FortiOS Log Reference
VERSION 5.2.3
FORTINET DOCUMENT LIBRARY
http://docs.fortinet.com
FORTINET VIDEO GUIDE
http://video.fortinet.com
FORTINET BLOG
https://blog.fortinet.com
CUSTOMER SERVICE & SUPPORT
https://support.fortinet.com
FORTIGATE COOKBOOK
http://cookbook.fortinet.com
FORTINET TRAINING SERVICES
http://www.fortinet.com/training
FORTIGUARD CENTER
http://www.fortiguard.com
END USER LICENSE AGREEMENT
http://www.fortinet.com/doc/legal/EULA.pdf
FEEDBACK
Email: [email protected]
January 27, 2017
FortiOS 5.2.3 Log Reference
01-523-262694-20170127
TABLE OF CONTENTS
Change Log 5
Introduction 6
Before You Begin 7
How This Reference is Organized 7
Overview 8
Managing and Understanding Logs 9
Log Types and Sub Types 10
Type 10
Subtype 10
Priority Level 11
Log Message Format 11
Log Field Format 12
Log Schema Structure 13
Header and Body Fields 13
Log ID Numbers 16
Log ID Definitions 17
Traffic Log 20
Traffic Log Messages 28
Security Log 29
Application Control 30
Application Control Log Messages 34
AntiVirus 35
AntiVirus Log Messages 41
DLP 43
Email Filter 48
Email Filter Log Messages 52
IPS 54
IPS Log Messages 58
Anomaly 59
Anomaly Log Messages 62
Web Filter 63
Web Filter Log Messages 68
Event Log 70
Endpoint Control 71
Endpoint Log Messages 74
GTP 75
GTP Log Messages 83
High Availability 85
High Availability Log Messages 88
Router 90
Router Log Messages 92
System 93
System Log Messages 102
User 124
User Log Messages 128
VPN 131
VPN Log Messages 137
WAD 143
WAD Log Messages 146
Wireless 148
Wireless Log Messages 154
Other Logs 156
VOIP 157
VOIP Log Messages 160
NetScan 161
NetScan Log Messages 165
Appendix A: Log field diff - 5.2.2 and 5.2.3 166
Security (UTM) 166
Antivirus 166
Application 166
Anomaly 166
DLP 167
Email 167
IPS 167
WebFilter 167
Event 167
Endpoint 168
System 168
Other logs 168
VOIP 169
Change Log

| Date | Change Description |
|---|---|
| 2015-08-25 | Updated for version 5.2.3. |
| 2016-03-29 | Updated log ID 32010. |
| 2017-01-27 | Removed encrypt-kickout and kickout values. |
5 Log Reference
Fortinet Technologies Inc.
Introduction
This document provides information about all the log messages applicable to FortiGate devices running FortiOS
version 5.2.0 or higher. It is intended as a reference for administrators who need more information about a
specific log entry or message that a device generates.
This chapter includes the following topics:
Before You Begin 7
How This Reference is Organized 7
Before You Begin
Before you begin using this reference, read the following notes:
- The information in this document applies to all FortiGate units currently running FortiOS 5.2.0 or higher.
- Ensure that you have enabled logging for the FortiGate unit. For more information, see the Logging and Reporting chapter in the FortiGate Handbook.
- Each log message is displayed in RAW format in the Log View of the web-based manager.
- Each log message is documented similar to how it appears in the log viewer table, based on the RAW format. For more information, see the Logging and Reporting chapter in the FortiGate Handbook.
NOTE: This reference contains detailed information for each log type and sub type; however, this reference contains
only information gathered at publication and, as a result, not every log message field contains detailed information.
How This Reference is Organized
The following sections are grouped by log type, with the exception of the Event and Security log types, which are grouped by
sub type (for example, Security->AntiVirus and Event->System) because of the large number of sub types associated
with the security and event logs.
Overview
The log types described in this document report traffic, security, and event log information useful for system
administrators when recording, monitoring, and tracing the operation of a FortiGate device running FortiOS. The logs
provide information regarding the following:
- Firewall attacks
- Configuration changes
- Successful and unsuccessful system operations
Managing and Understanding Logs 9
Managing and Understanding Logs
This document is organized by log types and sub types, which provides quick access to messages related to specific logs
and groups the messages into meaningful sections in the database.
It provides administrators with a comprehensive list of all the log messages that the FortiGate generates, with
explanations of what the messages mean and what possible actions you might take upon receiving them. In each section,
the log entry messages are listed by their log ID numbers. See the Log Types and Sub Types section for more
information about the log ID numbering format.
Log Types and Sub Types
FortiGate devices can record the following types and sub types of log entry information:
Log Details

| Type | Description | Sub Type |
|---|---|---|
| Traffic | Records traffic flow information, such as an HTTP/HTTPS request and its response, if any. | Local, Forward, Multicast, Sniffer |
| Security (UTM) | Records virus attack and intrusion attempts. | AntiVirus, Application Control, Data Leak Prevention (DLP), Intrusion Prevention (IPS), Email Filter, Web Filter |
| Event | Records system and administrative events, such as downloading a backup copy of the configuration, or daemon activities. | System, High Availability, Router, Endpoint Control, GTP, Virtual Private Network (VPN), WAD, Wireless, User |
Type
Each log entry contains a Type (type) field that indicates its log type, and in which log file it is stored.
Subtype
Each log entry might also contain a Sub Type (subtype) field within a log type, based on the feature associated with
the cause of the log entry.
For example:
- In event logs, some log entries have a subtype of user, system, or other sub types.
- In security (UTM) logs, some log entries have a subtype of DLP, Web Filter, Email or other sub types.
- In traffic logs, the sub types are: local, forward, multicast, and sniffer.
Priority Level
Each log entry contains a Level (pri) field that indicates the estimated severity of the event that caused the log entry,
such as pri=warning, and therefore how high a priority it is likely to be. Level (pri) associations with the descriptions
below are not always uniform. They also may not correspond with your own definitions of how severe each event is. If
you require notification when a specific event occurs, either configure SNMP traps or alert email by administrator-
defined Severity Level (severity_level) or ID (log_id), not by Level (pri).
Priority Levels

| Level (0 is highest) | Name | Description |
|---|---|---|
| 0 | Emergency | The system is unusable or not responding. |
| 1 | Alert | Immediate action required. Used in security logs. |
| 2 | Critical | Functionality is affected. |
| 3 | Error | An error exists and functionality could be affected. |
| 4 | Warning | Functionality could be affected. |
| 5 | Notification | Information about normal events. |
| 6 | Information | General information about system operations. Used in event logs to record configuration changes. |
For each location where the FortiGate device can store log files (disk, memory, Syslog or FortiAnalyzer), you can
define a severity threshold. The FortiGate stores all log messages equal to or exceeding the log severity level
selected. For example, if you select Error, FortiGate will store log messages whose log severity level is Error, Critical,
Alert, and Emergency.
Log Message Format
For documentation purposes, all log types and sub types follow this generic table format to present the log message
entry and severity information.
Example: Log Message Details

| Message ID | Message | Severity |
|---|---|---|
| 2 | LOG_ID_TRAFFIC_ALLOW | Notice |
Log Field Format
The following table describes the standard format in which each log type is described in this document. For
documentation purposes, all log types and sub types follow this generic table format to present the log entry
information.
Example: Log Entry Information

| Log Field | Log Field Description | Data Type | Length | Value(s) |
|---|---|---|---|---|
| appact | The security action from app control | ENUM | 16 | block, monitor, pass, reject, reset |

Log Schema Structure
This section describes the schema of the FortiGate log entries.
Header and Body Fields
Each log entry consists of several fields and values. In the web-based manager, the logs are displayed in a Formatted
table view or Raw format. You can download the logs in the raw format for further analysis.
- Header - Contains the date and time the log originated, log identifier, message identifier, administrative domain (ADOM), the log category, severity level, and where the log originated. These fields are common to all log types.
- Body - Describes the reason why the log was created and actions taken by the FortiGate device to address it. These fields vary by log type.
Following is an example of a traffic log entry in raw format. The header fields (date, time, logid, type, subtype, level and vd, as listed in the table that follows) come first; the remaining fields, from srcip onward, are the body.

date=2014-07-04 time=14:26:59 logid=0001000014 type=traffic subtype=local
level=notice vd=vdom1 srcip=10.6.30.254 srcport=54705 srcintf="mgmt1"
dstip=10.6.30.1 dstport=80 dstintf="vdom1" sessionid=350696 status=close
policyid=0 dstcountry="Reserved" srccountry="Reserved" trandisp=noop service=HTTP
proto=6 app="Web Management" duration=13 sentbyte=1948 rcvdbyte=3553 sentpkt=9
rcvdpkt=9 devtype="Fortinet Device" osname="Fortinet OS"
mastersrcmac=00:09:0f:67:6c:31 srcmac=00:09:0f:67:6c:31
The following table describes each possible header and body field, according to its name as it appears in the
Formatted or Raw view.
Example: Traffic Log (Raw Format)

| Field Name (raw format view in parentheses) | Field Description | Traffic | Event | Security | Example Field - Value (raw format) |
|---|---|---|---|---|---|
| Header | | | | | |
| Date (date) | The day, month, and year when the log message was reported. | √ | √ | √ | date=2014-07-04 |
| Time (time) | The hour clock when the log message was recorded. | √ | √ | √ | time=14:26:59 |
| ID (log_id) | See Log ID | √ | √ | √ | logid=0001000014 |
| MSG (msg) | See Message IDs | √ | √ | √ | msg=000100000012 |
| Type (type) | See Type | √ | √ | √ | type=traffic |
| Sub Type (subtype) | See Sub Type | √ | √ | √ | subtype=local |
| VDOM (vd) | The virtual domain in which the log message was recorded. | √ | √ | √ | vd=vdom1 |
| Level (pri) | Priority level | √ | √ | √ | level=notice |
| Body | | | | | |
| Protocol (proto) | tcp: The protocol used by web traffic (tcp by default) | √ | √ | √ | proto=6 |
| Source IP (srcip) | The IP address of the traffic's origin. The source varies by the direction: in HTTP requests, this is the web browser or other client; in HTTP responses, this is the physical server. | √ | √ | √ | srcip=10.6.30.254 |
| Source Port (srcport) | The port number of the traffic's origin. | √ | √ | √ | srcport=54705 |
| Source Interface (srcintf) | The interface of the traffic's origin. | √ | √ | √ | srcintf="mgmt1" |
| Destination IP (dstip) | The destination IP address for the web. | √ | √ | √ | dstip=10.6.30.1 |
| Destination Port (dstport) | The port number of the traffic's destination. | √ | √ | √ | dstport=80 |
| Destination Interface (dstintf) | The interface of the traffic's destination. | √ | √ | √ | dstintf="vdom1" |
| Session ID (sessionid) | The session number for the traffic connection. | √ | √ | √ | sessionid=350696 |
| Status (status) | The status of the session. | √ | √ | √ | status=close |
| Policy (policyid) | The name of the server policy governing the traffic which caused the log message. | √ | √ | √ | policyid=0 |
| Service (service) | http or https. The name of the application-layer protocol used by the traffic. By definition, for FortiWeb, this is always HTTP or HTTPS. | √ | √ | √ | service=HTTP |
| User (user) | The daemon or name of the administrator account that performed the action that caused the log message. | √ | √ | √ | user=admin |
Log ID Numbers
The ID (log_id) is a 10-digit field located in the header, immediately following the time and date fields. It is a unique
identifier for that specific log and includes the following information about the log entry.
| Log ID number components | Description | Examples |
|---|---|---|
| Log Type | Represented by the first two digits of the log ID. | Traffic log IDs begin with "00". Event log IDs begin with "01". |
| Sub Type or Event Type | Represented by the second two digits of the log ID. | The VPN log subtype is represented with "01" and belongs to the Event log type, which is represented with "01". Therefore, all VPN related Event log IDs begin with the 0101 log ID series. |
| Message ID | The last six digits of the log ID represent the message ID. | An administrator account always has the log ID 0000003401. |
The log_id field is a number assigned to all permutations of the same message. It classifies a log entry by the nature
of the cause of the log message, such as administrator authentication failures or traffic. Other log messages that
share the same cause will share the same log_id.
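The raw key=value layout from the Header and Body Fields section and the two-digit type, two-digit sub type, six-digit message ID layout of the log ID described above can be exercised together in a short Python script. This is an added example, not part of the Fortinet reference and not Fortinet code: it parses the raw traffic entry shown earlier, decodes its logid using the numbers from the Log ID Definitions table (only the traffic and event sub type families are expanded), looks the message ID up in the Traffic Log Messages table, and applies the severity-threshold rule from the Priority Level section. The function names and the spelling of the level names in the raw level= field are assumptions made for this example.

```python
import shlex
from typing import Dict, Tuple

# Log type and sub type numbers from the "Log ID Definitions" table of this
# reference. Only the traffic and event sub type families are expanded here.
LOG_TYPES = {0: "traffic", 1: "event", 2: "antivirus", 3: "webfilter", 4: "ips",
             5: "spam", 6: "contentlog", 7: "anomaly", 8: "voip", 9: "dlp",
             10: "app-ctrl-all", 11: "netscan"}
SUB_TYPES = {
    0: {0: "forward", 1: "local", 2: "multicast", 4: "sniffer"},
    1: {0: "system", 1: "vpn", 2: "user", 3: "router", 4: "wireless",
        5: "wad", 6: "gtp", 7: "endpoint", 8: "ha"},
}
# Subset of the "Traffic Log Messages" table, keyed by message ID.
TRAFFIC_MESSAGES = {2: "LOG_ID_TRAFFIC_ALLOW", 3: "LOG_ID_TRAFFIC_DENY",
                    13: "LOG_ID_TRAFFIC_END_FORWARD", 14: "LOG_ID_TRAFFIC_END_LOCAL",
                    15: "LOG_ID_TRAFFIC_START_FORWARD", 16: "LOG_ID_TRAFFIC_START_LOCAL"}
# Priority levels, index 0 = most severe. Spelled as the raw level= field writes
# them (assumption: the table calls level 5 "Notification", the field says notice).
LEVELS = ["emergency", "alert", "critical", "error", "warning", "notice", "information"]

# The raw traffic entry shown in the Header and Body Fields section, joined onto one line.
SAMPLE_LINE = (
    'date=2014-07-04 time=14:26:59 logid=0001000014 type=traffic subtype=local '
    'level=notice vd=vdom1 srcip=10.6.30.254 srcport=54705 srcintf="mgmt1" '
    'dstip=10.6.30.1 dstport=80 dstintf="vdom1" sessionid=350696 status=close '
    'policyid=0 dstcountry="Reserved" srccountry="Reserved" trandisp=noop service=HTTP '
    'proto=6 app="Web Management" duration=13 sentbyte=1948 rcvdbyte=3553 sentpkt=9 '
    'rcvdpkt=9 devtype="Fortinet Device" osname="Fortinet OS" '
    'mastersrcmac=00:09:0f:67:6c:31 srcmac=00:09:0f:67:6c:31'
)


def parse_raw(line: str) -> Dict[str, str]:
    """Split a raw key=value log line into a dict.

    shlex honours the double quotes around values that contain spaces
    (app="Web Management"), which a plain str.split() would break apart.
    """
    fields: Dict[str, str] = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if not sep:
            raise ValueError(f"token without '=': {token!r}")
        fields[key] = value
    return fields


def decode_logid(logid: str) -> Tuple[str, str, int]:
    """Split a 10-digit logid into (log type, sub type, message ID)."""
    if len(logid) != 10 or not logid.isdigit():
        raise ValueError(f"logid must be exactly 10 digits, got {logid!r}")
    type_id, sub_id, msg_id = int(logid[:2]), int(logid[2:4]), int(logid[4:])
    type_name = LOG_TYPES.get(type_id, f"unknown-type-{type_id}")
    sub_name = SUB_TYPES.get(type_id, {}).get(sub_id, f"unknown-subtype-{sub_id}")
    return type_name, sub_name, msg_id


def meets_threshold(level: str, threshold: str) -> bool:
    """True when `level` is as severe as or more severe than `threshold`,
    i.e. the entry would be stored at a location configured with that threshold."""
    return LEVELS.index(level.lower()) <= LEVELS.index(threshold.lower())


def describe(line: str) -> Dict[str, object]:
    """Parse one raw entry and decode its logid and message name."""
    rec = parse_raw(line)
    log_type, sub_type, msg_id = decode_logid(rec["logid"])
    name = TRAFFIC_MESSAGES.get(msg_id) if log_type == "traffic" else None
    return {"type": log_type, "subtype": sub_type, "msgid": msg_id,
            "message": name, "level": rec["level"]}


if __name__ == "__main__":
    print(describe(SAMPLE_LINE))
```

For the sample entry, logid=0001000014 decodes to type 00 (traffic), sub type 01 (local) and message ID 14, which the Traffic Log Messages table lists as LOG_ID_TRAFFIC_END_LOCAL at severity Notice; that agrees with the entry's type=traffic, subtype=local, status=close and level=notice fields, which is a useful consistency check when validating a log pipeline.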
Log ID Definitions
Following are the definitions for the log type IDs and sub type IDs applicable to FortiOS version 5.2.1 and later.
| Log Type IDs | Sub Type IDs |
|---|---|
| traffic:0 | forward:0, local:1, multicast:2, sniffer:4 |
| event:1 | system:0, vpn:1, user:2, router:3, wireless:4, wad:5, gtp:6, endpoint:7, ha:8 |
| antivirus:2 | virus:2, suspicious:0, analytics:1, botnet:2, infected:11, filename:12, oversize:13, scanerror:62, switchproto:63 |
| webfilter:3 | content:14, urlfilter:15, ftgd_blk:16, ftgd_allow:17, ftgd_err:18, activexfilter:35, cookiefilter:36, appletfilter:37, ftgd_quota_counting:38, ftgd_quota_expired:39, ftgd_quota:40, scriptfilter:41, webfilter_command_block:43 |
| ips:4 | signature:19 |
| spam:5 | msn-hotmail:5, yahoo-mail:6, gmail:7, smtp:8, pop3:9, imap:10, mapi:11, carrier-endpoint-filter:47, mass-mms:52 |
| contentlog:6 | HTTP:24, FTP:25, SMTP:26, POP3:27, IMAP:28, HTTPS:30, im-all:31, NNTP:39, VOIP:40, SMTPS:55, POP3S:56, IMAPS:57, MM1:48, MM3:49, MM4:50, MM7:51 |
| anomaly:7 | anomaly:20 |
| voip:8 | voip:14 |
| dlp:9 | dlp:54, dlp-docsource:55 |
| app-ctrl-all:10 | app-ctrl-all:59 |
| netscan:11 | discovery:0, vulnerability:1 |
| UTM | virus:2, webfilter:3, ips:4, spam:5, contentlog:6, voip:8, dlp:9, app-ctrl:10 |
Traffic Log
Traffic log messages record network traffic passing through the FortiGate unit.
Traffic logs include the following log sub types:
- Forward
- Multicast
- Local
- Sniffer
The following table describes the log fields of the Traffic log.
NOTE: In the policyid field of traffic log messages, the number may be zero because any policy that is automatically
added by the FortiGate unit is indexed as zero. For more information, see the Fortinet Knowledge Base article, Firewall
policy=0.
| Log Field Name | Log Field Description | Data Type | Length | Value |
|---|---|---|---|---|
| action | The status of the session. Uses the following definition: Deny = blocked by firewall policy. Start = session start log (special option to enable logging at the start of a session); this means the firewall allowed the session. All others = allowed by firewall policy, and the status indicates how the session was closed. | String | 16 | close, deny, dns, ip-conn, start, timeout |
| app | The application name. | String | 96 | |
| appact | The security action from app control. | String | 16 | block, monitor, pass, reject, reset |
| appcat | The application category. | String | 64 | |
| appid | The application ID. | UINT32 | 10 | |
| applist | The application control profile (name). | String | 64 | |
| apprisk | The application risk level. | String | 16 | critical, elevated, high, low, medium |
| collectedemail | The email address from the email collection captive portal. | String | 66 | |
| countapp | The number of application control logs associated with the session. | UINT32 | 10 | |
| countav | The number of AntiVirus logs associated with the session. | UINT32 | 10 | |
| countdlp | The number of DLP logs associated with the session. | UINT32 | 10 | |
| countemail | The number of email logs associated with the session. | UINT32 | 10 | |
| countips | The number of IPS logs associated with the session. | UINT32 | 10 | |
| countweb | The number of Web Filter logs associated with the session. | UINT32 | 10 | |
| craction | The action performed by client reputation. | UINT32 | 10 | |
| crlevel | The client reputation level. | String | 10 | |
| crscore | The client reputation score. | UINT32 | 10 | |
| custom | The custom field. | Custom | | |
| date | The date the log event was generated on the device. | String | 10 | |
| devid | The device serial number. | String | 16 | |
| devtype | The device type. | String | 32 | |
| dstcountry | The country name for the destination IP. | String | 64 | |
| dstintf | The destination interface. | String | 32 | |
| dstip | The destination IP address. | IP Address | 39 | |
| dstname | The destination name. | String | 66 | |
| dstport | The destination port. | UINT16 | 5 | |
| dstssid | The destination SSID. | String | 33 | |
| dstuuid | The UUID of the destination IP address. | String | 37 | |
| duration | The duration of the session. | UINT32 | 10 | |
| group | The group name. | String | 64 | |
| lanin | The local area network incoming traffic in bytes. | UINT64 | 20 | |
| lanout | The local area network outgoing traffic in bytes. | UINT64 | 20 | |
| level | The log priority level. | String | 11 | |
| logid | A ten-digit number. The first two digits represent the log type and the following two digits represent the log subtype. The last one to five digits are the message ID. | String | 10 | |
| mastersrcmac | The master MAC address for a host that has multiple network interfaces. | String | 17 | |
| msg | The activity or event that the FortiGate unit recorded. | String | 64 | |
| osname | The name of the operating system. | String | 66 | |
| osversion | The version of the operating system. | String | 66 | |
| policyid | The firewall policy ID. | UINT32 | 10 | |
| poluuid | The UUID of the firewall policy. | String | 37 | |
| proto | The protocol number. | UINT8 | 3 | |
| rcvdbyte | The number of bytes received. | UINT64 | 20 | |
| rcvdpkt | The number of packets received. | UINT32 | 10 | |
| sentbyte | The number of bytes sent. | UINT64 | 20 | |
| sentpkt | The number of packets sent. | UINT32 | 10 | |
| service | The name of the service. | String | 36 | |
| sessionid | The session ID. | UINT32 | 10 | |
| shaperdroprcvdbyte | The number of received bytes dropped by the shaper. | UINT32 | 10 | |
| shaperdropsentbyte | The number of sent bytes dropped by the shaper. | UINT32 | 10 | |
| shaperperipdropbyte | The number of bytes per IP dropped by the shaper. | UINT32 | 10 | |
| shaperperipname | The traffic shaper name (per IP). | String | 36 | |
| shaperrcvdname | The traffic shaper name for received traffic. | String | 36 | |
| shapersentname | The traffic shaper name for sent traffic. | String | 36 | |
| srccountry | The country name for the source IP. | String | 64 | |
| srcintf | The source interface name. | String | 32 | |
| srcip | The source IP address. | IP Address | 39 | |
| srcmac | The MAC address associated with the source IP. | String | 17 | |
| srcname | The source name. | String | 66 | |
| srcport | The source port number. | UINT16 | 5 | |
| srcssid | The source SSID. | String | 33 | |
| srcuuid | The UUID of the source IP address. | String | 37 | |
| subtype | The subtype of the traffic. | String | 20 | |
| time | The time stamp of the event. | String | 8 | |
| trandisp | The NAT translation type. | String | 16 | dnat, noop, snat, snat+dnat |
| tranip | The NAT destination IP. | IP Address | 39 | |
| tranport | The NAT destination port. | UINT16 | 5 | |
| transip | The NAT source IP address. | IP Address | 39 | |
| transport | The NAT source port. | UINT16 | 5 | |
| type | The log type. | String | 16 | |
| unauthuser | The unauthenticated user name. | String | 66 | |
| unauthusersource | The method used to detect the unauthenticated user name. | String | 66 | |
| user | The user name. | String | 256 | |
| utmaction | The security action performed by UTM. | String | 32 | allow, block, n/a, reset, traffic-shape |
| vd | The virtual domain name. | String | 32 | |
| vpn | The name of the VPN tunnel. | String | 32 | |
| vpntype | The type of the VPN tunnel. | String | 14 | ipsec-ddns, ipsec-dynamic, ipsec-static, sslvpn |
| wanin | The WAN incoming traffic in bytes. | UINT32 | 10 | |
| wanoptapptype | The WAN optimization application type. | String | 9 | cifs, ftp, ftp-proxy, http, mapi, tcp, web-cache, web-proxy |
| wanout | The WAN outgoing traffic in bytes. | UINT32 | 10 | |
Traffic Log Messages
The following table describes the log message IDs and messages of the Traffic log.
| Message ID | Message | Severity |
|---|---|---|
| 2 | LOG_ID_TRAFFIC_ALLOW | Notice |
| 3 | LOG_ID_TRAFFIC_DENY | Warning |
| 4 | LOG_ID_TRAFFIC_OTHER_START | Notice |
| 5 | LOG_ID_TRAFFIC_OTHER_ICMP_ALLOW | Notice |
| 6 | LOG_ID_TRAFFIC_OTHER_ICMP_DENY | Warning |
| 7 | LOG_ID_TRAFFIC_OTHER_INVALID | Warning |
| 8 | LOG_ID_TRAFFIC_WANOPT | Notice |
| 9 | LOG_ID_TRAFFIC_WEBCACHE | Notice |
| 10 | LOG_ID_TRAFFIC_EXPLICIT_PROXY | Notice |
| 11 | LOG_ID_TRAFFIC_FAIL_CONN | Warning |
| 12 | LOG_ID_TRAFFIC_MULTICAST | Notice |
| 13 | LOG_ID_TRAFFIC_END_FORWARD | Notice |
| 14 | LOG_ID_TRAFFIC_END_LOCAL | Notice |
| 15 | LOG_ID_TRAFFIC_START_FORWARD | Notice |
| 16 | LOG_ID_TRAFFIC_START_LOCAL | Notice |
| 17 | LOG_ID_TRAFFIC_SNIFFER | Notice |
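The Traffic Log field table defines how the action field is to be read (deny = blocked by policy, start = session-start log, anything else = allowed and closed in the stated way) and carries the per-session UTM counters (countav, countips and the others) and utmaction. The following Python applies those definitions to a handful of traffic entries to produce a simple triage summary: denied sessions per source and sessions on which UTM acted. This is an added example, not Fortinet code and not part of this reference; the sample lines are constructed for it (no device produced them), with logid values built from the type, sub type and message ID scheme of this document, and the function names are assumptions of the example.

```python
import shlex
from collections import Counter
from typing import Dict, List

# UTM counters from the Traffic Log field table; a non-zero value means a
# security log of that kind was produced for the same session.
UTM_COUNTERS = ("countapp", "countav", "countdlp", "countemail", "countips", "countweb")

# Constructed sample lines (not captured from a device) using the field names
# and values defined in the Traffic Log table. logid = 00 (traffic) + 00/01
# (forward/local) + the message ID from the Traffic Log Messages table.
SAMPLE_LINES = [
    'date=2014-07-04 time=14:26:59 logid=0001000014 type=traffic subtype=local level=notice '
    'vd=vdom1 srcip=10.6.30.254 srcport=54705 dstip=10.6.30.1 dstport=80 action=close '
    'policyid=0 service=HTTP proto=6 duration=13 sentbyte=1948 rcvdbyte=3553',
    'date=2014-07-04 time=14:27:03 logid=0000000013 type=traffic subtype=forward level=notice '
    'vd=vdom1 srcip=10.6.30.77 srcport=40001 dstip=203.0.113.5 dstport=443 action=close '
    'policyid=4 service=HTTPS proto=6 duration=42 sentbyte=51200 rcvdbyte=820 '
    'utmaction=block countav=1',
    'date=2014-07-04 time=14:27:10 logid=0000000003 type=traffic subtype=forward level=warning '
    'vd=vdom1 srcip=10.6.30.77 srcport=40002 dstip=203.0.113.9 dstport=22 action=deny '
    'policyid=0 service=SSH proto=6 sentbyte=0 rcvdbyte=0',
    'date=2014-07-04 time=14:27:11 logid=0000000015 type=traffic subtype=forward level=notice '
    'vd=vdom1 srcip=10.6.30.90 srcport=40003 dstip=198.51.100.2 dstport=80 action=start '
    'policyid=4 service=HTTP proto=6',
]


def parse_raw(line: str) -> Dict[str, str]:
    """Split key=value tokens; shlex keeps quoted values with spaces intact."""
    return dict(token.split("=", 1) for token in shlex.split(line))


def classify_action(rec: Dict[str, str]) -> str:
    """Apply the action semantics documented in the Traffic Log table:
    deny = blocked by firewall policy; start = session-start log (allowed);
    any other value = allowed, and the value says how the session closed."""
    action = rec.get("action", "")
    if action == "deny":
        return "denied"
    if action == "start":
        return "session-start"
    return "allowed/" + (action or "unknown")


def has_utm_event(rec: Dict[str, str]) -> bool:
    """True if UTM acted on the session or a security log was tied to it."""
    if rec.get("utmaction") in ("block", "reset"):
        return True
    return any(int(rec.get(counter, "0")) > 0 for counter in UTM_COUNTERS)


def triage(lines: List[str]) -> Dict[str, object]:
    """Summarise session outcomes, denies per source and UTM-affected sessions."""
    outcomes: Counter = Counter()
    denies_per_src: Counter = Counter()
    utm_sessions = []
    for line in lines:
        rec = parse_raw(line)
        if rec.get("type") != "traffic":  # security logs use type=utm; skip them
            continue
        outcome = classify_action(rec)
        outcomes[outcome] += 1
        if outcome == "denied":
            denies_per_src[rec["srcip"]] += 1
        if has_utm_event(rec):
            utm_sessions.append((rec["srcip"], rec["dstip"], rec.get("utmaction", "n/a")))
    return {"outcomes": outcomes, "denies_per_src": denies_per_src,
            "utm_sessions": utm_sessions}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LINES).items():
        print(key, value)
```

Note that a session-start entry (action=start) carries no byte or duration counts yet; the matching end entry for the same session is the one to use for volume figures, so the two should not be double-counted when summarising sessions.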
Security Log
The following sections provide information about the different types of logs recorded under the Security log type.
In FortiOS 5.0 and previous versions, the logs were displayed under the UTM log type. In FortiOS
5.2.0 and later versions, the UTM logs are displayed under the Security log type. All logs grouped
in the security log include the log field type=utm.
Application Control 30
Application Control Log Messages 34
AntiVirus 35
AntiVirus Log Messages 41
DLP 43
Email Filter 48
Email Filter Log Messages 52
IPS 54
IPS Log Messages 58
Anomaly 59
Anomaly Log Messages 62
Web Filter 63
Web Filter Log Messages 68
Application Control
Application Control log messages record application control protocols and events.
In the log fields, these logs are defined as: type=utm; subtype=app-ctrl.
| Log Field Name | Log Field Description | Data Type | Length | Value |
|---|---|---|---|---|
| action | The security action performed by Application Control. | String | 16 | block, monitor, pass, reject, reset |
| app | The application name. | String | 96 | |
| appcat | The application category name. | String | 64 | |
| appid | The application ID. | UINT32 | 10 | |
| applist | The application control profile name. | String | 64 | |
| apprisk | The application risk level. | String | 16 | critical, elevated, high, low, medium |
| cloudaction | The action performed by cloud application. | String | 32 | |
| clouduser | The user login ID detected by the Deep Application Control feature. | String | 256 | |
| crlevel | The client reputation level. | String | 10 | |
| crscore | The client reputation score. | UINT32 | 10 | |
| date | The date the log event was generated on the device. | String | 10 | |
| devid | The device serial number. | String | 16 | |
| direction | The direction of the packets. | String | 8 | incoming, N/A, outgoing |
| dstip | The destination IP address. | IP Address | 39 | |
| dstname | The destination name. | String | 64 | |
| dstport | The destination port. | UINT16 | 5 | |
| dstintf | The destination interface. | String | | |
| eventtype | The application control event type. | String | 32 | |
| filename | The file name. | String | 256 | |
| filesize | The file size in bytes. | UINT64 | 10 | |
| group | The user group name. | String | 64 | |
| hostname | The host name of a URL. | String | 256 | |
| level | The log priority level. | String | 11 | |
| logid | A ten-digit number. The first two digits represent the log type and the following two digits represent the log subtype. The last one to five digits are the message ID. | String | 10 | |
| msg | The activity or event that the FortiGate unit recorded. | String | 512 | |
| profile | The application control profile name. | String | 36 | |
| profiletype | The application control profile type. | String | 36 | |
| proto | The protocol number. | UINT8 | 3 | |
| rcvdbyte | The number of bytes received. | UINT64 | 20 | |
| sentbyte | The number of bytes sent. | UINT64 | 20 | |
| service | The service name. | String | 36 | |
| sessionid | The session ID. | UINT32 | 10 | |
| srcip | The source IP address. | IP Address | 39 | |
| srcname | The source name. | String | 64 | |
| srcport | The source port. | UINT16 | 5 | |
| srcintf | The source interface. | String | | |
| subtype | The subtype of the log message. The possible values of this field depend on the log type. | String | 20 | |
| time | The time stamp of the event. | String | 8 | |
| type | The log type. | String | 16 | |
| url | The URL address. | String | 512 | |
| user | The user name. | String | 256 | |
| vd | The virtual domain name. | String | 32 | |
Application Control Log Messages
The following table describes the log message IDs and messages of the Application Control log.
| Message ID | Message | Severity |
|---|---|---|
| 28672 | LOGID_APP_CTRL_IM_BASIC | Information |
| 28673 | LOGID_APP_CTRL_IM_BASIC_WITH_STATUS | Information |
| 28674 | LOGID_APP_CTRL_IM_BASIC_WITH_COUNT | Information |
| 28675 | LOGID_APP_CTRL_IM_FILE | Information |
| 28676 | LOGID_APP_CTRL_IM_CHAT | Information |
| 28677 | LOGID_APP_CTRL_IM_CHAT_BLOCK | Information |
| 28678 | LOGID_APP_CTRL_IM_BLOCK | Information |
| 28704 | LOGID_APP_CTRL_IPS_PASS | Information |
| 28705 | LOGID_APP_CTRL_IPS_BLOCK | Warning |
| 28706 | LOGID_APP_CTRL_IPS_RESET | Warning |
| 28720 | LOGID_APP_CTRL_SSH_PASS | Information |
| 28721 | LOGID_APP_CTRL_SSH_BLOCK | Warning |
AntiVirus
AntiVirus log messages record actual viruses that are contained in an email as well as anything that appears to be
similar to a virus or suspicious, such as in a file or in an email.
In the log fields, these logs are defined as: type=utm; subtype=virus.
| Log Field Name | Log Field Description | Data Type | Length | Value |
|---|---|---|---|---|
| action | The security action performed by the antivirus profile. | String | 11 | analytics, blocked, monitored, pass through |
| agent | The user agent, e.g. agent="Mozilla/5.0". | String | 64 | |
| analyticscksum | The checksum of the file submitted for analytics. | String | 64 | |
| analyticssubmit | The flag for analytics submission. | String | 10 | false, true |
| checksum | The file checksum. | String | 16 | |
| command | The protocol specific command, such as "POST" and "GET" for HTTP, "MODE" and "REST" for FTP. | String | 16 | |
| crlevel | The client reputation level. | String | 10 | |
| crscore | The client reputation score. | UINT32 | 10 | |
| date | The date the log event was generated on the device. | String | 10 | |
| devid | The device serial number. | String | 16 | |
| direction | The direction of packets. | String | 8 | incoming, N/A, outgoing |
| dstip | The destination IP address. | IP Address | 39 | |
| dstport | The destination port. | UINT16 | 5 | |
| dstintf | The destination interface. | String | | |
| dtype | The data type for the virus category. | String | 32 | |
| eventtype | The antivirus event type. | String | 32 | |
| filefilter | The filter used to identify the affected file. | String | 12 | none, file pattern, file type |
| filename | The file name. | String | 256 | |
| filetype | The file type. | String | 16 | arj, cab, lzh, rar, tar, zip, bzip, gzip, bzip2, bat, msc, uue, mime, base64, binhex, com, elf, exe, hta, html, jad, class, cod, javascript, msoffice, fsg, upx, petite, aspack, prc, sis, hlp, activemime, jpeg, gif, tiff, png, bmp, ignored, unknown |
| from | The email address from the email headers (IMAP/POP3/SMTP). | String | 128 | |
| group | The user group name. | String | 64 | |
| level | The log priority level. | String | 11 | |
| logid | A ten-digit number. The first two digits represent the log type and the following two digits represent the log subtype. The last one to five digits are the message ID. | String | 10 | |
| msg | The activity or event that the FortiGate unit recorded. | String | | |
| profile | The name of the profile that was used to detect and take action. | String | 64 | |
| proto | The protocol number. | UINT8 | 3 | |
| quarskip | The quarantine skip explanation. | String | 46 | File-was-not-quarantined, No-quarantine-for-HTTP-GET-filepattern-block, No-quarantine-for-oversized-files, No-skip |
| recipient | The email addresses received from the SMTP envelope. | String | 512 | |
| ref | The URL of the FortiGuard IPS database entry for the attack. | String | 512 | |
| sender | The email address sent from the SMTP envelope. | String | 128 | |
| service | The service name. | String | 5 | ftp, ftps, http, https, im, imap, imaps, mapi, mm1, mm3, mm4, mm7, nntp, pop3, pop3s, smb, smtp, smtps, ssl |
| sessionid | The session ID. | UINT32 | 10 | |
| srcip | The source IP address. | IP Address | 39 | |
| srcport | The source port. | UINT16 | 5 | |
| subtype | The subtype of the log message. The possible values of this field depend on the log type. | String | 20 | |
| switchproto | The protocol change information. | String | 128 | |
| time | The time stamp of the event. | String | 8 | |
| to | The email address(es) from the email headers (IMAP/POP3/SMTP). | String | 512 | |
| type | The log type. | String | 16 | |
| url | The URL address. | String | 512 | |
| user | The user name. | String | 256 | |
| vd | The virtual domain name. | String | 32 | |
| virus | The name of the virus. | String | 128 | |
| virusid | The virus ID. | UINT32 | 10 | |
AntiVirus Log Messages
The following table describes the log message IDs and messages of the AntiVirus log.

| Message ID | Message | Severity |
|---|---|---|
| 8192 | MESGID_INFECT_WARNING | Warning |
| 8193 | MESGID_INFECT_NOTIF | Notice |
| 8194 | MESGID_INFECT_MIME_WARNING | Warning |
| 8195 | MESGID_INFECT_MIME_NOTIF | Notice |
| 8196 | MESGID_WORM_WARNING | Warning |
| 8197 | MESGID_WORM_NOTIF | Notice |
| 8198 | MESGID_WORM_MIME_WARNING | Warning |
| 8199 | MESGID_WORM_MIME_NOTIF | Notice |
| 8448 | MESGID_BLOCK_WARNING | Warning |
| 8449 | MESGID_BLOCK_NOTIF | Notice |
| 8450 | MESGID_BLOCK_MIME_WARNING | Warning |
| 8451 | MESGID_BLOCK_MIME_NOTIF | Notice |
| 8452 | MESGID_BLOCK_COMMAND | Warning |
| 8453 | MESGID_INTERCEPT | Notice |
| 8454 | MESGID_INTERCEPT_MIME | Notice |
| 8455 | MESGID_EXEMPT | Notice |
| 8456 | MESGID_EXEMPT_MIME | Notice |
| 8457 | MESGID_MMS_CHECKSUM | Warning |
| 8458 | MESGID_MMS_CHECKSUM_NOTIF | Notice |
| 8704 | MESGID_OVERSIZE_WARNING | Warning |
| 8705 | MESGID_OVERSIZE_NOTIF | Notice |
| 8706 | MESGID_OVERSIZE_MIME_WARNING | Warning |
| 8707 | MESGID_OVERSIZE_MIME_NOTIF | Notice |
| 8720 | MESGID_SWITCH_PROTO_WARNING | Warning |
| 8721 | MESGID_SWITCH_PROTO_NOTIF | Notice |
| 8960 | MESGID_SCAN_UNCOMPNESTLIMIT | Notice |
| 8961 | MESGID_SCAN_UNCOMPSIZELIMIT | Notice |
| 8962 | MESGID_SCAN_ARCHIVE_ENCRYPTED_WARNING | Warning |
| 8963 | MESGID_SCAN_ARCHIVE_ENCRYPTED_NOTIF | Notice |
| 8964 | MESGID_SCAN_ARCHIVE_CORRUPTED_WARNING | Warning |
| 8965 | MESGID_SCAN_ARCHIVE_CORRUPTED_NOTIF | Notice |
| 8966 | MESGID_SCAN_ARCHIVE_MULTIPART_WARNING | Warning |
| 8967 | MESGID_SCAN_ARCHIVE_MULTIPART_NOTIF | Notice |
| 8968 | MESGID_SCAN_ARCHIVE_NESTED_WARNING | Warning |
| 8969 | MESGID_SCAN_ARCHIVE_NESTED_NOTIF | Notice |
| 8970 | MESGID_SCAN_ARCHIVE_OVERSIZE_WARNING | Warning |
| 8971 | MESGID_SCAN_ARCHIVE_OVERSIZE_NOTIF | Notice |
| 8972 | MESGID_SCAN_ARCHIVE_UNHANDLED_WARNING | Warning |
| 8973 | MESGID_SCAN_ARCHIVE_UNHANDLED_NOTIF | Notice |
| 9233 | MESGID_ANALYTICS_SUBMITTED | Notice |
| 9248 | MESGID_BOTNET_WARNING | Warning |
| 9249 | MESGID_BOTNET_NOTIF | Notice |
DLP
Data Leak Protection (DLP) log messages record data leaks. These logs provide additional information to help
administrators better analyze and detect data leaks.
In the log fields, these logs are defined as: type=utm; subtype=dlp.
Log Field Name | Log Field Description | Data Type | Length | Value
action | The security action performed by DLP. | String | 20 | ban, ban-sender, block, exempt, log-only, quarantine-interface, quarantine-ip
agent | The user agent, e.g. agent="Mozilla/5.0". | String | 64 |
date | The date the log event was generated on the device. | String | 10 |
devid | The device serial number. | String | 16 |
direction | The direction of packets. | String | 8 | incoming, N/A, outgoing
dlpextra | The DLP extra information. | String | 256 |
docsource | The document source. | String | 515 |
dstip | The destination IP address. | IP Address | 39 |
dstport | The destination port. | UINT16 | 5 |
dstintf | The destination interface. | String | |
epoch | The epoch used for locating the file. | UINT32 | 10 |
eventid | The serial number of the dlparchive file in the same epoch. | UINT32 | 10 |
eventtype | The DLP event type. | String | 32 |
filename | The file name. | String | 256 |
filesize | The file size in bytes. | UINT64 | 10 |
filetype | The file type. | String | 23 |
filtercat | The DLP filter category. | String | 8 |
filteridx | The DLP filter ID. | UINT32 | 10 |
filtername | The DLP filter name. | String | 128 |
filtertype | The DLP filter type. | String | 23 | file, message, none, credit-card, encrypted, file-size, file-type, fingerprint, none, regexp, ssn, watermark
from | The email address from the Email Headers (IMAP/POP3/SMTP). | String | 128 |
group | The user group name. | String | 64 |
hostname | The host name of a URL. | String | 256 |
level | The log priority level. | String | 11 |
logid | A ten-digit number. The first two digits represent the log type and the following two digits represent the log subtype. The last one to five digits are the message ID. | String | 10 |
mmsdir | | String | 3 |
msg | The activity or event that the FortiGate unit recorded. | String | 512 |
profile | The DLP profile name. | String | 64 |
proto | The protocol number. | UINT8 | 3 |
rcvdbyte | The number of bytes received. | UINT64 | 20 |
recipient | The email addresses received from the SMTP envelope. | String | 512 |
sender | The email address sent from the SMTP envelope. | String | 128 |
sensitivity | The sensitivity for document fingerprint. | String | 36 |
sentbyte | The number of bytes sent. | UINT64 | 20 |
service | The service name. | String | 36 | ftp, ftps, http, https, im, imap, imaps, mapi, mm1, mm3, mm4, mm7, nntp, pop3, pop3s, smtp, smtps, ssl
sessionid | The session ID. | UINT32 | 10 |
severity | The severity level of a DLP rule. | String | 8 |
srcip | The source IP address. | IP Address | 39 |
srcport | The source port. | UINT16 | 5 |
srcintf | The source interface. | String | |
subject | The subject title of the email message. | String | 128 |
subtype | The subtype of the log message. The possible values of this field depend on the log type. | String | 20 |
time | The time stamp of the event. | String | 8 |
to | The email address(es) to the Email Headers (IMAP/POP3/SMTP). | String | 512 |
type | The log type. | String | 16 |
url | The URL address. | String | 512 |
user | The user name. | String | 256 |
vd | The virtual domain name. | String | 32 |
DLP Log Messages
The following table describes the log message IDs and messages of the Data Leak Protection log.
Message ID | Message | Severity
24576 | LOG_ID_DLP_WARN | Warning
24577 | LOG_ID_DLP_NOTIF | Notice
24578 | LOG_ID_DLP_DOC_SOURCE | Notice
24579 | LOG_ID_DLP_DOC_SOURCE_ERROR | Warning
Email Filter
Email filter log messages record email filtering activity on email protocols such as SMTP, POP3 and IMAP.
In the log fields, these logs are defined as: type=utm; subtype=emailfilter.
Log Field Name | Log Field Description | Data Type | Length | Value
action | The security action of the email filter. | String | 8 | blocked, detected, exempted
agent | The user agent, e.g. agent="Mozilla/5.0". | String | 64 |
attachment | The flag for email attachment. | String | 3 | No, yes
banword | The banned word. | String | 128 |
cc | The email address(es) from the Email Headers (IMAP/POP3/SMTP). | String | |
date | The date the log event was generated on the device. | String | 10 |
devid | The device serial number. | String | 16 |
direction | The direction of packets. | String | 8 | incoming, N/A, outgoing
dstip | The destination IP address. | IP Address | 39 |
dstport | The destination port. | UINT16 | 5 |
dstintf | The destination interface. | String | |
eventtype | The email filter event type. | String | 32 |
from | The email address(es) from the Email Headers (IMAP/POP3/SMTP). | String | 128 |
group | The group name. | String | 64 |
level | The log priority level. | String | 11 |
logid | A ten-digit number. The first two digits represent the log type and the following two digits represent the log subtype. The last one to five digits are the message ID. | String | 10 |
msg | The activity or event that the FortiGate unit recorded. | String | 512 |
profile | The email filter profile name. | String | 64 |
proto | The protocol number. | UINT8 | 3 |
rcvdbyte | The number of bytes received. | UINT64 | 20 |
recipient | The email addresses received from the SMTP envelope. | String | 512 |
sender | The email addresses sent from the SMTP envelope. | String | 128 |
sentbyte | The number of bytes sent. | UINT64 | 20 |
service | The service name. | String | 36 | ftp, ftps, http, https, im, imap, imaps, mapi, mm1, mm3, mm4, mm7, nntp, pop3, pop3s, smtp, smtps, ssl
sessionid | The session ID. | UINT32 | 10 |
size | The email size in bytes. | String | 16 |
srcip | The source IP address. | IP Address | 39 |
srcport | The source port. | UINT16 | 5 |
srcintf | The source interface. | | |
subject | The subject title of the email message. | String | 256 |
subtype | The subtype of the log message. The possible values of this field depend on the log type. | String | 20 |
time | The time stamp of the event. | String | 8 |
to | The email address(es) from the Email Headers (IMAP/POP3/SMTP). | String | 512 |
type | The log type. | String | 16 |
user | The user name. | String | 256 |
vd | The virtual domain name. | String | 12 |
Email Filter Log Messages
The following table describes the log message IDs and messages of the Email log.
Message ID | Message | Severity
20480 | LOGID_ANTISPAM_EMAIL_SMTP_NOTIF | Notice
20481 | LOGID_ANTISPAM_EMAIL_SMTP_BWORD_NOTIF | Notice
20487 | LOGID_ANTISPAM_ENDPOINT_MM7_WARNING | Warning
20488 | LOGID_ANTISPAM_ENDPOINT_MM7_NOTIF | Notice
20489 | LOGID_ANTISPAM_ENDPOINT_MM1_WARNING | Warning
20490 | LOGID_ANTISPAM_ENDPOINT_MM1_NOTIF | Notice
20491 | LOGID_ANTISPAM_EMAIL_IMAP_BWORD_NOTIF | Notice
20492 | LOGID_ANTISPAM_MM1_FLOOD_WARNING | Warning
20493 | LOGID_ANTISPAM_MM1_FLOOD_NOTIF | Notice
20494 | LOGID_ANTISPAM_MM4_FLOOD_WARNING | Warning
20495 | LOGID_ANTISPAM_MM4_FLOOD_NOTIF | Notice
20496 | LOGID_ANTISPAM_MM1_DUPE_WARNING | Warning
20497 | LOGID_ANTISPAM_MM1_DUPE_NOTIF | Notice
20498 | LOGID_ANTISPAM_MM4_DUPE_WARNING | Warning
20499 | LOGID_ANTISPAM_MM4_DUPE_NOTIF | Notice
20500 | LOGID_ANTISPAM_EMAIL_MSN_NOTIF | Information
20501 | LOGID_ANTISPAM_EMAIL_YAHOO_NOTIF | Information
20502 | LOGID_ANTISPAM_EMAIL_GOOGLE_NOTIF | Information
20503 | LOGID_EMAIL_SMTP_GENERAL_NOTIF | Information
20504 | LOGID_EMAIL_POP3_GENERAL_NOTIF | Information
20505 | LOGID_EMAIL_IMAP_GENERAL_NOTIF | Information
20506 | LOGID_EMAIL_MAPI_GENERAL_NOTIF | Information
20507 | LOGID_ANTISPAM_EMAIL_MAPI_BWORD_NOTIF | Notice
20508 | LOGID_ANTISPAM_EMAIL_MAPI_NOTIF | Notice
IPS
Intrusion logs record security events for protocols such as ICMP and attacks such as viruses. The IPS logs also provide additional log details, such as the anomaly logs. The "anomaly" logs are generated by the kernel without signatures (e.g. TCP SYN flood).
In the log fields, these logs are defined as: type=utm; subtype= ips.
Log Field Name | Log Field Description | Data Type | Length | Value
action | The security action performed by IPS. | String | 16 | clear_session, detected, drop_session, dropped, pass_session, reset, reset_client, reset_server
agent | The user agent, e.g. agent="Mozilla/5.0". | String | 66 |
attack | The attack name. | String | 256 |
attackcontext | The trigger patterns and the packet data with base64 encoding. | String | 2040 |
attackcontextid | The attack context ID. | String | 10 |
attackid | The attack ID. | UINT32 | 10 |
count | The repeat count for an attack event. | UINT32 | 10 |
craction | The action performed by client reputation level. | UINT32 | 10 |
crlevel | The client reputation level. | String | 10 |
crscore | The client reputation score. | UINT32 | 10 |
date | The date the log event was generated on the device. | String | 10 |
devid | The device serial number. | String | 16 |
direction | The direction of packets. | UINT32 | 10 | incoming, N/A, outgoing
dstintf | The destination interface. | String | 64 |
dstip | The destination IP address. | IP Address | 39 |
dstport | The destination port. | UINT16 | 5 |
eventtype | The IPS event type. | String | 32 |
group | The group name. | String | 64 |
icmpcode | The destination port of the ICMP message. | String | 6 |
icmpid | The source port of the ICMP message. | String | 8 |
icmptype | The type of ICMP message. | String | 6 |
incidentserialno | The incident serial number. | UINT32 | 10 |
hostname | The host name. | String | |
level | The log priority level. | String | 11 |
logid | A ten-digit number. The first two digits represent the log type and the following two digits represent the log subtype. The last one to five digits are the message ID. | String | 10 |
msg | The log message for the attack. | String | 518 |
profile | The profile name for IPS. | String | 64 |
profiletype | The profile type. | String | 64 |
proto | The protocol number. | UINT8 | 3 |
ref | The URL of the FortiGuard IPS database entry for the attack. | String | |
service | The service name. | String | 36 |
sessionid | The session ID. | UINT32 | 10 |
severity | The severity of the attack. | String | 8 | critical, high, info, low, medium
srcintf | The source interface. | String | 64 |
srcip | The source IP address. | IP Address | 39 |
srcport | The source port. | UINT16 | 5 |
subtype | The subtype of the log message. The possible values of this field depend on the log type. | String | 20 |
time | The time stamp of the event. | String | 8 |
type | The log type. | String | 16 |
user | The user name. | String | 256 |
vd | The virtual domain name. | String | 32 |
IPS Log Messages
The following table describes the log message IDs and messages of the IPS log.
Message ID | Message | Severity
16384 | LOGID_ATTCK_SIGNATURE_TCP_UDP | Alert
16385 | LOGID_ATTCK_SIGNATURE_ICMP | Alert
16386 | LOGID_ATTCK_SIGNATURE_OTHERS | Alert
18432 | LOGID_ATTCK_ANOMALY_TCP_UDP | Alert
18433 | LOGID_ATTCK_ANOMALY_ICMP | Alert
18434 | LOGID_ATTCK_ANOMALY_OTHERS | Alert
Anomaly
Anomaly logs are associated with IPS log events.
In the log fields, these logs are defined as: type=utm; subtype= anomaly.
Log Field Name | Log Field Description | Data Type | Length | Value
action | The security action performed by FortiGate for the event. | String | 16 |
agent | The user agent, e.g. agent="Mozilla/5.0". | String | 66 |
attack | The attack name. | String | 256 |
attackcontext | The trigger patterns and the packet data with base64 encoding. | String | 2040 |
attackcontextid | The attack context ID. | String | 10 |
attackid | The attack ID. | UINT32 | 10 |
count | The repeat count for an attack event. | UINT32 | 10 |
craction | The action performed by client reputation. | UINT32 | 10 |
crlevel | The client reputation level. | String | 10 |
crscore | The client reputation score. | UINT32 | 10 |
date | The date the log event was generated on the device. | String | 10 |
devid | The device serial number. | String | 16 |
direction | The direction of the packets. | UINT32 | 10 |
dstintf | The destination interface. | String | 64 |
dstip | The destination IP address. | IP Address | 39 |
dstport | The destination port. | UINT16 | 5 |
eventtype | The event type. | String | 32 |
group | The user group name. | String | 64 |
hostname | The host name. | String | 256 |
icmpcode | The ICMP code. | String | 6 |
icmpid | The ICMP message ID. | String | 8 |
icmptype | The ICMP message type. | String | 6 |
incidentserialno | The incident serial number. | UINT32 | 10 |
level | The log priority level. | String | 11 |
logid | A ten-digit number. The first two digits represent the log type and the following two digits represent the log subtype. The last one to five digits are the message ID. | String | 10 |
msg | The event or activity that the FortiGate unit recorded. | String | 518 |
profile | The profile name. | String | 64 |
profiletype | The profile type. | String | 64 |
proto | The protocol name. | UINT8 | 3 |
ref | | String | |
service | The service name. | String | 36 |
sessionid | The session ID. | UINT32 | 10 |
severity | | String | 8 |
srcintf | The source interface. | String | 64 |
srcip | The source IP address. | IP Address | 39 |
srcport | The source port. | UINT16 | 5 |
subtype | The subtype of the log message. The possible values of this field depend on the log type. | String | 20 |
time | The time stamp of the event. | String | 8 |
type | The log type. | String | 16 |
user | The name of the user creating the traffic. | String | 256 |
vd | The virtual domain name. | String | 32 |
Anomaly Log Messages
The following table describes the log message IDs and messages of the Anomaly log.
Message ID | Message | Severity
18432 | LOGID_ATTCK_ANOMALY_TCP_UDP | Alert
18433 | LOGID_ATTCK_ANOMALY_ICMP | Alert
18434 | LOGID_ATTCK_ANOMALY_OTHERS | Alert
Web Filter
Web filter log messages record URL activity as well as filter actions, such as a URL blocked because it is found in the URL black list.
In the log fields, these logs are defined as: type=utm; subtype= webfilter.
Log Field Name | Log Field Description | Data Type | Length | Value
action | The security action performed by the web filter. | String | 11 | allowed, blocked, DLP, exempted, filtered, pass through
agent | The user agent, e.g. agent="Mozilla/5.0". | String | 64 |
banword | The banned word. | String | 128 |
cat | The web category ID. | UINT8 | 3 |
catdesc | The web category description. | String | 64 |
contenttype | The content type from the HTTP header. | String | 64 |
crlevel | The client reputation level. | String | 10 |
crscore | The client reputation score. | UINT32 | 10 |
date | The date the log event was generated on the device. | String | 10 |
devid | The device serial number. | String | 16 |
direction | The direction of the web traffic. | String | 8 | incoming, N/A, outgoing
dstip | The destination IP address. | IP Address | 39 |
dstport | The destination port. | UINT16 | 5 |
dstintf | The destination interface. | String | |
error | The URL rating error message. | String | 256 |
eventtype | The web filter event type. | String | 32 |
filtertype | The script filter type. | String | 10 | javascript, jscript, n/a, unknown, vbscript
from | MMS only: the From/To headers from the email. | String | 128 |
group | The group name. | String | 64 |
hostname | The host name of a URL. | String | 256 |
initiator | The initiator user for override. | String | 64 |
keyword | The keyword used for search. | String | 512 |
level | The log priority level. | String | 11 |
logid | A ten-digit number. The first two digits represent the log type and the following two digits represent the log subtype. The last one to five digits are the message ID. | String | 10 |
method | The rating override method, by URL domain name or IP address. | String | 6 | Domain, ip
mode | The rating override mode. | String | 32 |
msg | The activity or event that the FortiGate unit recorded. | String | 512 |
ovrdid | The URL rating override ID. | UINT32 | 10 |
ovrdtbl | The rating override table. | String | 128 |
profile | The web filter profile name. | String | 64 |
proto | The protocol number. | UINT8 | 3 |
quotaexceeded | Whether the quota has been exceeded. | String | 3 | no, yes
quotamax | The maximum quota allowed: in seconds if time-based, in bytes if traffic-based. | UINT64 | 20 |
quotatype | The quota type. | String | 16 | time, traffic
quotaused | The quota used: in seconds if time-based, in bytes if traffic-based. | UINT64 | 20 |
rcvdbyte | The number of bytes received. | UINT64 | 20 |
reqtype | The request type. | String | 8 | direct, referral
ruledata | The rule data. | String | 512 |
ruletype | The rule type. | String | 9 | directory, domain, rating
sentbyte | The number of bytes sent. | UINT64 | 20 |
service | The service name. | String | 36 | dns, ftp, ftps, http, https, im, imap, imaps, mm1, mm3, mm4, mm7, nntp, pop3, pop3s, smtp, smtps, ssl
sessionid | The session ID. | UINT32 | 10 |
srcip | The source IP address. | IP Address | 39 |
srcport | The source port. | UINT16 | 5 |
srcintf | The source interface. | String | |
subtype | The subtype of the log message. The possible values of this field depend on the log type. | String | 20 |
time | The time stamp of the event. | String | 8 |
to | MMS only: the From/To headers from the email. | String | 512 |
type | The log type. | String | 16 |
url | The URL address. | String | 512 |
urlfilteridx | The URL filter ID. | UINT32 | 10 |
urlfilterlist | The URL filter list. | String | 64 |
urltype | The URL filter type. | String | 8 | ftp, http, https, mail, phishing, telnet
user | The user name. | String | 256 |
vd | The virtual domain name. | String | 32 |
Web Filter Log Messages
The following table describes the log message IDs and messages of the Web log.
Message ID | Message | Severity
12288 | LOG_ID_WEB_CONTENT_BANWORD | Warning
12289 | LOG_ID_WEB_CONTENT_MMS_BANWORD | Warning
12290 | LOG_ID_WEB_CONTENT_EXEMPTWORD | Notice
12291 | LOG_ID_WEB_CONTENT_MMS_EXEMPTWORD | Notice
12292 | LOG_ID_WEB_CONTENT_KEYWORD | Notice
12293 | LOG_ID_WEB_CONTENT_SEARCH | Notice
12305 | LOG_ID_WEB_CONTENT_BANWORD_NOTIF | Notice
12544 | LOG_ID_URL_FILTER_BLOCK | Warning
12545 | LOG_ID_URL_FILTER_EXEMPT | Information
12546 | LOG_ID_URL_FILTER_ALLOW | Information
12547 | LOG_ID_URL_FILTER_INVALID_HOSTNAME_HTTP_BLK | Notice
12548 | LOG_ID_URL_FILTER_INVALID_HOSTNAME_HTTPS_BLK | Notice
12549 | LOG_ID_URL_FILTER_INVALID_HOSTNAME_HTTP_PASS | Information
12550 | LOG_ID_URL_FILTER_INVALID_HOSTNAME_HTTPS_PASS | Information
12551 | LOG_ID_URL_FILTER_INVALID_HOSTNAME_SNI_BLK | Notice
12552 | LOG_ID_URL_FILTER_INVALID_HOSTNAME_SNI_PASS | Information
12553 | LOG_ID_URL_FILTER_INVALID_CERT | Notice
12554 | LOG_ID_URL_FILTER_INVALID_SESSION | Notice
12555 | LOG_ID_URL_FILTER_SRV_CERT_ERR_BLK | Notice
12556 | LOG_ID_URL_FILTER_SRV_CERT_ERR_PASS | Notice
12557 | LOG_ID_URL_FILTER_FAMS_NOT_ACTIVE | Critical
12558 | LOG_ID_URL_FILTER_RATING_ERR | Information
12559 | LOG_ID_URL_FILTER_PASS | Information
12800 | LOG_ID_WEB_FTGD_ERR | Error
12801 | LOG_ID_WEB_FTGD_WARNING | Warning
12802 | LOG_ID_WEB_FTGD_QUOTA | Information
13056 | LOG_ID_WEB_FTGD_CAT_BLK | Warning
13057 | LOG_ID_WEB_FTGD_CAT_WARN | Warning
13312 | LOG_ID_WEB_FTGD_CAT_ALLOW | Notice
13313 | LOG_ID_WEB_FTGD_RULE_ALLOW | Notice
13314 | LOG_ID_WEB_FTGD_OFF_SITE_ALLOW | Information
13315 | LOG_ID_WEB_FTGD_QUOTA_COUNTING | Notice
13316 | LOG_ID_WEB_FTGD_QUOTA_EXPIRED | Warning
13317 | LOG_ID_WEB_URL | Notice
13568 | LOG_ID_WEB_SCRIPTFILTER_ACTIVEX | Notice
13573 | LOG_ID_WEB_SCRIPTFILTER_COOKIE | Notice
13584 | LOG_ID_WEB_SCRIPTFILTER_APPLET | Notice
13600 | LOG_ID_WEB_SCRIPTFILTER_OTHER | Notice
13601 | LOG_ID_WEB_WF_COOKIE | Notice
13602 | LOG_ID_WEB_WF_REFERER | Notice
13603 | LOG_ID_WEB_WF_COMMAND_BLOCK | Warning
13616 | LOG_ID_CONTENT_TYPE_BLOCK | Warning
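The logid field described in each of the security log tables above encodes the log type, subtype and message ID, and the message tables map that ID to a name and severity. The following Python, added here as an example and not part of Fortinet's documentation or firmware, parses FortiOS key=value records along those lines and picks out the security events whose action value (per the DLP, IPS and Web Filter tables) shows the traffic was recorded but not blocked; the sample records, the device serial number and the leading type/subtype digits of each logid are constructed for the example, not taken from this reference.

```python
"""Parse FortiOS 5.2 key=value log records and decode the logid field.

Added example; not Fortinet code. It follows the field descriptions in the
tables above: logid is a ten-digit string whose first two digits are the log
type, the next two the log subtype and the remaining digits the message ID.
The sample records below are constructed (the device serial number and the
leading type/subtype digits of each logid are assumptions, not values taken
from this reference); the message IDs and names come from the tables above.
"""
import re

# Message ID -> (name, severity), copied from the AntiVirus, DLP, Email
# Filter, IPS, Anomaly and Web Filter message tables above (a subset).
MESSAGE_TABLE = {
    8192: ("MESGID_INFECT_WARNING", "Warning"),
    8193: ("MESGID_INFECT_NOTIF", "Notice"),
    9248: ("MESGID_BOTNET_WARNING", "Warning"),
    24576: ("LOG_ID_DLP_WARN", "Warning"),
    20480: ("LOGID_ANTISPAM_EMAIL_SMTP_NOTIF", "Notice"),
    16384: ("LOGID_ATTCK_SIGNATURE_TCP_UDP", "Alert"),
    18432: ("LOGID_ATTCK_ANOMALY_TCP_UDP", "Alert"),
    12544: ("LOG_ID_URL_FILTER_BLOCK", "Warning"),
}

# Action values listed in the DLP, IPS and Web Filter tables above that record
# an event without stopping the traffic; these are the events to follow up.
NON_BLOCKING_ACTIONS = {"log-only", "detected", "pass_session", "allowed",
                        "pass through", "exempt", "exempted"}

# Constructed sample records (one per line, as a FortiGate would send them to
# syslog). Field names and values follow the tables above where they exist.
SAMPLE_LOGS = [
    'date=2015-08-25 time=10:15:30 devid=FGEXAMPLE0000001 logid=0211008192 '
    'type=utm subtype=virus level=warning vd=root msg="File is infected." '
    'action=blocked service=http srcip=10.1.1.5 srcport=49152 '
    'dstip=192.0.2.10 dstport=80 virus="EICAR_TEST_FILE" user="jdoe"',
    'date=2015-08-25 time=10:16:02 devid=FGEXAMPLE0000001 logid=0209024576 '
    'type=utm subtype=dlp level=warning vd=root msg="Data leak detected." '
    'action=log-only service=smtp srcip=10.1.1.8 srcport=50001 '
    'dstip=192.0.2.25 dstport=25 filtertype=credit-card',
    'date=2015-08-25 time=10:17:45 devid=FGEXAMPLE0000001 logid=0419016384 '
    'type=utm subtype=ips level=alert vd=root msg="Attack detected." '
    'action=detected severity=high srcip=198.51.100.7 srcport=4444 '
    'dstip=10.1.1.20 dstport=445 attack="Example.Signature.Name"',
    'date=2015-08-25 time=10:18:11 devid=FGEXAMPLE0000001 logid=0316012544 '
    'type=utm subtype=webfilter level=warning vd=root '
    'msg="URL belongs to a denied category." action=blocked service=https '
    'srcip=10.1.1.5 srcport=49200 dstip=203.0.113.9 dstport=443 cat=26',
]

# key=value pairs; keys may contain "-" (e.g. c-ggsn), values may be quoted.
_PAIR = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_record(line):
    """Split one log record into a dict. Quoted values keep their spaces."""
    fields = {}
    for key, raw in _PAIR.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


def decode_logid(logid):
    """Return (type digits, subtype digits, message ID) per the logid field."""
    if len(logid) != 10 or not logid.isdigit():
        raise ValueError("logid must be a ten-digit number: %r" % (logid,))
    return logid[:2], logid[2:4], int(logid[4:])


def triage(line):
    """Decode one record into the facts an analyst needs at a glance."""
    rec = parse_record(line)
    _, _, msgid = decode_logid(rec["logid"])
    name, severity = MESSAGE_TABLE.get(msgid, ("UNKNOWN_MESSAGE_ID", None))
    return {
        "subtype": rec.get("subtype"),
        "msgid": msgid,
        "name": name,
        "table_severity": severity,  # severity column of the message table
        "level": rec.get("level"),   # level field as logged by the unit
        "action": rec.get("action"),
        "src": "%s:%s" % (rec.get("srcip"), rec.get("srcport")),
        "dst": "%s:%s" % (rec.get("dstip"), rec.get("dstport")),
        "msg": rec.get("msg"),
    }


def needs_follow_up(lines):
    """Triage summaries of security events the FortiGate did not block."""
    return [t for t in map(triage, lines)
            if t["action"] in NON_BLOCKING_ACTIONS]


if __name__ == "__main__":
    for event in needs_follow_up(SAMPLE_LOGS):
        print("%(subtype)s %(name)s %(src)s -> %(dst)s action=%(action)s"
              % event)
```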
Event Log
The following sections provide information about the different types of logs recorded under the Event log type.
Event logs include the following log subtypes:
- Endpoint Control
- GTP
- High Availability
- System
- Router
- VPN
- User
- WAD
- Wireless
In the log fields, these logs are defined as: type=event; subtypes=endpoint control, gtp, vpn, user, wad, system, router, wireless, high availability.
Endpoint Control 71
Endpoint Log Messages 74
GTP 75
GTP Log Messages 83
High Availability 85
High Availability Log Messages 88
Router 90
Router Log Messages 92
System 93
System Log Messages 102
User 124
User Log Messages 128
VPN 131
VPN Log Messages 137
WAD 143
WAD Log Messages 146
Wireless 148
Wireless Log Messages 154
Endpoint Control
The following are the log details for events generated as Endpoint Control logs.
In the log fields, these logs are defined as: type=event; subtype= endpoint.
Log Field Name | Log Field Description | Data Type | Length | Value
action | The action the FortiGate unit should take for this firewall policy. | String | 32 |
connection_type | The FortiClient connection type. | String | 6 |
count | The number of dropped SIP packets. | UINT32 | 10 |
date | The date the log event was generated on the device. | String | 10 |
devid | The serial number of the device. | String | 16 |
forticlient_id | The FortiClient UUID. | String | 33 |
hostname | The host name. | String | 128 |
interface | The interface name. | String | 32 |
ip | The IP address. | IP Address | 39 |
level | The log priority level. | String | 11 |
license_limit | The number of limited licenses. | String | 32 |
license_used | The number of licenses used. | UINT16 | 5 |
logdesc | The log field description. | String | |
logid | A ten-digit number. The first two digits represent the log type and the following two digits represent the log subtype. The last one to five digits are the message ID. | String | 10 |
msg | The activity or event that the FortiGate unit recorded. | String | |
name | | String | 128 |
reason | The reason this log was generated. | String | 256 |
repeat | | UINT16 | 5 |
status | The status of the action the FortiGate unit took when the event occurred. | String | 23 | ipsec: success, failure, negotiate_error, esp_error, dpd_failure; subtype voip: start, end, timeout, blocked, succeeded, failed, authentication-required; subtype gtp: forwarded, prohibited, rate-limited, state-invalid, tunnel-limited, traffic-count, user-data
subtype | The subtype of the log message. The possible values of this field depend on the log type. | String | 20 | endpoint
time | The time stamp of the event. | String | 8 |
type | The log type. | String | 16 | event
ui | The user interface. | String | 64 |
used_for_type | | UINT16 | 5 |
user | The user name. | String | 256 |
vd | The virtual domain name. | String | 32 |
Endpoint Log Messages
The following table describes the log message IDs and messages of the Endpoint log.
Message ID | Message | Description | Severity
45056 | LOG_ID_FCC_EXCEED | FortiClient license maxed out | Notice
45057 | LOG_ID_FCC_ADD | FortiClient connection added | Information
45058 | LOG_ID_FCC_CLOSE | FortiClient closed | Information
45059 | LOG_ID_FCC_UPGRADE_SUCC | FortiClient license is upgraded | Notice
45060 | LOG_ID_FCC_UPGRADE_FAIL | FortiClient license failed to upgrade | Error
45100 | LOG_ID_EC_REG_FAIL | FortiClient registration failed | Warning
45101 | LOG_ID_EC_REG_SUCCEED | FortiClient registration succeeded | Notice
45102 | LOG_ID_EC_REG_RENEWED | FortiClient registration renewed | Notice
45103 | LOG_ID_EC_REG_BLOCK | FortiClient registration blocked | Notice
45104 | LOG_ID_EC_REG_UNBLOCK | FortiClient registration unblocked | Notice
45105 | LOG_ID_EC_REG_DEREG | FortiClient deregistered | Notice
45106 | LOG_ID_EC_REG_LIC_UPGRADED | FortiClient registration license upgraded | Notice
45107 | LOG_ID_EC_CONF_DISTRIBUTED | FortiClient configuration distributed | Notice
45108 | LOG_ID_EC_FTCL_UNREG | FortiClient unregistered | Notice
45109 | LOG_ID_EC_FTCL_LOGOFF | FortiClient logged off | Notice
45110 | LOG_ID_EC_FTCL_ENABLE_NOTSYNC | FortiClient sync with FortiGate disabled | Notice
45111 | LOG_ID_EC_REG_SYNC_FAIL | FortiClient registration sync failed | Warning
GTP
Event-GTP log messages record GTP activity. These messages are recorded only when running FortiGate Carrier
firmware.
In the log fields, these logs are defined as: type=event; subtype= gtp.
Log Field Name | Log Field Description | Data Type | Length | Value
apn | The access point name. | String | 128 |
c-bytes | The number of bytes for signaling. | UINT64 | 20 |
c-ggsn | The control plane GGSN IP address for GTP signaling. | IP Address | 39 |
c-ggsn-teid | The control plane GGSN TEID (Tunnel endpoint identifier) for signaling. | UINT32 | 10 |
c-gsn | The control plane GSN IP address for GTP signaling. | IP Address | 39 |
cpaddr | The control plane IP address (either downlink or uplink). | IP Address | 39 |
cpdladdr | The control plane downlink IP address. | IP Address | 39 |
cpdlisraddr | The control plane ISR downlink IP address. | IP Address | 39 |
cpdlisrteid | The control plane ISR downlink TEID. | UINT32 | 10 |
cpdlteid | The control plane downlink TEID. | UINT32 | 10 |
c-pkts | The number of packets for signaling. | UINT64 | 20 |
cpteid | The control plane TEID (either downlink or uplink). | UINT32 | 10 |
cpuladdr | The control plane uplink IP address. | IP Address | 39 |
cpulteid | The control plane uplink TEID. | UINT32 | 10 |
c-sgsn | The control plane SGSN IP address for GTP signaling. | IP Address | 39 |
c-sgsn-teid | The control plane SGSN TEID (Tunnel endpoint identifier) for signaling. | UINT32 | 10 |
date | The date the log event was generated on the device. | String | 10 |
deny_cause | | String | 25 | adv-policy-filter, apn-filter, ggsn-not-authorized, gtp-in-gtp, imsi-filter, invalid-ie-length, invalid-msg-length, invalid-reserved-field, invalid-state, ip-policy, miss-mandatory-ie, msg-filter, non-ip-policy, out-state-ie, out-state-msg, packet-sanity, rate-limited, reserved-ie, reserved-msg, response-without-request, sgsn-no-handover, sgsn-not-authorized, spoof, unknown-gtp-version
devid | The device serial number. | String | 16 |
dstport | The destination port. | UINT16 | 5 |
dtlexp | | String | 64 | cant-have-both-ebi-and-lbi, cant-have-both-hteid-and-cteid, cause-value-should-be-isr-deactivation, expired-create-bearer-response, expired-create-indirect-tunnel-response, expired-create-response, expired-create-session-response, expired-delete-beaerer-response, expired-delete-indirect-tunnel-response, expired-delete-response, expired-delete-session-response, expired-echo-response, expired-modified-bearer-response, expired-release-access-bearer-response, expired-update-bearer-response, expired-update-response, fteid-shouldnt-exist, header-seq-num-is-missing, hteid-is-zero, ie-is-missing, imsi-shouldnt-exist, invalid-eps-bearer-id, invalid-ie-length, invalid-mcc-mnc, invalid-tid, malformed-extension-header, malformed-p-flag, malformed-piggybacked-msg, malformed-t-flag, neither-hteid-nor-cteidexists, no-tunnel-exists, none, payload-teid-is-zero, response-hteid-doesnt-matchrequest
duration | The GTP tunnel duration. | UINT32 | 10 |
end-usr-address | The end user address. | IP Address | 39 |
from | The email address(es) from the Email Headers (IMAP/POP3/SMTP). | String | 128 |
headerteid | The header TEID (Tunnel endpoint identifier). | UINT32 | 10 |
ietype | The malformed GTP IE number. | UINT8 | 3 |
imei-sv | The International Mobile Equipment Identity (IMEI), a number, usually unique, that identifies GSM, WCDMA and iDEN mobile phones, as well as some satellite phones. | String | 32 |
imsi | The International mobile subscriber ID. | String | 16 |
level | The log priority level. | String | 11 |
linked-nsapi | The linked Network Service Access Point identifier. | UINT8 | 3 |
logdesc | The log field description. | String | |
logid | A ten-digit number. The first two digits represent the log type and the following two digits represent the log subtype. The last one to five digits are the message ID. | String | 10 |
msg | The activity or event that the FortiGate unit recorded. | String | |
msg-type | The message type. | UINT8 | 3 |
msisdn | The Mobile Subscriber Integrated Services Digital Network Number (the telephone number of a SIM card). | String | 16 |
nsapi | The Network Service Access Point Identifier, an identifier used in cellular data networks. | UINT8 | 3 |
profile | The profile name. | String | 64 |
rai | The Routing area identification. | String | 32 |
rat-type | The type of router audit tool. | String | 7 |
selection | The access point selection. | String | 14 |
seqnum | The GTP packet sequence number. | UINT32 | 10 |
snetwork | The source network; an IE type in a GTPv2 packet. | String | 64 |
srcport | The source port. | UINT16 | 5 |
status | The status of the action the FortiGate unit took when the event occurred. | String | 23 | tunnel-limited, tunnel-limited-monitor, user-data
subtype | The subtype of the log message. The possible values of this field depend on the log type. | String | 20 |
time | The time stamp of the event. | String | 8 |
to | The email address(es) to the Email Headers (IMAP/POP3/SMTP). | String | 512 |
tunnel-idx | The VPN tunnel index. | UINT32 | 10 |
type | The log type. | String | 16 |
u-bytes | The number of bytes used for traffic. | UINT64 | 20 |
u-ggsn | The user plane GGSN IP address for GTP user traffic. | IP Address | 39 |
u-ggsn-teid | The user plane GGSN TEID (Tunnel endpoint identifier) for signaling. | UINT32 | 10 |
u-gsn | The user plane GSN IP address for GTP user traffic. | IP Address | 39 |
uli | The user Location Information. | String | 32 |
u-pkts | The number of packets used for traffic. | UINT64 | 20 |
user_data | The user traffic content inside the gtp-u tunnel. | String | 256 |
u-sgsn | The user plane SGSN IP address for GTP signaling. | IP Address | 39 |
u-sgsn-teid | The user plane SGSN TEID (Tunnel endpoint identifier) for signaling. | UINT32 | 10 |
vd | The virtual domain name. | String | 32 |
version | The software version. | String | 64 |
GTP Log Messages
The following table describes the log message IDs and messages of the GTP log.
Message ID | Message | Description | Severity
41216 | LOGID_GTP_FORWARD | | Information
41217 | LOGID_GTP_DENY | | Information
41218 | LOGID_GTP_RATE_LIMIT | | Information
41219 | LOGID_GTP_STATE_INVALID | | Information
41220 | LOGID_GTP_TUNNEL_LIMIT | | Information
41221 | LOGID_GTP_TRAFFIC_COUNT | | Information
41222 | LOGID_GTP_USER_DATA | | Information
41223 | LOGID_GTPV2_FORWARD | | Information
41224 | LOGID_GTPV2_DENY | | Information
41225 | LOGID_GTPV2_RATE_LIMIT | | Information
41226 | LOGID_GTPV2_STATE_INVALID | | Information
41227 | LOGID_GTPV2_TUNNEL_LIMIT | | Information
41228 | LOGID_GTPV2_TRAFFIC_COUNT | | Information
41229 | LOGID_GTPU_FORWARD | | Information
41230 | LOGID_GTPU_DENY | | Information
High Availability
Event-HA log messages are recorded when FortiGate units are in high availability mode. These log messages describe
changes in cluster unit status. The changes in status occur if a cluster unit fails or starts up, or if a link fails or is
restored. Each of these messages includes the serial number of the cluster unit reporting the message. You can use
the serial number to determine which cluster unit's status has changed.
In the log fields, these logs are defined as: type=event; subtype=ha.
Log Field Name | Log Field Description | Data Type | Length | Value
activity | The high availability activity message. | String | 128 |
date | The date the log event was generated on the device. | String | 10 |
devid | The device serial number. | String | 16 |
devintfname | The high availability device interface name. | String | 32 |
from_vcluster | The source virtual cluster number. | UINT32 | 10 |
ha_group | The high availability HA group number; can be 1 - 256. | UINT8 | 3 |
ha_role | The high availability role in the cluster. | String | 6 | Master, slave
ha-prio | The high availability priority. | UINT8 | 3 |
hbdn_reason | The heartbeat down reason. | String | 18 | Link fail, neighbor-info-lost
ip | The IP address. | IP Address | 39 |
level | The log priority level. | String | 11 |
logdesc | The log description. | String | |
logid | A ten-digit number. The first two digits represent the log type and the following two digits represent the log subtype. The last one to five digits are the message id. | String | 10 |
msg | The activity or event that the FortiGate unit recorded. | String | |
sn | | String | 64 |
subtype | The subtype of the log message. The possible values of this field depend on the log type. | String | 20 |
sync_status | The sync status with the master. | String | 11 | in-sync, out-of-sync
sync_type | The sync type with the master. | String | 14 | Configurations, external-files
time | The time stamp of the event. | String | 8 |
to_vcluster | The destination virtual cluster number. | UINT32 | 10 |
type | The log type. | String | 16 |
vcluster | The virtual cluster ID. | UINT32 | 10 |
vcluster_member | The virtual cluster member ID. | UINT32 | 10 |
vcluster_state | The virtual cluster state. | String | 7 | helo, init, standby, work
vd | The virtual domain. | String | 32 |
vdname | The virtual domain name. | String | 16 |
High Availability Log Messages
The following table describes the log message IDs and messages of the HA log.
Message ID | Message | Description | Severity
35001 | LOG_ID_HA_SYNC_VIRDB | HA slave sync Virus database message | Notice
35002 | LOG_ID_HA_SYNC_ETDB | HA slave sync Extended database message | Notice
35003 | LOG_ID_HA_SYNC_EXDB | HA slave sync Extended database message | Notice
35005 | LOG_ID_HA_SYNC_IPS | HA slave sync IDS package message | Notice
35007 | LOG_ID_HA_SYNC_AV | HA slave sync AntiVirus package message | Notice
35008 | LOG_ID_HA_SYNC_VCM | HA slave sync VCM package message | Notice
35009 | LOG_ID_HA_SYNC_CID | HA slave sync CID package message | Notice
35010 | LOG_ID_HA_SYNC_FAIL | HA slave sync failed message | Error
37888 | MESGID_HA_GROUP_DELETE | HA group deleted | Notice
37889 | MESGID_VC_DELETE | Virtual cluster deleted | Notice
37890 | MESGID_VC_MOVE_VDOM | Virtual cluster VDOM moved | Notice
37891 | MESGID_VC_ADD_VDOM | Virtual cluster VDOM added | Notice
37892 | MESGID_VC_MOVE_MEMB_STATE | Virtual cluster member state moved | Notice
37893 | MESGID_VC_DETECT_MEMB_DEAD | Virtual cluster detect member dead | Critical
37894 | MESGID_VC_DETECT_MEMB_JOIN | Virtual cluster detect member joined | Critical
37895 | MESGID_VC_ADD_HADEV | Virtual cluster added HA device interface | Notice
37896 | MESGID_VC_DEL_HADEV | Virtual cluster deleted HA device interface | Notice
37897 | MESGID_HADEV_READY | HA device interface is ready | Notice
37898 | MESGID_HADEV_FAIL | HA device interface failed | Warning
37899 | MESGID_HADEV_PEERINFO | HA device interface peer information | Notice
37900 | MESGID_HBDEV_DELETE | Heartbeat device interface deleted | Notice
37901 | MESGID_HBDEV_DOWN | Heartbeat device interface is down | Critical
37902 | MESGID_HBDEV_UP | Heartbeat device interface is up | Information
37903 | MESGID_SYNC_STATUS | The synchronization status with the master is displayed | Information
37904 | MESGID_HA_ACTIVITY | Administrator enabled current device as HA master | Notice
37904 | MESGID_HA_ACTIVITY | Administrator enabled current device as HA master | Information
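The logid field described in the HA field table (two digits of log type, two of subtype, then the message ID) and the message tables can be turned into simple triage logic for a log collector. The following Python is an added example and is not Fortinet code or part of this reference: it parses constructed FortiOS-style key=value event-log lines, decodes logid exactly as the field description states, looks the message ID up against a handful of entries copied from the HA and System message tables (35010, 37901, 37902, 32001, 32002, 32003, 32021), and counts repeated 32002 (failed administrator login) events per device and source UI so that a burst can be escalated. The device serial, IP addresses and the type/subtype digits of the sample logids are constructed values, not values taken from the reference.

```python
"""Parse FortiOS event-log lines and triage them by message ID.

Added example for the FortiOS Log Reference; not Fortinet code.  The sample
log lines are constructed; only the message IDs, names, descriptions and
severities come from the HA and System message tables of the reference.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# (message name, description, severity) copied from the reference tables.
# Where the reference lists an ID twice with different severities, the more
# severe one is kept here; that is a triage choice made for this example.
KNOWN_MESSAGES: Dict[int, Tuple[str, str, str]] = {
    35010: ("LOG_ID_HA_SYNC_FAIL", "HA slave sync failed message", "Error"),
    37901: ("MESGID_HBDEV_DOWN", "Heartbeat device interface is down", "Critical"),
    37902: ("MESGID_HBDEV_UP", "Heartbeat device interface is up", "Information"),
    32001: ("LOG_ID_ADMIN_LOGIN_SUCC", "Administrator logged in successfully", "Information"),
    32002: ("LOG_ID_ADMIN_LOGIN_FAIL", "Failed administrator login attempt", "Alert"),
    32003: ("LOG_ID_ADMIN_LOGOUT", "Administrator logged out", "Information"),
    32021: ("LOG_ID_ADMIN_LOGIN_DISABLE", "Administrator login is disabled", "Alert"),
}

# Syslog-style ordering: a lower rank is more severe.
SEVERITY_RANK = {"Emergency": 0, "Alert": 1, "Critical": 2, "Error": 3,
                 "Warning": 4, "Notice": 5, "Information": 6, "Debug": 7}

# key=value pairs; quoted values may contain spaces and parentheses.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_kv(line: str) -> Dict[str, str]:
    """Split a FortiOS key=value line into a dict; quoted values keep spaces."""
    out: Dict[str, str] = {}
    for m in KV_RE.finditer(line):
        out[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return out


@dataclass(frozen=True)
class LogId:
    type_code: str     # first two digits: log type
    subtype_code: str  # next two digits: log subtype
    msgid: int         # remaining digits: message ID (leading zeros dropped)


def decode_logid(logid: str) -> LogId:
    """Split the ten-digit logid the way the field description states."""
    if len(logid) != 10 or not logid.isdigit():
        raise ValueError(f"logid must be ten digits, got {logid!r}")
    return LogId(logid[:2], logid[2:4], int(logid[4:]))


def triage(line: str, escalate_at: str = "Critical") -> Dict[str, object]:
    """Decode one line and say whether its table severity warrants escalation."""
    f = parse_kv(line)
    lid = decode_logid(f["logid"])
    name, desc, sev = KNOWN_MESSAGES.get(lid.msgid, ("UNKNOWN", "", "Information"))
    return {
        "devid": f.get("devid"),
        "msgid": lid.msgid,
        "name": name,
        "description": desc,
        "severity": sev,
        "escalate": SEVERITY_RANK[sev] <= SEVERITY_RANK[escalate_at],
    }


def failed_admin_logins(lines: List[str], threshold: int = 3) -> Dict[Tuple[str, str], int]:
    """Count 32002 (failed administrator login) per device and source UI and
    return only the (devid, ui) pairs that reached the threshold."""
    counts: Counter = Counter()
    for line in lines:
        f = parse_kv(line)
        if decode_logid(f["logid"]).msgid == 32002:
            counts[(f.get("devid", "?"), f.get("ui", "?"))] += 1
    return {k: v for k, v in counts.items() if v >= threshold}


# Constructed sample lines.  The type/subtype digits of each logid and the
# device serial/IP addresses are made up; only the trailing message IDs are
# taken from the reference tables.
_FAIL = ('logid=0100032002 type=event subtype=system level=alert vd=root '
         'devid=FG-EXAMPLE01 user="admin" ui="ssh(203.0.113.5)" '
         'msg="Failed administrator login attempt"')
SAMPLE_LINES = [
    "date=2017-01-27 time=10:15:32 " + _FAIL,
    "date=2017-01-27 time=10:15:40 " + _FAIL,
    "date=2017-01-27 time=10:15:51 " + _FAIL,
    'date=2017-01-27 time=10:16:01 logid=0100032001 type=event subtype=system '
    'level=information vd=root devid=FG-EXAMPLE01 user="admin" '
    'ui="https(198.51.100.7)" msg="Administrator logged in successfully"',
    'date=2017-01-27 time=10:20:44 logid=0103037901 type=event subtype=ha '
    'level=critical devid=FG-EXAMPLE01 devintfname="port3" '
    'msg="Heartbeat device interface is down"',
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(triage(sample))
    print(failed_admin_logins(SAMPLE_LINES))
```

The escalation decision uses the severity from the reference table rather than the line's own level field, so a collector can apply one policy even when devices are configured to emit a message at a different level; the threshold count keys on devid and ui together, which keeps a single noisy source from being masked by an otherwise quiet cluster.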
Router
Event-Router log messages record events that occur on the FortiGate network interfaces.
In the log fields, these logs are defined as: type=event; subtype=router.
Log Field Name | Log Field Description | Data Type | Length | Value
action | The action the FortiGate unit should take for routing traffic. | String | 32 |
date | The date the log event was generated on the device. | String | 10 |
devid | The serial number of the device. | String | 16 |
dhcp_msg | The DHCP message. | String | |
dns_ip | The DNS IP address. | IP Address | 39 |
dns_name | The DNS name. | String | 64 |
dst_int | The destination interface. | String | 64 |
interface | The interface name. | String | 32 |
lease | The lease IP address range. | UINT32 | 10 |
level | The log priority level. | String | 11 |
logdesc | The log description. | String | |
logid | A ten-digit number. The first two digits represent the log type and the following two digits represent the log subtype. The last one to five digits are the message id. | String | 10 |
mac | The MAC address. | String | 17 |
msg | The activity or event that the FortiGate unit recorded. | String | |
service | The service name. | String | 64 |
src_int | The source interface. | String | 64 |
subtype | The subtype of the log message. The possible values of this field depend on the log type. | String | 20 |
time | The time stamp of the event. | String | 8 |
type | The log type. | String | 16 |
vd | The virtual domain name. | String | 32 |
Router Log Messages
The following table describes the log message IDs and messages of the Router log.
Message ID | Message | Description | Severity
20300 | LOG_ID_BGP_NB_STAT_CHG | BGP neighbor status changed | Unknown
27001 | LOG_ID_VRRP_STATE_CHG | VRRP state changed | Information
51000 | 51000 | MAC address neighbor table changed | Information
System
Event-System log messages record events that occur in the FortiGate system, such as administrators logging in and
out, or events occurring on the interfaces.
In the log fields, these logs are defined as: type=event; subtype=system.
Log Field Name | Log Field Description | Data Type | Length | Value
acktime | The acknowledgment time. | String | 24 |
act | The accounting state. | String | 16 |
action | The action the FortiGate unit should take for this firewall policy. | String | 32 |
addr | The address. | String | 80 |
alarmid | The alarm ID. | UINT32 | 10 |
assigned | The assigned IP address. | IP Address | 39 |
bandwidth | The bandwidth of the traffic. | String | 42 |
banned_rule | The banned rule or reason. | String | 36 |
banned_src | The banned source. | String | 16 | ips, dos, dlp-rule, dlp-compound, av
blocked | The number of blocked messages. | UINT32 | 10 |
cert | The certificate. | String | 36 |
cfgattr | The configuration attribute. | String | |
cfgobj | The configuration object. | String | 256 |
cfgpath | The configuration path. | String | 128 |
cfgtid | The configuration transaction id. | UINT32 | 10 |
chassisid | The chassis ID. | UINT8 | |
checksum | The number of content checksum blocked messages. | UINT32 | 10 |
cipher | | UINT16 | |
community | | String | 36 |
conserve | The flag for conserve mode. | String | 32 |
count | The number of dropped SIP packets. | UINT32 | 10 |
cpu | The CPU usage for performance. | UINT8 | 3 |
created | | String | 64 |
crl | | String | |
daddr | The destination address ('dstip'). | String | 80 |
daemon | The daemon name. | String | 32 |
datarange | The data range for reports. | String | 50 |
date | The date the log event was generated on the device. | String | 10 |
desc | The description of the event. | String | 128 |
devid | The serial number of the device. | String | 16 |
dhcp_msg | The DHCP message. | String | |
dintf | The device interface. | String | 36 |
dir | | String | 8 |
disk | | UINT8 | 3 |
disklograte | The disk log rate. | UINT64 | 20 |
dns_ip | The DNS IP address. | IP Address | 39 |
dns_name | The DNS name. | String | 64 |
dst_int | The interface where the through traffic goes to the public or Internet. For incoming traffic to the firewall, it is "unknown". | String | 64 |
dstip | The destination IP address. | IP Address | 39 |
dstport | The destination port. | UINT16 | 5 |
duration | The duration of the interval for item counts (such as infected, scanned, etc.) in this log entry. | UINT32 | 10 |
encryption | | | |
entermargin | The enter margin. | UINT32 | 10 |
error | The error reason for log upload to FortiCloud. | String | 256 |
exitmargin | The exit margin. | UINT32 | 10 |
expectedhandshake | The expected handshake. | | |
expectedsignature | The expected signature. | | |
fams_pause | | UINT32 | 10 |
fazlograte | The FortiAnalyzer log rate. | UINT64 | 20 |
field | The field name. | String | 32 |
file | The file name for a generated report. | String | 256 |
filesize | The report file size in bytes. | UINT32 | |
free | | String | 32 |
from | The sender email address for notification. | String | 128 |
gateway | The gateway IP address for PPPoE status report. | IP Address | 39 |
green | | String | 32 |
group | The user group name. | String | 64 |
groupid | The user group ID. | UINT32 | 10 |
handshake | The handshake session ID. | String | 32 |
hash | A character. | String | 32 |
hostname | The host name. | String | 128 |
identidx | The identity index number. | UINT32 | 10 |
infected | The number of infected messages. | UINT32 | 10 |
informationsource | The information source. | String | |
intercepted | The number of intercepted messages. | UINT32 | 10 |
interface | The interface name or ID. | String | 32 |
intf | The interface. | String | 16 |
ip | The IP address. | IP Address | 39 |
iptype | The IP protocol type. | String | 16 |
lease | The lease IP address range. | UINT32 | 10 |
len | | UINT32 | 10 |
level | The log priority level. | String | 11 |
limit | | UINT32 | 10 |
local | The local IP address. | IP Address | 39 |
log | The log type. | String | 32 |
logdesc | The log description. | String | |
logid | A ten-digit number. The first two digits represent the log type and the following two digits represent the log subtype. The last one to five digits are the message id. | String | 10 |
mac | The MAC address. | String | 17 |
major | The major priority level. | UINT8 | |
max | The maximum value. | UINT8 | |
maxminor | The maximum priority value. | UINT8 | |
mem | The memory usage for performance. | UINT8 | 3 |
min | The minimum value. | UINT8 | |
minminor | The minimum priority value. | UINT8 | |
minor | The minor priority level. | UINT8 | |
mode | The mode. | String | 12 |
module | The module name. | String | 32 |
monitor-name | The monitor name. | String | 32 |
monitor-type | The monitor type. | String | 32 |
msg | The activity or event that the FortiGate unit recorded. | String | |
msgproto | The message protocol. | String | 16 |
mtu | The maximum transmission unit. | UINT32 | 10 |
name | The user or host name. | String | 128 |
nat | The network address translation. | IP Address | 39 |
new_status | The latest status. | String | 512 |
new_value | The new virtual domain name. | String | 128 |
newchannel | | UINT8 | |
newchassisid | | UINT8 | |
newslot | | UINT8 | |
nf_type | The notification type. | String | 14 | bword, file_block, carrier_ep_bwl, flood, dupe, alert, mms_checksum, virus
old_status | The archived status. | String | 512 |
old_value | The original virtual domain name. | String | 16 |
oldchannel | | UINT8 | |
oldchassisid | | UINT8 | |
oldslot | | UINT8 | |
passwd | The password. | String | 20 |
pid | The policy ID. | UINT32 | 10 |
policyid | The policy ID that triggered this log. | UINT32 | 10 |
poolname | The pool name. | String | 36 |
port | The port number. | UINT16 | 5 |
portbegin | | UINT16 | 5 |
portend | | UINT16 | 5 |
probeproto | | String | 16 |
process | | String | |
processtime | The process time for reports. | UINT32 | |
profile | The profile name. | String | 64 |
profile_vd | The virtual domain of the profile. | String | 64 |
profilegroup | The profile group associated with the firewall policy that traffic used when the log message was recorded. | String | 4 |
profiletype | The type of profile associated with the firewall policy that traffic used when the log message was recorded. | String | 64 |
proto | The protocol used. | UINT8 | 3 |
reason | The reason why the log was recorded. | String | 256 |
received | The number of packets received. | UINT8 | |
receivedsignature | The number of signatures received. | | |
receivedhandshake | The number of handshakes received. | | |
recvminor | The maximum number of packets received. | UINT8 | |
red | | String | 32 |
remote | The remote IP address. | IP Address | 39 |
reporttype | The report type. | String | 20 |
saddr | The source IP address; use 'srcip'. | String | 80 |
scanned | The number of scanned messages. | UINT32 | 10 |
sensor | The sensor name. | String | 36 |
serial | The serial number of the log message. | UINT32 | 10 |
serialno | The serial number of the device. | String | 16 |
server | The server IP address. | String | 64 |
service | The service where the activity or event occurred, whether it was on a web page using HTTP or HTTPS. | String | 64 |
sess_duration | The duration of the session. | UINT32 | 10 |
session_id | The session ID. | UINT32 | 10 |
setuprate | | UINT64 | 20 |
slot | | UINT8 | |
sn | | String | 64 |
src_int | The source interface; use 'srcintf'. | String | 64 |
srcip | The source IP address. | IP Address | 39 |
ssl2 | The SSL session. | UINT8 | |
state | | String | 64 |
status | The status of the action the FortiGate unit took when the event occurred. | String | 23 |
submodule | The name of the submodule. | String | 32 |
subtype | The subtype of the log message. The possible values of this field depend on the log type. | String | 20 |
suspicious | The number of suspicious messages. | UINT32 | 10 |
sysconserve | The system conserve mode. | String | 32 |
time | The time stamp of the event. | String | 8 |
to | The recipient email address for notification. | String | 512 |
total | The total number of IP sessions. | UINT32 | 10 |
totalsession | The total number of sessions. | UINT32 | 10 |
trace_id | The trace ID. | String | 32 |
type | The log type. | String | 16 |
ui | The user interface. | String | 64 |
unit | | UINT32 | 10 |
url | The URL address. | String | 512 |
used | | UINT32 | 10 |
user | The name of the user creating the traffic. | String | 256 |
vd | The virtual domain name. | String | 32 |
version | The software version. | String | 64 |
vip | The virtual IP address. | String | 64 |
virus | The name of the virus. | String | 128 |
System Log Messages
The following table describes the log message IDs and messages of the System log.
Message ID | Message | Description | Severity
20000 | 20000 | | Debug
20001 | LOG_ID_CLIENT_DISASSOCIATED | Client is disassociated | Information
20001 | LOG_ID_CLIENT_DISASSOCIATED | Client is disassociated | Debug
20002 | LOG_ID_DOMAIN_UNRESOLVABLE | Domain name IP address of the sender is not resolvable | Notice
20003 | LOG_ID_MAIL_SENT_FAIL | Alert email send status failed | Notice
20004 | LOG_ID_POLICY_TOO_BIG | Policy is too big for the system | Unknown
20005 | LOG_ID_PPP_LINK_UP | Modem PPP link is up | Information
20006 | LOG_ID_PPP_LINK_DOWN | Modem PPP link is down | Information
20007 | 20007 | Kernel status failed due to exhausted NAT port | Critical
20011 | LOG_ID_CLIENT_NEW_ASSOCIATION | Client is associated | Information
20012 | LOG_ID_CLIENT_WPA_1X | Client supports 1X | Information
20013 | LOG_ID_CLIENT_WPA_SSN | Client supports WPA authentication | Information
20015 | LOG_ID_IEEE802_NEW_STATION | WPAD: Client supports 802.1x authentication | Information
20016 | LOG_ID_MODEM_EXCEED_REDIAL_COUNT | Modem exceeded redial limit | Information
20017 | LOG_ID_MODEM_FAIL_TO_OPEN | Modem failed to open | Information
20020 | LOG_ID_MODEM_HOTPLUG | USB modem is removed or deleted | Warning
20020 | LOG_ID_MODEM_HOTPLUG | USB modem is removed or deleted | Information
20021 | LOG_ID_MAIL_RESENT | Alert email resend status is successful | Information
20025 | LOG_ID_REPORTD_REPORT_SUCCESS | Report generated successfully | Notice
20026 | LOG_ID_REPORTD_REPORT_FAILURE | Report generation failed | Error
20027 | LOG_ID_REPORT_DEL_OLD_REC | Delete report with outdated database records | Warning
20031 | LOG_ID_RAD_OUT_OF_MEM | Interface is out of memory | Critical
20032 | LOG_ID_RAD_NOT_FOUND | Interface is not found | Critical
20033 | LOG_ID_RAD_MOBILE_IPV6 | Interface is using Mobile IPv6 extensions | Information
20034 | LOG_ID_RAD_IPV6_OUT_OF_RANGE | Interface "MinRtrAdvInterval" using Mobile IPv6 extension is out of range | Critical
20035 | LOG_ID_RAD_MIN_OUT_OF_RANGE | Interface "MinRtrAdvInterval" is out of range | Critical
20036 | LOG_ID_RAD_MAX_OUT_OF_RANGE | Interface "MaxRtrAdvInterval" using Mobile IPv6 extension is out of range | Critical
20037 | LOG_ID_RAD_MAX_ADV_OUT_OF_RANGE | Interface "MaxRtrAdvInterval" is out of range | Critical
20038 | LOG_ID_RAD_MTU_OUT_OF_RANGE | Interface "AdvLinkMTU" is out of range | Critical
20039 | LOG_ID_RAD_MTU_TOO_SMALL | Interface "AdvLinkMTU" is small | Critical
20040 | LOG_ID_RAD_TIME_TOO_SMALL | Interface "AdvReachableTime" is small | Critical
20041 | LOG_ID_RAD_HOP_OUT_OF_RANGE | Interface "AdvCurHopLimit" in router advertisement packet is too big | Critical
20042 | LOG_ID_RAD_DFT_HOP_OUT_OF_RANGE | Interface "AdvCurHopLimit" in router advertisement packet is out of range | Critical
20043 | LOG_ID_RAD_AGENT_OUT_OF_RANGE | Interface "HomeAgentLifetime" in router advertisement packet is out of range | Critical
20044 | LOG_ID_RAD_AGENT_FLAG_NOT_SET | Interface "AdvHomeAgentFlag HomeAgentLifetime" in router advertisement packet must be set with HomeAgentInfo | Critical
20045 | LOG_ID_RAD_PREFIX_TOO_LONG | Invalid prefix length | Critical
20046 | LOG_ID_RAD_PREF_TIME_TOO_SMALL | Interface "AdvValidLifetime" is less than "AdvPreferredLifetime" | Critical
20047 | LOG_ID_RAD_FAIL_IPV6_SOCKET | IPv6 RADVD failed to create an IPv6 socket | Critical
20048 | LOG_ID_RAD_FAIL_OPT_IPV6_PKTINFO | IPv6 RADVD failed to set IPV6_PKTINFO option | Critical
20049 | LOG_ID_RAD_FAIL_OPT_IPV6_CHECKSUM | IPv6 RADVD failed to set IPV6_CHECKSUM option | Critical
20050 | LOG_ID_RAD_FAIL_OPT_IPV6_UNICAST_HOPS | IPv6 RADVD failed to set IPV6_UNICAST_HOPS option | Critical
20051 | LOG_ID_RAD_FAIL_OPT_IPV6_MULTICAST_HOPS | IPv6 RADVD failed to set IPV6_MULTICAST_HOPS option | Critical
20052 | LOG_ID_RAD_FAIL_OPT_IPV6_HOPLIMIT | IPv6 RADVD failed to set IPV6_HOPLIMIT option | Critical
20053 | LOG_ID_RAD_FAIL_OPT_IPPROTO_ICMPV6 | IPv6 RADVD failed to set ICMPV6_FILTER option | Critical
20054 | LOG_ID_RAD_EXIT_BY_SIGNAL | IPv6 RADVD exits due to a signal | Information
20055 | LOG_ID_RAD_FAIL_CMDB_QUERY | IPv6 RADVD cannot create cmf_query_create() query to the interface | Critical
20056 | LOG_ID_RAD_FAIL_CMDB_FOR_EACH | IPv6 RADVD internal error occurs when cmf_query_for_each() query is used | Critical
20057 | LOG_ID_RAD_FAIL_FIND_VIRT_INTF | IPv6 RADVD failed to find a virtual interface with the interface index | Critical
20058 | LOG_ID_RAD_UNLOAD_INTF | IPv6 RADVD reloads a specific interface | Information
20059 | LOG_ID_RAD_NO_PKT_INFO | IPv6 RADVD received a packet with no pkt_info | Warning
20060 | LOG_ID_RAD_INV_ICMPV6_LEN | IPv6 RADVD received an ICMPv6 packet with invalid length | Warning
20061 | LOG_ID_RAD_INV_ICMPV6_TYPE | IPv6 RADVD received an unwanted type of ICMPv6 packet | Critical
20062 | LOG_ID_RAD_INV_ICMPV6_RA_LEN | IPv6 RADVD received ICMPv6 RA packet with invalid length | Warning
20063 | LOG_ID_RAD_ICMPV6_NO_SRC_ADDR | IPv6 RADVD received ICMPv6 RA packet with non-linklocal source address | Warning
20064 | LOG_ID_RAD_INV_ICMPV6_RS_LEN | IPv6 RADVD received ICMPv6 RS packet with invalid length | Warning
20065 | LOG_ID_RAD_INV_ICMPV6_CODE | IPv6 RADVD received ICMPv6 RS/RA packet with invalid code | Warning
20066 | LOG_ID_RAD_INV_ICMPV6_HOP | IPv6 RADVD received ICMPv6 RS/RA packet with wrong hoplimit | Warning
20067 | LOG_ID_RAD_MISMATCH_HOP | Interface "AdvCurHopLimit" on local interface does not agree with a remote site | Warning
20068 | LOG_ID_RAD_MISMATCH_MGR_FLAG | Interface "AdvManagedFlag" on local interface does not agree with a remote site | Warning
20069 | LOG_ID_RAD_MISMATCH_OTH_FLAG | Interface "AdvOtherConfigFlag" on local interface does not agree with a remote site | Warning
20070 | LOG_ID_RAD_MISMATCH_TIME | Interface "AdvReachableTime" on local interface does not agree with a remote site | Warning
20071 | LOG_ID_RAD_MISMATCH_TIMER | Interface "AdvRetransTimer" on local interface does not agree with a remote site | Warning
20072 | LOG_ID_RAD_EXTRA_DATA | IPv6 RADVD finds extra data in RA packet | Critical
20073 | LOG_ID_RAD_NO_OPT_DATA | IPv6 RADVD finds a RA packet with no option data | Critical
20074 | LOG_ID_RAD_INV_OPT_LEN | Option length is greater than RA packet total length | Critical
20075 | LOG_ID_RAD_MISMATCH_MTU | Interface "AdvLinkMTU" on local interface does not agree with a remote site | Warning
20077 | LOG_ID_RAD_MISMATCH_PREF_TIME | Interface "AdvPreferredLifetime" on our interface does not agree with a remote site | Warning
20078 | LOG_ID_RAD_INV_OPT | IPv6 RADVD finds an invalid option in RA packet from a remote site | Critical
20079 | LOG_ID_RAD_READY | IPv6 RADVD daemon has started | Information
20080 | LOG_ID_RAD_FAIL_TO_RCV | Recvmsg() in IPv6 RADVD failed | Critical
20081 | LOG_ID_RAD_INV_HOP | IPv6 RADVD received a packet with a wrong IPV6_HOPLIMIT | Critical
20082 | LOG_ID_RAD_INV_PKTINFO | IPv6 RADVD received a packet with a wrong IPV6_PKTINFO | Critical
20083 | LOG_ID_RAD_FAIL_TO_CHECK | IPv6 RADVD failed to check all-routers multicast group membership | Warning
20084 | LOG_ID_RAD_FAIL_TO_SEND | IPv6 RADVD failed to send sendmsg() | Warning
20085 | 20085 | Session status | Information
20086 | 20086 | FMC XH0 crashed | Unknown
20090 | LOG_ID_INTF_LINK_STA_CHG | Interface link status changed | Notice
20099 | LOG_ID_INTF_STA_CHG | Interface status changed | Information
20100 | 20100 | | Critical
20101 | LOG_ID_WEB_LIC_EXPIRE | FortiGuard Web Filter license is expired | Critical
20101 | LOG_ID_WEB_LIC_EXPIRE | FortiGuard Web Filter license is expired | Warning
20102 | LOG_ID_SPAM_LIC_EXPIRE | FortiGuard AntiSpam license is expired | Critical
20102 | LOG_ID_SPAM_LIC_EXPIRE | FortiGuard AntiSpam license is expired | Warning
20103 | LOG_ID_AV_LIC_EXPIRE | FortiGuard AntiVirus license is expired | Critical
20103 | LOG_ID_AV_LIC_EXPIRE | FortiGuard AntiVirus license is expired | Warning
20104 | LOG_ID_IPS_LIC_EXPIRE | FortiGuard IPS license is expired | Warning
20105 | LOG_ID_LOG_UPLOAD_SKIP | Log upload to FortiCloud skipped | Warning
20107 | LOG_ID_LOG_UPLOAD_ERR | Log upload error | Warning
20108 | LOG_ID_LOG_UPLOAD_DONE | Log upload completed | Notice
20110 | LOG_ID_HPAPI_ESPD_START | Connection to ESPD has been initialized | Notice
20111 | LOG_ID_HPAPI_ESPD_RESET | Connection to ESPD has been reset | Warning
20113 | LOG_ID_IPSA_DOWNLOAD_FAIL | Failed to download IPSA database | Error
20114 | LOG_ID_IPSA_SELFTEST_FAIL | IPSA self test failed. IPSA disabled | Error
20115 | LOG_ID_IPSA_STATUSUPD_FAIL | Failed to update IPSA drive | Error
20200 | LOG_ID_FIPS_SELF_TEST | A FIPS CC administrator has initiated self test | Notice
20201 | LOG_ID_FIPS_SELF_ALL_TEST | A FIPS CC administrator has initiated all self tests. | Notice
20202 | LOG_ID_DISK_FORMAT_ERROR | Error in disk partitioning or formatting | Warning
20203 | LOG_ID_DAEMON_SHUTDOWN | Daemon shutdown | Information
20204 | LOG_ID_DAEMON_START | Daemon started | Information
20205 | LOG_ID_DISK_FORMAT_REQ | Request to format disk | Critical
20206 | LOG_ID_DISK_SCAN_REQ | Request to scan disk | Warning
22000 | LOG_ID_INV_PKT_LEN | Packet length does not match the specified length in the request header | Warning
22001 | LOG_ID_UNSUPPORTED_PROT_VER | Unsupported protocol version | Warning
22002 | LOG_ID_INV_REQ_TYPE | Request type is not supported | Warning
22003 | LOG_ID_FAIL_SET_SIG_HANDLER | Failed to set up a signal handler | Warning
22004 | LOG_ID_FAIL_CREATE_SOCKET | Failed to create a socket | Warning
22005 | LOG_ID_FAIL_CREATE_SOCKET_RETRY | Failed to create a UDP socket to receive URL request | Warning
22006 | LOG_ID_FAIL_REG_CMDB_EVENT | Failed to register for CMDB events | Warning
22009 | LOG_ID_FAIL_FIND_AV_PROFILE | Failed to find AntiVirus profile by ID | Warning
22009 | LOG_ID_FAIL_FIND_AV_PROFILE | Failed to find AntiVirus profile by ID | Debug
22010 | LOG_ID_SENDTO_FAIL | Failed to send URL filter packet | Error
22011 | 22011 | Kernel enters conserve mode | Unknown
22012 | 22012 | Kernel leaves conserve mode | Unknown
22013 | 22013 | IP pool PBA block exhaust | Alert
22014 | 22014 | IP pool PBA NATIP exhaust | Alert
22014 | 22014 | IP pool PBA NATIP exhaust | Notice
22015 | LOG_ID_EXCEED_VD_RES_LIMIT | Exceeded VDOM resource limit | Notice
22016 | 22016 | Deallocate IP pool PBA | Notice
22020 | LOG_ID_FAIL_CREATE_HA_SOCKET | Failed to create URL filter connection for HA slaves | Warning
22021 | LOG_ID_FAIL_CREATE_HA_SOCKET_RETRY | Failed to create URL filter connection to HA master | Warning
22100 | LOG_ID_QUAR_DROP_TRAN_JOB | Transfer failed, files dropped by quarantine daemon | Warning
22101 | LOG_ID_QUAR_DROP_TLL_JOB | Transfer failed, poor network connection | Warning
22102 | LOG_ID_LOG_DISK_FAILURE | Log disk failure is imminent | Critical
22103 | LOG_ID_QUAR_DAILY_LIMIT_REACHED | FortiCloud sandbox daily limit reached | Warning
22104 | LOG_ID_POWER_RESTORE | Power supply restored | Critical
22104 | LOG_ID_POWER_RESTORE | Power supply restored | Notice
22105 | LOG_ID_POWER_FAILURE | Power supply failed | Critical
22105 | LOG_ID_POWER_FAILURE | Power supply failed | Warning
22106 | LOG_ID_POWER_OPTIONAL_NOT_DETECTED | Power supply not detected | Information
22106 | LOG_ID_POWER_OPTIONAL_NOT_DETECTED | Power supply not detected | Warning
22107 | LOG_ID_VOLT_ANOM | | Warning
22108 | LOG_ID_FAN_ANOM | | Warning
22109 | LOG_ID_TEMP_TOO_HIGH | Temperature too high | Warning
22110 | LOG_ID_SPARE_BLOCK_LOW | Available spare blocks of boot device is low | Critical
22150 | LOG_ID_VOLT_NOM | | Notice
22151 | LOG_ID_FAN_NOM | | Notice
22152 | LOG_ID_TEMP_TOO_LOW | | Warning
22153 | LOG_ID_TEMP_NORM | | Notice
22200 | LOG_ID_AUTO_UPT_CERT | Certificate will be auto-updated | Warning
22201 | LOG_ID_AUTO_GEN_CERT | Certificate will be auto-regenerated | Warning
22201 | LOG_ID_AUTO_GEN_CERT | Certificate will be auto-regenerated | Information
22202 | LOG_ID_AUTO_UPT_CERT_FAIL | Certificate failed to auto-update | Error
22203 | LOG_ID_AUTO_GEN_CERT_FAIL | Certificate failed to auto-generate | Error
22700 | LOG_ID_IPS_FAIL_OPEN | IPS session scan resumed | Critical
22800 | LOG_ID_SCAN_SERV_FAIL | System scan services session failed | Critical
22801 | LOG_ID_SCAN_LEAVE_CONSERVE_MODE | System scan services exited conserve mode | Critical
22802 | LOG_ID_SYS_ENTER_CONSERVE_MODE | System entered conserve mode | Critical
22803 | LOG_ID_SYS_LEAVE_CONSERVE_MODE | System exited conserve mode | Critical
22804 | LOG_ID_LIC_STATUS_CHG | License has changed | Critical
22805 | LOG_ID_FAIL_TO_VALIDATE_LIC | License cannot be validated | Warning
22806 | LOG_ID_DUP_LIC | Detected duplicate license | Warning
22810 | LOG_ID_SCAN_ENTER_CONSERVE_MODE | System scan services entered conserve mode | Critical
22900 | LOG_ID_CAPUTP_SESSION | CAPUTP session status | Notice
22901 | LOG_ID_FAZ_CON | Connected to FortiAnalyzer | Notice
22902 | LOG_ID_FAZ_DISCON | Disconnected from FortiAnalyzer | Notice
22903 | LOG_ID_FAZ_CON_ERR | Failed to connect to FortiAnalyzer | Critical
22916 | LOG_ID_FDS_STATUS | FortiGuard Message Service status | Notice
22917 | LOG_ID_FDS_SMS_QUOTA | SMS quota is reached | Notice
22921 | LOG_ID_EVENT_ROUTE_INFO_CHANGED | Routing information is changed because link monitor entry changes its configuration or status | Critical
22922 | LOG_ID_EVENT_LINK_MONITOR_STATUS | Link Monitor status | Notice
22923 | LOG_ID_EVENT_VWL_LQTY_STATUS | Virtual WAN Link status | Notice
22924 | LOG_ID_EVENT_VWL_VOLUME_STATUS | Virtual WAN Link volume status | Notice
26001 | LOG_ID_DHCP_MSG | DHCP request and response log | Information
26001 | LOG_ID_DHCP_MSG | DHCP request and response log | Unknown
26002 | LOG_ID_DHCP_NO_SHARE_NET | No shared network found | Error
26003 | LOG_ID_DHCP_STAT | DHCP statistics status | Information
26004 | LOG_ID_DHCP_MULT_SUB_NET | Address range spans multiple subnets | Error
26005 | LOG_ID_DHCP_INV_ADDR_RANGE | Address range does not belong to the network | Error
26006 | LOG_ID_DHCP_LEASE_USAGE | DHCP lease usage | Warning
29001 | LOG_ID_PPPD_MSG | PPPD status message | Unknown
29002 | LOG_ID_PPPD_AUTH_SUC | PPPD authentication success | Notice
29002 | LOG_ID_PPPD_AUTH_SUC | PPPD authentication success | Debug
29003 | LOG_ID_PPPD_AUTH_FAIL | PPPD authentication failure | Notice
29009 | LOG_ID_PPPOE_STATUS_REPORT | PPPoE status report | Notice
29011 | LOG_ID_PPPD_FAIL_TO_EXEC | PPPD cannot execute a program | Error
29012 | LOG_ID_PPP_OPT_ERR | PPP has received incorrect options | Unknown
29013 | LOG_ID_PPPD_START | PPPD is started | Notice
29014 | LOG_ID_PPPD_EXIT | PPPD is exiting | Information
29015 | LOG_ID_PPP_RCV_BAD_PEER_IP | PPP has received incorrect peer IP address | Error
29016 | LOG_ID_PPP_RCV_BAD_LOCAL_IP | PPP has received incorrect local IP address | Error
29017 | LOG_ID_PPP_OPT_NOTIF | PPP has received incorrect notifications | Unknown
29020 | LOG_ID_WIRELESS_SET_FAIL | Wireless set command failed | Notice
29020 | LOG_ID_WIRELESS_SET_FAIL | Wireless set command failed | Unknown
29021 | LOG_ID_EVENT_AUTH_SNMP_QUERY_FAILED | Failed SNMP query | Warning
32001 | LOG_ID_ADMIN_LOGIN_SUCC | Administrator logged in successfully | Information
32002 | LOG_ID_ADMIN_LOGIN_FAIL | Failed administrator login attempt | Alert
32003 | LOG_ID_ADMIN_LOGOUT | Administrator logged out | Information
32005 | LOG_ID_ADMIN_OVERIDE_VDOM | Administrator overrode VDOM successfully | Information
32006 | LOG_ID_ADMIN_ENTER_VDOM | A super admin has entered this VDOM | Information
32007 | LOG_ID_ADMIN_LEFT_VDOM | A super admin has left the current VDOM | Information
32008 | LOG_ID_VIEW_LOG_FAIL | Failed to view log | Warning
32009 | LOG_ID_SYSTEM_START | FortiGate started | Information
32010 | LOG_ID_DISK_LOG_FULL | Log disk is full | Warning
32011 | LOG_ID_LOG_ROLL | Disk log rotation | Notice
32012 | LOG_ID_FIPS_LEAVE_ERR_MOD | FIPS CC exiting error mode | Information
32014 | LOG_ID_CS_LIC_EXPIRE | FortiGuard customer support license expiring | Warning
32015 | LOG_ID_DISK_LOG_USAGE | Alert email log full | Warning
32018 | LOG_ID_FIPS_ENTER_ERR_MOD | FIPS CC error mode | Emergency
32020 | LOG_ID_SSH_CORRPUT_MAC | Corrupted MAC address detected | Warning
32021 | LOG_ID_ADMIN_LOGIN_DISABLE | Administrator login is disabled | Alert
32022 | LOG_ID_VDOM_ENABLED | VDOM enabled | Notice
32023 | LOG_ID_MEM_LOG_FULL | Memory log full | Warning
32023 | LOG_ID_MEM_LOG_FULL | Memory log full | Information
32024 | LOG_ID_ADMIN_PASSWD_EXPIRE | Administrator password has expired | Notice
32026 | LOG_ID_STORE_CONF_FAIL | Cannot store configuration due to first line error | Critical
32027 | LOG_ID_VIEW_LOG_SUCC | View disk logs | Notice
32028 | LOG_ID_LOG_DEL_DIR | Disk log directory deleted | Information
32029 | LOG_ID_LOG_DEL_FILE | Disk log file deleted | Warning
32030 | LOG_ID_SEND_FDS_STAT | Sent FDS statistics status | Notice
32035 | LOG_ID_VDOM_DISABLED | VDOM disabled | Notice
Log Reference 113
Fortinet Technologies Inc.
Event Log System
Message Message Description Severity
ID
32040 LOG_ID_REPORT_DELETED Report deleted Information
32045 LOG_ID_MGR_LIC_EXPIRE FortiGuard management service Warning
license is expiring
32048 LOG_ID_SCHEDULE_EXPIRE One time schedule is expiring Warning
32049 LOG_ID_FC_EXPIRE FortiCloud license is expiring Warning
32051 LOG_ID_LOG_UPLOAD Start uploading disk logs from Notice
VDOM
32086 LOG_ID_ENTER_ System has been changed to trans- Warning
TRANSPARENT parent mode via LCD
32087 LOG_ID_ENTER_NAT System has been changed to NAT Warning
mode via LCD
32095 LOG_ID_GUI_CHG_SUB_ An administrator has performed an Warning
MODULE action on the firewall via GUI
32096 LOG_ID_GUI_DOWNLOAD_ An administrator has downloaded a Warning
LOG log file from the firewall via GUI
32100 LOG_ID_FORTI_TOKEN_ FortiToken synchronization Warning
SYNC
32101 LOG_ID_LCD_CHG_CONF An administrator has changed con- Notice
figuration from LCD
32102 LOG_ID_CHG_CONFIG An administrator has changed the Unknown
configuration
32103 LOG_ID_NEW_FIRMWARE A new firmware image is available Notice
on FortiGuard
32120 LOG_ID_RPT_ADD_DATASET Report dataset added Notice
32122 LOG_ID_RPT_DEL_DATASET Report dataset deleted Notice
32125 LOG_ID_RPT_ADD_CHART Report chart widget added Notice
32126 LOG_ID_RPT_DEL_CHART Report chart widget deleted Notice
32129 LOG_ID_ADD_GUEST New guest user added Notice
32130 LOG_ID_CHG_USER A local user's setting changed Notice
114 Log Reference
Fortinet Technologies Inc.
System Event Log
Message Message Description Severity
ID
32131 LOG_ID_DEL_GUEST Guest user deleted Notice
32132 LOG_ID_ADD_USER A new local user is added Notice
32138 LOG_ID_REBOOT Device rebooted Critical
32139 LOG_ID_UPD_SIGN_DB Updated GeoIP object Critical
32139 LOG_ID_UPD_SIGN_DB Updated GeoIP object Warning
32139 LOG_ID_UPD_SIGN_DB Updated GeoIP object Notice
32140 LOG_ID_NTP_SVR_STAUS_ NTP server status has changed Notice
CHG
32142 LOG_ID_BACKUP_CONF Backup system configuration Alert
32142 LOG_ID_BACKUP_CONF Backup system configuration Warning
32142 LOG_ID_BACKUP_CONF Backup system configuration Error
32142 LOG_ID_BACKUP_CONF Backup system configuration Notice
32148 LOG_ID_GET_CRL User requested a CRL update Notice
32149 LOG_ID_COMMAND_FAIL Command failed Notice
32151 LOG_ID_ADD_IP6_LOCAL_ A new IPv6 firewall local in policy is Notice
POL added
32152 LOG_ID_CHG_IP6_LOCAL_ A IPv6 firewall local in policy setting Notice
POL has changed
32153 LOG_ID_DEL_IP6_LOCAL_ A IPv6 firewall local in policy is Notice
POL deleted
32155 LOG_ID_ACT_FTOKEN_REQ FortiToken request to activate Notice
32156 LOG_ID_ACT_FTOKEN_SUCC FortiToken activation successful Notice
32157 LOG_ID_SYNC_FTOKEN_ Successfully synchronized Notice
SUCC FortiToken
32158 LOG_ID_SYNC_FTOKEN_FAIL Failed to synchronize FortiToken Notice
32159 LOG_ID_ACT_FTOKEN_FAIL FortiToken activation failed Notice
Log Reference 115
Fortinet Technologies Inc.
Event Log System
Message Message Description Severity
ID
32168 LOG_ID_REACH_VDOM_ Failed to add a new entry - VDOM Notice
LIMIT limit reached
32170 LOG_ID_ALARM_MSG Alarm message is created Alert
32171 LOG_ID_ALARM_ACK Alarm is acknowledged Alert
32172 LOG_ID_ADD_IP4_LOCAL_ A new IPv4 firewall local in policy is Notice
POL added
32173 LOG_ID_CHG_IP4_LOCAL_ An IPv4 firewall local in policy's set- Notice
POL ting has changed
32174 LOG_ID_DEL_IP4_LOCAL_ An IPv4 firewall local in policy is Notice
POL deleted
32188 LOG_ID_SSL_PROXY_CA_ SSL Proxy CA initialization failed Warning
INIT_FAIL
32188 LOG_ID_SSL_PROXY_CA_ SSL Proxy CA initialization failed Notice
INIT_FAIL
32200 LOG_ID_SHUTDOWN Device shutdown Critical
32201 LOG_ID_LOAD_IMG_SUCC Loaded image does not support Critical
FIPS CC mode
32202 LOG_ID_RESTORE_IMG Image restored Critical
32203 LOG_ID_RESTORE_CONF Configuration restored Critical
32203 LOG_ID_RESTORE_CONF Configuration restored Warning
32203 LOG_ID_RESTORE_CONF Configuration restored Notice
32204 LOG_ID_RESTORE_FGD_SVR FortiGuard service restored Critical
32204 LOG_ID_RESTORE_FGD_SVR FortiGuard service restored Notice
32205 LOG_ID_RESTORE_VDOM_ VM license restored Critical
LIC
32205 LOG_ID_RESTORE_VDOM_ VM license restored Notice
LIC
32206 LOG_ID_RESTORE_SCRIPT Script restored Warning
116 Log Reference
Fortinet Technologies Inc.
System Event Log
Message Message Description Severity
ID
32207 LOG_ID_RETRIEVE_CONF_ Failed to retrieve configuration list Warning
LIST
32208 LOG_ID_IMP_PKCS12_CERT Imported "PKCS12" certificate Critical
32209 LOG_ID_RESTORE_USR_ Restored the user defined IPS sig- Critical
DEF_IPS natures
32209 LOG_ID_RESTORE_USR_ Restored the user defined IPS sig- Notice
DEF_IPS natures
32210 LOG_ID_BACKUP_IMG Firmware image successfully Notice
backed up
32211 LOG_ID_UPLOAD_REVISION Upload to flash disk successful Notice
32212 LOG_ID_DEL_REVISION Revision database deleted suc- Notice
cessfully
32213 LOG_ID_RESTORE_ Template restored Warning
TEMPLATE
32214 LOG_ID_RESTORE_FILE System failed to restore Warning
32215 LOG_ID_UPT_IMG An administator loaded a wrong Critical
image
32217 LOG_ID_UPD_IPS An administator updated the IPS Warning
package via SCP
32217 LOG_ID_UPD_IPS An administator updated the IPS Notice
package via SCP
32218 LOG_ID_UPD_DLP An administator failed to update the Warning
DLP fingerprint database via SCP
32219 LOG_ID_BACKUP_OUTPUT An administator backed up the res- Warning
ult of standardized error output via
SCP
32220 LOG_ID_BACKUP_COMMAND An administator backed up the res- Warning
ult of batch mode commands via
SCP
32221 LOG_ID_UPD_VDOM_LIC An administator installed the VM Warning
license via SCP
Log Reference 117
Fortinet Technologies Inc.
Event Log System
Message Message Description Severity
ID
32222 LOG_ID_GLB_SETTING_CHG An administator changed a global Notice
setting
32223 LOG_ID_BACKUP_USER_ Failed to backup user defined IPS Error
DEF_IPS signatures
32223 LOG_ID_BACKUP_USER_ Failed to backup user defined IPS Notice
DEF_IPS signatures
32224 LOG_ID_BACKUP_LOG Disk logs backed up Notice
32225 LOG_ID_DEL_ALL_REVISION Revision database corruption detec- Notice
ted. Database is reset
32226 LOG_ID_LOAD_IMG_FAIL Failed to load image Critical
32240 LOG_ID_SYS_USB_MODE System is operating in USB mode Critical
32252 LOG_ID_FACTORY_RESET An administator reset factory set- Critical
tings
32253 LOG_ID_FORMAT_RAID An administrator formatted the Critical
RAID disk
32254 LOG_ID_ENABLE_RAID An administator enabled RAID Critical
32255 LOG_ID_DISABLE_RAID An administator disabled RAID Critical
32300 LOG_ID_UPLOAD_RPT_IMG Upload the report image file Notice
32301 LOG_ID_ADD_VDOM VDOM added Notice
32302 LOG_ID_DEL_VDOM VDOM deleted Notice
32340 LOG_ID_LOG_DISK_UNAVAIL Disk is unavailable Critical
32340 LOG_ID_LOG_DISK_UNAVAIL Disk is unavailable Warning
32341 LOG_ID_LOG_DISK_ Disk log status has changed Notice
DEFAULT_DISABLED
32400 LOG_ID_CONF_CHG Configuration has changed Alert
32545 LOG_ID_SYS_RESTART System is rebooted due to sched- Critical
uled daily restart action
118 Log Reference
Fortinet Technologies Inc.
System Event Log
Message Message Description Severity
ID
32546 LOG_ID_APPLICATION_ Application crashed Warning
CRASH
36880 LOG_ID_EVENT_SYSTEM_ Number of detected devices Warning
MAC_HOST_STORE_LIMIT exceeds limit that can be per-
sistently stored
38400 LOGID_EVENT_NOTIF_SEND_ The system successfully sent a noti- Notice
SUCC fication message
38401 LOGID_EVENT_NOTIF_SEND_ The system was unable to send a Warning
FAIL notification message
38402 LOGID_EVENT_NOTIF_DNS_ The system was unable to resolve Notice
FAIL an MMSC hostname
38403 LOGID_EVENT_NOTIF_ Insufficient system resource noti- Critical
INSUFFICIENT_RESOURCE fication
38404 LOGID_EVENT_NOTIF_ Unable to resolve FortiGuard host- Error
HOSTNAME_ERROR name
38405 LOGID_NOTIF_CODE_ Sent token activation code noti- Notice
SENDTO_SMS_PHONE fication for phone
38406 LOGID_NOTIF_CODE_ Sent token activation code noti- Notice
SENDTO_SMS_TO fication for SMS
38407 LOGID_NOTIF_CODE_ Sent token activation code noti- Notice
SENDTO_EMAIL fication for email
40704 LOG_ID_EVENT_SYS_PERF System performance statistics Notice
41000 LOG_ID_UPD_FGT_SUCC An administrator has updated the Notice
FortiGate successfully
41001 LOG_ID_UPD_FGT_FAIL An administrator has failed to Critical
update the FortiGate
41002 LOG_ID_UPD_SRC_VIS The source visibility signature pack- Notice
age is updated
41003 LOG_ID_INVALID_UPD_LIC Invalid update license Critical
41005 LOG_ID_UPD_VCM An administrator has updated the Notice
VCM plugin successfully
Log Reference 119
Fortinet Technologies Inc.
Event Log System
Message Message Description Severity
ID
43264 LOGID_MMS_STATS MMS statistics Information
43776 LOGID_EVENT_NAC_ NAC anomaly quarantine Notice
QUARANTINE
43800 LOG_ID_EVENT_ELBC_ Blade ready to process traffic Critical
BLADE_JOIN
43801 LOG_ID_EVENT_ELBC_ Blade is not ready to process traffic Critical
BLADE_LEAVE
43802 LOG_ID_EVENT_ELBC_ Master blade found Critical
MASTER_BLADE_FOUND
43803 LOG_ID_EVENT_ELBC_ Master blade lost Critical
MASTER_BLADE_LOST
43804 LOG_ID_EVENT_ELBC_ Master blade changed Critical
MASTER_BLADE_CHANGE
43805 LOG_ID_EVENT_ELBC_ ELBC channel is active Critical
ACTIVE_CHANNEL_FOUND
43806 LOG_ID_EVENT_ELBC_ ELBC channel is inactive Critical
ACTIVE_CHANNEL_LOST
43807 LOG_ID_EVENT_ELBC_ ELBC channel failover Critical
ACTIVE_CHANNEL_CHANGE
43808 LOG_ID_EVENT_ELBC_ ELBC chassis is active Critical
CHASSIS_ACTIVE
43809 LOG_ID_EVENT_ELBC_ ELBC chassis is inactive Critical
CHASSIS_INACTIVE
44544 LOGID_EVENT_CONFIG_ Configured path Information
PATH
44545 LOGID_EVENT_CONFIG_OBJ Configured object Information
44546 LOGID_EVENT_CONFIG_ Configured attribute Information
ATTR
44547 LOGID_EVENT_CONFIG_ Object attribute configured Information
OBJATTR
45000 LOG_ID_VSD_SSL_RCV_HS SSL handshake received Debug
120 Log Reference
Fortinet Technologies Inc.
System Event Log
Message Message Description Severity
ID
45001 LOG_ID_VSD_SSL_RCV_ SSL received incorrect handshake Error
WRG_HS message
45002 LOG_ID_VSD_SSL_SENT_HS SSL handshake sent Debug
45003 LOG_ID_VSD_SSL_WRG_HS_ SSL handshake has invalid length Error
LEN
45004 LOG_ID_VSD_SSL_RCV_CCS SSL ChangeCipherSpec received Debug
45005 LOG_ID_VSD_SSL_RSA_DH_ Verification of Diffie-Hellman para- Error
FAIL meters failed
45006 LOG_ID_VSD_SSL_SENT_CCS SSL ChangeCipherSpec sent Debug
45007 LOG_ID_VSD_SSL_BAD_HASH Hash in SSL Finished does not Error
match calculated hash
45009 LOG_ID_VSD_SSL_DECRY_ SSL decryption failed Error
FAIL
45010 LOG_ID_VSD_SSL_SESSION_ SSL session closed Debug
CLOSED
45011 LOG_ID_VSD_SSL_LESS_ SSL minor version is less than con- Error
MINOR figured minimum value
45012 LOG_ID_VSD_SSL_REACH_ SSL maximum connection limit Warning
MAX_CON reached
45013 LOG_ID_VSD_SSL_NOT_ SSL CipherSuites not supported Error
SUPPORT_CS
45016 LOG_ID_VSD_SSL_HS_FIN SSL handshake complete Debug
45017 LOG_ID_VSD_SSL_HS_TOO_ SSL handshake is too long Error
LONG
45018 LOG_ID_VSD_SSL_MORE_ SSL minor version larger than con- Debug
MINOR figured maximum value
45019 LOG_ID_VSD_SSL_SENT_ SSL alert error sent Error
ALERT_ERR
45020 LOG_ID_VSD_SSL_SESSION_ SSL session state expired Debug
EXPIRE
Log Reference 121
Fortinet Technologies Inc.
Event Log System
Message Message Description Severity
ID
45021 LOG_ID_VSD_SSL_SENT_ SSL alert sent Debug
ALERT
45022 LOG_ID_VSD_SSL_RCV_CH SSL Client Hello received Debug
45023 LOG_ID_VSD_SSL_RCV_SH SSL Server Hello received Debug
45024 LOG_ID_VSD_SSL_SENT_SH SSL Server Hello sent Debug
45025 LOG_ID_VSD_SSL_RCV_ SSL alert received Error
ALERT
45025 LOG_ID_VSD_SSL_RCV_ SSL alert received Debug
ALERT
45027 LOG_ID_VSD_SSL_INVALID_ Invalid SSL Content Type Error
CONT_TYPE
45029 LOG_ID_VSD_SSL_BAD_CCS_ SSL ChangeCipherSpec has incor- Error
LEN rect length
45031 LOG_ID_VSD_SSL_BAD_DH SSL Diffie-Hellman has incorrect Error
value
45032 LOG_ID_VSD_SSL_PUB_KEY_ SSL certificate public key is too big Error
TOO_BIG for SSL offloading
45033 LOG_ID_VSD_SSL_NOT_ SSL Compression Methods are not Error
SUPPORT_CM supported
45034 LOG_ID_VSD_SSL_SERVER_ Server Key Exchange hash Error
KEY_HASH_ALGORITHM_ algorithm mismatch
MISMATCH
45035 LOG_ID_VSD_SSL_SERVER_ Server Key Exchange signature Error
KEY_SIGNATURE_ algorithm mismatch
ALGORITHM_MISMATCH
46000 LOG_ID_VIP_REAL_SVR_ENA VIP real server has been enabled Notice
46001 LOG_ID_VIP_REAL_SVR_DISA VIP real server has been disabled Alert
46002 LOG_ID_VIP_REAL_SVR_UP VIP real server is active Notice
46003 LOG_ID_VIP_REAL_SVR_ VIP real server is down Alert
DOWN
122 Log Reference
Fortinet Technologies Inc.
System Event Log
Message Message Description Severity
ID
46004 LOG_ID_VIP_REAL_SVR_ VIP real server has started hold- Notice
ENT_HOLDDOWN down period
46005 LOG_ID_VIP_REAL_SVR_ VIP real server has failed during Alert
FAIL_HOLDDOWN hold-down period
46006 LOG_ID_VIP_REAL_SVR_FAIL Health monitor has detected VIP Debug
real server health problem
46400 LOG_ID_EVENT_EXT_SYS FortiExtender system activity Unknown
46401 LOG_ID_EVENT_EXT_LOCAL FortiExtender AC activity Unknown
46402 LOG_ID_EVENT_EXT_ Remote FortiExtender activity Unknown
REMOTE
47201 LOG_ID_AMC_ENTER_ AMC card entered bypass mode Emergency
BYPASS
47202 LOG_ID_AMC_EXIT_BYPASS AMC card exited bypass mode Emergency
47203 LOG_ID_ENTER_BYPASS Bypass ports pair entered bypass Emergency
mode
47204 LOG_ID_EXIT_BYPASS Bypass ports pair exited bypass Emergency
mode
Log Reference 123
Fortinet Technologies Inc.
User
Event-User log messages record what users are configuring on the FortiGate unit and what is occurring on the FortiGate unit, for example that memory storage is becoming full.
In the log fields, these logs are defined as: type=event; subtype=user.
Log Field Name | Log Field Description | Data Type | Length | Value
acct_stat | The accounting state (RADIUS). | String | 14 | Accounting-Off, Accounting-On, Interim-Update, start, stop
action | The action the FortiGate unit should take for this policy. | String | 32 |
adgroup | The Active Directory group name. | String | 128 |
authproto | The protocol that initiated the authentication. | String | 64 |
carrier_ep | The FortiOS Carrier end-point identification. | String | 64 |
category | The log category. | UINT32 | 10 |
count | | UINT32 | 10 |
date | The date the log event was generated on the device. | String | 10 |
devid | The device serial number. | String | 16 |
dstip | The destination IP address. | IP Address | 39 |
duration | The duration of the interval for item counts (such as infected, scanned, etc.) in this log entry. | UINT32 | 10 |
expiry | The FortiGuard override expiry timestamp. | String | 64 |
group | The user name group. | String | 64 |
initiator | The original login user name for FortiGuard override. | String | 64 |
level | The log priority level. | String | 11 |
logdesc | The log description. | String | |
logid | A ten-digit number. The first two digits represent the log type and the following two digits represent the log subtype. The last one to five digits are the message id. | String | 10 |
msg | The activity or event that the FortiGate unit recorded. | String | |
oldwprof | The old Web Filter profile. | String | 64 |
policyid | The policy ID that triggered this log. | UINT32 | 10 |
poolname | The pool name. | String | 36 |
portbegin | | UINT16 | 5 |
portend | | UINT16 | 5 |
proto | The protocol name. | UINT8 | 3 |
reason | The reason why the log was recorded. | String | 256 |
rsso_key | | String | 64 |
scope | | String | 16 |
server | | String | 64 |
srcip | The source IP address. | IP Address | 39 |
status | The status of the action the FortiGate unit took when the event occurred. | String | 23 |
subtype | The subtype of the log message. The possible values of this field depend on the log type. | String | 20 |
time | The time stamp of the event. | String | 8 |
type | The log type. | String | 16 |
ui | The user interface. | String | 64 |
user | The name of the user creating the traffic. | String | 256 |
vd | The virtual domain name. | String | 32 |
User Log Messages
The following table describes the log message IDs and messages of the User log.
Message ID | Message | Description | Severity
38010 | LOG_ID_FIPS_ENCRY_FAIL | FIPS CC encryption failed | Alert
38011 | LOG_ID_FIPS_DECRY_FAIL | FIPS CC decryption failed | Alert
38031 | LOG_ID_FSSO_LOGON | FSSO logon authentication status | Notice
38032 | LOG_ID_FSSO_LOGOFF | FSSO logoff authentication status | Notice
38033 | LOG_ID_FSSO_SVR_STATUS | FSSO Active Directory server authentication status | Notice
38656 | LOGID_EVENT_RAD_RPT_PROTO_ERROR | RADIUS protocol/profile error missing packet | Notice
38657 | LOGID_EVENT_RAD_RPT_PROF_NOT_FOUND | RADIUS protocol/profile not found | Notice
38658 | LOGID_EVENT_RAD_RPT_CTX_NOT_FOUND | RADIUS protocol/profile CTX not found | Notice
38659 | LOGID_EVENT_RAD_RPT_ACCT_STOP_MISSED | RADIUS protocol/profile account stopped | Notice
38660 | LOGID_EVENT_RAD_RPT_ACCT_EVENT | RADIUS protocol/profile error missing stop packet | Notice
38661 | LOGID_EVENT_RAD_RPT_OTHER | RADIUS protocol/profile error, missing stop packet, accounting or other report | Notice
38662 | LOGID_EVENT_RAD_STAT_PROTO_ERROR | RADIUS protocol errors | Notice
38663 | LOGID_EVENT_RAD_STAT_PROF_NOT_FOUND | RADIUS start or interim-update packet received with missing or invalid profile specified | Notice
38665 | LOGID_EVENT_RAD_STAT_ACCT_STOP_MISSED | RADIUS stop packet was missed | Notice
38666 | LOGID_EVENT_RAD_STAT_ACCT_EVENT | RADIUS accounting event | Notice
38667 | LOGID_EVENT_RAD_STAT_OTHER | RADIUS other accounting event | Notice
38668 | LOGID_EVENT_RAD_STAT_EP_BLK | RADIUS endpoint block event | Notice
43011 | LOG_ID_EVENT_AUTH_TIME_OUT | Authentication timed out | Notice
43012 | LOG_ID_EVENT_AUTH_FSAE_AUTH_SUCCESS | FSSO authentication successful | Notice
43013 | LOG_ID_EVENT_AUTH_FSAE_AUTH_FAIL | FSSO authentication failed | Notice
43014 | LOG_ID_EVENT_AUTH_FSAE_LOGON | FSSO logon authentication status | Notice
43015 | LOG_ID_EVENT_AUTH_FSAE_LOGOFF | FSSO logoff authentication status | Notice
43016 | LOG_ID_EVENT_AUTH_NTLM_AUTH_SUCCESS | NTLM authentication successful | Notice
43017 | LOG_ID_EVENT_AUTH_NTLM_AUTH_FAIL | NTLM authentication failed | Notice
43018 | LOG_ID_EVENT_AUTH_FGOVRD_FAIL | FortiGuard override failed | Warning
43020 | LOG_ID_EVENT_AUTH_FGOVRD_SUCCESS | FortiGuard override successful | Notice
43025 | LOG_ID_EVENT_AUTH_PROXY_SUCCESS | WAD authentication HTTP proxy successful | Notice
43026 | LOG_ID_EVENT_AUTH_PROXY_FAILED | WAD authentication FTP proxy failed | Notice
43027 | LOG_ID_EVENT_AUTH_PROXY_TIME_OUT | WAD authentication proxy timed out | Notice
43028 | LOG_ID_EVENT_AUTH_PROXY_AUTHORIZATION_FAILED | WAD authentication HTTP proxy authorization failed | Notice
43029 | LOG_ID_EVENT_AUTH_WARNING_SUCCESS | FortiGuard authentication override successful | Notice
43030 | LOG_ID_EVENT_AUTH_WARNING_TBL_FULL | FortiGuard authentication override failed | Warning
43040 | LOG_ID_EVENT_AUTH_LOGOUT | FortiGuard authentication status | Notice
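As an added example (not Fortinet's code and not part of this reference), the following Python parses FortiOS key=value event log lines, splits the ten-digit logid into log type, subtype and message id exactly as the logid field description above lays it out, looks the message id up in a subset of the System and User message tables on this page, and returns the findings a defender would act on (Critical-or-worse events, unknown ids, repeated failed administrator logins). The sample log lines, user names and addresses are constructed, and the type/subtype digits in them are placeholders, since the real codes are defined in the Log ID Definitions section rather than here.

```python
"""Parse FortiOS 5.2 event log lines and decode the logid field (added example)."""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional, Tuple

# Subset of the System and User event message tables on this page:
# message id -> (message name, description, severity).
MESSAGES: Dict[int, Tuple[str, str, str]] = {
    32001: ("LOG_ID_ADMIN_LOGIN_SUCC", "Administrator logged in successfully", "Information"),
    32002: ("LOG_ID_ADMIN_LOGIN_FAIL", "Failed administrator login attempt", "Alert"),
    32021: ("LOG_ID_ADMIN_LOGIN_DISABLE", "Administrator login is disabled", "Alert"),
    32138: ("LOG_ID_REBOOT", "Device rebooted", "Critical"),
    32252: ("LOG_ID_FACTORY_RESET", "An administrator reset factory settings", "Critical"),
    32400: ("LOG_ID_CONF_CHG", "Configuration has changed", "Alert"),
    43016: ("LOG_ID_EVENT_AUTH_NTLM_AUTH_SUCCESS", "NTLM authentication successful", "Notice"),
    43017: ("LOG_ID_EVENT_AUTH_NTLM_AUTH_FAIL", "NTLM authentication failed", "Notice"),
}

# Severity names used by this reference, in standard syslog order (most severe first).
SEVERITY_RANK = {name: rank for rank, name in enumerate(
    ["Emergency", "Alert", "Critical", "Error", "Warning", "Notice", "Information", "Debug"])}

# One key=value pair; the value is either double-quoted (may contain spaces) or bare.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


class LogId(NamedTuple):
    log_type: int    # first two digits of logid
    subtype: int     # next two digits
    message_id: int  # remaining digits (one to five significant digits)


def parse_line(line: str) -> Dict[str, str]:
    """Split one FortiOS log line into a field dict, stripping quotes from values."""
    fields: Dict[str, str] = {}
    for key, value in _KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def decode_logid(logid: str) -> LogId:
    """Split the ten-digit logid into type, subtype and message id (layout from the logid field)."""
    if len(logid) != 10 or not logid.isdigit():
        raise ValueError(f"logid must be exactly ten digits: {logid!r}")
    return LogId(int(logid[0:2]), int(logid[2:4]), int(logid[4:]))


def describe(record: Dict[str, str]) -> Optional[Tuple[str, str, str]]:
    """Look the record's message id up in MESSAGES; None when the id is not in the subset."""
    return MESSAGES.get(decode_logid(record["logid"]).message_id)


def triage(lines: List[str], fail_threshold: int = 3) -> List[str]:
    """Return the findings a defender would act on, in input order:
    - events the table rates Critical or more severe (Alert, Emergency),
    - lines that cannot be decoded or whose message id is not in the table,
    - and, last, any 'ui' value with fail_threshold or more failed admin logins (32002).
    """
    findings: List[str] = []
    failed_by_ui: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        try:
            lid = decode_logid(rec.get("logid", ""))
        except ValueError as exc:
            findings.append(f"undecodable line: {exc}")
            continue
        entry = MESSAGES.get(lid.message_id)
        if entry is None:
            findings.append(f"message id {lid.message_id} not in table")
            continue
        _name, desc, severity = entry
        if SEVERITY_RANK[severity] <= SEVERITY_RANK["Critical"]:
            findings.append(f"{severity}: {desc} (user={rec.get('user', '?')}, ui={rec.get('ui', '?')})")
        if lid.message_id == 32002:
            failed_by_ui[rec.get("ui", "?")] += 1
    for ui, count in failed_by_ui.items():
        if count >= fail_threshold:
            findings.append(f"{count} failed admin logins from {ui}")
    return findings


def _sample(logid: str, level: str, msg: str, ui: str = "ssh(192.0.2.10)") -> str:
    """Build a constructed sample line in the reference's key=value layout (placeholder values)."""
    return (f"date=2015-08-25 time=10:01:02 logid={logid} type=event level={level} vd=root "
            f'user="admin" ui={ui} msg="{msg}"')


# Constructed sample input, not captured from a device; the type/subtype digits of each
# logid are placeholders (the real codes are given in the Log ID Definitions section).
SAMPLE_LINES = [
    _sample("0100032002", "alert", "Administrator admin login failed from ssh(192.0.2.10)"),
    _sample("0100032002", "alert", "Administrator admin login failed from ssh(192.0.2.10)"),
    _sample("0100032002", "alert", "Administrator admin login failed from ssh(192.0.2.10)"),
    _sample("0100032001", "information", "Administrator admin logged in successfully"),
    _sample("0100032252", "critical", "Administrator admin reset factory settings"),
    _sample("0102043017", "notice", "NTLM authentication failed", ui="http(198.51.100.7)"),
    _sample("0100032009", "information", "FortiGate started"),
    "garbage line without a logid",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LINES):
        print(finding)
```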
VPN
Event-VPN log messages record VPN user, administration and session events.
In the log fields, these logs are defined as: type=event; subtype=vpn.
Log Field Name | Log Field Description | Data Type | Length | Value
action | The action the FortiGate unit should take for this firewall policy. | String | 32 |
assignip | The assigned IP address. | IP Address | 39 |
cert-type | The certification type. | String | 6 | CA, CRL, Local, Remote
cookies | The cookies stored during the log event. | String | 64 |
date | The date the log event was generated on the device. | String | 10 |
devid | The serial number of the device. | String | 16 |
dir | The direction (inbound or outbound) of packets. | String | 8 |
dst_host | The destination host name. | String | 64 |
duration | The duration of the interval for item counts (such as infected, scanned, etc.) in this log entry. | UINT32 | 10 |
error_num | The error number. | UINT | 32 |
espauth | The ESP authentication. | String | 17 | HMAC_SHA1, HMAC_MD5, HMAC_SHA256
esptransform | The ESP transform value. | String | 8 | ESP_NULL, ESP_DES, ESP_3DES, ESP_AES
exch | The exchange name. | String | 12 | NSA_INIT, AUTH, CREATE_CHILD
group | The user name group. | String | 64 |
in_spi | The remote SPI in IPsec VPN configuration. | String | 16 |
init | The interface name. | String | 6 | local, remote
level | The log priority level. | String | 11 |
locip | The local IP address. | IP Address | 39 |
locport | The local port. | UINT16 | 5 |
logdesc | The log description. | String | |
logid | A ten-digit number. The first two digits represent the log type and the following two digits represent the log subtype. The last one to five digits are the message id. | String | 10 |
method | The HTTP method. | String | 64 | IP, Domain
mode | The mode. | String | 12 | aggressive, main, quick, xauth, xauth_client
msg | The activity or event that the FortiGate unit recorded. | String | |
name | | String | 128 |
nextstat | The time interval in seconds for the next statistics. | UINT32 | 10 |
out_spi | The local SPI in IPsec VPN configuration. | String | 16 |
outintf | The out interface. | String | 32 |
peer_notif | The peer notification. | String | 25 | NOT-APPLICABLE, INVALID-PAYLOAD-TYPE, DOI-NOT-SUPPORTED, SITUATION-NOT-SUPPORTED, INVALID-COOKIE, INVALID-MAJOR-VERSION, INVALID-MINOR-VERSION, INVALID-EXCHANGE-TYPE, INVALID-FLAGS, INVALID-MESSAGE-ID, INVALID-PROTOCOL-ID, INVALID-SPI, INVALID-TRANSFORM-ID, ATTRIBUTES-NOT-SUPPORTED, NO-PROPOSAL-CHOSEN, BAD-PROPOSAL-SYNTAX, PAYLOAD-MALFORMED, INVALID-KEY-INFORMATION, INVALID-ID-INFORMATION, INVALID-CERT-ENCODING, INVALID-CERTIFICATE, BAD-CERT-REQUEST-SYNTAX, INVALID-CERT-AUTHORITY, INVALID-HASH-INFORMATION, AUTHENTICATION-FAILED, INVALID-SIGNATURE, ADDRESS-NOTIFICATION, NOTIFY-SA-LIFETIME, CERTIFICATE-UNAVAILABLE, UNSUPPORTED-EXCHANGE-TYPE, UNEQUAL-PAYLOAD-LENGTHS, CONNECTED, RESPONDER-LIFETIME, REPLAY-STATUS, INITIAL-CONTACT, R-U-THERE
phase2_name | The IPsec VPN Phase 2 name. | String | 128 |
rcvdbyte | The number of bytes received. | UINT64 | 20 |
reason | The reason this log was generated. | String | 256 |
remip | The remote IP address. | IP Address | 39 |
remport | The remote port. | UINT16 | 5 |
result | The result of the message. | String | 31 | ERROR, OK, DONE, PENDING
role | | String | 9 |
sentbyte | The number of bytes sent. | UINT64 | 20 |
seq | The sequence number. | String | 16 |
spi | The IPsec VPN SPI. | String | 16 |
stage | | UINT8 | 3 |
status | | String | 23 |
subtype | The subtype of the log message. The possible values of this field depend on the log type. | String | 20 |
time | The time stamp of the event. | String | 8 |
tunnelid | The tunnel ID. | UINT32 | 10 |
tunnelip | The tunnel IP address. | IP Address | 39 |
tunneltype | The tunnel type. | String | 64 |
type | The log type. | String | 16 |
ui | The user interface. | String | 64 |
user | The name of the user creating the traffic. | String | 256 |
vd | The virtual domain name. | String | 32 |
vpntunnel | The IPsec VPN tunnel name. | String | 128 |
xauthgroup | The xauth group name. | String | 128 |
xauthuser | The xauth user. | String | 128 |
VPN Log Messages
The following table describes the log message IDs and messages of the VPN log.
Message ID | Message | Description | Severity
37120 | MESGID_NEG_GENERIC_P1_NOTIF | | Unknown
37121 | MESGID_NEG_GENERIC_P1_ERROR | | Unknown
37122 | MESGID_NEG_GENERIC_P2_NOTIF | | Unknown
37123 | MESGID_NEG_GENERIC_P2_ERROR | | Unknown
37124 | MESGID_NEG_I_P1_ERROR | IPsec phase 1 error | Error
37125 | MESGID_NEG_I_P2_ERROR | IPsec phase 2 error | Error
37126 | MESGID_NEG_NO_STATE_ERROR | IPsec no state error | Error
37127 | MESGID_NEG_PROGRESS_P1_NOTIF | | Unknown
37128 | MESGID_NEG_PROGRESS_P1_ERROR | | Unknown
37129 | MESGID_NEG_PROGRESS_P2_NOTIF | | Unknown
37130 | MESGID_NEG_PROGRESS_P2_ERROR | | Unknown
37131 | MESGID_ESP_ERROR | | Unknown
37132 | MESGID_ESP_CRITICAL | | Unknown
37133 | MESGID_INSTALL_SA | Installed IPsec SA | Notice
37134 | MESGID_DELETE_P1_SA | Deleted IPsec phase 1 SA | Notice
37135 | MESGID_DELETE_P2_SA | Deleted IPsec phase 2 SA | Notice
37136 | MESGID_DPD_FAILURE | IPsec DPD failed | Error
37137 | MESGID_CONN_FAILURE | IPsec connection failed | Error
37138 | MESGID_CONN_UPDOWN | IPsec connection status changed | Notice
37139 | MESGID_P2_UPDOWN | IPsec phase 2 status changed | Notice
37140 | MESGID_AUTO_IPSEC | Auto IPsec status | Notice
37141 | MESGID_CONN_STATS | IPsec tunnel statistics | Notice
37184 | MESGID_NEG_GENERIC_P1_NOTIF_IKEV2 | | Unknown
37185 | MESGID_NEG_GENERIC_P1_ERROR_IKEV2 | | Unknown
37186 | MESGID_NEG_GENERIC_P2_NOTIF_IKEV2 | | Unknown
37187 | MESGID_NEG_GENERIC_P2_ERROR_IKEV2 | | Unknown
37188 | MESGID_NEG_I_P1_ERROR_IKEV2 | IPsec phase 1 error | Error
37189 | MESGID_NEG_I_P2_ERROR_IKEV2 | IPsec phase 2 error | Error
37190 | MESGID_NEG_NO_STATE_ERROR_IKEV2 | IPsec no state error | Error
37191 | MESGID_NEG_PROGRESS_P1_NOTIF_IKEV2 | | Unknown
37192 | MESGID_NEG_PROGRESS_P1_ERROR_IKEV2 | | Unknown
37193 | MESGID_NEG_PROGRESS_P2_NOTIF_IKEV2 | | Unknown
37194 | MESGID_NEG_PROGRESS_P2_ERROR_IKEV2 | | Unknown
37195 | MESGID_ESP_ERROR_IKEV2 | | Unknown
37196 | MESGID_ESP_CRITICAL_IKEV2 | | Unknown
37197 | MESGID_INSTALL_SA_IKEV2 | Installed IPsec SA | Notice
37198 | MESGID_DELETE_P1_SA_IKEV2 | Deleted IPsec phase 1 SA | Notice
37199 | MESGID_DELETE_P2_SA_IKEV2 | Deleted IPsec phase 2 SA | Notice
37200 | MESGID_DPD_FAILURE_IKEV2 | IPsec DPD failed | Error
37201 | MESGID_CONN_FAILURE_IKEV2 | IPsec connection failed | Error
37202 | MESGID_CONN_UPDOWN_IKEV2 | IPsec connection status changed | Notice
37203 | MESGID_P2_UPDOWN_IKEV2 | IPsec phase 2 status changed | Notice
37204 | MESGID_CONN_STATS_IKEV2 | IPsec tunnel statistics | Notice
39424 | LOG_ID_EVENT_SSL_VPN_USER_TUNNEL_UP | | Unknown
39425 | LOG_ID_EVENT_SSL_VPN_USER_TUNNEL_DOWN | | Unknown
39426 | LOG_ID_EVENT_SSL_VPN_USER_SSL_LOGIN_FAIL | | Unknown
39936 | LOG_ID_EVENT_SSL_VPN_SESSION_WEB_TUNNEL_STATS | | Unknown
39937 | LOG_ID_EVENT_SSL_VPN_SESSION_WEBAPP_DENY | | Unknown
39938 | LOG_ID_EVENT_SSL_VPN_SESSION_WEBAPP_PASS | | Unknown
39939 | LOG_ID_EVENT_SSL_VPN_SESSION_WEBAPP_TIMEOUT | | Unknown
39940 | LOG_ID_EVENT_SSL_VPN_SESSION_WEBAPP_CLOSE | | Unknown
39941 | LOG_ID_EVENT_SSL_VPN_SESSION_SYS_BUSY | | Unknown
39942 | LOG_ID_EVENT_SSL_VPN_SESSION_CERT_OK | | Unknown
39943 | LOG_ID_EVENT_SSL_VPN_SESSION_NEW_CON | | Unknown
39944 | LOG_ID_EVENT_SSL_VPN_SESSION_ALERT | | Unknown
39945 | LOG_ID_EVENT_SSL_VPN_SESSION_EXIT_FAIL | | Unknown
39946 | LOG_ID_EVENT_SSL_VPN_SESSION_EXIT_ERR | | Unknown
39947 | LOG_ID_EVENT_SSL_VPN_SESSION_TUNNEL_UP | | Unknown
39948 | LOG_ID_EVENT_SSL_VPN_SESSION_TUNNEL_DOWN | | Unknown
39949 | LOG_ID_EVENT_SSL_VPN_SESSION_TUNNEL_STATS | | Unknown
39950 | LOG_ID_EVENT_SSL_VPN_SESSION_TUNNEL_UNKNOWNTAG | | Unknown
39951 | LOG_ID_EVENT_SSL_VPN_SESSION_TUNNEL_ERROR | | Unknown
39952 | LOG_ID_EVENT_SSL_VPN_SESSION_ENTER_CONSERVE_MODE | | Unknown
39953 | LOG_ID_EVENT_SSL_VPN_SESSION_LEAVE_CONSERVE_MODE | | Unknown
40001 | LOG_ID_PPTP_TUNNEL_UP | PPTP tunnel up | Unknown
40002 | LOG_ID_PPTP_TUNNEL_DOWN | PPTP tunnel down | Unknown
40003 | LOG_ID_PPTP_TUNNEL_STAT | PPTP tunnel status | Unknown
40014 | LOG_ID_PPTP_REACH_MAX_CON | Client connection failed: PPTP connection limit reached | Warning
40016 | LOG_ID_L2TPD_SVR_DISCON | L2TPD service is disconnected | Warning
40017 | LOG_ID_L2TPD_CLIENT_CON_FAIL | L2TP client connection failed | Warning
40019 | LOG_ID_L2TPD_CLIENT_DISCON | L2TP client is disconnected | Information
40021 | LOG_ID_PPTP_NOT_CONIG | PPTP is not configured in this VDOM | Debug
40022 | LOG_ID_PPTP_NO_IP_AVAIL | No IP addresses left to assign in this VDOM | Warning
40024 | LOG_ID_PPTP_OUT_MEM | Not enough memory | Warning
40034 | LOG_ID_PPTP_START | PPTPD started successfully | Notice
40035 | LOG_ID_PPTP_START_FAIL | PPTPD failed to start | Error
40036 | LOG_ID_PPTP_EXIT | PPTPD exited successfully | Notice
40037 | LOG_ID_PPTPD_SVR_DISCON | PPTPD service is disconnected | Information
40038 | LOG_ID_PPTPD_CLIENT_CON | PPTPD client is connected | Information
40039 | LOG_ID_PPTPD_CLIENT_DISCON | PPTPD client is disconnected | Information
40101 | LOG_ID_L2TP_TUNNEL_UP | L2TP tunnel is up | Unknown
40102 | LOG_ID_L2TP_TUNNEL_DOWN | L2TP tunnel is down | Unknown
40103 | LOG_ID_L2TP_TUNNEL_STAT | L2TP tunnel status | Unknown
40114 | LOG_ID_L2TPD_START | L2TPD started | Notice
40115 | LOG_ID_L2TPD_EXIT | L2TPD exited | Notice
40118 | LOG_ID_L2TPD_CLIENT_CON | L2TP client is connected | Information
41984 | LOG_ID_EVENT_SSL_VPN_CERT_LOAD | Certificate loaded successfully | Information
41985 | LOG_ID_EVENT_SSL_VPN_CERT_REMOVAL | Certificate is removed | Information
41987 | LOG_ID_EVENT_SSL_VPN_CERT_UPDATE | Certificate is updated | Information
41988 | LOG_ID_EVENT_SSL_VPN_SETTING_UPDATE | SSL setting changed | Information
41989 | LOG_ID_EVENT_SSL_VPN_CERT_ERR | Certificate error | Information
41990 | LOG_ID_EVENT_SSL_VPN_CERT_UPDATE_FAILED | Certificate update failed | Information
WAD
Event-WAD log messages record WAN optimization events, such as a user adding a WAN optimization rule, as well as web proxy events.
In the log fields, these logs are defined as: type=event; subtype=wad.
Log Field Log Field Description Data Type Length Value
Name
action The action the FortiGate String 32
unit should take for this fire-
wall policy.
addr_type The address type. String 4
alert The alert name. String 256
app-type The application type. String 64
authgrp The authenticated group. String 36
date The date the log event was String 10
generated on the device.
desc The description. String 128
devid The serial number of the String 16
device.
dstip The destination IP address. IP Address 39
dstport The destination port number UINT16 5
of the TCP or UDP traffic.
The destination port is zero
for other types of traffic.
fqdn String 256
fwserver_ The firewall server name. String 32
name
handshake The handshake IP address. String 32
143 Log Reference
Fortinet Technologies Inc.
WAD Event Log
Log Field Log Field Description Data Type Length Value
Name
| host | The host IP address. | String | 256 | |
| ip | The IP address. | IP Address | 39 | |
| level | The log priority level. | String | 11 | |
| local | The local IP address. | IP Address | 39 | |
| logdesc | The log description. | String | | |
| logid | A ten-digit number. The first two digits represent the log type and the following two digits represent the log subtype. The last one to five digits are the message id. | String | 10 | |
| msg | The activity or event that the FortiGate unit recorded. | String | | |
| peer | The peer IP address. | String | 36 | |
| policyid | The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero. For more information, see the Knowledge Base article, Firewall policy=0. | UINT32 | 10 | |
| port | The port scanned. | UINT16 | 5 | |
| reason | The reason the log event was generated. | String | 256 | |
| remote | The remote IP address. | IP Address | 39 | |
| serial | The serial number of the log message. | UINT32 | 10 | |
| session_id | The session ID. | UINT32 | 10 | |
| srcip | The source IP address. | IP Address | 39 | |
| srcport | The source port of the TCP or UDP traffic. The source port is zero for other types of traffic. | UINT16 | 5 | |
| subtype | The subtype of the log message. The possible values of this field depend on the log type. | String | 20 | |
| time | The time stamp of the event. | String | 8 | |
| type | The log type. | String | 16 | |
| vd | The virtual domain name. | String | 32 | |
WAD Log Messages
The following table describes the log message IDs and messages of the WAD log.
| Message ID | Message | Description | Severity |
|---|---|---|---|
| 40960 | LOGID_EVENT_WAD_WEBPROXY_FWD_SRV_ERROR | Web proxy forward server error | Notice |
| 48000 | LOG_ID_WAD_SSL_RCV_HS | SSL handshake received | Debug |
| 48001 | LOG_ID_WAD_SSL_RCV_WRG_HS | SSL handshake has invalid length | Error |
| 48002 | LOG_ID_WAD_SSL_SENT_HS | SSL handshake sent | Debug |
| 48003 | LOG_ID_WAD_SSL_WRG_HS_LEN | SSL handshake message has an invalid length | Error |
| 48004 | LOG_ID_WAD_SSL_RCV_CCS | SSL ChangeCipherSpec received | Debug |
| 48005 | LOG_ID_WAD_SSL_RSA_DH_FAIL | RSA verification of Diffie-Hellman parameters failed | Error |
| 48006 | LOG_ID_WAD_SSL_SENT_CCS | SSL ChangeCipherSpec sent | Debug |
| 48007 | LOG_ID_WAD_SSL_BAD_HASH | Hash in SSL finished does not match calculated hash | Error |
| 48009 | LOG_ID_WAD_SSL_DECRY_FAIL | SSL decryption failed | Error |
| 48011 | LOG_ID_WAD_SSL_LESS_MINOR | SSL minor version is less than configured minimum value | Error |
| 48013 | LOG_ID_WAD_SSL_NOT_SUPPORT_CS | SSL Cipher Suites offered are not supported | Error |
| 48016 | LOG_ID_WAD_SSL_HS_FIN | SSL handshake completed | Debug |
| 48017 | LOG_ID_WAD_SSL_HS_TOO_LONG | SSL handshake too long | Error |
| 48019 | LOG_ID_WAD_SSL_SENT_ALERT | SSL alert sent | Error, Debug |
| 48023 | LOG_ID_WAD_SSL_RCV_ALERT | SSL alert received | Error, Debug |
| 48027 | LOG_ID_WAD_SSL_INVALID_CONT_TYPE | Invalid SSL content type | Error |
| 48029 | LOG_ID_WAD_SSL_BAD_CCS_LEN | SSL ChangeCipherSpec has an invalid length | Error |
| 48031 | LOG_ID_WAD_SSL_BAD_DH | SSL Diffie-Hellman has an incorrect value | Error |
| 48032 | LOG_ID_WAD_SSL_PUB_KEY_TOO_BIG | Certificate's public key too long | Error |
| 48100 | LOG_ID_WAD_AUTH_FAIL_CERT | WANOpt peer certificate authentication failed | Error |
| 48101 | LOG_ID_WAD_AUTH_FAIL_PSK | WANOpt peer PSK authentication failed | Error |
| 48102 | LOG_ID_WAD_AUTH_FAIL_OTH | WANOpt peer authentication failed | Error |
| 48300 | LOG_ID_WRG_SVR_FGT_CONF | WANOpt server side FortiGate is not properly configured | Critical |
| 48301 | LOG_ID_UNEXP_APP_TYPE | Unexpected WANOpt application type | Critical |
Wireless
Event-Wireless log messages record wireless events that occur on FortiGate units that have WiFi capabilities.
In the log fields, these logs are defined as: type=event; subtype=wireless.
| Log Field Name | Log Field Description | Data Type | Length | Value |
|---|---|---|---|---|
| action | The action the FortiGate unit should take for this firewall policy. | String | 32 | |
| age | The time in seconds since last seen. | UINT32 | 10 | |
| ap | The physical access point name. | String | 36 | |
| apscan | The name of the access point which scanned and detected the rogue access point. | String | 36 | |
| apstatus | The status of the access point. | UINT8 | 3 | |
| aptype | The access point type. | UINT8 | 3 | |
| bssid | The service set ID. | String | 17 | |
| cfgtxpower | The Config TX power. | UINT32 | 10 | |
| channel | The channel number. | UINT8 | 3 | |
| configcountry | The Config Country name. | String | 4 | |
| date | The date the log event was generated on the device. | String | 10 | |
| detectionmethod | The detection method. | String | 21 | |
| devid | The serial number of the device. | String | 16 | |
| ds | The direction with distribution system. | String | 8 | |
| duration | The duration of the interval for item counts (such as infected, scanned, etc.) in this log entry. | UINT32 | 10 | |
| eapolcnt | The EAPOL packet count. | UINT32 | 10 | |
| eapoltype | The EAPOL packet type. | String | 16 | |
| encrypt | Whether the packet is encrypted or not. | UINT8 | 3 | |
| frametype | The type of frame used in traffic. | String | 32 | |
| group | The user group name. | String | 64 | |
| invalidmac | The MAC address with invalid OUI. | String | 17 | |
| ip | The IP address. | IP Address | 39 | |
| level | The log priority level. | String | 11 | |
| live | The time in seconds. | UINT32 | 10 | |
| logdesc | The log description. | String | | |
| logid | A ten-digit number. The first two digits represent the log type and the following two digits represent the log subtype. The last one to five digits are the message id. | String | 10 | |
| mac | The MAC address. | String | 17 | |
| manuf | The manufacturer name. | String | 20 | |
| meshmode | The mesh mode. | String | 19 | |
| mgmtcnt | The number of unauthorized client flooding management frames. | UINT32 | 10 | |
| msg | The activity or event that the FortiGate unit recorded. | String | | |
| noise | The traffic noise. | INT8 | 4 | |
| onwire | A flag to indicate if the AP is on-wire or not. | String | 3 | |
| opercountry | The operating country. | String | 4 | |
| opertxpower | The operating TX power. | UINT32 | 10 | |
| profile | The application profile. | String | 64 | |
| radioband | The radio band ID. | String | 64 | |
| radioid | The radio signal ID. | UINT8 | 3 | |
| radioidclosest | The radio ID on the AP closest to the rogue AP. | UINT8 | 3 | |
| radioiddetected | The radio ID on the AP which detected the rogue AP. | UINT8 | 3 | |
| rate | The traffic rate. | UINT8 | 3 | |
| reason | The reason for which the log was generated. | String | 256 | |
| rssi | The received signal strength indicator. | UINT8 | 3 | |
| security | The wireless security. | String | 10 | open, wep64, wep128, wpa-psk, wpa-radius, wpa, wpa2, wpa2-auto |
| securitymode | The security mode. | String | 20 | |
| seq | | String | 16 | |
| signal | The traffic signal. | INT8 | 4 | |
| sn | | String | 64 | |
| snclosest | The SN of the access point closest to the rogue access point. | String | 36 | |
| sndetected | The SN of the access point which detected the rogue access point. | String | 36 | |
| snmeshparent | The SN of the mesh parent. | String | 36 | |
| srcip | The source IP address. | IP Address | 39 | |
| ssid | The base service set ID. | String | 33 | |
| stacount | The number of stations/clients. | UINT32 | 10 | |
| stamac | The station/client MAC address. | String | 17 | |
| subtype | The subtype of the log message. The possible values of this field depend on the log type. | String | 20 | |
| tamac | The MAC address of the transmitter; if none, then the receiver. | String | 17 | |
| threattype | The WIDS threat type. | String | 64 | |
| time | The time stamp of the event. | String | 8 | |
| type | The log type. | String | 16 | |
| user | The name of the user creating the traffic. | String | 256 | |
| vap | The virtual access point name. | String | 36 | |
| vd | The virtual domain name. | String | 32 | |
| weakwepiv | The weak WEP initialization vector. | String | 8 | |
Wireless Log Messages
The following table describes the log message IDs and messages of the Wireless log.
| Message ID | Message | Description | Severity |
|---|---|---|---|
| 43520 | LOG_ID_EVENT_WIRELESS_SYS | Wireless system activity | Notice |
| 43521 | LOG_ID_EVENT_WIRELESS_ROGUE | Wireless rogue AP activity | Unknown |
| 43522 | LOG_ID_EVENT_WIRELESS_WTP | Physical AP activity | Notice |
| 43524 | LOG_ID_EVENT_WIRELESS_STA | Wireless client activity | Notice |
| 43525 | LOG_ID_EVENT_WIRELESS_ONWIRE | Wireless rogue AP activity | Unknown |
| 43526 | LOG_ID_EVENT_WIRELESS_WTPR | Physical AP radio activity | Notice, Unknown |
| 43527 | LOG_ID_EVENT_WIRELESS_ROGUE_CFG | Wireless rogue AP status configured | Notice |
| 43528 | LOG_ID_EVENT_WIRELESS_WTPR_ERROR | Physical AP radio activity | Unknown |
| 43529 | LOG_ID_EVENT_WIRELESS_CLB | Wireless client load balancing | Notice |
| 43530 | LOG_ID_EVENT_WIRELESS_WIDS_WL_BRIDGE | Wireless bridge intrusion detected | Notice |
| 43531 | LOG_ID_EVENT_WIRELESS_WIDS_BR_DEAUTH | Wireless broadcasting deauthentication detected | Notice |
| 43532 | LOG_ID_EVENT_WIRELESS_WIDS_NL_PBRESP | Wireless Null SSID Probe Response detected | Notice |
| 43533 | LOG_ID_EVENT_WIRELESS_WIDS_MAC_OUI | Wireless Invalid MAC OUI detected | Notice |
| 43534 | LOG_ID_EVENT_WIRELESS_WIDS_LONG_DUR | Wireless Long Duration Attack detected | Notice |
| 43535 | LOG_ID_EVENT_WIRELESS_WIDS_WEP_IV | Wireless Weak WEP IV detected | Notice |
| 43542 | LOG_ID_EVENT_WIRELESS_WIDS_EAPOL_FLOOD | Wireless EAPOL Packet Flooding detected | Notice |
| 43544 | LOG_ID_EVENT_WIRELESS_WIDS_MGMT_FLOOD | Wireless Management Flooding detected | Notice |
| 43546 | LOG_ID_EVENT_WIRELESS_WIDS_SPOOF_DEAUTH | Wireless Spoofed deauthentication detected | Notice |
| 43548 | LOG_ID_EVENT_WIRELESS_WIDS_ASLEAP | Wireless ASLEAP Attack detected | Notice |
| 43550 | LOG_ID_EVENT_WIRELESS_STA_LOCATE | Wireless station presence detection | Notice |
Other Logs
VOIP
VOIP log messages record VOIP activities that include the SIP and SCCP protocols.
| Log Field Name | Log Field Description | Data Type | Length | Value |
|---|---|---|---|---|
| action | The action the FortiGate unit should take for the event. | String | 15 | |
| call_id | | String | 64 | |
| column | | UINT32 | 10 | |
| count | | UINT32 | 10 | |
| date | The date the log event was generated on the device. | String | 10 | |
| devid | The device serial number. | String | 16 | |
| dir | | String | 8 | |
| dst_int | The destination interface. | String | 16 | |
| dst_port | The destination port. | UINT16 | 5 | |
| dstip | The destination IP address. | IP Address | 39 | |
| duration | | UINT32 | 10 | |
| endpoint | | String | 128 | |
| epoch | | UINT32 | 10 | |
| event_id | The event ID. | UINT32 | 10 | |
| eventtype | The event type. | String | 32 | |
| from | | String | 128 | |
| group | The user group name. | String | 64 | |
| kind | | String | 10 | |
| level | The log priority level. | String | 11 | |
| line | | String | 64 | |
| logid | A ten-digit number. The first two digits represent the log type and the following two digits represent the log subtype. The last one to five digits are the message id. | String | 10 | |
| malform_data | | UINT32 | 10 | |
| malform_desc | | String | 47 | |
| message_type | The type of message that the FortiGate unit recorded. | String | 16 | |
| phone | | String | 64 | |
| policy_id | The policy ID. | UINT32 | 10 | |
| profile | The profile name. | String | 64 | |
| profile_group | The profile group. | String | 64 | |
| profile_type | The profile type. | String | 64 | |
| proto | The protocol name. | UINT8 | 3 | |
| reason | The reason why the log was recorded. | String | 128 | |
| request_name | | String | 64 | |
| session_id | The session ID. | UINT32 | 10 | |
| src_int | The source interface. | String | 16 | |
| src_port | The source port. | UINT16 | 5 | |
| srcip | The source IP address. | IP Address | 39 | |
| status | The status of the action the FortiGate unit took when the event occurred. | String | 23 | |
| subtype | The subtype of the log message. The possible values of this field depend on the log type. | String | 20 | |
| time | The time stamp of the event. | String | 8 | |
| to | | String | 512 | |
| type | The log type. | String | 16 | |
| user | The name of the user creating the traffic. | String | 256 | |
| vd | The virtual domain name. | String | 32 | |
| voip_proto | The VOIP protocol. | String | 4 | |
VOIP Log Messages
The following table describes the log message IDs and messages of the VOIP log.
| Message ID | Message | Severity |
|---|---|---|
| 44032 | LOGID_EVENT_VOIP_SIP | Information |
| 44033 | LOGID_EVENT_VOIP_SIP_BLOCK | Notice |
| 44034 | LOGID_EVENT_VOIP_SIP_FUZZING | Information |
| 44035 | LOGID_EVENT_VOIP_SCCP_REGISTER | Information |
| 44037 | LOGID_EVENT_VOIP_SCCP_CALL_BLOCK | Information |
| 44038 | LOGID_EVENT_VOIP_SCCP_CALL_INFO | Information |
NetScan
NetScan logs record network scanning activities performed by the FortiGate unit.
| Log Field Name | Log Field Description | Data Type | Length | Value |
|---|---|---|---|---|
| action | The action the FortiGate unit should take for this event. | String | 17 | host-detection, os-scan, port-detection, scan, service-detection, vuln-count, vuln-detection |
| agent | | String | 64 | |
| assetid | The asset ID. | UINT32 | 10 | |
| assetname | The asset name. | String | 64 | |
| date | The date the log event was generated on the device. | String | 10 | |
| devid | The device serial ID. | String | 16 | |
| direction | The direction of the packets. | UINT32 | 10 | |
| dstintf | The destination interface. | String | 32 | |
| dstip | The destination IP address. | IP Address | 39 | |
| dstname | The destination name. | String | 64 | |
| dstport | The destination port. | UINT16 | 5 | |
| end | | UINT32 | 10 | |
| engine | | String | 32 | |
| eventtype | The event type. | String | 32 | |
| group | The user group name. | String | 64 | |
| level | The log priority level. | String | 11 | |
| logid | A ten-digit number. The first two digits represent the log type and the following two digits represent the log subtype. The last one to five digits are the message id. | String | 10 | |
| method | | String | 4 | ARP, ICMP, TCP, UDP |
| msg | The activity or event that the FortiGate unit recorded. | String | | |
| os | The software version. | String | | |
| osfamily | | String | 64 | |
| osgen | | String | 64 | |
| osvendor | The operating system vendor. | String | 64 | |
| plugin | | String | 32 | |
| policyid | The policy ID. | UINT32 | 10 | |
| profile | The profile name. | String | 64 | |
| profilegroup | The profile group. | String | 4 | |
| proto | The protocol name. | String | 3 | tcp, udp |
| serial | The serial number of the log message. | UINT32 | 10 | |
| service | The service name. | String | 64 | |
| severity | | String | 8 | critical, high, info, low, medium |
| srcintf | The source interface. | String | 32 | |
| srcip | The source IP address. | IP Address | 39 | |
| srcname | The source name. | String | 64 | |
| srcport | The source port. | UINT16 | 5 | |
| start | | UINT32 | 10 | |
| status | The status of the action the FortiGate unit took when the event occurred. | String | 8 | complete, pause, resume, start, stop |
| subtype | The subtype of the log message. The possible values of this field depend on the log type. | String | 20 | |
| time | The time stamp of the event. | String | 8 | |
| type | The log type. | String | 16 | |
| user | The name of the user creating the traffic. | String | 256 | |
| vd | The virtual domain name. | String | 32 | |
| vuln | The vulnerability name. | String | 128 | |
| vulncat | The vulnerability category. | String | 32 | |
| vulncnt | The vulnerability count. | UINT32 | 10 | |
| vulnid | The vulnerability ID. | UINT32 | 10 | |
| vulnref | | String | | |
| vulnscore | The vulnerability score. | String | 128 | |
NetScan Log Messages
The following table describes the log message IDs and messages of the NetScan log.
| Message ID | Message | Severity |
|---|---|---|
| 4096 | LOG_ID_NETSCAN_VULN_SCAN | Notice |
| 4097 | LOG_ID_NETSCAN_DISCOVERY_SCAN | Notice |
| 4098 | LOG_ID_NETSCAN_VULN_DETECT | Notice |
| 4100 | LOG_ID_NETSCAN_SERVICE_DETECT | Notice |
| 4101 | LOG_ID_NETSCAN_VULN_MESSAGE | Notice |
| 4102 | LOG_ID_NETSCAN_DISCOVERY_MESSAGE | Notice |
| 4104 | LOG_ID_NETSCAN_HOST_DETECT | Notice |
| 4105 | LOG_ID_NETSCAN_PORT_DETECT | Notice |
Appendix A: Log field diff - 5.2.2 and 5.2.3
Refer to the FortiOS Log Reference Guide Version 5.2.2 for a complete list of log field details related to version 5.2.2. This section covers changes applicable to the 5.2.3 version only. It is recommended that you keep both the 5.2.2 and 5.2.3 FortiOS Log Reference Guides available for a comparison of the log field delta between the versions.
In the tables below, the term Removed indicates that a log field was removed in version 5.2.3 but exists in version 5.2.2. Similarly, the term Added indicates that a log field was added in version 5.2.3 but does not exist in version 5.2.2.
Security (UTM)
The following tables list the log fields that were added to or removed from the security (UTM) log subtypes in FortiOS version 5.2.3.
Antivirus

| Log Field Name | Changes in Version 5.2.3 |
|---|---|
| dstintf | Added |
| srcintf | Added |

Application

| Log Field Name | Changes in Version 5.2.3 |
|---|---|
| dstintf | Added |
| srcintf | Added |

Anomaly

| Log Field Name | Changes in Version 5.2.3 |
|---|---|
| dstintf | Added |
| srcintf | Added |
DLP

| Log Field Name | Changes in Version 5.2.3 |
|---|---|
| dstintf | Added |
| srcintf | Added |

Email

| Log Field Name | Changes in Version 5.2.3 |
|---|---|
| dstintf | Added |
| srcintf | Added |

IPS

| Log Field Name | Changes in Version 5.2.3 |
|---|---|
| dstintf | Added |
| srcintf | Added |

WebFilter

| Log Field Name | Changes in Version 5.2.3 |
|---|---|
| dstintf | Added |
| srcintf | Added |
Event
The following tables list the log fields that were added to or removed from the event log subtypes in FortiOS version 5.2.3.
Endpoint

| Log Field Name | Changes in Version 5.2.3 |
|---|---|
| dstintf | Added |
| srcintf | Added |

System

| Log Field Name | Changes in Version 5.2.3 |
|---|---|
| dst | Removed |
| dstport | Removed |
| encryption | Added |
| expectedhandshake | Added |
| expectedsignature | Added |
| mac | Added |
| maxminor | Added |
| max-minor | Removed |
| minminor | Added |
| min_minor | Removed |
| recv-minor | Removed |
| recvminor | Added |
Other logs
The following tables list the log fields that were added to or removed from the other log types in FortiOS version 5.2.3.
VOIP

| Log Field Name | Changes in Version 5.2.3 |
|---|---|
| dstintf | Added |
| srcintf | Added |
Copyright© 2017 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and
other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective
owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network
variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet
disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that
expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance
metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal
conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet
reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.