Sophos XG Firewall Web Interface Reference and Admin Guide v16.5
Sophos XG Firewall is a comprehensive network security solution that protects your network from threats, including malware, viruses, and intrusions. It is designed to be easy to use and manage, and offers a wide range of features to help you secure your network.
Data Fields

| Data Field | Type | Description |
| --- | --- | --- |
| timezone | string | Time zone set on the appliance, e.g. IST |
| device_name | string | Model number of the device |
| device_id | string | Serial number of the device |
| deployment_mode | string | Mode in which the appliance is deployed. Possible values: Route, Bridge |
| log_id | | Unique 12 characters code (c1c2c3c4c5c6c7c8c9c10c11), e.g. 0101011, 0102011. c1c2 - Log Type, e.g. 01 for firewall log; c3c4 - Log Component, i.e. firewall/local ACL/DoS Attack etc.; c5c6 - Log Sub Type, i.e. allow/violation; c7 - Priority, e.g. 0 for Emergency; c8c9c10c11 - Message ID, e.g. 00001 for traffic allowed by firewall |
| log_type | string | Type of event, e.g. firewall event |
| log_component | string | Component responsible for logging, e.g. Firewall rule |
| log_subtype | string | Sub type of event |
| priority | string | Severity level of traffic |

System Logs

| Log Component | Message ID | Message |
| --- | --- | --- |
| HA | 60012 | Appliance becomes standalone |
| HA | 60013 | Appliance goes in fault |
| HA | 60014 | Appliance becomes auxiliary |
| HA | 60015 | Appliance becomes primary |
| HA | 60016 | Appliance becomes standalone at appliance start up |
| HA | 60017 | Appliance goes in fault at appliance start up |
| HA | 60018 | Appliance becomes auxiliary at appliance start up |
| HA | 60019 | Appliance becomes primary at appliance start up |
| HA | 17838 | HA was disabled |
| DHCP Server | 60020 | DHCP lease renew |

| Appendix A - Logs | 535
Log Component
Appliance
Interface
Gateway
DDNS
WebCat
AV
IPS
Interface
Dial-In
17817
17920
17819
17922
17921
17820
17821
17822
17905
17943
17944
17813
17814
18036
17815
17923
17924
17931
17932
17933
17934
17941
17942
Message ID
60021
60022
17807
17808
17809
17810
17811
17812
17816
17904
Message
DHCP lease release
DHCP lease expired
CPU usage exceeded the threshold
Physical memory usage exceeded the threshold
SWAP memory usage exceeded the threshold
Config disk usage exceeded the threshold
Signature disk usage exceeded the threshold
Reports disk usage reached the higher threshold
Appliance started successfully
Reserved for OPCODE failure snmp trap (logs will be added later)
Reserved for Service failure snmp trap (logs will be added later)
Scheduled backup was successfully taken (Information)
Failed to send scheduled backup
Fan Speed has decreased below the desirable level
Temperature has increased above the desired level
Report disk usage reached lower than the lower threshold
Report disk usage exceeded the lower threshold
The audit subsystem has successfully shut down.
Fail to send certificate passphrase .
Connectivity to ConnectWise Server has been lost.
Fail to send test mail : <Reason>
Interface UP/Interface Down
Gateway live/ Gateway dead
Up/down gateway detail to SFM
DDNS Update successful/failed
WebCat Database upgraded from <old version> to <new version>
WebCat Database upgrade failed
AV Definitions upgraded from <old version> to <new version>
AV Definitions upgrade failed
IPS Signatures upgrade failed
Primary Link down/Up and link failover/failback to backup/ primary link
Dial-In client connected
Dial-In client disconnected
Log Component
Quarantine
SSL VPN
L2TP
PPTP
IPSec
17840
17841
17842
17843
17844
17832
17833
17834
17835
17836
17936
17937
17803
17804
17805
17806
17801
17802
Message ID
17823
17824
17825
17826
17827
17828
17829
17830
17831
17837
17839
Message
Quarantined email could not be released because <reason>
SSL VPN Connection (Tunnel Access) Established
SSL VPN Connection (Tunnel Access) Terminated
SSL VPN Connection (Web Access) Established
SSL VPN Connection (Web Access) Terminated
SSL VPN Connection (Application Access) Established
SSL VPN Connection (Application Access) Terminated
SSL VPN resource access allowed
SSL VPN resource access denied
User Certificate <certificate_name> was created for user <username>
All User Certificates deleted
L2TP Connection Established
L2TP Connection Terminated
PPTP Connection Established
PPTP Connection Terminated
IPSec Connection Established
IPSec Connection Terminated
Failover group Activation successful. A particular connection/No connection established
Failover successful
Failover failed. Connection will be established on next failback event
Failback successful
Failback failed, revert back to current running connection successful
Failback failed, revert back to current running connection also failed. Connection will be established on next failback event
<connectionname>, activation: Connection activated successfully
<connectionname>, activation: Failed to activate this connection. Reason: <reason>
<connectionname>, activation: Trying to deactivate/initiate/ terminate an inactive connection. Probable DB sync problem
<connectionname>, EST-P1-MM: Response to establishment request from <peeris> peer <peerrequesterip> successful
<connectionname>, EST-P1-MM: Response to establishment request from <peerrequesterip> failed because <reason>
<connectionname>, EST-P1-AM: Responding to establishment request from <peerrequesterip>, state # <state>
| Log Component | Message ID | Message |
| --- | --- | --- |
| IPSec | 17845 | <connectionname>, EST-P1-AM: Response to establishment request from <peerrequesterip> failed because <reason> |
| IPSec | 17846 | <connectionname>, EST-P1-MM: Connection being initiated on request |
| IPSec | 17847 | <connectionname>, EST-P1-AM: Connection with state <state> being initiated on request |
| IPSec | 17848 | <connectionname>, EST-P1-MM: Peer ID is <peerid> |
| IPSec | 17849 | <connectionname>, EST-P1-AM: Peer ID is <peerid> |
| IPSec | 17850 | <connectionname>, EST-P1: Phase-1 ID mismatch. Configured peer id is <remoteid> and received peer id is <peerid>. System is initiator. Verify ID configuration at both the ends is in sync. |
| IPSec | 17851 | <connectionname>, EST-P1: Phase-1 ID mismatch. No suitable connection for peer id <peerid>. System is responder. Verify ID configuration at both the ends is in sync. |
| IPSec | 17852 | <connectionname2>, EST-P1: switched the connection from <connectionname> to <connectionname2> because a <connection name2>'s configuration matches the request better. |
| IPSec | 17853 | <connectionname>, EST-P1: Peer did not accept any proposal sent. Reconfigure the connection on either of the ends |
| IPSec | 17854 | <connectionname>, EST-P1: System did not accept any proposal received. Need to reconfigure the connection on either of the ends. |
| IPSec | 17855 | <connectionname>, EST-P1: An error (mostly related to network) has occurred while sending a packet to advance the IKE state machine from state <state>. |
| IPSec | 17856 | <connectionname>, EST-P1: max number of retransmissions <count> reached STATE_MAIN_I1. No response (or no acceptable response) to first IKE message |
| IPSec | 17857 | <connectionname>, EST-P1: max number of retransmissions <count> reached STATE_MAIN_I3. Possible authentication failure or NAT device in between: no acceptable response to first encrypted message |
| IPSec | 17858 | <connectionname>, EST-P1: Malformed payload in packet. probable authentication failure (mismatch of preshared secrets). Verify pre-shared secrets are same at both the ends. |
| IPSec | 17859 | <connectionname>, EST-P1: unexpected message received in state <state>. payload received from the peer do not lead the System to the next expected IKE state |
| IPSec | 17860 | <connectionname>, EST-P1: Informational Exchange message is invalid because it has a previously used Message ID <messageid> |
| IPSec | 17861 | <connectionname>, EST-P1-MM: Phase-1 SA initiated by peer is established |
| Log Component | Message ID | Message |
| --- | --- | --- |
| IPSec | 17865 | <connectionname>, EST-P2: Initiating Phase-2 (protected by Phase-1 SA with <state>) on request with policy <policybits> |
| IPSec | 17866 | <connectionname>, EST-P2: Initiating Phase-2 SA re-keying using Phase-1 SA <state> |
| IPSec | 17867 | <connectionname>, EST-P2: Responding to a Phase-2 establishment request with Message id <MESSAGE ID> |
| IPSec | 17868 | <connectionname>, EST-P2: max number of retransmissions <count> reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal |
| IPSec | 17869 | <connectionname>, EST-P2: System require Perfect Forward Secrecy(PFS) but peer proposed not to use PFS |
| IPSec | 17870 | <connectionname>, EST-P2: Local subnet – Remote subnet configuration of the connection being initiated conflicts with that of an already established connection <establishedconnectionname>. Terminate connection <establishedconnectionname> before initiating. |
| IPSec | 17871 | <connectionname>, EST-P2: System received a Phase-2 connection request whose Local subnet – Remote subnet configuration conflicts with that of an already established connection <establishedconnectionname>. System is terminating connection <establishedconnectionname> to honour the incoming request. |
| IPSec | 17872 | <connectionname>, EST-P2: A Phase-2 SA initiated by System is established. |
| IPSec | 17873 | <connectionname>, EST-P2: A Phase-2 SA initiated by peer is established |
| IPSec | 17874 | <connectionname>, NAT-T: No NAT device detected between Local Server and Remote Server |
| IPSec | 17875 | <connectionname>, NAT-T: Local server is behind a NAT device |
| IPSec | 17876 | <connectionname>, NAT-T: Remote server is behind a NAT device |
| IPSec | 17877 | <connectionname>, NAT-T: Both Local and remote server are behind NAT devices |
| IPSec | 17878 | <connectionname>, SA-MGT: Peer requested to delete Phase-1 SA. Deleting ISAKMP state <state> |
| IPSec | 17879 | <connectionname>, SA-MGT: Peer requested to delete Phase-2 SA. Deleting IPSec state <state> |
| IPSec | 17880 | <connectionname>, SA-MGT: Peer requested to delete Phase-2 SA. Deleting existing SA and re-inititate a new one. Replacing IPSEC State #<state> |
| IPSec | 17881 | <connectionname>, SA-MGT: Deleting remote access connection instance with peer <remoteinterfaceip>, isakmp=#<isakmp>, ipsec=#<ipsec> |
| Log Component | Message ID | Message |
| --- | --- | --- |
| IPSec | 17882 | <connectionname>, SA-MGT: Deleting connection |
| IPSec | 17883 | <connectionname>, SA-MGT: On deletion of connection, corresponding SA <state> is being deleted |
| IPSec | 17884 | <connectionname>, SA-MGT: Initiating Re-keying of connection 's Phase-1 (main mode) SA <state> |
| IPSec | 17885 | <connectionname>, SA-MGT: Initiating Re-keying of connection 's Phase-1 (aggresive mode) state <oldstate> to state <newstate> |
| IPSec | 17886 | <connectionname>, SA-MGT: Phase 1 SA is being re-keyed |
| IPSec | 17887 | <connectionname>, SA-MGT: Phase 2 SA is being re-keyed |
| IPSec | 17888 | <connectionname>, SA-MGT: Phase 1 SA has expired |
| IPSec | 17889 | <connectionname>, SA-MGT: Phase 1 SA has expired. Connection is configured not to re-key |
| IPSec | 17890 | <connectionname>, SA-MGT: Phase 2 SA has expired |
| IPSec | 17891 | <connectionname>, SA-MGT: Phase 2 SA has expired. Connection is configured not to re-key |
| IPSec | 17892 | <connectionname>, DPD: Dead peer detection enabled |
| IPSec | 17893 | <connectionname>, DPD: Peer was unreachable and was marked as dead for this connection |
| IPSec | 17894 | <connectionname>, DPD: Connection was <actiononpeerdead> because peer was dead |
| IPSec | 17895 | <connectionname>, DPD: Connection was scheduled to be rekeyed because peer was unreachable and connection was reinitiated |
| IPSec | 17896 | <connectionname>, XAUTH: Sending username/password request |
| IPSec | 17897 | <connectionname>, XAUTH: User <user> attempting to login |
| IPSec | 17898 | <connectionname>, XAUTH: User <user> authenticated successfully |
| IPSec | 17899 | <connectionname>, XAUTH: User <user> failed to authenticate because <reason> |
| IPSec | 17900 | <connectionname>, XAUTH: received MODECFG message when in state <STATE NAME>, and Appliance is not XAUTH client |
| IPSec | 17901 | <connectionname>, XAUTH: Username/password requested but connection configured as XAUTH client cannot be rekeyed. Turn off rekey for the connection |
| IPSec | 17902 | <connectionname>, XAUTH: XAUTH: Answering XAUTH challenge with user <user> |
| IPSec | 17903 | <connectionname>, XAUTH: Successfully authenticated. Appliance is XAUTH Client |
| IPSec | 17939 | Failed to send IPSec tunnel UP/Down notification mail |
Log Component
Landing Page
WLAN
CCC
Appliance Access
HTTPS
Guest User
Virtual Host
CTA
PPPoE
Message ID
17938
17906
17907
17908
17909
17911
17910
17912
17918
17919
17927
17928
17929
17930
17935
17940
17953
17913
17914
17915
17916
17917
17925
17926
17954
17955
17956
17957
17958
Message
IPSec tunnel UP/Down notification mail sent successfully
Landing page accepted
Landing page declined
Rogue AP scan successfully completed
Rogue AP scan failed
System triggered Rogue AP Scan was initiated
Failed to send heartbeat from appliance to CCC (reserved for use with CCC, no log is generated)
heartbeat sent from appliance to CCC (reserved for use with CCC, no log is generated)
Failed to send keep-alive from appliance to CCC (reserved for use with CCC, no log is generated)
keep-alive sent from appliance to CCC (reserved for use with CCC, no log is generated)
System blocked administrator account for login because of too may wrong login attempts
System unblocked administrator account
System locked administrator's session
Unknown protocol traffic was denied
Invalid Certificate was blocked
Guest user is added in system
Access details SMS sent to the SMS gateway for delivery to guest user
One or more Guest user expired and auto-purged successfully
One or more Guest user expired and auto-purged failed
One or more Guest user expired and auto-purge partially failed
Failed to send Access details SMS
Mapped Server <server_ipaddress> is UP/Mapped Server <server_ipaddress> is DOWN
CTA started with active collectors
<interface name>: PADO packet timeout no response from server.
<interface name>: Terminating Session, Reattempting in <seconds> Sec.
<interface name>: Discovery process completed
<interface name>: LCP link established
<interface name>: ISP not supporting LCP
<interface name>: Authentication successful
Log Component
PPTP
L2TP
17977
17978
17979
17980
Message ID
17959
17960
17961
17962
17963
17964
17965
17966
17967
17969
17972
17973
17974
17975
17976
17981
17982
17983
17984
17985
17986
17987
17988
Message
<interface name>: Authentication Fail. Please check username and password
<interface name>: Set interface IP < local IP>
<interface name>: Set gateway IP < remote IP>
<interface name>: Set Primary DNS < DNS IP if enable>
<interface name>: Set Aux DNS < DNS IP>
<interface name>: PPPoE Link Up
<interface name>: PPPoE Link Down
<interface name>: Disconnect PPPoE due to LCP timeout
<interface name>: Disconnect PPPoE due to Idle timeout
<interface name>: Reconnected on schedule event.
LCP : Negotiation Opening for < Client IP >
LCP : Link Established for < Client IP >
< PAP/CHAP/MS-CHAPv2 > : Starting Authentication
< PAP/CHAP/MS-CHAPv2 > : Authentication Successful for User < user name >
< PAP/CHAP/MS-CHAPv2 > : Authentication Failed for User < user name >
IPCP : IP allocated : < IP allocated >, IPCP : Set DNS : < Primary/secondary DNS Server >, IPCP : Set WINS : < Primary/secondary WINS Server >
LCP : Disconnect due to LCP timeout
STATS : Connect time : < connection time >, STATS : Sent < no. of bytes > bytes, received < no. of bytes > bytes
IPCP : Taking IPCP down for < Client IP > : < Reason >, LCP : Negotiation Closing for <Client IP > : < Reason >, LCP : Negotiation Closed for < Client IP >
IPCP : Taking IPCP down for < Client IP > : < Reason >, LCP : Negotiation Closing for <Client IP > : < Reason >, LCP : Negotiation Closed for < Client IP >
LCP : Negotiation Opening for < Client IP >
LCP : Link Established for < Client IP >
< PAP/CHAP/MS-CHAP > : Starting Authentication
< PAP/CHAP/MS-CHAP > : Authentication Successful for User < user name >
< PAP/CHAP/MS-CHAP > : Authentication Failed for User < user name >
IPCP : IP allocated : < IP allocated >, IPCP : Set DNS : < Primary/secondary DNS Server >, IPCP : Set WINS : < Primary/secondary WINS Server >
LCP : Disconnect due to LCP timeout
Log Component Message ID
17989
17990
System
WC
RED
ATP
SSLVPN clients
IPSEC clients
Authentication clients
RED firmware
18017
18018
18019
18020
18021
18022
18023
18024
18025
18001
18002
18003
18004
18005
18006
18007
18008
18014
18015
18016
18032
17991
18000
17998
17999
Message
STATS : Connect time : < connection time >, STATS : Sent < no. of bytes > bytes, received < no. of bytes > bytes
IPCP : Taking IPCP down for < Client IP > : < Reason >, LCP : Negotiation Closing for <Client IP > : < Reason >, LCP : Negotiation Closed for < Client IP >
IPCP : Taking IPCP down for < Client IP > : < Reason >, LCP : Negotiation Closing for <Client IP > : < Reason >, LCP : Negotiation Closed for < Client IP >
Event new firmware detected for <type>: <version>
[ <AP-ID>] unknown AP model encountered: <type>, dropping.
[<AP-ID>] no firmware available for AP type '<type>', dropping.
[ <AP-ID> ] device not authorized yet, dropping.
[ <AP-ID> ] Corrupt payload. Device may have wrong key. Delete device to re-register it.
[ <AP-ID>] sent firmware <firmware> to device, releasing connection.
[ <AP-ID> ] failed to send <firmware> to device, dropping.
[MASTER] sending notification about offline AP <AP>
Successfully sent config to AP [ <AP-ID> ].
Failed to send config to AP [ <AP-ID> ].
RED is connected
RED in disconnected
RED interim event
Red devices: Disabled: 5 Enabled: 15 Connected: 12 Disconnected 3
ATP Definitions upgraded from <old version> to <new version>
ATP Definitions upgrade failed
SSLVPN clients upgraded from <old version> to <new version>
SSLVPN clients upgrade failed
IPSEC clients upgraded from <old version> to <new version>
IPSEC clients upgrade failed
Authentication clients upgraded from <old version> to <new version>
Authentication clients upgrade failed
RED firmware upgraded from <old version> to <new version>