Administration Guide

Appendix B - FortiClient log messages

The following provides descriptions for the possible values for the <action> field for AntiVirus logs:

| Action | Description |
| --- | --- |
| clean | Clean infected file by using cleandb provided by the AV engine. |
| ignored | Ignore the detection result. This option is mostly used in false positive cases. |
| warning | Display a popup warning and write log for detection. |
| accessdenied | Prevent user access to the infected file. |
| quarantined | Quarantine the infected files and store them in the FortiClient folder. |
| quarantinefailed | Failed to quarantine the infected files and store them in the FortiClient folder. |
| deleted | Deleted the infected file. |
| deletefailed | Failed to delete the infected file. |
| repaired | Repaired the infected file. |
| repairfailed | Cannot repair the infected file. |

Columns, in order: Client feature, ID, Level, Format, Description.

AntiVirus 0x00017912 Warning action=<clean|ignored|warning|accessdenied|quarantined|quarantinefailed|deleted|deletefailed|repaired|repairfailed> file=<infected file name> filesize=<infected file size> checksum=<infected file CRC checksum> virus=<virus name> sigid=<signature id of the virus> from=<sender> to=<receiver> service=<network protocol> vpn=<vpn tunnel name> user=<logged on user> msg=Found virus by [AntiVirus scan|AntiVirus realtime protection] in [filesystem|disk|email] This message is logged when a virus is found.
AntiVirus 0x00017929 Info action=<clean|ignored|warning|accessdenied|quarantined|quarantinefailed|deleted|deletefailed|repaired|repairfailed> file=<infected file name> filesize=<infected file size> checksum=<infected file CRC checksum> virus=<virus name> sigid=<signature id of the virus> from=<sender> to=<receiver> service=<network protocol> vpn=<vpn tunnel name> user=<logged on user> msg=An attempt to delete a quarantined file failed (<file path>). An attempt to delete a quarantined file failed.
AntiVirus 0x00017928 Info action=<clean|ignored|warning|accessdenied|quarantined|quarantinefailed|deleted|deletefailed|repaired|repairfailed> file=<infected file name> filesize=<infected file size> checksum=<infected file CRC checksum> virus=<virus name> sigid=<signature id of the virus> from=<sender> to=<receiver> service=<network protocol> vpn=<vpn tunnel name> user=<logged on user> msg=A quarantined file was deleted (<file path>). A quarantined file was deleted.
AntiVirus 0x00017927 Info action=<clean|ignored|warning|accessdenied|quarantined|quarantinefailed|deleted|deletefailed|repaired|repairfailed> file=<infected file name> filesize=<infected file size> checksum=<infected file CRC checksum> virus=<virus name> sigid=<signature id of the virus> from=<sender> to=<receiver> service=<network protocol> vpn=<vpn tunnel name> user=<logged on user> msg=A quarantined file was restored (<file path>). A quarantined file was restored.
AntiVirus 0x00017926 Error action=<clean|ignored|warning|accessdenied|quarantined|quarantinefailed|deleted|deletefailed|repaired|repairfailed> file=<infected file name> filesize=<infected file size> checksum=<infected file CRC checksum> virus=<virus name> sigid=<signature id of the virus> from=<sender> to=<receiver> service=<network protocol> vpn=<vpn tunnel name> user=<logged on user> msg=Failed to restore quarantined file to (<file path>) error=<error code>. Attempting to restore quarantined file failed.
AntiVirus 0x0001791f Error action=<clean|ignored|warning|accessdenied|quarantined|quarantinefailed|deleted|deletefailed|repaired|repairfailed> file=<infected file name> filesize=<infected file size> checksum=<infected file CRC checksum> virus=<virus name> sigid=<signature id of the virus> from=<sender> to=<receiver> service=<network protocol> vpn=<vpn tunnel name> user=<logged on user> msg=Scheduled scan failed:Path to file/folder no longer exists. Path not found.
AntiVirus 0x0001791c Info action=<clean|ignored|warning|accessdenied|quarantined|quarantinefailed|deleted|deletefailed|repaired|repairfailed> file=<infected file name> filesize=<infected file size> checksum=<infected file CRC checksum> virus=<virus name> sigid=<signature id of the virus> from=<sender> to=<receiver> service=<network protocol> vpn=<vpn tunnel name> user=<logged on user> msg=Cannot start scan task License expired.
AntiVirus 0x0001791b Warning action=<clean|ignored|warning|accessdenied|quarantined|quarantinefailed|deleted|deletefailed|repaired|repairfailed> file=<infected file name> filesize=<infected file size> checksum=<infected file CRC checksum> virus=<virus name> sigid=<signature id of the virus> from=<sender> to=<receiver> service=<network protocol> vpn=<vpn tunnel name> user=<logged on user> msg=av_task killed suspicious process : <filename or process name> <filename or process name> is a suspicious process and has been terminated.
AntiVirus 0x0001791a Info action=<clean|ignored|warning|accessdenied|quarantined|quarantinefailed|deleted|deletefailed|repaired|repairfailed> file=<infected file name> filesize=<infected file size> checksum=<infected file CRC checksum> virus=<virus name> sigid=<signature id of the virus> from=<sender> to=<receiver> service=<network protocol> vpn=<vpn tunnel name> user=<logged on user> msg=av_task scan thread is resumed This message is logged when AV scanning is resumed.
AntiVirus 0x00017920 Warning action=<clean|ignored|warning|accessdenied|quarantined|quarantinefailed|deleted|deletefailed|repaired|repairfailed> file=<infected file name> filesize=<infected file size> checksum=<infected file CRC checksum> virus=<virus name> sigid=<signature id of the virus> from=<sender> to=<receiver> service=<network protocol> vpn=<vpn tunnel name> user=<logged on user> msg=AntiVirus scan was stopped by a user before it finished. The specified user stopped an AntiVirus scan.
AntiVirus 0x0001791e Info action=<clean|ignored|warning|accessdenied|quarantined|quarantinefailed|deleted|deletefailed|repaired|repairfailed> file=<infected file name> filesize=<infected file size> checksum=<infected file CRC checksum> virus=<virus name> sigid=<signature id of the virus> from=<sender> to=<receiver> service=<network protocol> vpn=<vpn tunnel name> user=<logged on user> msg=av_task scan is stopped This message is logged if AV scanning is stopped.
AntiVirus 0x0001791d Info action=<clean|ignored|warning|accessdenied|quarantined|quarantinefailed|deleted|deletefailed|repaired|repairfailed> file=<infected file name> filesize=<infected file size> checksum=<infected file CRC checksum> virus=<virus name> sigid=<signature id of the virus> from=<sender> to=<receiver> service=<network protocol> vpn=<vpn tunnel name> user=<logged on user> msg=av_task scan is started This message is logged if AV scanning is started.
AntiVirus 0x00017918 Warning action=<clean|ignored|warning|accessdenied|quarantined|quarantinefailed|deleted|deletefailed|repaired|repairfailed> file=<infected file name> filesize=<infected file size> checksum=<infected file CRC checksum> virus=<virus name> sigid=<signature id of the virus> from=<sender> to=<receiver> service=<network protocol> vpn=<vpn tunnel name> user=<logged on user> msg=AntiVirus realtime protection killed malware process : [process name] AntiVirus realtime protection killed a malware process.
AntiVirus 0x00017917 Info action=<clean|ignored|warning|accessdenied|quarantined|quarantinefailed|deleted|deletefailed|repaired|repairfailed> file=<infected file name> filesize=<infected file size> checksum=<infected file CRC checksum> virus=<virus name> sigid=<signature id of the virus> from=<sender> to=<receiver> service=<network protocol> vpn=<vpn tunnel name> user=<logged on user> msg=Communication error [detailed info] err=[error_code] Communication error with other modules
AntiVirus 0x00017916 Warning action=<clean|ignored|warning|accessdenied|quarantined|quarantinefailed|deleted|deletefailed|repaired|repairfailed> file=<infected file name> filesize=<infected file size> checksum=<infected file CRC checksum> virus=<virus name> sigid=<signature id of the virus> from=<sender> to=<receiver> service=<network protocol> vpn=<vpn tunnel name> user=<logged on user> msg=User disabled Realtime AntiVirus protection Logged when someone disables Realtime AntiVirus.
AntiVirus 0x00017915 Info action=<clean|ignored|warning|accessdenied|quarantined|quarantinefailed|deleted|deletefailed|repaired|repairfailed> file=<infected file name> filesize=<infected file size> checksum=<infected file CRC checksum> virus=<virus name> sigid=<signature id of the virus> from=<sender> to=<receiver> service=<network protocol> vpn=<vpn tunnel name> user=<logged on user> msg=User enabled Realtime AntiVirus protection Logged when someone enables Realtime AntiVirus.
AntiVirus 0x00017914 Warning action=<clean|ignored|warning|accessdenied|quarantined|quarantinefailed|deleted|deletefailed|repaired|repairfailed> file=<infected file name> filesize=<infected file size> checksum=<infected file CRC checksum> virus=<virus name> sigid=<signature id of the virus> from=<sender> to=<receiver> service=<network protocol> vpn=<vpn tunnel name> user=<logged on user> msg=Found suspicious by [AntiVirus scan|AntiVirus realtime protection] in [filesystem|disk|email] This message is logged when a suspicious item is found.
AntiVirus 0x00017913 Warning action=<clean|ignored|warning|accessdenied|quarantined|quarantinefailed|deleted|deletefailed|repaired|repairfailed> file=<infected file name> filesize=<infected file size> checksum=<infected file CRC checksum> virus=<virus name> sigid=<signature id of the virus> from=<sender> to=<receiver> service=<network protocol> vpn=<vpn tunnel name> user=<logged on user> msg=Found malware by [AntiVirus scan|AntiVirus realtime protection] in [filesystem|email] This message is logged when malware is found.
AntiVirus 0x00017919 Info action=<clean|ignored|warning|accessdenied|quarantined|quarantinefailed|deleted|deletefailed|repaired|repairfailed> file=<infected file name> filesize=<infected file size> checksum=<infected file CRC checksum> virus=<virus name> sigid=<signature id of the virus> from=<sender> to=<receiver> service=<network protocol> vpn=<vpn tunnel name> user=<logged on user> msg=av_task scan thread is suspended This message is logged if AV scanning is paused.
Application Database 0x0000d00b Error <context> <file reference> Unable to extract vendor id. The file is not digitally signed or the signature cannot be read. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated.
Application Database 0x0000d00e Error <context> <file reference> Can't access file because of sharing violation. Can't access file because of sharing violation. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated.
Application Database 0x0000d01a Error <context> <file reference> Invalid arguments. Invalid command line options supplied. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated.
Application Database 0x0000d019 Error <context> <file reference> Unable to bypass fortishield. Failed to bypass self-protection. The daemon might not function normally after this. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated.
Application Database 0x0000d011 Error <context> <file reference> Driver io error. APD driver io error. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated.
Application Database 0x0000d017 Error <context> <file reference> Pipe server initialization error. A communication initialization error occurred. It is probably temporary. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated.
Application Database 0x0000d016 Error <context> <file reference> Server-side pipe error. A communication error occurred. It is probably temporary. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated.
Application Database 0x0000d00a Error <context> <file reference> Can't open file. The file cannot be opened. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated.
Application Database 0x0000d018 Error <context> <file reference> Pipe server creation error. A communication initialization error occurred. It is probably temporary. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated.
Application Database 0x0000d008 Error <context> <file reference> db error - row not found. The requested row does not exist. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated.
Application Database 0x0000d003 Error <context> <file reference> db error - BIND command. A critical error occurred. The application database will not work. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated.
Application Database 0x0000d006 Error <context> <file reference> db error - unable to find fingerprint. The fingerprint does not exist in the database. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated.
Application Database 0x0000d01c Error <context> <file reference> Unable to allocate memory for vendor id cache. Low memory. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated.
Application Database 0x0000d01d Error <context> <file reference> Vendor id cache not initialized. This is probably temporary. An attempt will be made later to read/write to the cache. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated.
Application Database 0x0000d01e Error <context> <file reference> Unable to open vendor id cache shared memory. Application detection will not be functioning normally. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated.
Application Database 0x0000d01f Error <context> <file reference> Unable to open mutex to access vendor id shared memory. Application detection will not be functioning normally. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated.
Application Database 0x0000d005 Error <context> <file reference> db error - preparing sql statement. The sql statement used is invalid. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated.
Application Database 0x0000d004 Error <context> <file reference> db error - opening database. A critical error occurred. The application database is not present. An attempt to automatically regenerate it will occur. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated.
Application Database 0x0000d010 Error <context> <file reference> Can't start driver. Can't start the apd driver. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated.
Application Database 0x0000d001 Error <context> <file reference> db error - creating new database. A critical error occurred. The application database will not work. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated.
Application Database 0x0000d007 Error <context> <file reference> db error - invalid md5. The parameter supplied is not an MD5. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated.
Application Database 0x0000d00f Error <context> <file reference> Can't open driver. Can't open the apd driver. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated.
Application FireWall 0x00017982 Info action=<action_id> app=<application name> appid=<application id> apppath=<application location> count=<counter of action> rule=<rule that applied> ruleid=<id of rule> ruletype=<type of rule> cat=<category> catid=<category id> policyname=<policy name> msg=User enabled Firewall User enabled Firewall
Application FireWall 0x00017984 Warning action=<action_id> app=<application name> appid=<application id> apppath=<application location> count=<counter of action> rule=<rule that applied> ruleid=<id of rule> ruletype=<type of rule> cat=<category> catid=<category id> policyname=<policy name> msg=The Application Firewall report was cleared Logged when someone clears the application firewall report.
Application FireWall 0x00017983 Warning action=<action_id> app=<application name> appid=<application id> apppath=<application location> count=<counter of action> rule=<rule that applied> ruleid=<id of rule> ruletype=<type of rule> cat=<category> catid=<category id> policyname=<policy name> msg=User disabled Firewall User disabled Firewall
Application FireWall 0x00017985 Warning action=<action_id> app=<application name> appid=<application id> apppath=<application location> count=<counter of action> rule=<rule that applied> ruleid=<id of rule> ruletype=<type of rule> cat=<category> catid=<category id> policyname=<policy name> msg=The application firewall has been disabled because it's driver could not be loaded Logged when application firewall driver could not be loaded with error 127 (The specified procedure could not be found).
Application FireWall 0x00017981 Info action=<action_id> app=<application name> appid=<application id> apppath=<application location> count=<counter of action> rule=<rule that applied> ruleid=<id of rule> ruletype=<type of rule> cat=<category> catid=<category id> policyname=<policy name> msg=Firewall action type=[num] protocol=[num] direction=[num] source=[addr] destination=[addr] Firewall action
Application FireWall 0x00017980 Warning action=<action_id> app=<application name> appid=<application id> apppath=<application location> count=<counter of action> rule=<rule that applied> ruleid=<id of rule> ruletype=<type of rule> cat=<category> catid=<category id> policyname=<policy name> msg=Firewall action type=[num] protocol=[num] direction=[num] source=[addr] destination=[addr] Firewall action
Config Import/Export 0x00017a72 Info user=<logged on user> msg=Policy '[name]' was received and applied Logged when push configuration is received.
Config Import/Export 0x00017a73 Info user=<logged on user> msg=Compliance rules '[name]' were received and applied Logged when compliance rules are received.
Config Import/Export 0x00017a5c Info user=<logged on user> msg=A configuration file is exported to [location] Logged when someone exports a config file.
Config Import/Export 0x00017a5d Info user=<logged on user> msg=A configuration file is imported from [location] Logged when someone imports a config file.
EndPoint Control 0x00017ab7 Info action=<register|authenticate|unregister> actiontype=<auto|manual> user=<logged on user> epmgmtst=<blocked|quarantined> eponlinest=<regonline|regoffline> epplace=<onnet|offnet> epfeatures=<list of features installed> epenfeatures=<list of features enabled> ephbduration=<time duration in minutes that the client has been in the online state to FGT> ephblast=<timestamp of last heartbeat to FGT> ephbemsduration=<time duration in minutes that the client has been in the online state to EMS> ephbemslast=<timestamp of last heartbeat to EMS> msg=Endpoint control policy synchronization was enabled Logged when someone enables Endpoint control policy synchronization.
EndPoint Control 0x00017abf Info This is a report of the current AV whitelist engine/signatures this endpoint is using This is a report of the current AV whitelist engine/signatures this endpoint is using
EndPoint Control 0x00017abe Info user=<logged on user> social_srvc=<social media service> social_user=<social media user>social_email=<social media email>social_phone=<social media phone number> msg=User social media information User social media information
EndPoint Control 0x00017abd Info action=<register|authenticate|unregister> actiontype=<auto|manual> user=<logged on user> epmgmtst=<blocked|quarantined> eponlinest=<regonline|regoffline> epplace=<onnet|offnet> epfeatures=<list of features installed> epenfeatures=<list of features enabled> ephbduration=<time duration in minutes that the client has been in the online state to FGT> ephblast=<timestamp of last heartbeat to FGT> ephbemsduration=<time duration in minutes that the client has been in the online state to EMS> ephbemslast=<timestamp of last heartbeat to EMS> msg=Endpoint Ext Log to FAZ Endpoint Ext Log to FAZ
EndPoint Control 0x00017abc Info action=<register|authenticate|unregister> actiontype=<auto|manual> user=<logged on user> epmgmtst=<blocked|quarantined> eponlinest=<regonline|regoffline> epplace=<onnet|offnet> epfeatures=<list of features installed> epenfeatures=<list of features enabled> ephbduration=<time duration in minutes that the client has been in the online state to FGT> ephblast=<timestamp of last heartbeat to FGT> ephbemsduration=<time duration in minutes that the client has been in the online state to EMS> ephbemslast=<timestamp of last heartbeat to EMS> msg=Endpoint Quarantine Status changed to [status] Endpoint Quarantine Status Changed
EndPoint Control 0x00017abb Info action=<register|authenticate|unregister> actiontype=<auto|manual> user=<logged on user> epmgmtst=<blocked|quarantined> eponlinest=<regonline|regoffline> epplace=<onnet|offnet> epfeatures=<list of features installed> epenfeatures=<list of features enabled> ephbduration=<time duration in minutes that the client has been in the online state to FGT> ephblast=<timestamp of last heartbeat to FGT> ephbemsduration=<time duration in minutes that the client has been in the online state to EMS> ephbemslast=<timestamp of last heartbeat to EMS> msg=Endpoint Control Registration Status changed to [status] with FGT [serial] [address] and client ip [address] Endpoint Control Registration Status Changed
EndPoint Control 0x00017aba Warning action=<register|authenticate|unregister> actiontype=<auto|manual> user=<logged on user> epmgmtst=<blocked|quarantined> eponlinest=<regonline|regoffline> epplace=<onnet|offnet> epfeatures=<list of features installed> epenfeatures=<list of features enabled> ephbduration=<time duration in minutes that the client has been in the online state to FGT> ephblast=<timestamp of last heartbeat to FGT> ephbemsduration=<time duration in minutes that the client has been in the online state to EMS> ephbemslast=<timestamp of last heartbeat to EMS> msg=OffNet configuration version [version] doesn't match FortiGate configuration version [version] OffNet configuration version doesn't match FortiGate configuration version
EndPoint Control 0x00017ab8 Warning action=<register|authenticate|unregister> actiontype=<auto|manual> user=<logged on user> epmgmtst=<blocked|quarantined> eponlinest=<regonline|regoffline> epplace=<onnet|offnet> epfeatures=<list of features installed> epenfeatures=<list of features enabled> ephbduration=<time duration in minutes that the client has been in the online state to FGT> ephblast=<timestamp of last heartbeat to FGT> ephbemsduration=<time duration in minutes that the client has been in the online state to EMS> ephbemslast=<timestamp of last heartbeat to EMS> msg=Endpoint control policy synchronization was disabled Logged when someone disables Endpoint control policy synchronization.
EndPoint Control 0x00017ab6 Info action=<register|authenticate|unregister> actiontype=<auto|manual> user=<logged on user> epmgmtst=<blocked|quarantined> eponlinest=<regonline|regoffline> epplace=<onnet|offnet> epfeatures=<list of features installed> epenfeatures=<list of features enabled> ephbduration=<time duration in minutes that the client has been in the online state to FGT> ephblast=<timestamp of last heartbeat to FGT> ephbemsduration=<time duration in minutes that the client has been in the online state to EMS> ephbemslast=<timestamp of last heartbeat to EMS> msg=upload logs [state] Upload logs to registered FortiGate
EndPoint Control 0x00017ab9 Info action=<register|authenticate|unregister> actiontype=<auto|manual> user=<logged on user> epmgmtst=<blocked|quarantined> eponlinest=<regonline|regoffline> epplace=<onnet|offnet> epfeatures=<list of features installed> epenfeatures=<list of features enabled> ephbduration=<time duration in minutes that the client has been in the online state to FGT> ephblast=<timestamp of last heartbeat to FGT> ephbemsduration=<time duration in minutes that the client has been in the online state to EMS> ephbemslast=<timestamp of last heartbeat to EMS> msg=Endpoint Control Status changed to [status] Endpoint Control Status Changed
FortiProxy 0x00017a48 Warning user=<logged on user> msg=Fortiproxy is disabled Fortiproxy is disabled
FortiProxy 0x00017a49 Info user=<logged on user> msg=Fortiproxy is enabled Fortiproxy is enabled
FortiShield 0x00017a52 Warning user=<logged on user> msg=FortiShield is disabled FortiShield is disabled
FortiShield 0x00017a55 Warning user=<logged on user> msg=The console was unlocked The console password was unlocked.
FortiShield 0x00017a56 Warning user=<logged on user> msg=The console password was removed The console password was removed.
FortiShield 0x00017a57 Warning user=<logged on user> msg=FortiShield blocked application: [application path] from modifying: [file or registry path] FortiShield has prevented an application from modifying a file or registry setting protected by FortiClient.
FortiShield 0x00017a53 Info user=<logged on user> msg=FortiShield is enabled FortiShield is enabled
FortiShield 0x00017a54 Info user=<logged on user> msg=The console was locked The console password was locked.
IKE VPN 0x00017941 Info vpnstate=<connected|disconnected> vpntunnel=<tunnel name> vpnuser=<vpn user> remotegw=<remote gateway> user=<logged on user> msg=locip=<ip address> locport=<port number> remip=<ip address> remport=<port number> outif=<interface> vpntunnel=<tunnel name> status=negotiate_error msg=IKE phase1 authentication fail as the preshare key mismatch. IKE phase1 authentication fail as the preshare key mismatch.
IKE VPN 0x0001793f Warning vpnstate=<connected|disconnected> vpntunnel=<tunnel name> vpnuser=<vpn user> remotegw=<remote gateway> user=<logged on user> msg=A required application is not running. VPN cannot connect because the specified application is not running.
IKE VPN 0x0001793e Error vpnstate=<connected|disconnected> vpntunnel=<tunnel name> vpnuser=<vpn user> remotegw=<remote gateway> user=<logged on user> msg=VPN cannot connect because an authorization rule failed. Logged when a VPN authorization rule failed.
IKE VPN 0x0001793d Info vpnstate=<connected|disconnected> vpntunnel=<tunnel name> vpnuser=<vpn user> remotegw=<remote gateway> user=<logged on user> msg=VPN before logon was disabled Logged when someone disables VPN before logon.
IKE VPN 0x00017940 Info vpnstate=<connected|disconnected> vpntunnel=<tunnel name> vpnuser=<vpn user> remotegw=<remote gateway> user=<logged on user> msg=locip=<ip address> locport=<port number> remip=<ip address> remport=<port number> outif=<interface> vpntunnel=<tunnel name> status=negotiate_error msg=IKE phase1 authentication fail as peer's certificate is not verified. IKE phase1 authentication fail as peer's certificate is not verified.
IKE VPN 0x0001793b Info vpnstate=<connected|disconnected> vpntunnel=<tunnel name> vpnuser=<vpn user> remotegw=<remote gateway> user=<logged on user> msg=locip=<ip address> locport=<port number> remip=<ip address> remport=<port number> outif=<interface> vpntunnel=<tunnel name> action=install_sa inspi=<inbound spi> outspi=<outbound spi> <Initiator|Responder> tunnel <ip address/ip address> install sa Send sa to the IPsec driver.
IKE VPN 0x0001793a Info vpnstate=<connected|disconnected> vpntunnel=<tunnel name> vpnuser=<vpn user> remotegw=<remote gateway> user=<logged on user> msg=VPN user choose disconnect the tunnel or no response The VPN user rejected the banner warning and disconnected the tunnel.
IKE VPN 0x00017939 Info vpnstate=<connected|disconnected> vpntunnel=<tunnel name> vpnuser=<vpn user> remotegw=<remote gateway> user=<logged on user> msg=VPN user accept the banner and continue with the tunnel setup The VPN user accepted the banner warning.
IKE VPN 0x00017930 Info vpnstate=<connected|disconnected> vpntunnel=<tunnel name> vpnuser=<vpn user> remotegw=<remote gateway> user=<logged on user> msg=VPN tunnel status VPN tunnel status
IKE VPN 0x0001793c Info vpnstate=<connected|disconnected> vpntunnel=<tunnel name> vpnuser=<vpn user> remotegw=<remote gateway> user=<logged on user> msg=VPN before logon was enabled Logged when someone enables VPN before logon.
IKE VPN 0x00017936 Info vpnstate=<connected|disconnected> vpntunnel=<tunnel name> vpnuser=<vpn user> remotegw=<remote gateway> user=<logged on user> msg=negotiation information <detailed info> negotiation information
IKE VPN 0x00017937 Error vpnstate=<connected|disconnected> vpntunnel=<tunnel name> vpnuser=<vpn user> remotegw=<remote gateway> user=<logged on user> msg=negotiation error <detailed error> negotiation error
IKE VPN 0x00017931 Warning vpnstate=<connected|disconnected> vpntunnel=<tunnel name> vpnuser=<vpn user> remotegw=<remote gateway> user=<logged on user> msg=locip=<ip address> locport=<port number> remip=<ip address> remport=<port number> outif=<interface> vpntunnel=<tunnel name> status=negotiate_error msg=No response from the peer phase1 retransmit reaches maximum count. No response from the peer phase1 retransmit reaches maximum count.
IKE VPN 0x00017932 Warning vpnstate=<connected|disconnected> vpntunnel=<tunnel name> vpnuser=<vpn user> remotegw=<remote gateway> user=<logged on user> msg=locip=<ip address> locport=<port number> remip=<ip address> remport=<port number> outif=<interface> vpntunnel=<tunnel name> status=negotiate_error msg=No response from the peer phase2 retransmit reaches maximum count. No response from the peer phase2 retransmit reaches maximum count.
IKE VPN 0x00017938 Error vpnstate=<connected|disconnected> vpntunnel=<tunnel name> vpnuser=<vpn user> remotegw=<remote gateway> user=<logged on user> msg=replayed packet detected (packet dropped) <detailed error> replayed packet detected (packet dropped).
IKE VPN 0x00017933 Warning vpnstate=<connected|disconnected> vpntunnel=<tunnel name> vpnuser=<vpn user> remotegw=<remote gateway> user=<logged on user> msg=locip=<ip address> locport=<port number> remip=<ip address> remport=<port number> outif=<interface> vpntunnel=<tunnel name> status=negotiate_error msg=Received delete payload from peer check xauth password. Received delete payload from peer check xauth password.
IKE VPN 0x00017934 Error vpnstate=<connected|disconnected> vpntunnel=<tunnel name> vpnuser=<vpn user> remotegw=<remote gateway> user=<logged on user> msg=locip=<ip address> locport=<port number> remip=<ip address> remport=<port number> outif=<interface> vpntunnel=<tunnel name> msg=Failed to acquire an IP address. Failed to acquire an IP address for the virtual adapter.
IKE VPN 0x00017935 Error vpnstate=<connected|disconnected> vpntunnel=<tunnel name> vpnuser=<vpn user> remotegw=<remote gateway> user=<logged on user> msg=ike error <detailed error info> General error of IKE
IKE VPN 0x00017942 Error vpnstate=<connected|disconnected> vpntunnel=<tunnel name> vpnuser=<vpn user> remotegw=<remote gateway> user=<logged on user> msg=VPN cannot connect because the computer failed a compliancy test. Logged when a compliance test fails when trying to connect a VPN tunnel.
Scheduler 0x00017a20 Info user=<logged on user> msg=Forcefully kill a child process fct (process name) after grace period expires A scheduler-owned child process failed to stop when instructed to do so, so it was forcefully terminated.
Scheduler 0x00017a21 Error user=<logged on user> msg=The scheduler cannot start the scheduled task because the task's license is expired. The scheduler cannot start the scheduled task because the task's license is expired.
Scheduler 0x00017a68 Info user=<logged on user> msg=FortiClient is starting up FortiClient is starting up
Scheduler 0x00017a69 Info user=<logged on user> msg=%s is shutting down FortiClient is shutting down
Single Sign-On Mobility Agent 0x00017ad4 Info action=<logoff|logon|ipchange|wakeup|keepalive> domain=<domain name> remotegw=<remote gateway> user=<logged on user> msg=Single Sign-On event Single Sign-On event.
Single Sign-On Mobility Agent 0x00017ad6 Warning action=<logoff|logon|ipchange|wakeup|keepalive> domain=<domain name> remotegw=<remote gateway> user=<logged on user> msg=Single Sign-On Mobility Agent was disabled Logged when someone disables Single Sign-On Mobility Agent.
Single Sign-On Mobility Agent 0x00017ad7 Info action=<logoff|logon|ipchange|wakeup|keepalive> domain=<domain name> remotegw=<remote gateway> user=<logged on user> msg=Single Sign-On Mobility Agent is starting... version:[nnn] Single Sign-On Mobility Agent is starting
Single Sign-On Mobility Agent 0x00017ad8 Info action=<logoff|logon|ipchange|wakeup|keepalive> domain=<domain name> remotegw=<remote gateway> user=<logged on user> msg=Single Sign-On Mobility Agent is stopping... version:[nnn] Single Sign-On Mobility Agent is stopping
Single Sign-On Mobility Agent 0x00017ad5 Info action=<logoff|logon|ipchange|wakeup|keepalive> domain=<domain name> remotegw=<remote gateway> user=<logged on user> msg=Single Sign-On Mobility Agent was enabled Logged when someone enables Single Sign-On Mobility Agent.
SSL VPN 0x00017958 Info vpnstate=<connected|disconnected> vpntunnel=<tunnel name> vpnuser=<vpn user> remotegw=<remote gateway> user=<logged on user> msg=SSLVPN tunnel status SSLVPN tunnel status
UI 0x00017a67 Info user=<logged on user> msg=Alerts were cleared Logged when alerts are cleared by a user.
UI 0x00017a66 Warning user=<logged on user> msg=Logs were cleared Logged when logs are cleared.
Update 0x00017a2a Info avengine=<AV engine version> avsig=<AV high signature version> avsigext=<AV extend signature version> avsigetm=<AV extreme signature version> avsigheu=<AV heuristics signature version> rootkitengine=<anti rootkit engine version> rootkitsig=<anti rootkit signature version> appengine=<application engine version> appsig=<application signature version> ipseng=<IPS engine version> ipssig=<IPS signature version> vulnsig=<vulnerability scan signature version> avsiglastupdate=<last time AV high signature is updated> msg=Customer initiated a software update request. Logged when a user presses the GUI's update button.
Update 0x00017a37 Info avengine=<AV engine version> avsig=<AV high signature version> avsigext=<AV extend signature version> avsigetm=<AV extreme signature version> avsigheu=<AV heuristics signature version> rootkitengine=<anti rootkit engine version> rootkitsig=<anti rootkit signature version> appengine=<application engine version> appsig=<application signature version> ipseng=<IPS engine version> ipssig=<IPS signature version> vulnsig=<vulnerability scan signature version> avsiglastupdate=<last time AV high signature is updated> msg=Checking for updates. Checking for updates.
Update 0x00017a2c Info avengine=<AV engine version> avsig=<AV high signature version> avsigext=<AV extend signature version> avsigetm=<AV extreme signature version> avsigheu=<AV heuristics signature version> rootkitengine=<anti rootkit engine version> rootkitsig=<anti rootkit signature version> appengine=<application engine version> appsig=<application signature version> ipseng=<IPS engine version> ipssig=<IPS signature version> vulnsig=<vulnerability scan signature version> avsiglastupdate=<last time AV high signature is updated> msg=Update allowed only if you have a valid license Update allowed only if you have a valid license
Update 0x00017a38 Info avengine=<AV engine version> avsig=<AV high signature version> avsigext=<AV extend signature version> avsigetm=<AV extreme signature version> avsigheu=<AV heuristics signature version> rootkitengine=<anti rootkit engine version> rootkitsig=<anti rootkit signature version> appengine=<application engine version> appsig=<application signature version> ipseng=<IPS engine version> ipssig=<IPS signature version> vulnsig=<vulnerability scan signature version> avsiglastupdate=<last time AV high signature is updated> msg=Software update started. Software update started.
Update 0x00017a2d Info avengine=<AV engine version> avsig=<AV high signature version> avsigext=<AV extend signature version> avsigetm=<AV extreme signature version> avsigheu=<AV heuristics signature version> rootkitengine=<anti rootkit engine version> rootkitsig=<anti rootkit signature version> appengine=<application engine version> appsig=<application signature version> ipseng=<IPS engine version> ipssig=<IPS signature version> vulnsig=<vulnerability scan signature version> avsiglastupdate=<last time AV high signature is updated> msg=Software updates are disabled. Software updates from FortiGuard have been disabled.
Update 0x00017a2e Info avengine=<AV engine version> avsig=<AV high signature version> avsigext=<AV extend signature version> avsigetm=<AV extreme signature version> avsigheu=<AV heuristics signature version> rootkitengine=<anti rootkit engine version> rootkitsig=<anti rootkit signature version> appengine=<application engine version> appsig=<application signature version> ipseng=<IPS engine version> ipssig=<IPS signature version> vulnsig=<vulnerability scan signature version> avsiglastupdate=<last time AV high signature is updated> msg=Software updates from FortiGuard have been disabled because this client is managed. Software updates from FortiGuard have been disabled.
Update 0x00017a30 Info avengine=<AV engine version> avsig=<AV high signature version> avsigext=<AV extend signature version> avsigetm=<AV extreme signature version> avsigheu=<AV heuristics signature version> rootkitengine=<anti rootkit engine version> rootkitsig=<anti rootkit signature version> appengine=<application engine version> appsig=<application signature version> ipseng=<IPS engine version> ipssig=<IPS signature version> vulnsig=<vulnerability scan signature version> avsiglastupdate=<last time AV high signature is updated> msg=Software update successful. Software update successful.
Update 0x00017a2f Info avengine=<AV engine version> avsig=<AV high signature version> avsigext=<AV extend signature version> avsigetm=<AV extreme signature version> avsigheu=<AV heuristics signature version> rootkitengine=<anti rootkit engine version> rootkitsig=<anti rootkit signature version> appengine=<application engine version> appsig=<application signature version> ipseng=<IPS engine version> ipssig=<IPS signature version> vulnsig=<vulnerability scan signature version> avsiglastupdate=<last time AV high signature is updated> msg=Software updates require administrative privileges. The user does not have sufficient privileges to perform software updates.
Update 0x00017a32 Info avengine=<AV engine version> avsig=<AV high signature version> avsigext=<AV extend signature version> avsigetm=<AV extreme signature version> avsigheu=<AV heuristics signature version> rootkitengine=<anti rootkit engine version> rootkitsig=<anti rootkit signature version> appengine=<application engine version> appsig=<application signature version> ipseng=<IPS engine version> ipssig=<IPS signature version> vulnsig=<vulnerability scan signature version> avsiglastupdate=<last time AV high signature is updated> msg=Unable to perform software update. Registry does not contain image id to download. The image id that is expected to be in the registry is missing.
Update 0x00017a33 Info avengine=<AV engine version> avsig=<AV high signature version> avsigext=<AV extend signature version> avsigetm=<AV extreme signature version> avsigheu=<AV heuristics signature version> rootkitengine=<anti rootkit engine version> rootkitsig=<anti rootkit signature version> appengine=<application engine version> appsig=<application signature version> ipseng=<IPS engine version> ipssig=<IPS signature version> vulnsig=<vulnerability scan signature version> avsiglastupdate=<last time AV high signature is updated> msg=Update <module description> successful new version is <version number> Update was successful to the given version for the given module.
Update 0x0001798a Info avengine=<AV engine version> avsig=<AV high signature version> avsigext=<AV extend signature version> avsigetm=<AV extreme signature version> avsigheu=<AV heuristics signature version> rootkitengine=<anti rootkit engine version> rootkitsig=<anti rootkit signature version> appengine=<application engine version> appsig=<application signature version> ipseng=<IPS engine version> ipssig=<IPS signature version> vulnsig=<vulnerability scan signature version> avsiglastupdate=<last time AV high signature is updated> msg=Update success Update was successful.
Update 0x00017a34 Error avengine=<AV engine version> avsig=<AV high signature version> avsigext=<AV extend signature version> avsigetm=<AV extreme signature version> avsigheu=<AV heuristics signature version> rootkitengine=<anti rootkit engine version> rootkitsig=<anti rootkit signature version> appengine=<application engine version> appsig=<application signature version> ipseng=<IPS engine version> ipssig=<IPS signature version> vulnsig=<vulnerability scan signature version> avsiglastupdate=<last time AV high signature is updated> msg=Unable to load AV engine Failed to load the AV engine.
Update 0x00017a35 Error avengine=<AV engine version> avsig=<AV high signature version> avsigext=<AV extend signature version> avsigetm=<AV extreme signature version> avsigheu=<AV heuristics signature version> rootkitengine=<anti rootkit engine version> rootkitsig=<anti rootkit signature version> appengine=<application engine version> appsig=<application signature version> ipseng=<IPS engine version> ipssig=<IPS signature version> vulnsig=<vulnerability scan signature version> avsiglastupdate=<last time AV high signature is updated> msg=Error patching AV signature. Error patching AV signature.
Update 0x00017a36 Error avengine=<AV engine version> avsig=<AV high signature version> avsigext=<AV extend signature version> avsigetm=<AV extreme signature version> avsigheu=<AV heuristics signature version> rootkitengine=<anti rootkit engine version> rootkitsig=<anti rootkit signature version> appengine=<application engine version> appsig=<application signature version> ipseng=<IPS engine version> ipssig=<IPS signature version> vulnsig=<vulnerability scan signature version> avsiglastupdate=<last time AV high signature is updated> msg=Unable to load FASLE engine Unable to load FASLE engine
Update 0x00017a31 Info avengine=<AV engine version> avsig=<AV high signature version> avsigext=<AV extend signature version> avsigetm=<AV extreme signature version> avsigheu=<AV heuristics signature version> rootkitengine=<anti rootkit engine version> rootkitsig=<anti rootkit signature version> appengine=<application engine version> appsig=<application signature version> ipseng=<IPS engine version> ipssig=<IPS signature version> vulnsig=<vulnerability scan signature version> avsiglastupdate=<last time AV high signature is updated> msg=Software update failed. Software update failed.
Update 0x00017a39 Info avengine=<AV engine version> avsig=<AV high signature version> avsigext=<AV extend signature version> avsigetm=<AV extreme signature version> avsigheu=<AV heuristics signature version> rootkitengine=<anti rootkit engine version> rootkitsig=<anti rootkit signature version> appengine=<application engine version> appsig=<application signature version> ipseng=<IPS engine version> ipssig=<IPS signature version> vulnsig=<vulnerability scan signature version> avsiglastupdate=<last time AV high signature is updated> msg=Update successful <all engine/signature versions> Update was successful; current engine/signature information recorded.
Vulnerability Scan 0x0001790b Info status=<started|finished|failed|cancelled|application> vulnid=<id of vulnerability> vulnname=<name of vulnerability> vulnseverity=<severity> vulncat=<category of vulnerability> vulncvss=<cvss> vulnref=<reference> vulnengine=<scan engine version> vulnsig=<signature version> user=<logged on user> appid=<app id> appversion=<app version> appvendor=<app vendor> product=<csv list of products> msg=Applying patch for Windows vulnerability The details of the vulnerability being remediated are described by the log fields.
Vulnerability Scan 0x0001790a Info status=<started|finished|failed|cancelled|application> vulnid=<id of vulnerability> vulnname=<name of vulnerability> vulnseverity=<severity> vulncat=<category of vulnerability> vulncvss=<cvss> vulnref=<reference> vulnengine=<scan engine version> vulnsig=<signature version> user=<logged on user> appid=<app id> appversion=<app version> appvendor=<app vendor> product=<csv list of products> msg=Applying patch for vulnerability found The details of the vulnerability being remediated are described by the log fields.
Vulnerability Scan 0x00017909 Info status=<started|finished|failed|cancelled|application> vulnid=<id of vulnerability> vulnname=<name of vulnerability> vulnseverity=<severity> vulncat=<category of vulnerability> vulncvss=<cvss> vulnref=<reference> vulnengine=<scan engine version> vulnsig=<signature version> user=<logged on user> appid=<app id> appversion=<app version> appvendor=<app vendor> product=<csv list of products> msg=A vulnerability scan result has been logged A Vulnerability scan result log
Vulnerability Scan 0x00017908 Info status=<started|finished|failed|cancelled|application> vulnid=<id of vulnerability> vulnname=<name of vulnerability> vulnseverity=<severity> vulncat=<category of vulnerability> vulncvss=<cvss> vulnref=<reference> vulnengine=<scan engine version> vulnsig=<signature version> user=<logged on user> appid=<app id> appversion=<app version> appvendor=<app vendor> product=<csv list of products> msg=The vulnerability scan status has changed A vulnerability scan status change
Webfilter 0x000178fb Warning status=<passthrough|monitor|warn|block> cat=<id of rating category> catdesc=<description of rating category> service=<http|https> hostname=<remote server> url=<url> ip=<local ip> user=<logged on user> msg=status=warn [logged on user] temporarily disabled blocking of category [category id] ([category name]) to access [url] The user [logged on user] proceeded to the url [url] after acknowledging a warning message.
Webfilter 0x000178fa Warning status=<passthrough|monitor|warn|block> cat=<id of rating category> catdesc=<description of rating category> service=<http|https> hostname=<remote server> url=<url> ip=<local ip> user=<logged on user> msg=Unable to retrieve the webfilter UDP port number. FortiClient will not be able to determine the FortiGuard rating of URLs.
Webfilter 0x000178f9 Warning status=<passthrough|monitor|warn|block> cat=<id of rating category> catdesc=<description of rating category> service=<http|https> hostname=<remote server> url=<url> ip=<local ip> user=<logged on user> msg=Unable to create proxy/webfilter communication socket. FortiClient will not be able to determine the FortiGuard rating of URLs.
Webfilter 0x000178f8 Warning status=<passthrough|monitor|warn|block> cat=<id of rating category> catdesc=<description of rating category> service=<http|https> hostname=<remote server> url=<url> ip=<local ip> user=<logged on user> msg=The Webfilter Violation report was cleared [user name] Logged when someone clears the webfilter violation report.
Webfilter 0x000178f7 Info status=<passthrough|monitor|warn|block> cat=<id of rating category> catdesc=<description of rating category> service=<http|https> hostname=<remote server> url=<url> ip=<local ip> user=<logged on user> msg=user's access to the url [action and reason] The action taken on the user's access and the reason.
Webfilter 0x000178f6 Warning status=<passthrough|monitor|warn|block> cat=<id of rating category> catdesc=<description of rating category> service=<http|https> hostname=<remote server> url=<url> ip=<local ip> user=<logged on user> msg=user's access to the url [action and reason] The action taken on the user's access and the reason.
Webfilter 0x000178f5 Warning status=<passthrough|monitor|warn|block> cat=<id of rating category> catdesc=<description of rating category> service=<http|https> hostname=<remote server> url=<url> ip=<local ip> user=<logged on user> msg=User disabled Webfilter Logged when someone disables webfiltering.
Webfilter 0x000178f4 Info status=<passthrough|monitor|warn|block> cat=<id of rating category> catdesc=<description of rating category> service=<http|https> hostname=<remote server> url=<url> ip=<local ip> user=<logged on user> msg=User enabled Webfilter Logged when someone enables webfiltering.
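The formats tabulated above can be parsed and triaged as follows; this is an added example, not Fortinet code. Assumptions: the line layout (`<ID> <Level>` followed by the fields) is constructed to mirror the table's columns and is not FortiClient's on-disk layout, every sample value is constructed, and the choice of watchlisted IDs is illustrative.

```python
import re

# Assumed line shape (constructed, mirrors the table's column order):
#   "<ID> <Level> key=value ... msg=<free text to end of line>"
LINE_RE = re.compile(r"^(0x[0-9a-fA-F]{8})\s+(\w+)\s+(.*)$")
MSG_RE = re.compile(r"(?:^|\s)msg=")
# A value runs until the next " key=" or end of text, so values such as
# "Jane Smith" or a URL containing "=" stay in one piece.
PAIR_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)")

# IDs from the table whose description says a protection was switched off,
# evidence was cleared, or a replayed packet was seen.
WATCHLIST = {
    0x00017a66: "Logs were cleared",
    0x000178f8: "Webfilter violation report was cleared",
    0x000178f5: "User disabled Webfilter",
    0x00017ad6: "Single Sign-On Mobility Agent was disabled",
    0x00017938: "replayed packet detected (packet dropped)",
}

# Disable/enable pairs from the table: id -> (feature, enabled afterwards).
TOGGLES = {
    0x000178f5: ("Webfilter", False),
    0x000178f4: ("Webfilter", True),
    0x00017ad6: ("Single Sign-On Mobility Agent", False),
    0x00017ad5: ("Single Sign-On Mobility Agent", True),
}


def parse_fields(text):
    """Split 'k=v k=v ... msg=free text' into a dict; msg takes the rest."""
    m = MSG_RE.search(text)
    head, msg = (text[:m.start()], text[m.end():]) if m else (text, None)
    fields = dict(PAIR_RE.findall(head))
    if msg is not None:
        fields["msg"] = msg.strip()
    return fields


def parse_line(line):
    """Return the event as a dict, or None if the line is not in the shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = {"id": int(m.group(1), 16), "level": m.group(2)}
    event.update(parse_fields(m.group(3)))
    # IKE rows 0x00017931-0x00017934 carry a second key=value list and a
    # second msg= inside msg; expose it instead of leaving it as one string.
    msg = event.get("msg", "")
    if re.match(r"\w+=", msg) and MSG_RE.search(msg):
        event["detail"] = parse_fields(msg)
    return event


def triage(lines):
    """Return (alerts, features still disabled after the last line)."""
    alerts, state = [], {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["id"] in WATCHLIST:
            alerts.append((f"0x{ev['id']:08x}", ev.get("user", "?"),
                           WATCHLIST[ev["id"]]))
        if ev["id"] in TOGGLES:
            feature, enabled = TOGGLES[ev["id"]]
            state[feature] = enabled
    return alerts, sorted(f for f, on in state.items() if not on)


# Constructed sample lines (documentation addresses, invented user).
SAMPLE = """\
0x000178f5 Warning status=block cat=26 catdesc=Malicious Websites service=https hostname=example.test url=https://example.test/?a=b ip=192.0.2.10 user=Jane Smith msg=User disabled Webfilter
0x00017931 Warning vpnstate=disconnected vpntunnel=hq vpnuser=jsmith remotegw=203.0.113.7 user=Jane Smith msg=locip=192.0.2.10 locport=500 remip=203.0.113.7 remport=500 outif=eth0 vpntunnel=hq status=negotiate_error msg=No response from the peer phase1 retransmit reaches maximum count.
0x00017ad6 Warning action=logoff domain=CORP remotegw=203.0.113.7 user=Jane Smith msg=Single Sign-On Mobility Agent was disabled
0x00017ad5 Info action=logon domain=CORP remotegw=203.0.113.7 user=Jane Smith msg=Single Sign-On Mobility Agent was enabled
0x00017a66 Warning user=Jane Smith msg=Logs were cleared
"""

if __name__ == "__main__":
    found, left_off = triage(SAMPLE.splitlines())
    for event_id, user, reason in found:
        print(event_id, user, reason)
    print("still disabled:", left_off)
```

Tracking the disable/enable pairs separately from the watchlist separates a protection that was briefly toggled from one that was still off when the log ends.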

Application Database 0x0000d00f Error <context> <file reference> Can't open driver. Can't open the apd driver. <context> is the service that generated the log. <file reference> is optional and describes the file was being accessed when the log was generated.
Application FireWall 0x00017982 Info action=<action_id> app=<application name> appid=<application id> apppath=<application location> count=<counter of action> rule=<rule that applied> ruleid=<id of rule> ruletype=<type of rule> cat=<category> catid=<category id> policyname=<policy name> msg=User enabled Firewall User enabled Firewall
Application FireWall 0x00017984 Warning action=<action_id> app=<application name> appid=<application id> apppath=<application location> count=<counter of action> rule=<rule that applied> ruleid=<id of rule> ruletype=<type of rule> cat=<category> catid=<category id> policyname=<policy name> msg=The Application Firewall report was cleared Logged when someone clears the application firewall report.
Application FireWall 0x00017983 Warning action=<action_id> app=<application name> appid=<application id> apppath=<application location> count=<counter of action> rule=<rule that applied> ruleid=<id of rule> ruletype=<type of rule> cat=<category> catid=<category id> policyname=<policy name> msg=User disabled Firewall User disabled Firewall
Application FireWall 0x00017985 Warning action=<action_id> app=<application name> appid=<application id> apppath=<application location> count=<counter of action> rule=<rule that applied> ruleid=<id of rule> ruletype=<type of rule> cat=<category> catid=<category id> policyname=<policy name> msg=The application firewall has been disabled because it's driver could not be loaded Logged when application firewall driver could not be loaded with error 127 (The specified procedure could not be found).
Application FireWall 0x00017981 Info action=<action_id> app=<application name> appid=<application id> apppath=<application location> count=<counter of action> rule=<rule that applied> ruleid=<id of rule> ruletype=<type of rule> cat=<category> catid=<category id> policyname=<policy name> msg=Firewall action type=[num] protocol=[num] direction=[num] source=[addr] destination=[addr] Firewall action
Application FireWall 0x00017980 Warning action=<action_id> app=<application name> appid=<application id> apppath=<application location> count=<counter of action> rule=<rule that applied> ruleid=<id of rule> ruletype=<type of rule> cat=<category> catid=<category id> policyname=<policy name> msg=Firewall action type=[num] protocol=[num] direction=[num] source=[addr] destination=[addr] Firewall action
Config Import/Export 0x00017a72 Info user=<logged on user> msg=Policy '[name]' was received and applied Logged when push configuration is received.
Config Import/Export 0x00017a73 Info user=<logged on user> msg=Compliance rules '[name]' were received and applied Logged when compliance rules are received.
Config Import/Export 0x00017a5c Info user=<logged on user> msg=A configuration file is exported to [location] Logged when someone exports a config file.
Config Import/Export 0x00017a5d Info user=<logged on user> msg=A configuration file is imported from [location] Logged when someone imports a config file.
EndPoint Control 0x00017ab7 Info action=<register|authenticate|unregister> actiontype=<auto|manual> user=<logged on user> epmgmtst=<blocked|quarantined> eponlinest=<regonline|regoffline> epplace=<onnet|offnet> epfeatures=<list of features installed> epenfeatures=<list of features enabled> ephbduration=<time duration in minutes that the client has been in the online state to FGT> ephblast=<timestamp of last heartbeat to FGT> ephbemsduration=<time duration in minutes that the client has been in the online state to EMS> ephbemslast=<timestamp of last heartbeat to EMS> msg=Endpoint control policy synchronization was enabled Logged when someone enables Endpoint control policy synchronization.
EndPoint Control 0x00017abf Info This is a report of the current AV whitelist engine/signatures this endpoint is using This is a report of the current AV whitelist engine/signatures this endpoint is using
EndPoint Control 0x00017abe Info user=<logged on user> social_srvc=<social media service> social_user=<social media user>social_email=<social media email>social_phone=<social media phone number> msg=User social media information User social media information
EndPoint Control 0x00017abd Info action=<register|authenticate|unregister> actiontype=<auto|manual> user=<logged on user> epmgmtst=<blocked|quarantined> eponlinest=<regonline|regoffline> epplace=<onnet|offnet> epfeatures=<list of features installed> epenfeatures=<list of features enabled> ephbduration=<time duration in minutes that the client has been in the online state to FGT> ephblast=<timestamp of last heartbeat to FGT> ephbemsduration=<time duration in minutes that the client has been in the online state to EMS> ephbemslast=<timestamp of last heartbeat to EMS> msg=Endpoint Ext Log to FAZ Endpoint Ext Log to FAZ
EndPoint Control 0x00017abc Info action=<register|authenticate|unregister> actiontype=<auto|manual> user=<logged on user> epmgmtst=<blocked|quarantined> eponlinest=<regonline|regoffline> epplace=<onnet|offnet> epfeatures=<list of features installed> epenfeatures=<list of features enabled> ephbduration=<time duration in minutes that the client has been in the online state to FGT> ephblast=<timestamp of last heartbeat to FGT> ephbemsduration=<time duration in minutes that the client has been in the online state to EMS> ephbemslast=<timestamp of last heartbeat to EMS> msg=Endpoint Quarantine Status changed to [status] Endpoint Quarantine Status Changed
EndPoint Control 0x00017abb Info action=<register|authenticate|unregister> actiontype=<auto|manual> user=<logged on user> epmgmtst=<blocked|quarantined> eponlinest=<regonline|regoffline> epplace=<onnet|offnet> epfeatures=<list of features installed> epenfeatures=<list of features enabled> ephbduration=<time duration in minutes that the client has been in the online state to FGT> ephblast=<timestamp of last heartbeat to FGT> ephbemsduration=<time duration in minutes that the client has been in the online state to EMS> ephbemslast=<timestamp of last heartbeat to EMS> msg=Endpoint Control Registration Status changed to [status] with FGT [serial] [address] and client ip [address] Endpoint Control Registration Status Changed
EndPoint Control 0x00017aba Warning action=<register|authenticate|unregister> actiontype=<auto|manual> user=<logged on user> epmgmtst=<blocked|quarantined> eponlinest=<regonline|regoffline> epplace=<onnet|offnet> epfeatures=<list of features installed> epenfeatures=<list of features enabled> ephbduration=<time duration in minutes that the client has been in the online state to FGT> ephblast=<timestamp of last heartbeat to FGT> ephbemsduration=<time duration in minutes that the client has been in the online state to EMS> ephbemslast=<timestamp of last heartbeat to EMS> msg=OffNet configuration version [version] doesn't match FortiGate configuration version [version] OffNet configuration version doesn't match FortiGate configuration version
EndPoint Control 0x00017ab8 Warning action=<register|authenticate|unregister> actiontype=<auto|manual> user=<logged on user> epmgmtst=<blocked|quarantined> eponlinest=<regonline|regoffline> epplace=<onnet|offnet> epfeatures=<list of features installed> epenfeatures=<list of features enabled> ephbduration=<time duration in minutes that the client has been in the online state to FGT> ephblast=<timestamp of last heartbeat to FGT> ephbemsduration=<time duration in minutes that the client has been in the online state to EMS> ephbemslast=<timestamp of last heartbeat to EMS> msg=Endpoint control policy synchronization was disabled Logged when someone disables Endpoint control policy synchronization.
EndPoint Control 0x00017ab6 Info action=<register|authenticate|unregister> actiontype=<auto|manual> user=<logged on user> epmgmtst=<blocked|quarantined> eponlinest=<regonline|regoffline> epplace=<onnet|offnet> epfeatures=<list of features installed> epenfeatures=<list of features enabled> ephbduration=<time duration in minutes that the client has been in the online state to FGT> ephblast=<timestamp of last heartbeat to FGT> ephbemsduration=<time duration in minutes that the client has been in the online state to EMS> ephbemslast=<timestamp of last heartbeat to EMS> msg=upload logs [state] Upload logs to registered FortiGate
EndPoint Control 0x00017ab9 Info action=<register|authenticate|unregister> actiontype=<auto|manual> user=<logged on user> epmgmtst=<blocked|quarantined> eponlinest=<regonline|regoffline> epplace=<onnet|offnet> epfeatures=<list of features installed> epenfeatures=<list of features enabled> ephbduration=<time duration in minutes that the client has been in the online state to FGT> ephblast=<timestamp of last heartbeat to FGT> ephbemsduration=<time duration in minutes that the client has been in the online state to EMS> ephbemslast=<timestamp of last heartbeat to EMS> msg=Endpoint Control Status changed to [status] Endpoint Control Status Changed
FortiProxy 0x00017a48 Warning user=<logged on user> msg=Fortiproxy is disabled Fortiproxy is disabled
FortiProxy 0x00017a49 Info user=<logged on user> msg=Fortiproxy is enabled Fortiproxy is enabled
FortiShield 0x00017a52 Warning user=<logged on user> msg=FortiShield is disabled FortiShield is disabled
FortiShield 0x00017a55 Warning user=<logged on user> msg=The console was unlocked The console password was unlocked.
FortiShield 0x00017a56 Warning user=<logged on user> msg=The console password was removed The console password was removed.
FortiShield 0x00017a57 Warning user=<logged on user> msg=FortiShield blocked application: [application path] from modifying: [file or registry path] FortiShield has prevented an application from modifying a file or registry setting protected by FortiClient.
FortiShield 0x00017a53 Info user=<logged on user> msg=FortiShield is enabled FortiShield is enabled
FortiShield 0x00017a54 Info user=<logged on user> msg=The console was locked The console password was locked.
IKE VPN 0x00017941 Info vpnstate=<connected|disconnected> vpntunnel=<tunnel name> vpnuser=<vpn user> remotegw=<remote gateway> user=<logged on user> msg=locip=<ip address> locport=<port number> remip=<ip address> remport=<port number> outif=<interface> vpntunnel=<tunnel name> status=negotiate_error msg=IKE phase1 authentication fail as the preshare key mismatch. IKE phase1 authentication fail as the preshare key mismatch.
IKE VPN 0x0001793f Warning vpnstate=<connected|disconnected> vpntunnel=<tunnel name> vpnuser=<vpn user> remotegw=<remote gateway> user=<logged on user> msg=A required application is not running. VPN cannot connect because the specified application is not running.
IKE VPN 0x0001793e Error vpnstate=<connected|disconnected> vpntunnel=<tunnel name> vpnuser=<vpn user> remotegw=<remote gateway> user=<logged on user> msg=VPN cannot connect because an authorization rule failed. Logged when a VPN authorization rule failed.
IKE VPN 0x0001793d Info vpnstate=<connected|disconnected> vpntunnel=<tunnel name> vpnuser=<vpn user> remotegw=<remote gateway> user=<logged on user> msg=VPN before logon was disabled Logged when someone disables VPN before logon.
IKE VPN 0x00017940 Info vpnstate=<connected|disconnected> vpntunnel=<tunnel name> vpnuser=<vpn user> remotegw=<remote gateway> user=<logged on user> msg=locip=<ip address> locport=<port number> remip=<ip address> remport=<port number> outif=<interface> vpntunnel=<tunnel name> status=negotiate_error msg=IKE phase1 authentication fail as peer's certificate is not verified. IKE phase1 authentication fail as peer's certificate is not verified.
IKE VPN 0x0001793b Info vpnstate=<connected|disconnected> vpntunnel=<tunnel name> vpnuser=<vpn user> remotegw=<remote gateway> user=<logged on user> msg=locip=<ip address> locport=<port number> remip=<ip address> remport=<port number> outif=<interface> vpntunnel=<tunnel name> action=install_sa inspi=<inbound spi> outspi=<outbound spi> <Initiator|Responder> tunnel <ip address/ip address> install sa Send sa to the IPsec driver.
IKE VPN 0x0001793a Info vpnstate=<connected|disconnected> vpntunnel=<tunnel name> vpnuser=<vpn user> remotegw=<remote gateway> user=<logged on user> msg=VPN user choose disconnect the tunnel or no response The VPN user rejected the banner warning and disconnected the tunnel.
IKE VPN 0x00017939 Info vpnstate=<connected|disconnected> vpntunnel=<tunnel name> vpnuser=<vpn user> remotegw=<remote gateway> user=<logged on user> msg=VPN user accept the banner and continue with the tunnel setup The VPN user accepted the banner warning.
IKE VPN 0x00017930 Info vpnstate=<connected|disconnected> vpntunnel=<tunnel name> vpnuser=<vpn user> remotegw=<remote gateway> user=<logged on user> msg=VPN tunnel status VPN tunnel status
IKE VPN 0x0001793c Info vpnstate=<connected|disconnected> vpntunnel=<tunnel name> vpnuser=<vpn user> remotegw=<remote gateway> user=<logged on user> msg=VPN before logon was enabled Logged when someone enables VPN before logon.
IKE VPN 0x00017936 Info vpnstate=<connected|disconnected> vpntunnel=<tunnel name> vpnuser=<vpn user> remotegw=<remote gateway> user=<logged on user> msg=negotiation information <detailed info> negotiation information
IKE VPN 0x00017937 Error vpnstate=<connected|disconnected> vpntunnel=<tunnel name> vpnuser=<vpn user> remotegw=<remote gateway> user=<logged on user> msg=negotiation error <detailed error> negotiation error
IKE VPN 0x00017931 Warning vpnstate=<connected|disconnected> vpntunnel=<tunnel name> vpnuser=<vpn user> remotegw=<remote gateway> user=<logged on user> msg=locip=<ip address> locport=<port number> remip=<ip address> remport=<port number> outif=<interface> vpntunnel=<tunnel name> status=negotiate_error msg=No response from the peer phase1 retransmit reaches maximum count. No response from the peer phase1 retransmit reaches maximum count.
IKE VPN 0x00017932 Warning vpnstate=<connected|disconnected> vpntunnel=<tunnel name> vpnuser=<vpn user> remotegw=<remote gateway> user=<logged on user> msg=locip=<ip address> locport=<port number> remip=<ip address> remport=<port number> outif=<interface> vpntunnel=<tunnel name> status=negotiate_error msg=No response from the peer phase2 retransmit reaches maximum count. No response from the peer phase2 retransmit reaches maximum count.
IKE VPN 0x00017938 Error vpnstate=<connected|disconnected> vpntunnel=<tunnel name> vpnuser=<vpn user> remotegw=<remote gateway> user=<logged on user> msg=replayed packet detected (packet dropped) <detailed error> replayed packet detected (packet dropped).
IKE VPN 0x00017933 Warning vpnstate=<connected|disconnected> vpntunnel=<tunnel name> vpnuser=<vpn user> remotegw=<remote gateway> user=<logged on user> msg=locip=<ip address> locport=<port number> remip=<ip address> remport=<port number> outif=<interface> vpntunnel=<tunnel name> status=negotiate_error msg=Received delete payload from peer check xauth password. Received delete payload from peer check xauth password.
IKE VPN 0x00017934 Error vpnstate=<connected|disconnected> vpntunnel=<tunnel name> vpnuser=<vpn user> remotegw=<remote gateway> user=<logged on user> msg=locip=<ip address> locport=<port number> remip=<ip address> remport=<port number> outif=<interface> vpntunnel=<tunnel name> msg=Failed to acquire an IP address. Failed to acquire an IP address for the virtual adapter.
IKE VPN 0x00017935 Error vpnstate=<connected|disconnected> vpntunnel=<tunnel name> vpnuser=<vpn user> remotegw=<remote gateway> user=<logged on user> msg=ike error <detailed error info> General error of IKE
IKE VPN 0x00017942 Error vpnstate=<connected|disconnected> vpntunnel=<tunnel name> vpnuser=<vpn user> remotegw=<remote gateway> user=<logged on user> msg=VPN cannot connect because the computer failed a compliancy test. Logged when a compliance test fails when trying to connect a VPN tunnel.
Scheduler 0x00017a20 Info user=<logged on user> msg=Forcefully kill a child process fct (process name) after grace period expires A scheduler-owned child process failed to stop when instructed to do so, so it was forcefully terminated.
Scheduler 0x00017a21 Error user=<logged on user> msg=The scheduler cannot start the scheduled task because the task's license is expired. The scheduler cannot start the scheduled task because the task's license is expired.
Scheduler 0x00017a68 Info user=<logged on user> msg=FortiClient is starting up FortiClient is starting up
Scheduler 0x00017a69 Info user=<logged on user> msg=%s is shutting down FortiClient is shutting down
Single Sign-On Mobility Agent 0x00017ad4 Info action=<logoff|logon|ipchange|wakeup|keepalive> domain=<domain name> remotegw=<remote gateway> user=<logged on user> msg=Single Sign-On event Single Sign-On event.
Single Sign-On Mobility Agent 0x00017ad6 Warning action=<logoff|logon|ipchange|wakeup|keepalive> domain=<domain name> remotegw=<remote gateway> user=<logged on user> msg=Single Sign-On Mobility Agent was disabled Logged when someone disables Single Sign-On Mobility Agent.
Single Sign-On Mobility Agent 0x00017ad7 Info action=<logoff|logon|ipchange|wakeup|keepalive> domain=<domain name> remotegw=<remote gateway> user=<logged on user> msg=Single Sign-On Mobility Agent is starting... version:[nnn] Single Sign-On Mobility Agent is starting
Single Sign-On Mobility Agent 0x00017ad8 Info action=<logoff|logon|ipchange|wakeup|keepalive> domain=<domain name> remotegw=<remote gateway> user=<logged on user> msg=Single Sign-On Mobility Agent is stopping... version:[nnn] Single Sign-On Mobility Agent is stopping
Single Sign-On Mobility Agent 0x00017ad5 Info action=<logoff|logon|ipchange|wakeup|keepalive> domain=<domain name> remotegw=<remote gateway> user=<logged on user> msg=Single Sign-On Mobility Agent was enabled Logged when someone enables Single Sign-On Mobility Agent.
SSL VPN 0x00017958 Info vpnstate=<connected|disconnected> vpntunnel=<tunnel name> vpnuser=<vpn user> remotegw=<remote gateway> user=<logged on user> msg=SSLVPN tunnel status SSLVPN tunnel status
UI 0x00017a67 Info user=<logged on user> msg=Alerts were cleared Logged when alerts are cleared by a user.
UI 0x00017a66 Warning user=<logged on user> msg=Logs were cleared Logged when logs are cleared.
Update 0x00017a2a Info avengine=<AV engine version> avsig=<AV high signature version> avsigext=<AV extend signature version> avsigetm=<AV extreme signature version> avsigheu=<AV heuristics signature version> rootkitengine=<anti rootkit engine version> rootkitsig=<anti rootkit signature version> appengine=<application engine version> appsig=<application signature version> ipseng=<IPS engine version> ipssig=<IPS signature version> vulnsig=<vulnerability scan signature version> avsiglastupdate=<last time AV high signature is updated> msg=Customer initiated a software update request. Logged when a user presses the GUI's update button.
Update 0x00017a37 Info avengine=<AV engine version> avsig=<AV high signature version> avsigext=<AV extend signature version> avsigetm=<AV extreme signature version> avsigheu=<AV heuristics signature version> rootkitengine=<anti rootkit engine version> rootkitsig=<anti rootkit signature version> appengine=<application engine version> appsig=<application signature version> ipseng=<IPS engine version> ipssig=<IPS signature version> vulnsig=<vulnerability scan signature version> avsiglastupdate=<last time AV high signature is updated> msg=Checking for updates. Checking for updates.
Update 0x00017a2c Info avengine=<AV engine version> avsig=<AV high signature version> avsigext=<AV extend signature version> avsigetm=<AV extreme signature version> avsigheu=<AV heuristics signature version> rootkitengine=<anti rootkit engine version> rootkitsig=<anti rootkit signature version> appengine=<application engine version> appsig=<application signature version> ipseng=<IPS engine version> ipssig=<IPS signature version> vulnsig=<vulnerability scan signature version> avsiglastupdate=<last time AV high signature is updated> msg=Update allowed only if you have a valid license Update allowed only if you have a valid license
Update 0x00017a38 Info avengine=<AV engine version> avsig=<AV high signature version> avsigext=<AV extend signature version> avsigetm=<AV extreme signature version> avsigheu=<AV heuristics signature version> rootkitengine=<anti rootkit engine version> rootkitsig=<anti rootkit signature version> appengine=<application engine version> appsig=<application signature version> ipseng=<IPS engine version> ipssig=<IPS signature version> vulnsig=<vulnerability scan signature version> avsiglastupdate=<last time AV high signature is updated> msg=Software update started. Software update started.
Update 0x00017a2d Info avengine=<AV engine version> avsig=<AV high signature version> avsigext=<AV extend signature version> avsigetm=<AV extreme signature version> avsigheu=<AV heuristics signature version> rootkitengine=<anti rootkit engine version> rootkitsig=<anti rootkit signature version> appengine=<application engine version> appsig=<application signature version> ipseng=<IPS engine version> ipssig=<IPS signature version> vulnsig=<vulnerability scan signature version> avsiglastupdate=<last time AV high signature is updated> msg=Software updates are disabled. Software updates from FortiGuard have been disabled.
Update 0x00017a2e Info avengine=<AV engine version> avsig=<AV high signature version> avsigext=<AV extend signature version> avsigetm=<AV extreme signature version> avsigheu=<AV heuristics signature version> rootkitengine=<anti rootkit engine version> rootkitsig=<anti rootkit signature version> appengine=<application engine version> appsig=<application signature version> ipseng=<IPS engine version> ipssig=<IPS signature version> vulnsig=<vulnerability scan signature version> avsiglastupdate=<last time AV high signature is updated> msg=Software updates from FortiGuard have been disabled because this client is managed. Software updates from FortiGuard have been disabled.
Update 0x00017a30 Info avengine=<AV engine version> avsig=<AV high signature version> avsigext=<AV extend signature version> avsigetm=<AV extreme signature version> avsigheu=<AV heuristics signature version> rootkitengine=<anti rootkit engine version> rootkitsig=<anti rootkit signature version> appengine=<application engine version> appsig=<application signature version> ipseng=<IPS engine version> ipssig=<IPS signature version> vulnsig=<vulnerability scan signature version> avsiglastupdate=<last time AV high signature is updated> msg=Software update successful. Software update successful.
Update 0x00017a2f Info avengine=<AV engine version> avsig=<AV high signature version> avsigext=<AV extend signature version> avsigetm=<AV extreme signature version> avsigheu=<AV heuristics signature version> rootkitengine=<anti rootkit engine version> rootkitsig=<anti rootkit signature version> appengine=<application engine version> appsig=<application signature version> ipseng=<IPS engine version> ipssig=<IPS signature version> vulnsig=<vulnerability scan signature version> avsiglastupdate=<last time AV high signature is updated> msg=Software updates require administrative privileges. The user does not have sufficient privileges to perform software updates.
Update 0x00017a32 Info avengine=<AV engine version> avsig=<AV high signature version> avsigext=<AV extend signature version> avsigetm=<AV extreme signature version> avsigheu=<AV heuristics signature version> rootkitengine=<anti rootkit engine version> rootkitsig=<anti rootkit signature version> appengine=<application engine version> appsig=<application signature version> ipseng=<IPS engine version> ipssig=<IPS signature version> vulnsig=<vulnerability scan signature version> avsiglastupdate=<last time AV high signature is updated> msg=Unable to perform software update. Registry does not contain image id to download. The image id that is expected to be in the registry is missing.
Update 0x00017a33 Info avengine=<AV engine version> avsig=<AV high signature version> avsigext=<AV extend signature version> avsigetm=<AV extreme signature version> avsigheu=<AV heuristics signature version> rootkitengine=<anti rootkit engine version> rootkitsig=<anti rootkit signature version> appengine=<application engine version> appsig=<application signature version> ipseng=<IPS engine version> ipssig=<IPS signature version> vulnsig=<vulnerability scan signature version> avsiglastupdate=<last time AV high signature is updated> msg=Update <module description> successful new version is <version number> Update was successful to the given version for the given module.
Update 0x0001798a Info avengine=<AV engine version> avsig=<AV high signature version> avsigext=<AV extend signature version> avsigetm=<AV extreme signature version> avsigheu=<AV heuristics signature version> rootkitengine=<anti rootkit engine version> rootkitsig=<anti rootkit signature version> appengine=<application engine version> appsig=<application signature version> ipseng=<IPS engine version> ipssig=<IPS signature version> vulnsig=<vulnerability scan signature version> avsiglastupdate=<last time AV high signature is updated> msg=Update success Update was successful.
Update 0x00017a34 Error avengine=<AV engine version> avsig=<AV high signature version> avsigext=<AV extend signature version> avsigetm=<AV extreme signature version> avsigheu=<AV heuristics signature version> rootkitengine=<anti rootkit engine version> rootkitsig=<anti rootkit signature version> appengine=<application engine version> appsig=<application signature version> ipseng=<IPS engine version> ipssig=<IPS signature version> vulnsig=<vulnerability scan signature version> avsiglastupdate=<last time AV high signature is updated> msg=Unable to load AV engine Failed to load the AV engine.
Update 0x00017a35 Error avengine=<AV engine version> avsig=<AV high signature version> avsigext=<AV extend signature version> avsigetm=<AV extreme signature version> avsigheu=<AV heuristics signature version> rootkitengine=<anti rootkit engine version> rootkitsig=<anti rootkit signature version> appengine=<application engine version> appsig=<application signature version> ipseng=<IPS engine version> ipssig=<IPS signature version> vulnsig=<vulnerability scan signature version> avsiglastupdate=<last time AV high signature is updated> msg=Error patching AV signature. Error patching AV signature.
Update 0x00017a36 Error avengine=<AV engine version> avsig=<AV high signature version> avsigext=<AV extend signature version> avsigetm=<AV extreme signature version> avsigheu=<AV heuristics signature version> rootkitengine=<anti rootkit engine version> rootkitsig=<anti rootkit signature version> appengine=<application engine version> appsig=<application signature version> ipseng=<IPS engine version> ipssig=<IPS signature version> vulnsig=<vulnerability scan signature version> avsiglastupdate=<last time AV high signature is updated> msg=Unable to load FASLE engine Unable to load FASLE engine
Update 0x00017a31 Info avengine=<AV engine version> avsig=<AV high signature version> avsigext=<AV extend signature version> avsigetm=<AV extreme signature version> avsigheu=<AV heuristics signature version> rootkitengine=<anti rootkit engine version> rootkitsig=<anti rootkit signature version> appengine=<application engine version> appsig=<application signature version> ipseng=<IPS engine version> ipssig=<IPS signature version> vulnsig=<vulnerability scan signature version> avsiglastupdate=<last time AV high signature is updated> msg=Software update failed. Software update failed.
Update 0x00017a39 Info avengine=<AV engine version> avsig=<AV high signature version> avsigext=<AV extend signature version> avsigetm=<AV extreme signature version> avsigheu=<AV heuristics signature version> rootkitengine=<anti rootkit engine version> rootkitsig=<anti rootkit signature version> appengine=<application engine version> appsig=<application signature version> ipseng=<IPS engine version> ipssig=<IPS signature version> vulnsig=<vulnerability scan signature version> avsiglastupdate=<last time AV high signature is updated> msg=Update successful <all engine/signature versions> Update was successful current engine/signature information recorded.
Vulnerability Scan 0x0001790b Info status=<started|finished|failed|cancelled|application> vulnid=<id of vulnerability> vulnname=<name of vulnerability> vulnseverity=<severity> vulncat=<category of vulnerability> vulncvss=<cvss> vulnref=<reference> vulnengine=<scan engine version> vulnsig=<signature version> user=<logged on user> appid=<app id> appversion=<app version> appvendor=<app vendor> product=<csv list of products> msg=Applying patch for Windows vulnerability The details of the vulnerability being remediated are described by the log fields.
Vulnerability Scan 0x0001790a Info status=<started|finished|failed|cancelled|application> vulnid=<id of vulnerability> vulnname=<name of vulnerability> vulnseverity=<severity> vulncat=<category of vulnerability> vulncvss=<cvss> vulnref=<reference> vulnengine=<scan engine version> vulnsig=<signature version> user=<logged on user> appid=<app id> appversion=<app version> appvendor=<app vendor> product=<csv list of products> msg=Applying patch for vulnerability found The details of the vulnerability being remediated are described by the log fields.
Vulnerability Scan 0x00017909 Info status=<started|finished|failed|cancelled|application> vulnid=<id of vulnerability> vulnname=<name of vulnerability> vulnseverity=<severity> vulncat=<category of vulnerability> vulncvss=<cvss> vulnref=<reference> vulnengine=<scan engine version> vulnsig=<signature version> user=<logged on user> appid=<app id> appversion=<app version> appvendor=<app vendor> product=<csv list of products> msg=A vulnerability scan result has been logged A Vulnerability scan result log
Vulnerability Scan 0x00017908 Info status=<started|finished|failed|cancelled|application> vulnid=<id of vulnerability> vulnname=<name of vulnerability> vulnseverity=<severity> vulncat=<category of vulnerability> vulncvss=<cvss> vulnref=<reference> vulnengine=<scan engine version> vulnsig=<signature version> user=<logged on user> appid=<app id> appversion=<app version> appvendor=<app vendor> product=<csv list of products> msg=The vulnerability scan status has changed A vulnerability scan status change
Webfilter 0x000178fb Warning status=<passthrough|monitor|warn|block> cat=<id of rating category> catdesc=<description of rating category> service=<http|https> hostname=<remote server> url=<url> ip=<local ip> user=<logged on user> msg=status=warn [logged on user] temporarily disabled blocking of category [category id] ([category name]) to access [url] The user [logged on user] proceeded to the url [url] after acknowledging a warning message.
Webfilter 0x000178fa Warning status=<passthrough|monitor|warn|block> cat=<id of rating category> catdesc=<description of rating category> service=<http|https> hostname=<remote server> url=<url> ip=<local ip> user=<logged on user> msg=Unable to retrieve the webfilter UDP port number. FortiClient will not be able to determine the FortiGuard rating of URLs.
Webfilter 0x000178f9 Warning status=<passthrough|monitor|warn|block> cat=<id of rating category> catdesc=<description of rating category> service=<http|https> hostname=<remote server> url=<url> ip=<local ip> user=<logged on user> msg=Unable to create proxy/webfilter communication socket. FortiClient will not be able to determine the FortiGuard rating of URLs.
Webfilter 0x000178f8 Warning status=<passthrough|monitor|warn|block> cat=<id of rating category> catdesc=<description of rating category> service=<http|https> hostname=<remote server> url=<url> ip=<local ip> user=<logged on user> msg=The Webfilter Violation report was cleared [user name] Logged when someone clears the webfilter violation report.
Webfilter 0x000178f7 Info status=<passthrough|monitor|warn|block> cat=<id of rating category> catdesc=<description of rating category> service=<http|https> hostname=<remote server> url=<url> ip=<local ip> user=<logged on user> msg=user's access to the url [action and reason] The action taken on the user's access, and the reason.
Webfilter 0x000178f6 Warning status=<passthrough|monitor|warn|block> cat=<id of rating category> catdesc=<description of rating category> service=<http|https> hostname=<remote server> url=<url> ip=<local ip> user=<logged on user> msg=user's access to the url [action and reason] The action taken on the user's access, and the reason.
Webfilter 0x000178f5 Warning status=<passthrough|monitor|warn|block> cat=<id of rating category> catdesc=<description of rating category> service=<http|https> hostname=<remote server> url=<url> ip=<local ip> user=<logged on user> msg=User disabled Webfilter Logged when someone disables webfiltering.
Webfilter 0x000178f4 Info status=<passthrough|monitor|warn|block> cat=<id of rating category> catdesc=<description of rating category> service=<http|https> hostname=<remote server> url=<url> ip=<local ip> user=<logged on user> msg=User enabled Webfilter Logged when someone enables webfiltering.