortiGate unit recorded | String | 512 | |
| profile | Email Filter profile name | String | 64 | |
| profiletype | Profile type | String | 64 | |
| proto | Protocol number | uint8 | | |
| rcvdbyte | Received Bytes | UINT64 | | |
| recipient | Email addresses from the SMTP envelope | String | 512 | |
| sender | Email addresses from the SMTP envelope | String | 128 | |
| sentbyte | Sent Bytes | UINT64 | | |
| service | Service name | enum | 36 | ftp, ftps, http, https, im, imap, imaps, mapi, mm1, mm3, mm4, mm7, nntp, pop3, pop3s, smtp, smtps, ssl |
| sessionid | Session ID | UINT32 | | |
| size | Email size in Bytes? | String | 16 | |
| srcip | Source IP | IP Address | | |
| srcport | Source Port | UINT16 | | |
| subject | The subject title of the email message | String | 256 | |
| subtype | The subtype of the log message. The possible values of this field depend on the log type | String | 20 | emailfilter |
| time | Time | String | 8 | |
| to | Email address(es) from the Email Headers (IMAP/POP3/SMTP) | String | 512 | |
| type | Log type | String | 16 | utm |
| user | User name | String | 256 | |
| vd | Virtual domain name | String | 32 | |
Email Filter Log Messages
The following table describes the log message IDs and messages of the Email log.
Log Message Details
Message ID  Message  Severity
20480 LOGID_ANTISPAM_EMAIL_SMTP_NOTIF Notice
20481 LOGID_ANTISPAM_EMAIL_SMTP_BWORD_NOTIF Notice
20487 LOGID_ANTISPAM_ENDPOINT_MM7_WARNING Warning
20488 LOGID_ANTISPAM_ENDPOINT_MM7_NOTIF Notice
20489 LOGID_ANTISPAM_ENDPOINT_MM1_WARNING Warning
20490 LOGID_ANTISPAM_ENDPOINT_MM1_NOTIF Notice
20491 LOGID_ANTISPAM_EMAIL_IMAP_BWORD_NOTIF Notice
20492 LOGID_ANTISPAM_MM1_FLOOD_WARNING Warning
20493 LOGID_ANTISPAM_MM1_FLOOD_NOTIF Notice
20494 LOGID_ANTISPAM_MM4_FLOOD_WARNING Warning
20495 LOGID_ANTISPAM_MM4_FLOOD_NOTIF Notice
20496 LOGID_ANTISPAM_MM1_DUPE_WARNING Warning
20497 LOGID_ANTISPAM_MM1_DUPE_NOTIF Notice
20498 LOGID_ANTISPAM_MM4_DUPE_WARNING Warning
20499 LOGID_ANTISPAM_MM4_DUPE_NOTIF Notice
20500 LOGID_ANTISPAM_EMAIL_MSN_NOTIF Information
20501 LOGID_ANTISPAM_EMAIL_YAHOO_NOTIF Information
20502 LOGID_ANTISPAM_EMAIL_GOOGLE_NOTIF Information
20503 LOGID_EMAIL_SMTP_GENERAL_NOTIF Information
20504 LOGID_EMAIL_POP3_GENERAL_NOTIF Information
20505 LOGID_EMAIL_IMAP_GENERAL_NOTIF Information
20506 LOGID_EMAIL_MAPI_GENERAL_NOTIF Information
20507 LOGID_ANTISPAM_EMAIL_MAPI_BWORD_NOTIF Notice
20508 LOGID_ANTISPAM_EMAIL_MAPI_NOTIF Notice
Web Filter
Web filter log messages record URL activity and filter actions, such as a URL that is blocked because it is found in the URL black list.
In the log fields, these logs are defined as: type=utm, subtype=webfilter.
Log Details
| Log Field Name | Log Field Description | Data Type | Length | Value |
|---|---|---|---|---|
| action | Security action performed by WF | ENUM | 11 | allowed, blocked, dlp, exempted, filtered, passthrough |
| agent | User agent - eg. agent="Mozilla/5.0" | String | 64 | |
| banword | Banned word | String | 128 | |
| cat | Web category ID | UINT8 | | |
| catdesc | Web category description | String | 64 | |
| contenttype | Content Type from HTTP header | String | 64 | |
| date | Date | String | 10 | |
| devid | Device Serial Number | String | | |
| direction | Direction of the web traffic | ENUM | 8 | incoming, N/A, outgoing |
| dstip | Destination IP | IP Address | | |
| dstport | Destination Port | UINT16 | | |
| error | URL rating error message | String | 256 | |
| eventtype | Web Filter event type | String | 32 | |
| filtertype | The script filter type | ENUM | 10 | javascript, jscript, n/a, unknown, vbscript |
| from | MMS-only - From/To headers from the email | String | 128 | |
| group | User group name | String | 64 | |
| hostname | The host name of a URL | String | 256 | |
| initiator | The initiator user for override | String | 64 | |
| keyword | Keyword used for search | String | 512 | |
| level | Log priority level | String | 11 | |
| logid | A ten-digit number. The first two digits represent the log type and the following two digits represent the log subtype. The last one to five digits are the message id | String | 10 | |
| method | Rating override method by URL domain name or IP address. | ENUM | 6 | domain, ip |
| mode | Rating override mode | String | 32 | |
| msg | Explains the activity or event that the FortiGate unit recorded | String | 512 | |
| ovrdid | URL rating override ID | UINT32 | | |
| ovrdtbl | Rating override table | String | 128 | |
| profile | Web Filter profile name | String | 64 | |
| profiletype | Profile type | String | 64 | |
| proto | Protocol number | UINT8 | | |
| quotaexceeded | Quota has been exceeded | ENUM | 3 | no, yes |
| quotamax | Maximum quota allowed (in seconds if time-based, in bytes if traffic-based) | UINT64 | | |
| quotatype | Quota type | ENUM | 16 | time, traffic |
| quotaused | Quota used (in seconds if time-based, in bytes if traffic-based) | UINT64 | | |
| rcvdbyte | Received Bytes | UINT64 | | |
| reqtype | Request type | ENUM | 8 | direct, referral |
| ruledata | Rule data | String | 512 | |
| ruletype | Rule type | ENUM | 9 | directory, domain, rating |
| sentbyte | Sent Bytes | UINT64 | | |
| service | Service name | ENUM | 36 | dns, ftp, ftps, http, https, im, imap, imaps, mm1, mm3, mm4, mm7, nntp, pop3, pop3s, smtp, smtps, ssl |
| sessionid | Session ID | UINT32 | | |
| srcip | Source IP | IP Address | | |
| srcport | Source Port | UINT16 | | |
| subtype | The subtype of the log message. The possible values of this field depend on the log type | String | 20 | webfilter |
| time | Time | String | 8 | |
| to | MMS-only - From/To headers from the email | String | 512 | |
| type | Log type | String | 16 | utm |
| url | The URL address | String | 512 | |
| urlfilteridx | URL filter ID | UINT32 | | |
| urlfilterlist | URL filter list | String | 64 | |
| urltype | URL filter type | ENUM | 8 | ftp, http, https, mail, phishing, telnet |
| user | User name | String | | |
| vd | Virtual domain name | String | | |
Web Filter Log Messages
The following table describes the log message IDs and messages of the Web log.
Log Message Details
Message ID  Message  Severity
12288 LOG_ID_WEB_CONTENT_BANWORD Warning
12289 LOG_ID_WEB_CONTENT_MMS_BANWORD Warning
12290 LOG_ID_WEB_CONTENT_EXEMPTWORD Notice
12291 LOG_ID_WEB_CONTENT_MMS_EXEMPTWORD Notice
12292 LOG_ID_WEB_CONTENT_KEYWORD Notice
12293 LOG_ID_WEB_CONTENT_SEARCH Notice
12305 LOG_ID_WEB_CONTENT_BANWORD_NOTIF Notice
12544 LOG_ID_URL_FILTER_BLOCK Warning
12545 LOG_ID_URL_FILTER_EXEMPT Information
12546 LOG_ID_URL_FILTER_ALLOW Information
12547 LOG_ID_URL_FILTER_INVALID_HOSTNAME_HTTP_BLK Notice
12548 LOG_ID_URL_FILTER_INVALID_HOSTNAME_HTTPS_BLK Notice
12549 LOG_ID_URL_FILTER_INVALID_HOSTNAME_HTTP_PASS Information
12550 LOG_ID_URL_FILTER_INVALID_HOSTNAME_HTTPS_PASS Information
12551 LOG_ID_URL_FILTER_INVALID_HOSTNAME_SNI_BLK Notice
12552 LOG_ID_URL_FILTER_INVALID_HOSTNAME_SNI_PASS Information
12553 LOG_ID_URL_FILTER_INVALID_CERT Notice
12554 LOG_ID_URL_FILTER_INVALID_SESSION Notice
12555 LOG_ID_URL_FILTER_SRV_CERT_ERR_BLK Notice
12556 LOG_ID_URL_FILTER_SRV_CERT_ERR_PASS Notice
12557 LOG_ID_URL_FILTER_FAMS_NOT_ACTIVE Critical
12558 LOG_ID_URL_FILTER_RATING_ERR Information
12559 LOG_ID_URL_FILTER_PASS Information
12800 LOG_ID_WEB_FTGD_ERR Error
12801 LOG_ID_WEB_FTGD_WARNING Warning
12802 LOG_ID_WEB_FTGD_QUOTA Information
13056 LOG_ID_WEB_FTGD_CAT_BLK Warning
13057 LOG_ID_WEB_FTGD_CAT_WARN Warning
13312 LOG_ID_WEB_FTGD_CAT_ALLOW Notice
13313 LOG_ID_WEB_FTGD_RULE_ALLOW Notice
13314 LOG_ID_WEB_FTGD_OFF_SITE_ALLOW Information
13315 LOG_ID_WEB_FTGD_QUOTA_COUNTING Notice
13316 LOG_ID_WEB_FTGD_QUOTA_EXPIRED Warning
13317 LOG_ID_WEB_URL Notice
13568 LOG_ID_WEB_SCRIPTFILTER_ACTIVEX Notice
13573 LOG_ID_WEB_SCRIPTFILTER_COOKIE Notice
13584 LOG_ID_WEB_SCRIPTFILTER_APPLET Notice
13600 LOG_ID_WEB_SCRIPTFILTER_OTHER Notice
13601 LOG_ID_WEB_WF_COOKIE Notice
13602 LOG_ID_WEB_WF_REFERER Notice
13603 LOG_ID_WEB_WF_COMMAND_BLOCK Warning
13616 LOG_ID_CONTENT_TYPE_BLOCK Warning
IPS
Intrusion logs record security logs for protocols, such as ICMP and virus attacks. The IPS logs also provide additional
log details, such as the anomaly logs. The "anomaly" logs are generated from the kernel without signatures (e.g. TCP
SYN flood).
In the log fields, these logs are defined as: type=utm, subtype=ips.
Log Details
| Log Field Name | Log Field Description | Data Type | Length | Value |
|---|---|---|---|---|
| action | Security action performed by IPS | ENUM | 16 | clear_session, detected, drop_session, dropped, pass_session, reset, reset_client, reset_server |
| agent | User agent - eg. agent="Mozilla/5.0" | String | 66 | |
| attack | Attack Name | String | | |
| attackcontext | the trigger patterns and the packetdata with base64 encoding | String | | |
| attackcontextid | attack context id / total | String | | |
| attackid | Attack ID | UINT32 | | |
| count | Repeat count for an attack event | UINT32 | | |
| date | The date the log event was generated on the device | String | 10 | |
| devid | Device Serial Number | String | | |
| direction | Direction of packets | ENUM | 8 | incoming, N/A, outgoing |
| dstip | Destination IP | IP Address | | |
| dstport | Destination Port | UINT16 | | |
| eventtype | IPS Event Type | String | 32 | |
| group | User group name | String | | |
| icmpcode | Destination Port of the ICMP message | String | 6 | |
| icmpid | Source port of the ICMP message | String | 8 | |
| icmptype | The type of ICMP message | String | 6 | |
| incidentserialno | Incident serial number | UINT32 | | |
| level | Log priority level | String | 11 | |
| logid | A ten-digit number. The first two digits represent the log type and the following two digits represent the log subtype. The last one to five digits are the message id | String | 10 | |
| msg | Log message for the attack | String | 518 | |
| profile | Profile name for IPS | String | 64 | |
| profiletype | Profile Type | String | 64 | |
| proto | Protocol number | UINT8 | | |
| rcvdbyte | Received Bytes | UINT64 | | |
| ref | URL of the FortiGuard IPS database entry for the attack. | String | 512 | |
| sentbyte | Sent Bytes | UINT64 | | |
| service | Service name | String | 36 | |
| sessionid | Session ID | UINT32 | | |
| severity | Severity of the attack | ENUM | 8 | critical, high, info, low, medium |
| srcip | Source IP | IP Address | | |
| srcport | Source Port | UINT16 | | |
| subtype | The subtype of the log message. The possible values of this field depend on the log type | String | 20 | ips |
| time | Time stamp of the event | String | 8 | |
| type | Log type | String | 16 | utm |
| user | User name | String | 256 | |
| vd | Virtual domain name | String | 32 | |
IPS Log Messages
The following table describes the log message IDs and messages of the IPS log.
Log Message Details
Message ID  Message  Severity
16384 LOGID_ATTCK_SIGNATURE_TCP_UDP Alert
16385 LOGID_ATTCK_SIGNATURE_ICMP Alert
16386 LOGID_ATTCK_SIGNATURE_OTHERS Alert
18432 LOGID_ATTCK_ANOMALY_TCP_UDP Alert
18433 LOGID_ATTCK_ANOMALY_ICMP Alert
18434 LOGID_ATTCK_ANOMALY_OTHERS Alert
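The following is an added example, not part of the Fortinet guide: a small triage routine that parses key=value log lines, splits `logid` as the field tables describe, and resolves the message ID against a few rows copied from the Web Filter and IPS message tables above. The function names, the sample log lines (including their type and subtype digits) and the reading of the message ID as the zero-padded last six digits are assumptions of this example.

```python
import re

# key=value tokens; a value is either double-quoted (may contain spaces and '=')
# or a run of non-space characters. Keys may contain '-' (GTP fields such as c-bytes).
TOKEN = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S*)')

# Rows copied from the Web Filter and IPS message tables: id -> (name, severity).
MESSAGES = {
    12544: ("LOG_ID_URL_FILTER_BLOCK", "Warning"),
    13056: ("LOG_ID_WEB_FTGD_CAT_BLK", "Warning"),
    13312: ("LOG_ID_WEB_FTGD_CAT_ALLOW", "Notice"),
    16384: ("LOGID_ATTCK_SIGNATURE_TCP_UDP", "Alert"),
    16385: ("LOGID_ATTCK_SIGNATURE_ICMP", "Alert"),
    18432: ("LOGID_ATTCK_ANOMALY_TCP_UDP", "Alert"),
}

# Documented `action` enum values per subtype, from the field tables.
ACTIONS = {
    "ips": {"clear_session", "detected", "drop_session", "dropped",
            "pass_session", "reset", "reset_client", "reset_server"},
    "webfilter": {"allowed", "blocked", "dlp", "exempted", "filtered",
                  "passthrough"},
}

# Severities that appear in the message tables, lowest to highest.
SEVERITY_ORDER = ["Information", "Notice", "Warning", "Error", "Critical", "Alert"]


def parse_line(line):
    """Return the key=value pairs of one log line as a dict (quotes stripped)."""
    fields = {}
    for key, raw in TOKEN.findall(line):
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def split_logid(logid):
    """Split a ten-digit logid into (type digits, subtype digits, message ID)."""
    if not re.fullmatch(r"[0-9]{10}", logid or ""):
        raise ValueError("logid is not a ten-digit number: %r" % (logid,))
    # Assumption: the message ID is zero-padded into the six digits that
    # follow the two type digits and the two subtype digits.
    return logid[:2], logid[2:4], int(logid[4:])


def triage(line, threshold="Warning"):
    """Resolve one log line and flag schema problems and severe messages."""
    fields = parse_line(line)
    result = {"fields": fields, "msg_id": None, "name": None,
              "severity": None, "escalate": False, "problems": []}
    try:
        _, _, msg_id = split_logid(fields.get("logid"))
    except ValueError as exc:
        result["problems"].append(str(exc))
        return result
    result["msg_id"] = msg_id
    name, severity = MESSAGES.get(msg_id, (None, None))
    if name is None:
        result["problems"].append("message ID %d not in local table" % msg_id)
    else:
        result["name"], result["severity"] = name, severity
        result["escalate"] = (SEVERITY_ORDER.index(severity)
                              >= SEVERITY_ORDER.index(threshold))
    # A value outside the documented enum points at a parser fault, a firmware
    # difference, or a record that was altered after it left the device.
    allowed = ACTIONS.get(fields.get("subtype"))
    action = fields.get("action")
    if allowed is not None and action is not None and action not in allowed:
        result["problems"].append("undocumented action %r for subtype %s"
                                  % (action, fields["subtype"]))
    return result


# Constructed sample lines (not captured from a device).
SAMPLE_LINES = [
    'date=2014-11-04 time=10:15:02 devid=FGT-CONSTRUCTED1 logid=0419016384 '
    'type=utm subtype=ips level=alert vd=root srcip=192.0.2.10 '
    'dstip=198.51.100.5 action=dropped attack="Constructed.Signature" '
    'msg="constructed sample, not real traffic"',
    'date=2014-11-04 time=10:15:09 devid=FGT-CONSTRUCTED1 logid=0316013056 '
    'type=utm subtype=webfilter level=warning vd=root srcip=192.0.2.11 '
    'hostname="blocked.example" action=blocked msg="constructed sample"',
    'date=2014-11-04 time=10:15:12 devid=FGT-CONSTRUCTED1 logid=0317013312 '
    'type=utm subtype=webfilter level=notice vd=root action=allowd',
    'date=2014-11-04 time=10:15:20 devid=FGT-CONSTRUCTED1 logid=41901638 '
    'type=utm subtype=ips action=dropped',
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        outcome = triage(sample)
        print(outcome["msg_id"], outcome["name"], outcome["severity"],
              outcome["escalate"], outcome["problems"])
```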
Event Log
The following sections provide information about the different types of logs recorded under the Event log type.
Event logs include the following log subtypes:
• Endpoint Control
• GTP
• High Availability
• System
• Router
• VPN
• User
• WAD
• Wireless
In the log field, these logs are defined as: type=event; subtypes=endpoint control, gtp, vpn, user, wad, system, router,
wireless, high availability.
Endpoint Control
In the log fields, these logs are defined as: type=event subtype=endpoint.
Log Details
| Log Field Name | Log Field Description | Data Type | Length | Value |
|---|---|---|---|---|
| action | The action the FortiGate unit should take for this firewall policy | string | | |
| connection_type | Forticlient connection type | string | 6 | |
| count | The number of dropped SIP packets | uint16 | | |
| date | The date the log event was generated on the device | string | | |
| devid | The serial number of the device | string | | |
| forticlient_id | forticlient uuid | string | 33 | |
| hostname | The host name or IP | string | | |
| interface | Interface | string | | |
| ip | IP address | ip | | |
| level | The log priority level | string | | |
| license_limit | number of limited licenses | string | 32 | |
| license_used | number of licenses used | uint16 | 5 | |
| logdesc | Log field description | string | | |
| logid | A ten-digit number. The first two digits represent the log type and the following two digits represent the log subtype. The last one to five digits are the message id | string | | |
| msg | Explains the activity or event that the FortiGate unit recorded | string | | |
| name | Name | string | | |
| reason | The reason this log was generated | string | | |
| repeat | | uint16 | 5 | |
| status | The status of the action the FortiGate unit took when the event occurred | string | | For event logs, the possible values of this field depend on the sub type: ipsec: success, failure, negotiate_error, esp_error, dpd_failure; sub type voip: start, end, timeout, blocked, succeeded, failed, authentication-required; subcategory gtp: forwarded, prohibited, rate-limited, state-invalid, tunnel-limited, traffic-count, user-data |
| subtype | The subtype of the log message. The possible values of this field depend on the log type | string | | endpoint |
| time | Time stamp of the event | string | | |
| type | The log type | string | | event |
| authproto | authentication protocol | string | 64 | |
| used_for_type | used to describe the log type | uint16 | 5 | |
| user | The name of the user creating the traffic | string | | |
| vd | Virtual domain name | string | | |
Endpoint Log Messages
The following table describes the log message IDs and messages of the Endpoint log.
Log Message Details
Message ID  Message  Severity
45056 LOG_ID_FCC_EXCEED Notice
45057 LOG_ID_FCC_ADD Information
45058 LOG_ID_FCC_CLOSE Information
45059 LOG_ID_FCC_UPGRADE_SUCC Notice
45060 LOG_ID_FCC_UPGRADE_FAIL Error
45100 LOG_ID_EC_REG_FAIL Warning
45101 LOG_ID_EC_REG_SUCCEED Notice
45102 LOG_ID_EC_REG_RENEWED Notice
45103 LOG_ID_EC_REG_BLOCK Notice
45104 LOG_ID_EC_REG_UNBLOCK Notice
45105 LOG_ID_EC_REG_DEREG Notice
45106 LOG_ID_EC_REG_LIC_UPGRADED Notice
45107 LOG_ID_EC_CONF_DISTRIBUTED Notice
45108 LOG_ID_EC_FTCL_UNREG Notice
45109 LOG_ID_EC_FTCL_LOGOFF Notice
45110 LOG_ID_EC_FTCL_ENABLE_NOTSYNC Notice
GTP
Event-GTP log messages record GTP activity. These messages are recorded only when running FortiGate Carrier
firmware.
In the log fields, these logs are defined as: type=event subtype=gtp.
Log Details
| Log Field Name | Log Field Description | Data Type | Length | Value |
|---|---|---|---|---|
| apn | Access Point Name | String | 0 | |
| c-bytes | Number of bytes for signaling | UINT64 | 20 | |
| c-ggsn | Control plane GGSN IP address for GTP signaling | IP Address | 39 | |
| c-ggsn-teid | Control plane for GGSN TEID (Tunnel endpoint identifier) for signaling | UINT32 | 10 | |
| c-gsn | Control plane GSN IP address for GTP signaling | IP Address | 39 | |
| cpaddr | Control Plane Address (either downlink or uplink) | IP Address | 39 | |
| cpdladdr | Control plane downlink IP address | IP Address | 39 | |
| cpdlisraddr | Control plane ISR downlink IP address | IP Address | 39 | |
| cpdlisrteid | Control plane ISR downlink teid | UINT32 | 10 | |
| cpdlteid | Control plane downlink teid | UINT32 | 10 | |
| c-pkts | Number of packets for signaling | UINT64 | 20 | |
| cpteid | Control Plane teid (either downlink or uplink) | UINT32 | 10 | |
| cpuladdr | Control plane uplink IP address | IP Address | 39 | |
| cpulteid | Control plane uplink teid | UINT32 | 10 | |
| c-sgsn | Control plane SGSN IP address for GTP signalling | IP Address | 39 | |
| c-sgsn-teid | Control plane for SGSN TEID (Tunnel endpoint identifier) for signaling | UINT32 | 10 | |
| date | The date the log event was generated on the device | String | 10 | |
| deny_cause | | ENUM | 0 | adv-policy-filter, apn-filter, ggsn-not-authorized, gtp-in-gtp, imsi-filter, invalid-ie-length, invalid-msg-length, invalid-reserved-field, invalid-state, ip-policy, miss-mandatory-ie, msg-filter, non-ip-policy, out-state-ie, out-state-msg, packet-sanity, rate-limited, reserved-ie, reserved-msg, response-without-request, sgsn-no-handover, sgsn-not-authorized, spoof, unknown-gtp-version |
| devid | The serial number of the device | String | 16 | |
| dtlexp | | ENUM | 64 | cant-have-both-ebi-and-lbi, cant-have-both-hteid-and-cteid, cause-value-should-be-isr-deactivation, expired-create-bearer-response, expired-create-indirect-tunnel-response, expired-create-response, expired-create-session-response, expired-delete-beaerer-response, expired-delete-indirect-tunnel-response, expired-delete-response, expired-delete-session-response, expired-echo-response, expired-modified-bearer-response, expired-release-access-bearer-response, expired-update-bearer-response, expired-update-response, fteid-shouldnt-exist, header-seq-num-is-missing, hteid-is-zero, ie-is-missing, imsi-shouldnt-exist, invalid-eps-bearer-id, invalid-ie-length, invalid-mcc-mnc, invalid-tid, malformed-extension-header, malformed-p-flag, malformed-piggybacked-msg, malformed-t-flag, neither-hteid-nor-cteid-exists, no-tunnel-exists, none, payload-teid-is-zero, response-hteid-doesnt-match-request |
| duration | Tunnel duration | UINT32 | 0 | |
| end-usr-address | End user address | IP Address | 39 | |
| from | Source IP address | String | 0 | |
| headerteid | Header (Tunnel endpoint identifier) | UINT32 | 10 | |
| ietype | Malformed GTP IE number | UINT8 | 3 | |
| imei-sv | International Mobile Equipment Identity or IMEI is a number, usually unique, to identify GSM, WCDMA, and iDEN mobile phones, as well as some satellite phones | String | 32 | |
| imsi | International mobile subscriber ID | String | 0 | |
| level | The log priority level | String | 11 | |
| linked-nsapi | Linked Network Service Access Point Identifier | UINT8 | 3 | |
| logid | A ten-digit number. The first two digits represent the log type and the following two digits represent the log subtype. The last one to five digits are the message id. For more detail about what the combination of type, subtype and message ID means | String | 10 | |
| msg-type | Message type | UINT8 | 0 | |
| msisdn | Mobile Subscriber Integrated Services Digital Network-Number (telephone # to a SIM card) | String | 0 | |
| nsapi | Network Service Access Point Identifier, an identifier used in cellular data networks | UINT8 | 3 | |
| rai | Routing Area Identification | String | 32 | |
| rat-type | Type of router audit tool | ENUM | 7 | |
| selection | Access point selection | ENUM | 14 | |
| seqnum | GTP packet sequence number | UINT32 | 10 | |
| snetwork | Source Network, it's a IE type in GTPv2 packet | String | 64 | |
| status | The status of the action the FortiGate unit took when the event occurred | ENUM | 23 | tunnel-limited, tunnel-limited-monitor, user-data |
| subtype | The subtype of the log message. The possible values of this field depend on the log type | String | 20 | gtp |
| time | Timestamp for the event | String | 8 | |
| to | Destination IP address | String | 0 | |
| tunnel-idx | VPN tunnel index | UINT32 | 0 | |
| type | The log type | String | 16 | event |
| u-bytes | Number of bytes used for traffic | UINT64 | 20 | |
| u-ggsn | User plane GGSN IP address for GTP user traffic | IP Address | 39 | |
| u-ggsn-teid | User plane for GGSN TEID (Tunnel endpoint identifier) for signaling | UINT32 | 10 | |
| u-gsn | User plane GSN IP address for GTP user traffic | IP Address | 39 | |
| uli | User Location Information | String | 32 | |
| u-pkts | Number of packets used for traffic | UINT64 | 20 | |
| user_data | User traffic content inside gtp-u tunnel | String | 256 | |
| u-sgsn | User plane SGSN IP address for GTP signalling | IP Address | 39 | |
| u-sgsn-teid | User plane for SGSN TEID (Tunnel endpoint identifier) for signaling | UINT32 | 10 | |
| vd | Virtual domain | String | 32 | |
| version | Software version | String | 64 | |
GTP Log Messages
The following table describes the log message IDs and messages of the GTP log.
Log Message Details
Message ID  Message  Severity
41216 LOGID_GTP_FORWARD Information
41217 LOGID_GTP_DENY Information
41218 LOGID_GTP_RATE_LIMIT Information
41219 LOGID_GTP_STATE_INVALID Information
41220 LOGID_GTP_TUNNEL_LIMIT Information
41221 LOGID_GTP_TRAFFIC_COUNT Information
41222 LOGID_GTP_USER_DATA Information
41223 LOGID_GTPV2_FORWARD Information
41224 LOGID_GTPV2_DENY Information
41225 LOGID_GTPV2_RATE_LIMIT Information
41226 LOGID_GTPV2_STATE_INVALID Information
41227 LOGID_GTPV2_TUNNEL_LIMIT Information
41228 LOGID_GTPV2_TRAFFIC_COUNT Information
41229 LOGID_GTPU_FORWARD Information
41230 LOGID_GTPU_DENY Information
High Availability
Event-HA log messages are recorded when FortiGate units are in high availability mode. These log messages describe
changes in cluster unit status. The changes in status occur if a cluster unit fails or starts up, or if a link fails or is
restored. Each of these messages includes the serial number of the cluster unit reporting the message. You can use
the serial number to determine the status of the cluster unit that has changed.
In the log fields, these logs are defined as: type=event subtype=ha.
Log Details
| Log Field Name | Log Field Description | Data Type | Length | Value |
|---|---|---|---|---|
| activity | HA activity message | String | 128 | |
| devintfname | HA device Interface Name | String | 32 | |
| from_vcluster | source virtual cluster number | UINT32 | 10 | |
| ha_group | HA Group Number - can be 1 - 256 | UINT8 | 3 | |
| ha_role | The HA role in the cluster | ENUM | 6 | Master, slave |
| ha-prio | HA Priority | UINT8 | 3 | |
| hbdn_reason | heartbeat down reason | ENUM | 18 | Linkfail, neighbor-info-lost |
| sn | | String | 64 | |
| sync_status | The sync status with the master | ENUM | 11 | in-sync, out-of-sync |
| sync_type | The sync type with the master | ENUM | 14 | Configurations, external-files |
| to_vcluster | destination virtual cluster number | UINT32 | 10 | |
| vcluster | virtual cluster id | UINT32 | 10 | |
| vcluster_member | virtual cluster member id | UINT32 | 10 | |
| vcluster_state | virtual cluster state | ENUM | 7 | hello, init, standby, work |
| vdname | vdom name | String | 16 | |
High Availability Log Messages
The following table describes the log message IDs and messages of the HA log.
Log Message Details
Log ID Log Message Severity
35001 LOG_ID_HA_SYNC_VIRDB Notice
35002 LOG_ID_HA_SYNC_ETDB Notice
35003 LOG_ID_HA_SYNC_EXDB Notice
35005 LOG_ID_HA_SYNC_IPS Notice
35007 LOG_ID_HA_SYNC_AV Notice
35008 LOG_ID_HA_SYNC_VCM Notice
35009 LOG_ID_HA_SYNC_CID Notice
35010 LOG_ID_HA_SYNC_FAIL Error
37888 MESGID_HA_GROUP_DELETE Notice
37889 MESGID_VC_DELETE Notice
37890 MESGID_VC_MOVE_VDOM Notice
37891 MESGID_VC_ADD_VDOM Notice
37892 MESGID_VC_MOVE_MEMB_STATE Notice
37893 MESGID_VC_DETECT_MEMB_DEAD Critical
37894 MESGID_VC_DETECT_MEMB_JOIN Critical
37895 MESGID_VC_ADD_HADEV Notice
37896 MESGID_VC_DEL_HADEV Notice
37897 MESGID_HADEV_READY Notice
37898 MESGID_HADEV_FAIL Warning
37899 MESGID_HADEV_PEERINFO Notice
37900 MESGID_HBDEV_DELETE Notice
37901 MESGID_HBDEV_DOWN Critical
37902 MESGID_HBDEV_UP Information
37903 MESGID_SYNC_STATUS Information
37904 MESGID_HA_ACTIVITY Notice
37904 MESGID_HA_ACTIVITY Information
Router
Event-Router log messages record events that occur on the FortiGate network interfaces.
In the log fields, these logs are defined as: type=event subtype=router.
Log Details
| Log Field Name | Log Field Description | Data Type | Length | Value |
|---|---|---|---|---|
| date | The date the log event was generated on the device | String | | |
| devid | The serial number of the device | String | | |
| interface | Interface | String | 32 | |
| level | The log priority level | String | | |
| logid | A ten-digit number. The first two digits represent the log type and the following two digits represent the log subtype. The last one to five digits are the message id | String | | |
| msg | Explains the activity or event that the FortiGate unit recorded | String | 256 | |
| subtype | The subtype of the log message. The possible values of this field depend on the log type | String | | router |
| time | Time stamp of the event | String | | |
| type | The log type | String | | event |
| vd | Virtual domain name | String | | |
Router Log Messages
The following table describes the log message IDs and messages of the Router log.
Log Message Details
Message ID  Message  Severity
20300 LOG_ID_BGP_NB_STAT_CHG Unknown
27001 LOG_ID_VRRP_STATE_CHG Information
51000 51000 Information
System
Event-System log messages record events that occur in the FortiGate system, such as administrators logging in and
out, or events occurring on the interfaces.
In the log fields, these logs are defined as: type=event subtype=system.
Log Details
Log Field Log Field Description Data Type Length Value
Name
act accounting state String 16
action The action the FortiGate unit should take for this firewall policy String
addr address IP Address
assigned assigned IP address IP Address 39
banned_ banned rule or rreason String 36
rule
banned_src banned source String 16 l ips
l dos
l dlp-rule
l dlp-
compoun
d
l av
blocked The number of blocked messages UINT32 10
bandwidth String 42
cfgattr configuration attribute String 0
cfgobj configuration object String 256
cfgpath configuration path String 128
cfgtid config transaction id UINT32 10
checksum The number of content checksum blocked messages UINT32 10
cipher String
connection_type FortiClient connection type String 6
conserve flag for conserve mode String 32
converted_files Files converted UINT32 10
count The number of dropped SIP packets UINT16
cpu The CPU usage, for performance UINT8 3
created date created String
daddr destination address 'dstip' String 80
daemon Daemon name String 32
datarange data range for reports String
date The date the log event was generated on the device String
desc description String
devid The serial number of the device String 16
dhcp_msg DHCP message String 0
dintf device interface String 36
dns_ip Domain name server IP address IP Address 39
dns_name Domain name server name String 64
dport The destination port number UINT16 5
dstip The destination IP address IP Address
dst_int The interface where the through traffic goes to the public or Internet. For incoming traffic to the firewall, it is “unknown” String 64
dst_port The destination port number of the TCP or UDP traffic. The destination port is zero for other types of traffic. UINT16
duration The duration of the interval for item counts (such as infected, scanned, etc) in this log entry UINT16
entermargin Enter margin UINT32 10
error error reason for log upload to FortiCloud String 256
exitmargin Exit margin UINT32 10
expected Number of expected packets String
fams_pause UINT32 10
field field name String 32
file file name for a generated report String 128
filesize report file size in bytes UINT64
forticlient_id FortiClient UUID String 33
free String 32
from sender email address for notification String 128
gateway gateway ip address for PPPoE status report IP Address 39
green String 32
handshake Handshake session ID String
hash character String 32
hostname The host name or IP String 128
id ID / primary key for the record String
identidx The identity index number String
infected The number of infected messages UINT32 10
intercepted The number of intercepted messages UINT32 10
interface interface name or ID String 32
intf user interface String 16
iptype IP protocol type String 16
lease lease IP address range UINT32 10
len length UINT16
level The log priority level String 11
license_limit License limit String 32
license_used License used UINT16 5
limit UINT32 10
local Local IP address IP Address 39
log log type String 32
logid A ten-digit number. The first two digits represent the log type and the following two digits represent the log subtype. The last one to five digits are the message id String 10
major major priority level String
max Maximum value String
max-minor String
mem The memory usage, for performance UINT8 3
min Minimum value String
min-minor String
minor minor priority level String
module module name String 32
monitor-name String 32
monitor-type String 32
msg Explains the activity or event that the FortiGate unit recorded String 256
msgproto The message protocol UINT8
mtu Maximum transmission unit UINT32 10
name User or host name String 128
nat Network address translation IP Address 39
new_status latest status String 512
new_value new virtual domain name String 128
nf_type The notification type String 0 bword, file_block, carrier_ep_bwl, flood, dupe, alert, mms_checksum, virus
old_status archived status String 512
old_value original virtual domain name String 16
passwd Password String 20
pid Policy ID UINT32 10
policy The policy that triggered this log String
policyid The policy ID that triggered this log UINT32 10
poolname The pool name String 36
port port number UINT8
portbegin UINT16 5
portend UINT16 5
probeid UINT32 10
probeproto The protocol String 16
processtime process time for reports String
profile_vd Virtual domain of the profile String 64
profilegroup The profile group associated with the firewall policy that traffic used when the log message was recorded String 4
profiletype The type of profile associated with the firewall policy that traffic used when the log message was recorded String 0
proto The protocol UINT8
reason The reason why the log was recorded String
received Number of packets received String
recv-minor String
red String 32
remote remote IP address IP Address 39
repeat UINT16 5
reporttype report type ENUM
saddr source address ip. use 'srcip' String 80
scanned The number of scanned messages UINT32 10
sensor sensor name String 36
serial The serial number of the log message UINT32
serialno serial number of the device String 16
server server ip address IP Address
service The service of where the activity or event occurred, whether it was on a web page using HTTP or HTTPS String 0
sess_duration The duration of the session UINT32 0
session_id The session ID UINT32 10
setuprate UINT64
slot Slot ID UINT8 0
srcip The source IP address IP Address
src_int source interface - use 'srcintf' String 64
src_port source port address UINT16 5
ssl2 ssl session String
status The status of the action the FortiGate unit took when the event occurred String
submodule submodule name String 32
subtype The subtype of the log message. The possible values of this field depend on the log type String system
suspicious The number of suspicious messages UINT32 10
sysconserve System conserve String 32
time Time stamp of the event String 8
to recipient email addresses for notification String 512
total Total IP sessions UINT32 10
totalsession Total IP sessions UINT32 10
trace_id Trace ID String 32
type The log type String 16 event
ui User Interface String
unit UINT32 10
url The URL address of where the file was acquired String 512
used UINT32 10
used_for_type Type of service used UINT16 5
user The name of the user creating the traffic String 256
vd Virtual domain String 32
vip Virtual IP address String 64
virus virus name String 128
System Log Messages
The following table describes the log message IDs and messages of the System log.
Log Message Details
Message ID Message Severity
20000 20000 Debug
20001 LOG_ID_CLIENT_DISASSOCIATED Information
20001 LOG_ID_CLIENT_DISASSOCIATED Debug
20002 LOG_ID_DOMAIN_UNRESOLVABLE Notice
20003 LOG_ID_MAIL_SENT_FAIL Notice
20004 LOG_ID_POLICY_TOO_BIG Unknown
20005 LOG_ID_PPP_LINK_UP Information
20006 LOG_ID_PPP_LINK_DOWN Information
20007 20007 Critical
20011 LOG_ID_CLIENT_NEW_ASSOCIATION Information
20012 LOG_ID_CLIENT_WPA_1X Information
20013 LOG_ID_CLIENT_WPA_SSN Information
20015 LOG_ID_IEEE802_NEW_STATION Information
20016 LOG_ID_MODEM_EXCEED_REDIAL_COUNT Information
20020 LOG_ID_MODEM_HOTPLUG Warning
20021 LOG_ID_MAIL_RESENT Information
20025 LOG_ID_REPORTD_REPORT_SUCCESS Notice
20026 LOG_ID_REPORTD_REPORT_FAILURE Error
20027 LOG_ID_REPORT_DEL_OLD_REC Warning
20031 LOG_ID_RAD_OUT_OF_MEM Critical
20032 LOG_ID_RAD_NOT_FOUND Critical
20033 LOG_ID_RAD_MOBILE_IPV6 Information
20034 LOG_ID_RAD_IPV6_OUT_OF_RANGE Critical
20035 LOG_ID_RAD_MIN_OUT_OF_RANGE Critical
20036 LOG_ID_RAD_MAX_OUT_OF_RANGE Critical
20037 LOG_ID_RAD_MAX_ADV_OUT_OF_RANGE Critical
20038 LOG_ID_RAD_MTU_OUT_OF_RANGE Critical
20039 LOG_ID_RAD_MTU_TOO_SMALL Critical
20040 LOG_ID_RAD_TIME_TOO_SMALL Critical
20041 LOG_ID_RAD_HOP_OUT_OF_RANGE Critical
20042 LOG_ID_RAD_DFT_HOP_OUT_OF_RANGE Critical
20043 LOG_ID_RAD_AGENT_OUT_OF_RANGE Critical
20044 LOG_ID_RAD_AGENT_FLAG_NOT_SET Critical
20045 LOG_ID_RAD_PREFIX_TOO_LONG Critical
20046 LOG_ID_RAD_PREF_TIME_TOO_SMALL Critical
20047 LOG_ID_RAD_FAIL_IPV6_SOCKET Critical
20048 LOG_ID_RAD_FAIL_OPT_IPV6_PKTINFO Critical
20049 LOG_ID_RAD_FAIL_OPT_IPV6_CHECKSUM Critical
20050 LOG_ID_RAD_FAIL_OPT_IPV6_UNICAST_HOPS Critical
20051 LOG_ID_RAD_FAIL_OPT_IPV6_MULTICAST_HOPS Critical
20052 LOG_ID_RAD_FAIL_OPT_IPV6_HOPLIMIT Critical
20053 LOG_ID_RAD_FAIL_OPT_IPPROTO_ICMPV6 Critical
20054 LOG_ID_RAD_EXIT_BY_SIGNAL Information
20055 LOG_ID_RAD_FAIL_CMDB_QUERY Critical
20056 LOG_ID_RAD_FAIL_CMDB_FOR_EACH Critical
20057 LOG_ID_RAD_FAIL_FIND_VIRT_INTF Critical
20058 LOG_ID_RAD_UNLOAD_INTF Information
20059 LOG_ID_RAD_NO_PKT_INFO Warning
20060 LOG_ID_RAD_INV_ICMPV6_LEN Warning
20061 LOG_ID_RAD_INV_ICMPV6_TYPE Critical
20062 LOG_ID_RAD_INV_ICMPV6_RA_LEN Warning
20063 LOG_ID_RAD_ICMPV6_NO_SRC_ADDR Warning
20064 LOG_ID_RAD_INV_ICMPV6_RS_LEN Warning
20065 LOG_ID_RAD_INV_ICMPV6_CODE Warning
20066 LOG_ID_RAD_INV_ICMPV6_HOP Warning
20067 LOG_ID_RAD_MISMATCH_HOP Warning
20068 LOG_ID_RAD_MISMATCH_MGR_FLAG Warning
20069 LOG_ID_RAD_MISMATCH_OTH_FLAG Warning
20071 LOG_ID_RAD_MISMATCH_TIMER Warning
20072 LOG_ID_RAD_EXTRA_DATA Critical
20073 LOG_ID_RAD_NO_OPT_DATA Critical
20074 LOG_ID_RAD_INV_OPT_LEN Critical
20075 LOG_ID_RAD_MISMATCH_MTU Warning
20077 LOG_ID_RAD_MISMATCH_PREF_TIME Warning
20078 LOG_ID_RAD_INV_OPT Critical
20079 LOG_ID_RAD_READY Information
20080 LOG_ID_RAD_FAIL_TO_RCV Critical
20081 LOG_ID_RAD_INV_HOP Critical
20082 LOG_ID_RAD_INV_PKTINFO Critical
20083 LOG_ID_RAD_FAIL_TO_CHECK Warning
20084 LOG_ID_RAD_FAIL_TO_SEND Warning
20085 20085 Information
20086 20086 Unknown
20090 LOG_ID_INTF_LINK_STA_CHG Notice
20099 LOG_ID_INTF_STA_CHG Information
20100 20100 Critical
20101 LOG_ID_WEB_LIC_EXPIRE Critical
20102 LOG_ID_SPAM_LIC_EXPIRE Critical
20103 LOG_ID_AV_LIC_EXPIRE Critical
20104 LOG_ID_IPS_LIC_EXPIRE Warning
20105 LOG_ID_LOG_UPLOAD_SKIP Warning
20107 LOG_ID_LOG_UPLOAD_ERR Warning
20108 LOG_ID_LOG_UPLOAD_DONE Notice
20110 LOG_ID_HPAPI_ESPD_START Notice
20111 LOG_ID_HPAPI_ESPD_RESET Warning
20200 LOG_ID_FIPS_SELF_TEST Notice
20201 LOG_ID_FIPS_SELF_ALL_TEST Notice
20202 LOG_ID_DISK_FORMAT_ERROR Warning
20203 LOG_ID_DAEMON_SHUTDOWN Information
20204 LOG_ID_DAEMON_START Information
20205 LOG_ID_DISK_FORMAT_REQ Critical
20206 LOG_ID_DISK_SCAN_REQ Warning
22000 LOG_ID_INV_PKT_LEN Warning
22001 LOG_ID_UNSUPPORTED_PROT_VER Warning
22002 LOG_ID_INV_REQ_TYPE Warning
22003 LOG_ID_FAIL_SET_SIG_HANDLER Warning
22004 LOG_ID_FAIL_CREATE_SOCKET Warning
22005 LOG_ID_FAIL_CREATE_SOCKET_RETRY Warning
22006 LOG_ID_FAIL_REG_CMDB_EVENT Warning
22009 LOG_ID_FAIL_FIND_AV_PROFILE Warning
22010 LOG_ID_SENDTO_FAIL Error
22011 22011 Unknown
22012 22012 Unknown
22013 22013 Alert
22014 22014 Alert
22015 LOG_ID_EXCEED_VD_RES_LIMIT Notice
22016 22016 Notice
22020 LOG_ID_FAIL_CREATE_HA_SOCKET Warning
22021 LOG_ID_FAIL_CREATE_HA_SOCKET_RETRY Warning
22100 LOG_ID_QUAR_DROP_TRAN_JOB Warning
22101 LOG_ID_QUAR_DROP_TLL_JOB Warning
22102 LOG_ID_LOG_DISK_FAILURE Critical
22104 LOG_ID_POWER_RESTORE Critical
22105 LOG_ID_POWER_FAILURE Critical
22106 LOG_ID_POWER_OPTIONAL_NOT_DETECTED Information
22110 LOG_ID_SPARE_BLOCK_LOW Critical
22200 LOG_ID_AUTO_UPT_CERT Warning
22201 LOG_ID_AUTO_GEN_CERT Warning
22202 LOG_ID_AUTO_UPT_CERT_FAIL Error
22203 LOG_ID_AUTO_GEN_CERT_FAIL Error
22700 LOG_ID_IPS_FAIL_OPEN Critical
22800 LOG_ID_SCAN_SERV_FAIL Critical
22801 LOG_ID_SCAN_LEAVE_CONSERVE_MODE Critical
22802 LOG_ID_SYS_ENTER_CONSERVE_MODE Critical
22803 LOG_ID_SYS_LEAVE_CONSERVE_MODE Critical
22804 LOG_ID_LIC_STATUS_CHG Critical
22805 LOG_ID_FAIL_TO_VALIDATE_LIC Warning
22806 LOG_ID_DUP_LIC Warning
22810 LOG_ID_SCAN_ENTER_CONSERVE_MODE Critical
22900 LOG_ID_CAPUTP_SESSION Notice
22901 LOG_ID_FAZ_CON Notice
22902 LOG_ID_FAZ_DISCON Notice
22903 LOG_ID_FAZ_CON_ERR Critical
22916 LOG_ID_FDS_STATUS Notice
22917 LOG_ID_FDS_SMS_QUOTA Notice
22921 LOG_ID_EVENT_ROUTE_INFO_CHANGED Critical
22922 LOG_ID_EVENT_LINK_MONITOR_STATUS Notice
22923 LOG_ID_EVENT_VWL_LQTY_STATUS Notice
22924 LOG_ID_EVENT_VWL_VOLUME_STATUS Notice
26001 LOG_ID_DHCP_MSG Information
26002 LOG_ID_DHCP_NO_SHARE_NET Error
26003 LOG_ID_DHCP_STAT Information
26004 LOG_ID_DHCP_MULT_SUB_NET Error
26005 LOG_ID_DHCP_INV_ADDR_RANGE Error
29001 LOG_ID_PPPD_MSG Unknown
29002 LOG_ID_PPPD_AUTH_SUC Notice
29003 LOG_ID_PPPD_AUTH_FAIL Notice
29009 LOG_ID_PPPOE_STATUS_REPORT Notice
29011 LOG_ID_PPPD_FAIL_TO_EXEC Error
29012 LOG_ID_PPP_OPT_ERR Error
29012 LOG_ID_PPP_OPT_ERR Unknown
29013 LOG_ID_PPPD_START Error
29013 LOG_ID_PPPD_START Notice
29013 LOG_ID_PPPD_START Unknown
29014 LOG_ID_PPPD_EXIT Information
29015 LOG_ID_PPP_RCV_BAD_PEER_IP Error
29016 LOG_ID_PPP_RCV_BAD_LOCAL_IP Error
29017 LOG_ID_PPP_OPT_NOTIF Error
29017 LOG_ID_PPP_OPT_NOTIF Unknown
29020 LOG_ID_WIRELESS_SET_FAIL Error
29020 LOG_ID_WIRELESS_SET_FAIL Notice
29020 LOG_ID_WIRELESS_SET_FAIL Unknown
32001 LOG_ID_ADMIN_LOGIN_SUCC Error
32001 LOG_ID_ADMIN_LOGIN_SUCC Notice
32001 LOG_ID_ADMIN_LOGIN_SUCC Information
32001 LOG_ID_ADMIN_LOGIN_SUCC Unknown
32002 LOG_ID_ADMIN_LOGIN_FAIL Alert
32003 LOG_ID_ADMIN_LOGOUT Information
32005 LOG_ID_ADMIN_OVERIDE_VDOM Information
32006 LOG_ID_ADMIN_ENTER_VDOM Information
32007 LOG_ID_ADMIN_LEFT_VDOM Information
32008 LOG_ID_VIEW_LOG_FAIL Warning
32009 LOG_ID_SYSTEM_START Information
32010 LOG_ID_DISK_LOG_FULL Emergency
32011 LOG_ID_LOG_ROLL Notice
32012 LOG_ID_FIPS_LEAVE_ERR_MOD Information
32014 LOG_ID_CS_LIC_EXPIRE Warning
32015 LOG_ID_DISK_LOG_USAGE Warning
32018 LOG_ID_FIPS_ENTER_ERR_MOD Emergency
32020 LOG_ID_SSH_CORRPUT_MAC Warning
32021 LOG_ID_ADMIN_LOGIN_DISABLE Alert
32022 LOG_ID_VDOM_ENABLED Notice
32023 LOG_ID_MEM_LOG_FULL Warning
32024 LOG_ID_ADMIN_PASSWD_EXPIRE Notice
32026 LOG_ID_STORE_CONF_FAIL Critical
32027 LOG_ID_VIEW_LOG_SUCC Critical
32027 LOG_ID_VIEW_LOG_SUCC Notice
32028 LOG_ID_LOG_DEL_DIR Information
32029 LOG_ID_LOG_DEL_FILE Warning
32030 LOG_ID_SEND_FDS_STAT Notice
32035 LOG_ID_VDOM_DISABLED Notice
32040 LOG_ID_REPORT_DELETED Information
32045 LOG_ID_MGR_LIC_EXPIRE Warning
32048 LOG_ID_SCHEDULE_EXPIRE Warning
32049 LOG_ID_FC_EXPIRE Warning
32051 LOG_ID_LOG_UPLOAD Notice
32086 LOG_ID_ENTER_TRANSPARENT Warning
32087 LOG_ID_ENTER_NAT Warning
32095 LOG_ID_GUI_CHG_SUB_MODULE Warning
32096 LOG_ID_GUI_DOWNLOAD_LOG Warning
32100 LOG_ID_FORTI_TOKEN_SYNC Warning
32101 LOG_ID_LCD_CHG_CONF Notice
32102 LOG_ID_CHG_CONFIG Unknown
32103 LOG_ID_NEW_FIRMWARE Notice
32120 LOG_ID_RPT_ADD_DATASET Notice
32122 LOG_ID_RPT_DEL_DATASET Notice
32125 LOG_ID_RPT_ADD_CHART Notice
32126 LOG_ID_RPT_DEL_CHART Notice
32129 LOG_ID_ADD_GUEST Notice
32130 LOG_ID_CHG_USER Notice
32131 LOG_ID_DEL_GUEST Notice
32132 LOG_ID_ADD_USER Notice
32138 LOG_ID_REBOOT Critical
32139 LOG_ID_UPD_SIGN_DB Critical
32140 LOG_ID_NTP_SVR_STAUS_CHG Notice
32142 LOG_ID_BACKUP_CONF Alert
32148 LOG_ID_GET_CRL Notice
32149 LOG_ID_COMMAND_FAIL Notice
32151 LOG_ID_ADD_IP6_LOCAL_POL Notice
32152 LOG_ID_CHG_IP6_LOCAL_POL Notice
32153 LOG_ID_DEL_IP6_LOCAL_POL Notice
32155 LOG_ID_ACT_FTOKEN_REQ Notice
32156 LOG_ID_ACT_FTOKEN_SUCC Notice
32157 LOG_ID_SYNC_FTOKEN_SUCC Notice
32158 LOG_ID_SYNC_FTOKEN_FAIL Notice
32159 LOG_ID_ACT_FTOKEN_FAIL Notice
32168 LOG_ID_REACH_VDOM_LIMIT Notice
32170 LOG_ID_ALARM_MSG Alert
32171 LOG_ID_ALARM_ACK Alert
32172 LOG_ID_ADD_IP4_LOCAL_POL Notice
32173 LOG_ID_CHG_IP4_LOCAL_POL Notice
32174 LOG_ID_DEL_IP4_LOCAL_POL Notice
32188 LOG_ID_SSL_PROXY_CA_INIT_FAIL Warning
32188 LOG_ID_SSL_PROXY_CA_INIT_FAIL Notice
32200 LOG_ID_SHUTDOWN Critical
32201 LOG_ID_LOAD_IMG_SUCC Critical
32202 LOG_ID_RESTORE_IMG Critical
32203 LOG_ID_RESTORE_CONF Critical
32204 LOG_ID_RESTORE_FGD_SVR Critical
32205 LOG_ID_RESTORE_VDOM_LIC Critical
32206 LOG_ID_RESTORE_SCRIPT Warning
32207 LOG_ID_RETRIEVE_CONF_LIST Warning
32208 LOG_ID_IMP_PKCS12_CERT Critical
32209 LOG_ID_RESTORE_USR_DEF_IPS Critical
32210 LOG_ID_BACKUP_IMG Notice
32211 LOG_ID_UPLOAD_REVISION Notice
32212 LOG_ID_DEL_REVISION Notice
32213 LOG_ID_RESTORE_TEMPLATE Warning
32214 LOG_ID_RESTORE_FILE Warning
32215 LOG_ID_UPT_IMG Critical
32217 LOG_ID_UPD_IPS Warning
32218 LOG_ID_UPD_DLP Warning
32219 LOG_ID_BACKUP_OUTPUT Warning
32220 LOG_ID_BACKUP_COMMAND Warning
32221 LOG_ID_UPD_VDOM_LIC Warning
32222 LOG_ID_GLB_SETTING_CHG Notice
32223 LOG_ID_BACKUP_USER_DEF_IPS Error
32224 LOG_ID_BACKUP_LOG Notice
32225 LOG_ID_DEL_ALL_REVISION Notice
32226 LOG_ID_LOAD_IMG_FAIL Critical
32240 LOG_ID_SYS_USB_MODE Critical
32252 LOG_ID_FACTORY_RESET Critical
32253 LOG_ID_FORMAT_RAID Critical
32254 LOG_ID_ENABLE_RAID Critical
32255 LOG_ID_DISABLE_RAID Critical
32300 LOG_ID_UPLOAD_RPT_IMG Notice
32301 LOG_ID_ADD_VDOM Notice
32302 LOG_ID_DEL_VDOM Notice
32340 LOG_ID_LOG_DISK_UNAVAIL Critical
32400 LOG_ID_CONF_CHG Alert
32545 LOG_ID_SYS_RESTART Critical
32546 LOG_ID_APPLICATION_CRASH Warning
35001 LOG_ID_HA_SYNC_VIRDB Notice
35002 LOG_ID_HA_SYNC_ETDB Notice
35003 LOG_ID_HA_SYNC_EXDB Notice
35005 LOG_ID_HA_SYNC_IPS Notice
35007 LOG_ID_HA_SYNC_AV Notice
35008 LOG_ID_HA_SYNC_VCM Notice
35009 LOG_ID_HA_SYNC_CID Notice
35010 LOG_ID_HA_SYNC_FAIL Error
36880 LOG_ID_EVENT_SYSTEM_MAC_HOST_STORE_LIMIT Warning
37888 MESGID_HA_GROUP_DELETE Notice
37889 MESGID_VC_DELETE Notice
37890 MESGID_VC_MOVE_VDOM Notice
37891 MESGID_VC_ADD_VDOM Notice
37892 MESGID_VC_MOVE_MEMB_STATE Notice
37893 MESGID_VC_DETECT_MEMB_DEAD Critical
37893 MESGID_VC_DETECT_MEMB_DEAD Notice
37894 MESGID_VC_DETECT_MEMB_JOIN Critical
37895 MESGID_VC_ADD_HADEV Notice
37896 MESGID_VC_DEL_HADEV Notice
37897 MESGID_HADEV_READY Notice
37898 MESGID_HADEV_FAIL Warning
37899 MESGID_HADEV_PEERINFO Notice
37900 MESGID_HBDEV_DELETE Notice
37901 MESGID_HBDEV_DOWN Critical
37902 MESGID_HBDEV_UP Information
37903 MESGID_SYNC_STATUS Information
37904 MESGID_HA_ACTIVITY Notice
38400 LOGID_EVENT_NOTIF_SEND_SUCC Notice
38401 LOGID_EVENT_NOTIF_SEND_FAIL Warning
38402 LOGID_EVENT_NOTIF_DNS_FAIL Notice
38403 LOGID_EVENT_NOTIF_INSUFFICIENT_RESOURCE Critical
38404 LOGID_EVENT_NOTIF_HOSTNAME_ERROR Error
38405 LOGID_NOTIF_CODE_SENDTO_SMS_PHONE Notice
38406 LOGID_NOTIF_CODE_SENDTO_SMS_TO Notice
38407 LOGID_NOTIF_CODE_SENDTO_EMAIL Notice
40704 LOG_ID_EVENT_SYS_PERF Notice
41000 LOG_ID_UPD_FGT_SUCC Notice
41001 LOG_ID_UPD_FGT_FAIL Critical
41002 LOG_ID_UPD_SRC_VIS Notice
41003 LOG_ID_INVALID_UPD_LIC Critical
41005 LOG_ID_UPD_VCM Notice
43264 LOGID_MMS_STATS Information
43776 LOGID_EVENT_NAC_QUARANTINE Notice
43800 LOG_ID_EVENT_ELBC_BLADE_JOIN Critical
43801 LOG_ID_EVENT_ELBC_BLADE_LEAVE Critical
43802 LOG_ID_EVENT_ELBC_MASTER_BLADE_FOUND Critical
43803 LOG_ID_EVENT_ELBC_MASTER_BLADE_LOST Critical
43804 LOG_ID_EVENT_ELBC_MASTER_BLADE_CHANGE Critical
43805 LOG_ID_EVENT_ELBC_ACTIVE_CHANNEL_FOUND Critical
43806 LOG_ID_EVENT_ELBC_ACTIVE_CHANNEL_LOST Critical
43807 LOG_ID_EVENT_ELBC_ACTIVE_CHANNEL_CHANGE Critical
43808 LOG_ID_EVENT_ELBC_CHASSIS_ACTIVE Critical
43809 LOG_ID_EVENT_ELBC_CHASSIS_INACTIVE Critical
44544 LOGID_EVENT_CONFIG_PATH Information
44545 LOGID_EVENT_CONFIG_OBJ Information
44546 LOGID_EVENT_CONFIG_ATTR Information
44547 LOGID_EVENT_CONFIG_OBJATTR Information
45000 LOG_ID_VSD_SSL_RCV_HS Debug
45001 LOG_ID_VSD_SSL_RCV_WRG_HS Error
45002 LOG_ID_VSD_SSL_SENT_HS Debug
45003 LOG_ID_VSD_SSL_WRG_HS_LEN Error
45004 LOG_ID_VSD_SSL_RCV_CCS Debug
45005 LOG_ID_VSD_SSL_RSA_DH_FAIL Error
45006 LOG_ID_VSD_SSL_SENT_CCS Debug
45007 LOG_ID_VSD_SSL_BAD_HASH Error
45009 LOG_ID_VSD_SSL_DECRY_FAIL Error
45010 LOG_ID_VSD_SSL_SESSION_CLOSED Debug
45011 LOG_ID_VSD_SSL_LESS_MINOR Error
45012 LOG_ID_VSD_SSL_REACH_MAX_CON Warning
45013 LOG_ID_VSD_SSL_NOT_SUPPORT_CS Error
45016 LOG_ID_VSD_SSL_HS_FIN Debug
45017 LOG_ID_VSD_SSL_HS_TOO_LONG Error
45018 LOG_ID_VSD_SSL_MORE_MINOR Debug
45019 LOG_ID_VSD_SSL_SENT_ALERT_ERR Error
45020 LOG_ID_VSD_SSL_SESSION_EXPIRE Debug
45021 LOG_ID_VSD_SSL_SENT_ALERT Debug
45022 LOG_ID_VSD_SSL_RCV_CH Debug
45023 LOG_ID_VSD_SSL_RCV_SH Debug
45024 LOG_ID_VSD_SSL_SENT_SH Debug
45025 LOG_ID_VSD_SSL_RCV_ALERT Error
45027 LOG_ID_VSD_SSL_INVALID_CONT_TYPE Error
45029 LOG_ID_VSD_SSL_BAD_CCS_LEN Error
45031 LOG_ID_VSD_SSL_BAD_DH Error
45032 LOG_ID_VSD_SSL_PUB_KEY_TOO_BIG Error
45033 LOG_ID_VSD_SSL_NOT_SUPPORT_CM Error
45034 LOG_ID_VSD_SSL_SERVER_KEY_HASH_ALGORITHM_MISMATCH Error
45035 LOG_ID_VSD_SSL_SERVER_KEY_SIGNATURE_ALGORITHM_MISMATCH Error
46000 LOG_ID_VIP_REAL_SVR_ENA Notice
46001 LOG_ID_VIP_REAL_SVR_DISA Alert
46002 LOG_ID_VIP_REAL_SVR_UP Notice
46003 LOG_ID_VIP_REAL_SVR_DOWN Alert
46004 LOG_ID_VIP_REAL_SVR_ENT_HOLDDOWN Notice
46005 LOG_ID_VIP_REAL_SVR_FAIL_HOLDDOWN Alert
46006 LOG_ID_VIP_REAL_SVR_FAIL Debug
46400 LOG_ID_EVENT_EXT_SYS Unknown
46401 LOG_ID_EVENT_EXT_LOCAL Unknown
46402 LOG_ID_EVENT_EXT_REMOTE Unknown
47201 LOG_ID_AMC_ENTER_BYPASS Emergency
47202 LOG_ID_AMC_EXIT_BYPASS Emergency
47203 LOG_ID_ENTER_BYPASS Emergency
47204 LOG_ID_EXIT_BYPASS Emergency
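The logid layout and the System message table above can be combined when reviewing type=event subtype=system logs. The following is an added example, not part of the Fortinet guide: it parses key=value log lines, splits the ten-digit logid, and looks the message ID up in an excerpt of the table. The sample lines are constructed, and the WATCHLIST selection and function names are assumptions made for illustration.

```python
import re

# key=value pairs; a value is either double-quoted (may contain spaces) or a bare token.
_PAIR = re.compile(r'([A-Za-z_][\w-]*)=("(?:[^"\\]|\\.)*"|\S*)')

# Excerpt of the System Log Messages table above: message ID -> message name.
SYSTEM_MESSAGES = {
    22700: "LOG_ID_IPS_FAIL_OPEN",
    22802: "LOG_ID_SYS_ENTER_CONSERVE_MODE",
    32001: "LOG_ID_ADMIN_LOGIN_SUCC",
    32002: "LOG_ID_ADMIN_LOGIN_FAIL",
    32021: "LOG_ID_ADMIN_LOGIN_DISABLE",
    32102: "LOG_ID_CHG_CONFIG",
    32142: "LOG_ID_BACKUP_CONF",
    32203: "LOG_ID_RESTORE_CONF",
    32252: "LOG_ID_FACTORY_RESET",
}

# Assumption: message IDs a reviewer wants surfaced first. This selection is
# illustrative and does not come from the guide.
WATCHLIST = {22700, 22802, 32002, 32021, 32102, 32142, 32203, 32252}


def parse_line(line):
    """Return the fields of one key=value log line as a dict, quotes removed."""
    fields = {}
    for key, value in _PAIR.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def split_logid(logid):
    """Split a ten-digit logid into (type digits, subtype digits, message ID).

    Digits 1-2 are the log type, digits 3-4 the subtype, and the remaining
    zero-padded digits carry the one-to-five-digit message ID.
    """
    if not re.fullmatch(r"\d{10}", logid):
        raise ValueError(f"logid is not ten digits: {logid!r}")
    return logid[:2], logid[2:4], int(logid[4:])


def triage(lines):
    """Return (line number, message ID, message name, on watchlist) per system event."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        fields = parse_line(line)
        if fields.get("type") != "event" or fields.get("subtype") != "system":
            continue  # other log types use their own message tables
        try:
            _, _, msg_id = split_logid(fields.get("logid", ""))
        except ValueError:
            # A missing or truncated logid cannot be classified; surface it.
            findings.append((lineno, None, "MALFORMED_LOGID", True))
            continue
        name = SYSTEM_MESSAGES.get(msg_id, "NOT_IN_EXCERPT")
        findings.append((lineno, msg_id, name, msg_id in WATCHLIST))
    return findings


# Constructed sample input (addresses from documentation ranges, placeholder serial).
_HDR = "date=2014-11-04 time=10:15:22 devid=FGT0000000000000 "
SAMPLE_LINES = [
    _HDR + 'logid=0100032002 type=event subtype=system level=alert vd=root '
           'user="admin" ui=https(192.0.2.10) action=login status=failed '
           'msg="Administrator admin login failed from https(192.0.2.10)"',
    _HDR + 'logid=0100032001 type=event subtype=system level=information vd=root '
           'user="admin" ui=https(192.0.2.10) action=login status=success '
           'msg="Administrator admin logged in successfully"',
    _HDR + 'logid=0000000013 type=traffic subtype=forward level=notice vd=root '
           'srcip=192.0.2.10 dstip=198.51.100.7',
    _HDR + 'logid=0100022802 type=event subtype=system level=critical vd=root '
           'msg="The system has entered conserve mode"',
    _HDR + 'logid=32002 type=event subtype=system level=alert vd=root '
           'msg="line with a truncated logid"',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LINES):
        print(finding)
```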
User
Event-User log messages record what users are configuring on the FortiGate unit, and what is occurring on the
FortiGate unit. For example, memory storage is becoming full.
In the log fields, these logs are defined as: type=event subtype=user.
Log Details
Log Field Name Log Field Description Data Type Length Value
acct_stat Accounting state (RADIUS) ENUM 16 Accounting-Off, Accounting-On, Interim-Update, start, stop
action The action the FortiGate unit should take for this firewall policy String 32
adgroup AD Group Name String 128
authproto The protocol that initiated the authentication String 64
carrier_ep The FortiOS Carrier end-point identification String 0
count Number of Packets UINT32 0
date The date the log event was generated on the device String 10
devid The serial number of the device String 16
dstip Destination IP IP Address 39
duration The duration of the interval for item counts (such as infected, scanned, etc) in this log entry. UINT32
expiry FortiGuard override expiry timestamp String 64
group User name group String 64
initiator Original login user name for FortiGuard override String 64
level The log priority level String 11
logid A ten-digit number. The first two digits represent the log type and the following two digits represent the log subtype. The last one to five digits are the message id String 10
msg Explains the activity or event that the FortiGate unit recorded String 256
oldwprof Old Web Filter Profile String 64
policyid UINT32 10
approfile New Web Filter Profile for FortiGuard override String 64
proto protocol number UINT16 0
reason Explains the reason why the log message was created String 256
rsso_key RADIUS SSO attribute value String 64
scope String 9
server AD server FQDN or IP String 64
srcip Source IP IP Address 39
status The status of the action the FortiGate unit took when the event occurred String
subtype The subtype of the log message. The possible values of this field depend on the log type String 20 user
time Time stamp of the event String 8
type The log type String 16 event
user user name String 256
vd virtual domain name String 32
User Log Messages
The following table describes the log message IDs and messages of the User log.
Log Message Details
Message ID Message Severity
38010 LOG_ID_FIPS_ENCRY_FAIL Alert
38011 LOG_ID_FIPS_DECRY_FAIL Alert
38031 LOG_ID_FSSO_LOGON Notice
38032 LOG_ID_FSSO_LOGOFF Notice
38033 LOG_ID_FSSO_SVR_STATUS Notice
38656 LOGID_EVENT_RAD_RPT_PROTO_ERROR Notice
38657 LOGID_EVENT_RAD_RPT_PROF_NOT_FOUND Notice
38658 LOGID_EVENT_RAD_RPT_CTX_NOT_FOUND Notice
38659 LOGID_EVENT_RAD_RPT_ACCT_STOP_MISSED Notice
38660 LOGID_EVENT_RAD_RPT_ACCT_EVENT Notice
38661 LOGID_EVENT_RAD_RPT_OTHER Notice
38662 LOGID_EVENT_RAD_STAT_PROTO_ERROR Notice
38663 LOGID_EVENT_RAD_STAT_PROF_NOT_FOUND Notice
38665 LOGID_EVENT_RAD_STAT_ACCT_STOP_MISSED Notice
38666 LOGID_EVENT_RAD_STAT_ACCT_EVENT Notice
38667 LOGID_EVENT_RAD_STAT_OTHER Notice
38668 LOGID_EVENT_RAD_STAT_EP_BLK Notice
43011 LOG_ID_EVENT_AUTH_TIME_OUT Notice
43012 LOG_ID_EVENT_AUTH_FSAE_AUTH_SUCCESS Notice
43013 LOG_ID_EVENT_AUTH_FSAE_AUTH_FAIL Notice
43016 LOG_ID_EVENT_AUTH_NTLM_AUTH_SUCCESS Notice
43017 LOG_ID_EVENT_AUTH_NTLM_AUTH_FAIL Notice
43018 LOG_ID_EVENT_AUTH_FGOVRD_FAIL Warning
43020 LOG_ID_EVENT_AUTH_FGOVRD_SUCCESS Notice
43025 LOG_ID_EVENT_AUTH_PROXY_SUCCESS Notice
43026 LOG_ID_EVENT_AUTH_PROXY_FAILED Notice
43027 LOG_ID_EVENT_AUTH_PROXY_TIME_OUT Notice
43028 LOG_ID_EVENT_AUTH_PROXY_AUTHORIZATION_FAILED Notice
43029 LOG_ID_EVENT_AUTH_WARNING_SUCCESS Notice
43030 LOG_ID_EVENT_AUTH_WARNING_TBL_FULL Warning
VPN
Event-VPN log messages record VPN user, administration and session events.
In the log fields, these logs are defined as: type=event subtype=vpn.
Log Details
Log Field Name Log Field Description Data Type Length Value
assign ip Assigned IP address IP Address
cert-type Certification type ENUM 6 CA, CRL, Local, Remote
cookies cookies String 64
date The date the log event was generated on the device String 10
devid The serial number of the device String 16
dir direction (inbound or outbound) String 8
dst_host destination host name String 64
duration The duration of the interval for item counts (such as infected, scanned, etc) in this log entry UINT32
error_reason Text explanation for the error String 48 invalid certificate, invalid SA payload, probable pre-shared key mismatch, peer SA proposal not match local policy, peer notification, not enough key material for tunnel, encapsulation mode mismatch, no matching gateway for new request, aggressive vs main mode mismatch for new request
espauth ESP authentication String 17 HMAC_SHA1, HMAC_MD5, HMAC_SHA256
esptransform ESP transform value String 8 ESP_NULL, ESP_DES, ESP_3DES, ESP_AES
exch exchange String 12 NSA_INIT, AUTH, CREATE_CHILD
group User name group String 64
in_spi Remote SPI in IPsec VPN configuration String 16
init Interface String 6 local, remote
level The log priority level String 11
locip Local IP IP Address 39
locport Local Port UINT16 5
logdesc Log description String 128
logid A ten-digit number. The first two digits represent the log type and the following two digits represent the log subtype. The last one to five digits are the message id String 10
method The HTTP method String 64 IP, Domain
mode Mode String 12 aggressive, main, quick, xauth, xauth_client
msg Explains the activity or event that the FortiGate unit recorded String 256
nextstat Time interval in seconds for the next statistics UINT32 10
out_spi Local SPI in IPsec VPN configuration String 16
outintf Out interface String 32
peer_notif Peer Notification String 25 NOT-APPLICABLE, INVALID-PAYLOAD-TYPE, DOI-NOT-SUPPORTED, SITUATION-NOT-SUPPORTED, INVALID-COOKIE, INVALID-MAJOR-VERSION, INVALID-MINOR-VERSION, INVALID-EXCHANGE-TYPE, INVALID-FLAGS, INVALID-MESSAGE-ID, INVALID-PROTOCOL-ID, INVALID-SPI, INVALID-TRANSFORM-ID, ATTRIBUTES-NOT-SUPPORTED, NO-PROPOSAL-CHOSEN, BAD-PROPOSAL-SYNTAX, PAYLOAD-MALFORMED, INVALID-KEY-INFORMATION, INVALID-ID-INFORMATION, INVALID-CERT-ENCODING, INVALID-CERTIFICATE, BAD-CERT-REQUEST-SYNTAX, INVALID-CERT-AUTHORITY, INVALID-HASH-INFORMATION, AUTHENTICATION-FAILED, INVALID-SIGNATURE, ADDRESS-NOTIFICATION, NOTIFY-SA-LIFETIME, CERTIFICATE-UNAVAILABLE, UNSUPPORTED-EXCHANGE-TYPE, UNEQUAL-PAYLOAD-LENGTHS, CONNECTED, RESPONDER-LIFETIME, REPLAY-STATUS
phase2_name IPsec VPN Phase 2 name String 128
rcvdbyte Received Bytes UINT64 20
reason The reason this log was generated String 256
remip Remote IP IP Address 39
remport Remote Port UINT16 5
result The result of the message String 7 ERROR, OK, DONE, PENDING
sentbyte bytes sent UINT64 20
seq Sequence number String 16
spi IPsec VPN SPI String 16
stage stage UINT8 3
subtype The subtype of the log message. The possible values of this field depend on the log type String 20 vpn
time Time stamp of the event String 8
tunnelid Tunnel ID UINT32 10
tunnelip Tunnel IP IP Address 39
tunneltype Tunnel type String 64
type The log type String 16 event
vd Virtual domain name String 32
version Software version String 64
vpntunnel ipsec vpn tunnel name String 128
xauthgroup xauth group name String 128
xauthuser xauth user String 128
VPN Log Messages
The following table describes the log message IDs and messages of the VPN log.
Log Message Details

| Message ID | Message | Severity |
|---|---|---|
| 37124 | MESGID_NEG_I_P1_ERROR | Error |
| 37125 | MESGID_NEG_I_P2_ERROR | Error |
| 37126 | MESGID_NEG_NO_STATE_ERROR | Error |
| 37133 | MESGID_INSTALL_SA | Notice |
| 37134 | MESGID_DELETE_P1_SA | Notice |
| 37135 | MESGID_DELETE_P2_SA | Notice |
| 37136 | MESGID_DPD_FAILURE | Error |
| 37137 | MESGID_CONN_FAILURE | Error |
| 37138 | MESGID_CONN_UPDOWN | Notice |
| 37139 | MESGID_P2_UPDOWN | Notice |
| 37140 | MESGID_AUTO_IPSEC | Notice |
| 37141 | MESGID_CONN_STATS | Notice |
| 37188 | MESGID_NEG_I_P1_ERROR_IKEV2 | Error |
| 37189 | MESGID_NEG_I_P2_ERROR_IKEV2 | Error |
| 37190 | MESGID_NEG_NO_STATE_ERROR_IKEV2 | Error |
| 37197 | MESGID_INSTALL_SA_IKEV2 | Notice |
| 37198 | MESGID_DELETE_P1_SA_IKEV2 | Notice |
| 37199 | MESGID_DELETE_P2_SA_IKEV2 | Notice |
| 37200 | MESGID_DPD_FAILURE_IKEV2 | Error |
| 37201 | MESGID_CONN_FAILURE_IKEV2 | Error |
| 37202 | MESGID_CONN_UPDOWN_IKEV2 | Notice |
| 37203 | MESGID_P2_UPDOWN_IKEV2 | Notice |
| 37204 | MESGID_CONN_STATS_IKEV2 | Notice |
| 40014 | LOG_ID_PPTP_REACH_MAX_CON | Warning |
| 40016 | LOG_ID_L2TPD_SVR_DISCON | Warning |
| 40017 | LOG_ID_L2TPD_CLIENT_CON_FAIL | Warning |
| 40019 | LOG_ID_L2TPD_CLIENT_DISCON | Information |
| 40021 | LOG_ID_PPTP_NOT_CONIG | Debug |
| 40022 | LOG_ID_PPTP_NO_IP_AVAIL | Warning |
| 40024 | LOG_ID_PPTP_OUT_MEM | Warning |
| 40034 | LOG_ID_PPTP_START | Notice |
| 40035 | LOG_ID_PPTP_START_FAIL | Error |
| 40036 | LOG_ID_PPTP_EXIT | Notice |
| 40037 | LOG_ID_PPTPD_SVR_DISCON | Information |
| 40038 | LOG_ID_PPTPD_CLIENT_CON | Information |
| 40039 | LOG_ID_PPTPD_CLIENT_DISCON | Information |
| 40114 | LOG_ID_L2TPD_START | Notice |
| 40115 | LOG_ID_L2TPD_EXIT | Notice |
| 40118 | LOG_ID_L2TPD_CLIENT_CON | Information |
| 41984 | LOG_ID_EVENT_SSL_VPN_CERT_LOAD | Information |
| 41985 | LOG_ID_EVENT_SSL_VPN_CERT_REMOVAL | Information |
| 41987 | LOG_ID_EVENT_SSL_VPN_CERT_UPDATE | Information |
| 41988 | LOG_ID_EVENT_SSL_VPN_SETTING_UPDATE | Information |
| 41989 | LOG_ID_EVENT_SSL_VPN_CERT_ERR | Information |
| 41990 | LOG_ID_EVENT_SSL_VPN_CERT_UPDATE_FAILED | Information |

WAD
Event-Wad log messages record WAN optimization events, such as a user adding a WAN optimization rule, as well as
web proxy events.
In the log fields, these logs are defined as: type=event subtype=wad.
Log Details

| Log Field Name | Log Field Description | Data Type | Length | Value |
|---|---|---|---|---|
| action | The action the FortiGate unit should take for this firewall policy | ENUM | | |
| addr_type | Address type | String | 4 | |
| alert | Alert | String | | |
| app-type | Application type | String | | |
| authgrp | Authenticated group | String | 36 | |
| date | The date the log event was generated on the device | String | | |
| desc | Description | String | | |
| devid | The serial number of the device | String | | |
| dstip | The destination IP address | IP Address | | |
| dstport | The destination port number of the TCP or UDP traffic. The destination port is zero for other types of traffic | UINT8 | | |
| fqdn | | String | 256 | |
| fwserver_name | Firewall server name | String | 32 | |
| handshake | Handshake IP address | String | 32 | |
| host | The host IP address | String | 256 | |
| ip | IP address | IP Address | | |
| level | The log priority level | String | | |
| local | Local IP address | IP Address | | |
| logid | A ten-digit number. The first two digits represent the log type and the following two digits represent the log subtype. The last one to five digits are the message id | String | 10 | |
| msg | Explains the activity or event that the FortiGate unit recorded | String | 256 | |
| peer | Peer IP address | String | 36 | |
| policyid | The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero. For more information, see the Knowledge Base article, Firewall policy=0 | String | | |
| port | Port scanned | UINT16 | 5 | |
| remote | Remote IP address | IP Address | | |
| serial | The serial number of the log message | UINT32 | 10 | |
| session_id | The session ID | String | | |
| srcip | The source IP address | IP Address | | |
| srcport | The source port of the TCP or UDP traffic. The source protocol is zero for other types of traffic | INT8 | | |
| subtype | The subtype of the log message. The possible values of this field depend on the log type | String | | wad |
| time | Time stamp of the event | String | 8 | |
| type | The log type | String | | event |
| vd | Virtual domain name | String | 32 | |

WAD Log Messages
The following table describes the log message IDs and messages of the WAD log.
Log Message Details

| Message ID | Message | Severity |
|---|---|---|
| 40960 | LOGID_EVENT_WAD_WEBPROXY_FWD_SRV_ERROR | Notice |
| 48000 | LOG_ID_WAD_SSL_RCV_HS | Debug |
| 48001 | LOG_ID_WAD_SSL_RCV_WRG_HS | Error |
| 48002 | LOG_ID_WAD_SSL_SENT_HS | Debug |
| 48003 | LOG_ID_WAD_SSL_WRG_HS_LEN | Error |
| 48004 | LOG_ID_WAD_SSL_RCV_CCS | Debug |
| 48005 | LOG_ID_WAD_SSL_RSA_DH_FAIL | Error |
| 48006 | LOG_ID_WAD_SSL_SENT_CCS | Debug |
| 48007 | LOG_ID_WAD_SSL_BAD_HASH | Error |
| 48009 | LOG_ID_WAD_SSL_DECRY_FAIL | Error |
| 48011 | LOG_ID_WAD_SSL_LESS_MINOR | Error |
| 48013 | LOG_ID_WAD_SSL_NOT_SUPPORT_CS | Error |
| 48016 | LOG_ID_WAD_SSL_HS_FIN | Debug |
| 48017 | LOG_ID_WAD_SSL_HS_TOO_LONG | Error |
| 48019 | LOG_ID_WAD_SSL_SENT_ALERT | Error |
| 48023 | LOG_ID_WAD_SSL_RCV_ALERT | Error |
| 48027 | LOG_ID_WAD_SSL_INVALID_CONT_TYPE | Error |
| 48029 | LOG_ID_WAD_SSL_BAD_CCS_LEN | Error |
| 48031 | LOG_ID_WAD_SSL_BAD_DH | Error |
| 48032 | LOG_ID_WAD_SSL_PUB_KEY_TOO_BIG | Error |
| 48100 | LOG_ID_WAD_AUTH_FAIL_CERT | Error |
| 48101 | LOG_ID_WAD_AUTH_FAIL_PSK | Error |
| 48102 | LOG_ID_WAD_AUTH_FAIL_OTH | Error |
| 48300 | LOG_ID_WRG_SVR_FGT_CONF | Critical |
| 48301 | LOG_ID_UNEXP_APP_TYPE | Critical |
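
The logid layout given in the WAD field table (two type digits, two subtype digits, message ID in the remaining digits) can be combined with the message table above to triage WAD events by severity. The following Python is an added example, not Fortinet code; the sample log lines, their message texts and the leading "0107" type/subtype digits are constructed placeholders, and the function names are hypothetical.

```python
import re

# Subset of the WAD Log Messages table above: message ID -> (name, severity).
WAD_MESSAGES = {
    48016: ("LOG_ID_WAD_SSL_HS_FIN", "Debug"),
    48100: ("LOG_ID_WAD_AUTH_FAIL_CERT", "Error"),
    48101: ("LOG_ID_WAD_AUTH_FAIL_PSK", "Error"),
    48102: ("LOG_ID_WAD_AUTH_FAIL_OTH", "Error"),
    48300: ("LOG_ID_WRG_SVR_FGT_CONF", "Critical"),
}
ALERT_SEVERITIES = {"Error", "Critical"}
FIELD_RE = re.compile(r'([\w-]+)=("[^"]*"|\S*)')

def parse_fields(line):
    """Split a key=value log line into a dict, unquoting quoted values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def split_logid(logid):
    """Return (type_code, subtype_code, message_id), or None if not ten digits."""
    if not re.fullmatch(r"\d{10}", logid or ""):
        return None
    # Digits 1-2: log type; digits 3-4: subtype; the rest: zero-padded message ID.
    return logid[:2], logid[2:4], int(logid[4:])

def triage(lines):
    """Return (message_id, name, severity, peer) for Error/Critical WAD events."""
    hits = []
    for line in lines:
        f = parse_fields(line)
        if f.get("type") != "event" or f.get("subtype") != "wad":
            continue
        parts = split_logid(f.get("logid"))
        if parts is None:
            continue  # malformed logid: do not guess a message ID
        name, severity = WAD_MESSAGES.get(parts[2], ("UNKNOWN", "Unknown"))
        if severity in ALERT_SEVERITIES:
            hits.append((parts[2], name, severity, f.get("peer", "")))
    return hits

# Constructed sample lines; "0107" is a placeholder, not a documented type/subtype code.
SAMPLE = [
    'time=10:15:02 logid=0107048101 type=event subtype=wad vd=root peer=192.0.2.10 msg="PSK auth failed"',
    'time=10:15:03 logid=0107048016 type=event subtype=wad vd=root msg="handshake finished"',
    'time=10:15:09 logid=0107048300 type=event subtype=wad vd=root msg="wrong server config"',
    'time=10:15:11 logid=48101 type=event subtype=wad vd=root msg="truncated logid"',
]

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(hit)
```
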
Wireless
Event-Wireless log messages record wireless events that occur with FortiGate units that have WiFi capabilities.
In the log fields, these logs are defined as: type=event subtype=wireless.
Log Details

| Log Field Name | Log Field Description | Data Type | Length | Value |
|---|---|---|---|---|
| action | The action the FortiGate unit should take for this firewall policy | String | 32 | |
| age | time in seconds - time passed since last seen | UINT32 | 10 | |
| ap | The physical access point name | String | 36 | |
| apscan | The name of the AP, which scanned and detected the rogue AP | String | 36 | |
| aptype | AP Type | UINT8 | 3 | |
| bssid | Service Set ID | String | 17 | |
| cfgtxpower | Config TX power | UINT32 | 10 | |
| channel | Channel | UINT8 | 3 | |
| configcountry | Config Country | String | 4 | |
| date | The date the log event was generated on the device | String | 10 | |
| detectionmethod | Detection method | String | 21 | |
| devid | The serial number of the device | String | 16 | |
| ds | direction with distribution system | String | 8 | |
| eapolcnt | EAPOL packet count | UINT32 | 10 | |
| eapoltype | EAPOL packet type | ENUM | 16 | |
| encrypt | whether the packet is encrypted or not | UINT8 | 3 | |
| frametype | the type of frame used in traffic | String | 32 | |
| invalidmac | the MAC address with invalid OUI | String | 17 | |
| ip | IP address | IP Address | 39 | |
| level | The log priority level | String | 11 | |
| live | time in seconds | UINT32 | 10 | |
| logid | A ten-digit number. The first two digits represent the log type and the following two digits represent the log subtype. The last one to five digits are the message id | String | 10 | |
| manuf | Manufacturer name | String | 20 | |
| meshmode | Mesh mode | String | 19 | |
| mgmtcnt | The number of unauthorized client flooding management frames | UINT32 | 10 | |
| msg | Explains the activity or event that the FortiGate unit recorded | String | 256 | |
| noise | Traffic noise | INT8 | 4 | |
| onwire | A flag to indicate if the AP is onwire or not | String | 3 | |
| opercountry | Operating Country | String | 4 | |
| opertxpower | Operating TX power | UINT32 | 10 | |
| approfile | The application profile | String | 36 | |
| radioband | Radio band ID | String | 64 | |
| radioid | Radio signal ID | UINT8 | 3 | |
| radioidclosest | Radio ID on the AP closest to the rogue AP | UINT8 | 3 | |
| radioiddetected | Radio ID on the AP which detected the rogue AP | UINT8 | 3 | |
| rate | Traffic rate | UINT8 | 3 | |
| reason | The reason for which the log was generated | String | 256 | |
| rssi | Received signal strength indicator | UINT8 | 3 | |
| security | The wireless security | String | 10 | open, wep64, wep128, wpa-psk, wpa-radius, wpa, wpa2, wpa2-auto |
| securitymode | Security mode | String | 20 | |
| signal | Traffic signal | INT8 | 4 | |
| snclosest | SN of the AP closest to the rogue AP | String | 36 | |
| sndetected | SN of the AP which detected the rogue AP | String | 36 | |
| snmeshparent | SN of the mesh parent | String | 36 | |
| ssid | Base Service Set ID | String | 33 | |
| stacount | Number of stations/clients | UINT32 | 10 | |
| stamac | Station/Client MAC address | String | 17 | |
| status | The status of the action the FortiGate unit took when the event occurred | UINT8 | 3 | |
| subtype | The subtype of the log message. The possible values of this field depend on the log type | String | 20 | wireless |
| tamac | the MAC address of Transmitter, if none, then Receiver | String | 17 | |
| threattype | WIDS threat type | String | 64 | |
| time | Time stamp of the event | String | 8 | |
| type | The log type | String | 16 | event |
| vap | The virtual access point name | String | 36 | |
| vd | Virtual domain name | String | 32 | |
| weakwepiv | Weak Wep Initiation Vector | String | 8 | |

Wireless Log Messages
The following table describes the log message IDs and messages of the Wireless log.
Log Message Details

| Message ID | Message | Severity |
|---|---|---|
| 43520 | LOG_ID_EVENT_WIRELESS_SYS | Notice |
| 43521 | LOG_ID_EVENT_WIRELESS_ROGUE | Unknown |
| 43522 | LOG_ID_EVENT_WIRELESS_WTP | Notice |
| 43524 | LOG_ID_EVENT_WIRELESS_STA | Notice |
| 43525 | LOG_ID_EVENT_WIRELESS_ONWIRE | Unknown |
| 43526 | LOG_ID_EVENT_WIRELESS_WTPR | Notice |
| 43527 | LOG_ID_EVENT_WIRELESS_ROGUE_CFG | Notice |
| 43528 | LOG_ID_EVENT_WIRELESS_WTPR_ERROR | Unknown |
| 43529 | LOG_ID_EVENT_WIRELESS_CLB | Notice |
| 43530 | LOG_ID_EVENT_WIRELESS_WIDS_WL_BRIDGE | Notice |
| 43531 | LOG_ID_EVENT_WIRELESS_WIDS_BR_DEAUTH | Notice |
| 43532 | LOG_ID_EVENT_WIRELESS_WIDS_NL_PBRESP | Notice |
| 43533 | LOG_ID_EVENT_WIRELESS_WIDS_MAC_OUI | Notice |
| 43534 | LOG_ID_EVENT_WIRELESS_WIDS_LONG_DUR | Notice |
| 43535 | LOG_ID_EVENT_WIRELESS_WIDS_WEP_IV | Notice |
| 43542 | LOG_ID_EVENT_WIRELESS_WIDS_EAPOL_FLOOD | Notice |
| 43544 | LOG_ID_EVENT_WIRELESS_WIDS_MGMT_FLOOD | Notice |
| 43546 | LOG_ID_EVENT_WIRELESS_WIDS_SPOOF_DEAUTH | Notice |

Copyright© 2014 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and
other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective
owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network
variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet
disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that
expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance
metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal
conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet
reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.