Fortinet white logo
Fortinet white logo

Administration Guide

7.4.0

Events and alarms list

Events and alarms list

When events are enabled, they can be enabled for All Groups or for a single group. Depending on the event you may not want to enable it for all groups because the volume of events would be overwhelming. For example, if you enabled the host connected event for all groups, you would receive an event message every time someone connects to the network.

When you look at an event in the Event Viewer, additional information is provided about that occurrence of the event. It might include information such as user name, IP address, MAC address or location.

Each event has a corresponding alarm that can be configured. See Map events to alarms.

Event names highlighted in gray are no longer used. However, they are still available in the Event Log to accommodate importing older data that may contain those events.

Events and alarms

Event

Definition

Access Configuration Modified

Generated whenever an Access Configuration is modified.

Access Policy Modified

Generated whenever an Access Policy is modified.

Adapter Created

Generated whenever an adapter is added to a host.

Adapter Destroyed

Generated whenever an adapter is removed from a host.

Adapter Connected to a disallowed SSID

Adapter Disconnected from disallowed SSID

Adapter connected to/disconnected from SSID not included in the list defined under Restrict Wireless Connections to Specific SSIDs. See Create or edit a configuration. See also KB article https://community.fortinet.com/t5/FortiNAC/Technical-Tip-SSID-AP-check-and-Multihome-detection-with/ta-p/282330

Add/Modify/Remove Blocking via REST API

Generated whenever a REST API request is received that creates or removes a Control Task.

Add/Modify/Remove Host

Generated whenever a trap is received that adds, modifies or removes a host record in the database.

Add/Modify/Remove Host via REST API

Generated whenever a REST API request is received that adds, modifies or removes a host record in the database.

Add/Modify/Remove User

Generated whenever a trap is received that adds, modifies or removes a user record in the database.

Add/Modify/Remove User via REST API

Generated whenever a REST API request is received that adds, modifies or removes a user record in the database.

Admin User Created

Administrative user created. User types are not included in the event message.

Admin User Destroyed

Administrative user deleted from the database.

Admin User Logged Out

Administrative user logged out of the user interface.

Admin User Login Failure

Administrative user failed to log into the user interface.

Admin User Login Success

Administrative user logged into the user interface.

Admin User Timed Out

Administrative user was logged out of the User Interface based on the settings in Users & Hosts > Administrators > Timeout Settings in the Administrative Interface Inactivity Time (Minutes) field.

Admin Profile Modified Generates when the Admin Profile has been changed.Reports user and the change made to the profile.

Administrative Status Success

User has gone into port properties for an individual port and successfully turned the Admin Status on or off.

Agent - Unrecognized Vendor OUI

No longer used.

Generated when an agent scans a host and returns MAC addresses that have a vendor OUI that is not included in the vendor OUI Management list in FortiNAC.

Agent Message Sent

Message sent from FortiNAC user to one or more hosts. Only hosts running the Persistent Agent can receive messages. This event is not generated if the message fails to send.

Agent Update Failure
Agent Update Success

Indicates whether or not an agent updated successfully.

Alarm Created

Indicates that an event has caused an alarm.

Appliance Weak Password(s)

Indicates that password for the appliance and/or the admin UI are either a default factory password or are not complex enough. It is recommended that you modify the password. Otherwise, your network may be at risk for a security breach.

Application Server Contact Lost

Generated when contact is lost to the Nessus plugin in a 1200/8200 pair. Requires contact to be established before contact can be lost.

Application Violation

FortiNAC can receive traps from external applications hosted on servers modeled in the Topologyas Pingable or Server devices. This event is generated when a trap is received. Traps might be used to indicate intrusion or that a threshold has been exceeded.

A Host Application Violation event can be generated at the same time.

Application Violation Reset

Generated based on a trap sent from an external application. Indicates that the condition that caused the Application Violation event is no longer happening and operations can return to normal. For example, if hosts have been marked at risk, they can now be marked safe and can access the network.

A Host Application Violation Reset can be generated at the same time with host specific information.

Authenticated User

Successfully verified users credentials with the directory.

Authentication Configuration Modified

Generated whenever an authentication configuration is modified.

Authentication Failure

Unable to verify users credentials with the directory.

Authentication Policy Modified

Generated whenever an authentication policy is modified.

Authentication Time-out Failure

User did not authenticate within the alloted time.

Authentication Trap Receive

Received an authentication trap from the directory.

Auto-Definition Synchronizer Failure FotiNAC unable to perform Auto-Definition update with fnac-updates.fortinet.net.
Auto-Definition Synchronizer Success FotiNAC successfully performed Auto-Definition update with fnac-updates.fortinet.net.

BigFix High Violation

BigFix Medium Violation

BigFix Low Violation

Endpoint violation reported by BigFix. For details see Patch management.

Certificate Expiration Warning

Generated when a certificate is due to expire within 30 days.

Certificate Expiration Warning (CRITICAL)

Generated when a certificate is due to expire within 7 days.

Certificate Expired

Generated when a certificate has expired.

cipSecTunnelStop

Generated when VPN connection IPsec Phase-2 Tunnel becomes inactive.

CLI Configuration Failure
CLI Configuration Success

Generated when a user tries to configure a Scheduled task that involves applying a CLI configuration to a group. Indicates whether or not the configuration of the scheduled task was successful.

CLI Data Substitution Failure

Indicates failure to substitute the "Port, VLAN, IP, or MAC" data into the CLI.

Communication Lost with
BigFix Server

Event indicates that the BigFix patch management server cannot be reached.

Communication Lost with
iboss

If configured FortiNAC sends user ID and IP address to iboss each time a host connects to the network.

Event indicates that the iboss SSO Agent modeled in the Inventory cannot be reached.

Communication Lost with
Palo Alto User Agent

Palo Alto User Agent is a component of the Palo Alto Firewall. If configured FortiNAC sends user ID and IP address to the Palo Alto User Agent each time a host connects to the network.

Event indicates that the Palo Alto User Agent modeled in the Inventory cannot be reached.

Communication Lost with
PatchLink Server

Event indicates that the PatchLink patch management server cannot be reached.

Communication Lost with
RADIUS/SSO Agent

Fortinet SSO Agent is a component of the FortiGate Firewall. If configured FortiNAC sends user ID and IP address to the Fortinet SSO Agent each time a host connects to the network.

Event indicates that the Fortinet SSO Agent modeled in the Inventory cannot be reached.

Communication Lost with
Script

Generated if a Custom Script SSO Agent is configured in Inventory. FortiNAC sends user ID and IP address as parameters to the script each time a host connects to the network.

Event indicates that the script configured in the Inventory failed to run.

Conference Created

Using guest/contractor accounts you can create a batch of conference user accounts. This event is generated when those accounts are created and indicates the number of accounts created.

Contact Established

Contact with a device has been established.

Contact Lost

Contact with a device has been lost.

Container Created

New container has been created in the database. Containers are a grouping mechanism for devices that display in the Inventory.

Container Destroyed

Container has been deleted from the database. Deleting a container deletes all of the devices it contains.

Database Archive/Purge Failure
Database Archive/Purge Success

Indicates whether or not the scheduled database archive/purge was successful.

Database Backup Failure
Database Backup Success

Indicates whether or not the scheduled database backup was successful.

Database Replication Error

Occurs in a high availability situation when the MasterLoader database is not replicating. Can also be triggered when the database on the secondary server is not running.

Database Replication Succeeded

Occurs in a high availability situation when the MasterLoader database is successfully replicated to the secondary server.

De-authenticated

User logged off from host.

De-authentication Failure

Unable to log off user from host. User not found.

Deleted Host Successfully

Host or FortiNAC user has been successfully deleted from the database. If multiple records are deleted at once, a separate event is generated for each record.

Device Cold Start

Device was restarted using the power switch.

Device Created

New managed device has been created in the database.

Device Destroyed

Managed device has been deleted from the database.

Device Fingerprint Changed

Host is using a different operating system than the one with which the host was registered. This could occur on a host with a dual-boot. For example, the host registers with a Windows operating system. The user later boots the host using Linux and tries to access the network. That change would trigger this event. An upgrade within a family of operating systems would not normally trigger this event, such as from Windows XP to Windows Vista.

Operating system is determined by the DHCP fingerprint.

Device Identity

No longer used.

Device Link

A device has linked to port X on the network.

Device Link Down

A device link goes down on a specific port because a device was disconnected from the port.

Device Link Up

Generated when a device link goes up on a specific port.

Device Profile Rule Match

A rogue host has matched a Device Profiling rule allowing it to be assigned a device type and registered.

Device Profiling Automatic
Registration

A rogue host has been registered by device profiling based on a device profiling rule.

Device Profiling Rule Missing Data

Indicates that device profiler cannot compare a rogue against a rule because FortiNAC does not have enough information about the rogue, such as a DHCP fingerprint. If device profiler cannot compare a rogue against a rule it does not continue processing that rogue, and moves on to the next rogue.

Device Rule Confirmation
Failure
Device Rule Confirmation
Success

Devices identified by a Device Profiling rule maintain their association with that rule. If enabled, the associated rule and the device are checked periodically to see if the rule is still valid for the device. These event messages indicate whether or not the device matched the associated rule.

Device Warm Start

Device was restarted from the command line interface.

DHCP Host Name Changed

Generated when a known host connects to the network and its hostname is different. Indicates that the hostname in the database associated with the MAC address and existing DHCP finger print for that host is different.

Directory Connection Failure

The connection to a directory, such as Active Directory or LDAP, failed. The directory could have refused the connection because the user name and password were incorrect. This event can be triggered when testing the connection to the directory with Test on the Directory Configuration window.

Directory Group Disabled
Directory Group Enabled

Users can be disabled/enabled in a directory, such as LDAP, based on group membership. When the FortiNAC database synchronizes with the directory, users that are members of the group are enabled. Users that are not members of the group are disabled.

Directory Synchronization
Failure
Directory Synchronization
Success

Indicates whether or not a directory, such as Active Directory or LDAP, synchronized with the user database. Could be caused if FortiNAC fails to connect to the directory. This synchronization is a one time task done when the directory is configured. See Schedule synchronization.

Directory User Disabled
Directory User Enabled

Users can be disabled/enabled in a directory, such as LDAP. When the FortiNAC database synchronizes with the directory, users can be disabled/enabled based on their directory setting.

Disable Host Failure
Disable Host Success

Generated when a user manually disables a host on the Host View. Indicates whether or not the host was successfully disabled.

Disable Hosts Failure
Disable Hosts Success

Indicates whether or not hosts in a group were successfully disabled using a scheduled task.

Disable Port Failure
Disable Port Success

Indicates whether or not a particular port was disabled by an alarm action.

Disable Ports Failure
Disable Ports Success

Indicates whether or not ports in a particular group were disabled by a scheduled task.

Disable User Success

Indicates that a user selected from the user view was successfully disabled.

Disabled Authenticated

No longer used.

Disassociate Host Disassociated

Discovery Completed

The device discovery process that adds new devices to FortiNAC has completed. IP address range is included in the completion message.

Duplicate Host For Device

No longer used.

Duplicate Physical Address

No longer used.

Duplicate Users Found in
Directory

Two users with the same last name and/or ID were found in the directory. FortiNAC is case in-sensitive. For example, two users with last names listed as SMITH and smith are treated as if they were the same person. The newer of the two users is ignored.

Email Failure

Alarms can be configured to send E-mail Notifications to FortiNAC administrative users. If the administrative user has no e-mail address or the e-mail fails in any other way, this event is generated.

Enable Host Failure
Enable Host Success

Indicates whether or not a host selected from the Host View was successfully enabled.

Enable Hosts Failure
Enable Hosts Success

Indicates whether or not hosts in a group were successfully enabled using a scheduled task.

Enable Port Failure
Enable Port Success

Indicates whether or not a particular port has been enabled by an alarm action in response to a previous event.

Enable Ports Failure
Enable Ports Success

Indicates whether or not ports in a particular group were enabled by a scheduled task.

Enable User Success

Indicates that a user selected from the user view was successfully enabled.

Endpoint Compliance Configuration Modified

Generated whenever an endpoint compliance configuration is modified.

Endpoint Compliance Configuration Platform Setting Modified

Generated whenever an endpoint compliance configuration platform setting is modified.

Endpoint Compliance Modified

Generated whenever an endpoint compliance is modified.

Enterasys Dragon Violation

Enterasys Dragon is an Intrusion Protection/Detection System. An event is generated when an intruder is detected.

Entitlement Polling Failure

(Requires version 8.8.10, 9.1.4, 9.2.0 or above) Generated when there is an error communicating or processing license entitlements data from Forticloud over TCP 443. Entitlement polling is required for Subscription Licenses. Refer to the Deployment Guide in the Document Library for Open Port requirements.

Entitlement Polling Success

(Requires version 8.8.10, 9.1.4, 9.2.0 or above) Generated when communication and processing of license entitlements data from Forticloud successfully completes.

Failed to Disable Adapters

Attempted to disable hosts using an Alarm Action. Hosts failed to be disabled.

Failed to Disable HP Port
Security

Scheduled task that enables port security configuration on all HP/NT devices in an associated group has failed.

Failed to Enable Adapters

Attempted to enable hosts using an Alarm Action. Hosts failed to be enabled.

Failed to Enable HP Port
Security

Scheduled task that enables port security configuration on all HP/NT devices in an associated group has failed.

FireEye IPS High Violation

Generated whenever a high violation event is received from FireEye.

FireEye IPS Low Violation

Generated whenever a low violation event is received from FireEye.

FireEye IPS Medium Violation

Generated whenever a medium violation event is received from FireEye.

Firewall Session Poll Failed

Firewall Session Poll Succeeded

For details see Firewall session polling.

FORTIGATE-6.0_HIGH_SEVERITY

FORTIGATE-6.0_LOW_SEVERITY

FORTIGATE-6.0_MEDIUM_SEVERITY

FortiNAC received a FortiGate security alert.Fort details see Security Incidents.

FortiOS 4.0 High Violation

Generated whenever a high violation event is received from FortiOS 4.0.

FortiOS 4.0 Low Violation

Generated whenever a low violation event is received from FortiOS 4.0.

FortiOS 4.0 Medium Violation

Generated whenever a medium violation event is received from FortiOS 4.0.

FortiOS 5.0 High Violation

Generated whenever a high violation event is received from FortiOS 5.0.

FortiOS 5.0 Low Violation

Generated whenever a low violation event is received from FortiOS 5.0.

FortiOS 5.0 Medium Violation

Generated whenever a medium violation event is received from FortiOS 5.0.

Found Ignored MAC address

A host or device has connected with a MAC address that is in the MAC address Exclusions list. This connection is not being managed by FortiNAC and the host or device has access to the production network. See MAC address exclusion.

Found Microsoft LLTD or Multicast Address

A host or device has connected with a MAC address in the Microsoft LLTD or Multicast Address range. Those ranges are managed in the MAC address Exclusion list. FortiNAC ignores these MAC addressed for 48 hours after the first one is seen and then treats them as rogues unless the configuration is updated on the MAC address Exclusion list. See MAC address exclusion.

Gaming Device Registration

A gaming device was registered by a user.

Generate/Revoke Certificates via REST API For details see section Certificate in the REST API reference manual. https://docs.fortinet.com/document/fortinac-f/7.4.0/rest-api/309424/certificate

Group Does Not Exist for Scan

FortiNAC attempted to perform a scan or scheduled task for a particular group and the group no longer exists in the database. Either recreate the group or remove the scan or scheduled task.

Guest Account Created

New guest account is created.

Guest Account Deleted

Guest account is deleted.

Guest/Contractor
Pre-allocation Critical

No longer used.

If you are setting up Guest/Contractor users in advance, an event can be generated if you set up more Guest/Contractor users than you have licenses.

Guest/Contractor
Pre-allocation Warning

No longer used.

If you are setting up Guest/Contractor users in advance, an event can be generated if you set up enough Guest/Contractor users to use 75% of the available licenses.

Hard Disk Usage Critical

Generated when the disk usage critical threshold is reached. This threshold is a percentage of the space allocated for the bsc and var partitions. The percentage is calculated for each partition separately. When any one partition reaches the threshold the event is generated. Thresholds calculated for individual partitions are never combined. Therefore if the combined total crosses the threshold, no event is generated. Default = 95%

Hard Disk Usage Warning

Generated when the disk usage warning threshold is reached. This threshold is a percentage of the space allocated for the bsc and var partitions. The percentage is calculated for each partition separately. When any one partition reaches the threshold the event is generated. Thresholds calculated for individual partitions are never combined. Therefore if the combined total crosses the threshold, no event is generated. Default = 85%

Host Aged Out

Host has been removed from the database based on the time or expiration date on the associated Host Properties window. See Properties.

Host Application Violation

Generated against a FortiNAChost based on the IP, MAC, or ID information contained within an Application Violation trap. If IP, MAC address, or user ID match any records in the FortiNAC database, this event is generated. See Application Violation in this list.

Host Application Violation Reset

Generated against a FortiNAC host based on the IP, MAC, or user ID information contained within an Application Violation Reset trap. If IP, MAC address, or user ID match any records in the FortiNAC database, an event is generated. The reset event occurs when the host is no longer in violation. See Application Violation in this list.

Host At Risk

An administrative user marked a selected host At Risk or the host failed a scan.

Host At Risk Failure
Host At Risk Success

Indicates whether an alarm action triggered by an At Risk host succeeded or failed.

Host At Risk Status Not Enforced

Generated whenever a host fails a scan, but it is not enforced.

Host CLI Task Success
Host CLI Task Failure

Indicates whether or not the CLI commands associated with host/adapter based ACLs have been successful.

Host Connected

Generated whenever a registered host connects to the network.

Host Copied From NCS

In an environment where multiple FortiNAC appliances are managed by a FortiNAC Manager, hosts and their corresponding information can be copied from one appliance to another based on settings in the FortiNAC Manager under System > Settings > Network Control Manager > Server Synchronization. When hosts are copied from one appliance to another this event is generated.

Host Created

Generated whenever a host is created.

Host Destroyed

Generated whenever a host is destroyed.

Host Disassociated

Generated whenever a host is destroyed.

Host Disconnected

Generated whenever a registered host disconnects from the network.

Host Identity Changed

Indicates that a registered host's name or operating system has changed since the last time it was read by the Persistent Agent or Dissolvable Agent, and that it is possibly a dual boot device. This could also indicate MAC spoofing. An operating system change , such as an upgrade could also trigger this event.

Host Pending At Risk

A host failed a scan for an endpoint compliance policy. The policy was configured for delayed remediation indicating that hosts that fail the scan are not sent to remediation for x number of days. The event is generated when the host is marked Pending At Risk.

Scan status "Failure Pending" triggers this event.

Host Registration Failure
Host Registration Success

Host has gone to the Registration page and the user attempted to register the host. Indicates whether the registration succeeded or failed.

Host Rejected - No MAC

Host rejected because it is missing a MAC address.

Host Rejected - No VLAN

Host rejected because there is no VLAN defined for current state.

Host Safe

Generated when a user goes to System > Settings > Control > Quarantine. On the Quarantine view there is a button that allows the user to mark all hosts as Safe. If this button is clicked the event is generated for each host that was affected.

Host Safe Failure
Host Safe Success

Indicates whether or not an alarm action associated with marking a host as safe has failed. See Host Safe in this list.

Host Session Logged On
Host Session Logged Off

Agent has detected that the user has logged on or off the host. Applies only to Windows hosts.

Host Session changed Remote Control status A Windows Session for an Active Directory user has changed remote control status. It is either now remotely controlled or no longer remotely controlled
Host Session Connected to Console A Windows Session for an Active Directory user connected to the Console.Event is generated on the Adapter
Host Session Disconnected from Console A Windows Session for an Active Directory user was disconnected from the Console.Event is generated on the Adapter
Host Session Locked A Session for an Active Directory user was locked. The session is still active and this is not equivalent to a logout.Event is generated on the Adapter
Host Session Remotely Connected Connected to remote desktop
Host Session Remotely Disconnected Disconnected from remote desktop
Host Session Unlocked A Session for an Active Directory user was unlocked. The session is still active and this is not equivalent to a login.Event is generated on the Adapter

Incomplete User Found in
Directory

FortiNAC requires the Last name and ID fields for each user. If either of those fields is missing, the user record is incomplete.

Interface Status Failure
Interface Status Success

Indicates whether or not the Update interface status scheduled task was successful. The task reads and updates the interface status for each port on the devices in the associated groups.

Internal Scheduled Task Failure
Internal Scheduled Task
Success

Indicates whether or not a scheduled task has failed. The name of the task is provided.

Invalid Physical Address

The MAC address of the specified host or device is not recognized by FortiNAC because the corresponding vendor OUI is not in the FortiNAC database. Update the vendor OUI database either manually or by using Auto-Def Updates. See and .

L2 Poll Failed
L2 Poll Succeeded

Indicates whether or not FortiNAC successfully contacted the device to read the list of connected hosts.

L3 Poll Failed
L3 Poll Succeeded

Indicates whether FortiNAC successfully read IP address mappings from a device.

Load In Limit Exceeded

No longer used.

Max % In setting on the Bandwidth window has been met or exceeded.

Load In Limit Rearmed

No longer used.

After the first “Load In Limit Exceeded” event occurs the server does not generate a “Load In Limit Rearmed” event until the percentage of bandwidth bytes in falls below Rearm % In value.

Load Out Limit Exceeded

No longer used.

Max % Out setting on the Bandwidth window has been met or exceeded.

Load Out Limit Rearmed

No longer used.

After a “Load Out Limit Exceeded” event occurs the server creates a “Load Out Limit Rearmed” event once the percentage of bytes out falls below this the Rearm % Out value.

Local Host Session changed Remote Control status A Windows Session for a Local user has changed remote control status. It is either now remotely controlled or no longer remotely controlled
Local Host Session Connected to Console A Session for a Local user connected to the Console.Event is generated on the Adapter.
Local Host Session Disconnected from Console A Session for a Local user was disconnected from the Console.Event is generated on the Adapter.
Local Host Session Remotely Connected A Remote Windows Session connected.
Local Host Session Remotely Disconnected A Remote Windows Session disconnected.
Local Host Session Unlocked A Session for a Local User was unlocked.

Lost Contact with Persistent Agent

This event can only be generated accurately when FortiNAC has up-to-date network connectivity data (in order to determine a host's online status). This requires the following:

- Wired network devices are being polled at a regular interval (typically 1 hour).

- Wired network devices are sending either Link Up/Link Down or Mac Notification traps.

- Wireless devices are being polled at a regular interval (typically 15 minutes).

MAC change event on uplink

This event is generated when a MAC notification trap is received for a port in FortiNAC is any of the uplink types.

MAC Learned

Generated when MAC Notification "MAC Add" or "MAC Move" syslog messages/SNMP traps are received from supported devices. Occurs when the switch has added to its forwarding table the MAC address of a connecting host.

Note: Not generated for infrastructure devices (such as Access Points).

MAC Removed

Generated when MAC Notification "MAC Delete" or "MAC Move" syslog messages/SNMP traps are received from supported devices. Occurs when the switch has removed the MAC address of a host that has disconnected.

Note: Not generated for infrastructure devices (such as Access Points).

Management Established

Generated when management of a device is established.

Management Lost

Generated when management of a device is lost.

Map IP to MAC Failure
Map IP to MAC Success

No longer used.

Mapping IP addresses to physical addresses for a selected group using a scheduled task failed or succeeded.

Maximum Blacklist Clear Attempts Reached

Generated when the maximum number of attempts to remove a MAC address from a device's black list has been exceeded. Currently the maximum is set to 3 attempts.

Maximum Blacklist Clear Attempts Reached

Maximum number of attempts to remove a host from a controller's blacklist have been reached and the host remains on the blacklist.

Maximum Concurrent Connections Critical

Concurrent connection licenses in use has reached or exceeded 95% of total licenses. Threshold is configurable. See Event thresholds.

Maximum Concurrent Connections Exceeded

Concurrent connection licenses in use has reached 100% of total licenses.

Maximum Concurrent Connections Warning

Concurrent connection licenses in use has reached or exceeded 75% of total licenses. Threshold is configurable. See Event thresholds.

Maximum Concurrent Physical Address Warning

No longer used.

Generated when host connections exceed 6000 or 12000 depending on the size of the appliance.

Maximum Guest/Contractor
Critical

No longer used.

Guest manager licenses in use has reached or exceeded 95% of total licenses. Threshold is configurable.

Maximum Guest/Contractor Exceeded

No longer used.

Guest manager licenses in use has reached 100% of total licenses.

Maximum Guest/Contractor Warning

No longer used.

Guest manager licenses in use has reached or exceeded 75% of total licenses. Threshold is configurable.

Maximum Host Warning

No longer used.

Access Manager licenses in use has reached or exceeded 75% of total anesthesiologist is configurable.

Maximum Hosts Critical

No longer used.

Access Manager licenses in use has reached or exceeded 95% of total licenses. Threshold is configurable.

Maximum Hosts Exceeded

No longer used.

Access Manager licenses in use has reached 100% of total licenses. No new accounts can be created.

Maximum Known Device
Critical

No longer used.

Device Tracker licenses in use has reached or exceeded 95% of total licenses. Threshold is configurable.

Maximum Known Device
Warning

No longer used.

Device Tracker licenses in use has reached or exceeded 75% of total licenses. Threshold is configurable.

Maximum Known Devices Exceeded

No longer used.

Device Tracker licenses in use has reached 100% of total licenses.

Maximum User Critical

No longer used.

Shared Access Tracker licenses in use has reached or exceeded 95% of total licenses. Threshold is configurable.

Maximum User Warning

No longer used.

Shared Access Tracker licenses in use has reached or exceeded 75% of total licenses. Threshold is configurable.

Maximum Users Exceeded

No longer used.

Shared Access Tracker licenses in use has reached 100% of total licenses.

MDM Host Compliance Failed

Host failed MDM scan

MDM Host Compliance Passed

Host passes MDM scan

MDM Host Created

Host was added to the database from MDM import

MDM Host Destroyed

Host is deleted from the database because it is no longer found on a poll of the MDM. This can occur if the corresponding record in the MDM database was either removed or disabled. "Remove Hosts Deleted from MDM Server" option in MDM services must be enabled.

MDM Poll Failure

MDM poll did not complete

MDM Poll Success

MDM poll completed

Memory Usage Critical

Generated when the memory usage critical threshold is reached for the appliance. This threshold is a percentage of the total allocated memory. Default = 95% Threshold is configurable. See Event thresholds.

Memory Usage Warning

Generated when the memory usage warning threshold is reached for the appliance. This threshold is a percentage of the total allocated memory. Default = 85% Threshold is configurable. See Event thresholds.

Message

Cabletron/Enterasys Event Log Message
OID = 1.3.6.1.4.1.52.1280

Multi-Access Point Detected

Generated when multiple MAC addresses are detected on a port. However, if the port is in the Authorized Access Points group an event is not generated. See Network device .

Multihomed Host Detected

Multihomed Host Fixed

Triggers when Detect Multihoming is enabled in scan and host has multiple adapters connected to the network. See Create or edit a configuration. See also KB article https://community.fortinet.com/t5/FortiNAC/Technical-Tip-SSID-AP-check-and-Multihome-detection-with/ta-p/282330

NAT Device Registered

Generated when a NAT Device (router) is registered.

Nitro Security Violation
Nitro Threat Level 1 - 6

Generated based on traps received from the NitroGuard Intrusion Protection/Detection system on your network. The IPS/IDS must be modeled in your Inventory.

No CDP Announcement

Generated when a device that has sent at least one CDP announcement has stopped sending those announcements. This is based on the polling time set for the device. For example if the poll time is one hour, a new event message is sent each time the hour elapses with no message from the device.

Operating System Is Up to Date

Indicates that there are no new updates available after the operating system update status task is run (1pm every Sunday, by default).

Operating System Status Check Failure

Indicates that the operating system update check failed due to multiple running checks. This may be caused by a configuration or network issue.

Operating System Update Initiated

Indicates that an operating system update was started from the admin UI. See Operating system.

Operating System Updates Available

Indicates that there are updates available after the operating system update status task is run (1pm every Sunday, by default).

Packeteer Configuration Failure
Packeteer Configuration
Success

No longer used.

Indicates whether or not communication has been established with the Packeteer PacketShaper software after Packeteer has been modeled in the Inventory.

Packeteer Monitor

If Packet Shaper has been configured to generate threshold violation events and if a threshold violation occurs, the event triggers an SNMP trap from PacketShaper to FortiNAC. This trap causes FortiNAC to generate a Packeteer Monitor event.

Packeteer Monitor 2

No longer used.

If a Packeteer product has been configured to generate events for OID 13.6.1.3.6.1.4.1.2334.1.1 and the event triggers an SNMP trap from the Packeteer to FortiNAC. This trap causes FortiNAC to generate a Packeteer Monitor 2 event.

PaloAlto Firewall High Violation

PaloAlto Firewall Low Violation

PaloAlto Firewall Medium Violation

FortiNAC received a violation syslog message from Palo Alto (High Violation, Medium Violation or Low Violation). See Palo Alto Networks Integration https://docs.fortinet.com/document/fortinac-f/7.2.0/palo-alto-networks-integration/341880/syslog-management#/document/fortinac-f/7.2.0/palo-alto-networks-integration/341880/syslog-management#_Toc130369411

PatchLink Compliant

PatchLink Non Compliant

Indicates whether or not Patchlink detected endpoint within compliance. For details see Patch management. https://docs.fortinet.com/document/fortinac-f/7.4.0/administration-guide/420671/patch-management

Persistent Agent Communication Resumed

Persistent Agent Contact Status has been restored to normal.

This event is only generated on hosts running Persistent Agent 4.0 or better.

Persistent Agent Not Communicating

This event can only be generated accurately agents when FortiNAC has up-to-date network connectivity data (in order to determine a host's online status). This requires the following:

- Wired network devices are being polled at a regular interval (typically 1 hour).

- Wired network devices are sending either Link Up/Link Down or Mac Notification traps.

- Wireless devices are being polled at a regular interval (typically 15 minutes).

Note

This event is only generated on hosts running Persistent Agent 4.0 or better.

Persistent Agent Scan Not Performed

This event can only be generated accurately when FortiNAC has up-to-date network connectivity data (in order to determine a host's online status). This requires the following:

- Wired network devices are being polled at a regular interval (typically 1 hour).

- Wired network devices are sending either Link Up/Link Down or Mac Notification traps.

- Wireless devices are being polled at a regular interval (typically 15 minutes).

Policy Warning

Host was scanned by an endpoint compliance policy. The host does not meet all of the scan requirements, but the scan rules state that a warning be issued instead of making compliance a requirement.

Scan status "Warning" triggers this event.

Poll For Hosts Failure
Poll For Hosts Success

No longer used.

Indicates whether a scheduled task to poll switches for hosts has succeeded or failed. Switches are contained in a device group and that group is polled.

Port CLI Task Failure
Port CLI Task Success

Indicates whether a CLI configuration applied to a port ran and failed or succeeded.

Port in Authorized Access Points Group

Scheduled task for a port in the Authorized Access Points group failed.

Port in Authorized Access Points Group

Failed to enable/disable port because it is in the Authorized Access Points group.

Port Link Down
Port Link Up

Trap received from the switch each time there is a link up or a link down on a port. Link up and link down happen each time a host is switched from one VLAN to another.

Port Security Incomplete

Maximum number of users on a port has been reached.

Port Segmented

Trap received from an Enterasys or Cabletron switch indicating that a link is down. This port may have been logically disconnected due to an excessive collision level or it may be physically disconnected.

Port Uplink Configuration Modified

An administrator modified the uplink setting of a port. The switch name, port and administrator are included in the event.

Possible MAC address Spoof

Indicates that the same MAC address has been detected on two different devices simultaneously. One is possibly spoofing the other’s MAC address. This event is generated based upon the value of the MAC Spoof Time Delay configured under System > Settings > Network device. See Network device for details.

Possible NAT Device, MAC Spoofed

This event has been replaced with NAT Device Registered. It remains visible to allow you to restore an old backup and view occurrences of this event. See NAT Device Registered in this list.

Possible NAT User

Generated on each host. One per MAC address on the NATd host. For example, if a host has both a wired and wireless connection, an event is generated for each.

Process Memory Usage Critical

Generated when the memory usage critical threshold is reached for the process. This threshold is a percentage of the total allocated memory. Default = 95%

Process Memory Usage
Warning

Generated when the memory usage warning threshold is reached for the process. This threshold is a percentage of the total allocated memory. Default = 85%

Process Thread Count Critical

Generated when the process thread count warning threshold is reached. This threshold is a specific number of threads the process is using. Default = 575

This event is disabled by default.

The threshold will dynamically increase by 25 for every 8 CPU cores that are added.

Process Thread Count Warning

Generated when the process thread count warning threshold is reached. This threshold is a specific number of threads the process is using. Default = 500

This event is disabled by default.

The threshold will dynamically increase by 25 for every 8 CPU cores that are added.

Profile Modified

Generated when a user modifies a user/host profile. Event message contains user information for the user who made the change, whether the change was an add, remove or replace, and the complete profile after the changes.

RADIUS Rate Exceeded

Generated when the 60 requests-per-second threshold is exceeded.

This event is disabled by default.

RADIUS Time Threshold

Indicates that the time threshold for a response from the RADIUS server has been exceeded. This threshold is not configurable.

Regained Contact with Persistent Agent

Host has regained contact with the Persistent Agent .

Remote Access Excessive Session Process Time

Generated when the time to process the remote client exceeds a threshold (set through the "MaxClearTime" attribute on the ASA device).

Reports Purged

Lists the file names of all reports that were deleted when reports were purged from the /home/cm/reports directory.

REST API Failure

Error when FortiNAC tries to communicate with the device using REST API.

Scan Does Not Exist For
Scheduler Task

FortiNAC has attempted to run a scan using a scheduled task. The scan referred to in the task no longer exists in the database. You must either recreate the scan or remove the scheduled task from the scheduler.

Secondary Contact Lost

Event triggered when the primary loses contact with the secondary.

Security Risk Host

Event triggered when a host is marked at risk due to an agent scan failure.

Associated events are "Host Passed Security Test" and "Host Security Test - Delayed Failure."

Service Down - Analytics Agent

Event triggered when the service is down and it is required for FortiNAC to send data to Analytics.

Service Down - Radius
Service Down - Samba
Service Down - Winbind

Event triggered when one of the listed the services is no longer running and it is required for the RADIUS Manager.

Service Down - Tomcat Admin
Service Down - Tomcat Portal
Service Down -dhcpd
Service Down -httpd
Service Down -mysqld
Service Down -named
Service Down -sshd

Event triggered when a specific service is no longer running. These services are required.

FortiNAC tries to restart the service every 30 seconds.

In a high availability environment, failover occurs after the fourth failed restart attempt.

For the httpd service: After the system confirms that the httpd service is running, the system also attempts to connect to ports 80 and 443. If the system fails to connect to either port, the httpd service is restarted.

If the primary is unable to communicate with the secondary to confirm it is running, service down will not trigger a failover.

Service Started - Analytics Agent

Event triggered when the service is started. This service is required and must be running in order to use Analytics.

Service Started - Tomcat Admin
Service Started - Tomcat Portal
Service Started -dhcpd
Service Started -httpd
Service Started -mysqld
Service Started -named
Service Started -sshd

Event triggered when one of the listed services is started. These services are required and must be running in order to use FortiNAC.

Service Started -Radius
Service Started - Samba
Service Started - Winbind

Event triggered when one of the listed services is started. These services are required in order to use RADIUS Manager.

Set Default VLAN Failure
Set Default VLAN Success

When a host disconnects from a port, the port can be set to return to its default VLAN. Indicates whether or not the port successfully returns to the default VLAN.

SNMP Failure

Generated when FortiNAC receives an SNMP failure during communication with a SNMP enabled Network Device. This includes any error message received from the SNMP packet.

SNMP Read Error

Did not receive all data when reading a switch using SNMP. Device name and error code are included in the event message.

Sophos AntiVirus: Virus Found

Sophos AntiVirus can be configured to send traps to FortiNAC when a virus is found on a host. Host information is included in the trap. If a Sophos Trap is received, this event is generated.

Sourcefire Error
Sourcefire IPS Action
Sourcefire IPS High Violation
Sourcefire IPS Low Violation
Sourcefire IPS Medium Violation

Generated based on syslog events received from an Intrusion Protection/Detection system on your network. The IPS/IDS must be modeled in your Inventory.

Sourcefire IPS Action: Indicates that an action has been triggered by a syslog message from Sourcefire.

StealthWatch

SNMP trap has been sent from a StealthWatch device
OID = 1.3.6.1.4.1.8712

StealthWatch Email Rejects

Host is receiving a significant number of rejected mail attempts.

StealthWatch Email Relay

Host is operating as an email relay.

StealthWatch High Concern

A host has exceeded the Concern Index threshold set for it. This usually means that an inside host is no longer operating as it was during the tuning period and should be examined for possible compromise, misuse, or policy violations. An external host with a High Concern index is often attempting to violate your network integrity.

StealthWatch High File Sharing

Host is transferring files.

StealthWatch High Volume Email

Host is infected with an email worm.

StealthWatch Max Flows
Initiated

Host has had an excessive number of total flows active.

StealthWatch New Flows

Indicates that a host exceeds a total number of new flows in a 5-minute period.

StealthWatch Port Flood

The host has attempted to connect on an excessive number of ports on the Target IP. This may indicate a DoS attack or an aggressive scan by the source IP.

StealthWatch Suspect Long Flow

Host has a long duration flow.

StealthWatch SYN Flood

The host has sent an excessive number of TCP connection requests (SYN packets) in a 5-minute period. This may indicate a DoS attack or non-stealthy scanning activity

StealthWatch Worm Activity

A host has scanned and connected on a particular port across more than one subnet. The details section of this alarm specifies the port on which the activity was observed.

StealthWatch Worm Propagation

Host has scanned and connected on port 5 across more than 1 subnet.

StealthWatch Zone Violations

Host has connected to a server in a zone that it is not allowed to access.

StoneGate IPS High Violation
StoneGate IPS Low Violation
StoneGate IPS Medium Violation

Generated based on syslog events received from an Intrusion Protection/Detection system on your network. The IPS/IDS must be modeled in your Inventory. See Syslog files .

StoneGate Violation

Generated based on syslog events received from an Intrusion Protection/Detection system on your network. The IPS/IDS must be modeled in your Inventory. See Syslog files .

Success Disabling Port Security
Success Enabling Port Security

Generated when the Enable or Disable HP/NT Port Security scheduled task runs successfully. This task enables or disables port security configuration on all HP/NT devices in the selected group. Port Security is used to disable hosts if DeadEnd VLANs are not used on the network.

Sync Initiated

(FortiNAC versions 9.1.3 and above) Generated when a synchronization of servers by Control Manager has been triggered. Provides server IP, the user who triggered the sync and status.

Synchronize Users with
Directory Failure
Synchronize Users with
Directory Success

Indicates whether or not the FortiNAC user database has successfully synchronized with the selected directory such as LDAP or Active Directory. These events are triggered by the failure or success of the scheduled synchronization set up on the Directory Configuration window. See Configuration.

Syslog Error

Generated when the FortiNAC server receives an inbound syslog message for a host that is not currently managed by FortiNAC.

System Automatically Restarted

Server was restarted because a primary system process was down. Processes include: MasterLoader, IP to MAC, Communication and Nessus.

This event was System Restart in prior versions.

System Backup Failure
System Backup Success

Indicates whether a system backup has succeeded. The system backup is run by a scheduled task. The system backup may succeed, but will still fail if remote backup is enabled and fails.

It is recommended that you create an alarm action to send an email if system backup fails.

System Created Uplink

If Uplink Mode on a Port's properties is set to Dynamic, FortiNAC converts the port to an uplink port when the number of MAC addresses on the port exceeds the System Defined Uplink count and generates this event.

System Fail Over

In a high availability environment, this event indicates that the primary server has failed and the secondary has taken over.

System Power Off

Indicates that the user specified in the event message powered off the FortiNAC server. See Power management

System Reboot

Indicates that the user specified in the event message rebooted the FortiNAC server. See Power management.

TippingPoint SMS High Violation
TippingPoint SMS Low Violation
TippingPoint SMS Medium
Violation

Generated based on syslog events received from an Intrusion Protection/Detection system on your network. The IPS/IDS must be modeled in your Inventory. See Syslog files .

Top Layer IPS High Violation
Top Layer IPS Low Violation
Top Layer IPS Medium Violation

Generated based on syslog events received from an Intrusion Protection/Detection system on your network. The IPS/IDS must be modeled in your Inventory. See Syslog files .

Unauthorized SSID/VLAN

No longer used.

Unknown User in Group

No longer used.

Unsupported Trap

Generated when FortiNAC receives a trap that it cannot interpret from a device. The device's OID is included in the event.

Update SSID Failure
Update SSID Success

SSID assignment scheduled task maps VLAN IDs to SSIDs. Event indicates whether or not the task succeeded.

Update VLAN ID Failure
Update VLAN ID Success

Indicates that the user specified in the event message powered off the FortiNAC server. See Power management.

Update Default VLAN Values scheduled task sets the Default VLAN value for the port in FortiNAC device model to the value entered in the scheduled task. Event indicates whether or not the task succeeded.

User Connected to Host Console A user connected to the console. Eventis generated on the User
User De-authenticated on Adapter The same event as De-authenticated but generated on the Adapter
User Disconnected from Host Console A Windows Session for an Active Directory user connected to the Console.Event is generated on the User
User Locked Session A Session for an Active Directory user was locked. The session is still active and this is not equivalent to a logout.Event is generated on the User
User Remotely Connected to Host A Remote Windows Session connected to a Host.Event is generated on the User
User Remotely Disconnected from Host A Remote Windows Session dicconnected from a Host.Event is generated on the User
User Session changed Remote Control status A Windows Session for a Local user has changed remote control status. It is either now remotely controlled or no longer remotely controlled. Event is generated on the User.
User Unlocked Session A Session for an Active Directory user was unlocked. The session is still active and this is not equivalent to a login.Event is generated on the User

Events and alarms list

Events and alarms list

When events are enabled, they can be enabled for All Groups or for a single group. Depending on the event you may not want to enable it for all groups because the volume of events would be overwhelming. For example, if you enabled the host connected event for all groups, you would receive an event message every time someone connects to the network.

When you look at an event in the Event Viewer, additional information is provided about that occurrence of the event. It might include information such as user name, IP address, MAC address or location.

Each event has a corresponding alarm that can be configured. See Map events to alarms.

Event names highlighted in gray are no longer used. However, they are still available in the Event Log to accommodate importing older data that may contain those events.

Events and alarms

Event

Definition

Access Configuration Modified

Generated whenever an Access Configuration is modified.

Access Policy Modified

Generated whenever an Access Policy is modified.

Adapter Created

Generated whenever an adapter is added to a host.

Adapter Destroyed

Generated whenever an adapter is removed from a host.

Adapter Connected to a disallowed SSID

Adapter Disconnected from disallowed SSID

Adapter connected to/disconnected from SSID not included in the list defined under Restrict Wireless Connections to Specific SSIDs. See Create or edit a configuration. See also KB article https://community.fortinet.com/t5/FortiNAC/Technical-Tip-SSID-AP-check-and-Multihome-detection-with/ta-p/282330

Add/Modify/Remove Blocking via REST API

Generated whenever a REST API request is received that creates or removes a Control Task.

Add/Modify/Remove Host

Generated whenever a trap is received that adds, modifies or removes a host record in the database.

Add/Modify/Remove Host via REST API

Generated whenever a REST API request is received that adds, modifies or removes a host record in the database.

Add/Modify/Remove User

Generated whenever a trap is received that adds, modifies or removes a user record in the database.

Add/Modify/Remove User via REST API

Generated whenever a REST API request is received that adds, modifies or removes a user record in the database.

Admin User Created

Administrative user created. User types are not included in the event message.

Admin User Destroyed

Administrative user deleted from the database.

Admin User Logged Out

Administrative user logged out of the user interface.

Admin User Login Failure

Administrative user failed to log into the user interface.

Admin User Login Success

Administrative user logged into the user interface.

Admin User Timed Out

Administrative user was logged out of the User Interface based on the settings in Users & Hosts > Administrators > Timeout Settings in the Administrative Interface Inactivity Time (Minutes) field.

Admin Profile Modified Generates when the Admin Profile has been changed.Reports user and the change made to the profile.

Administrative Status Success

User has gone into port properties for an individual port and successfully turned the Admin Status on or off.

Agent - Unrecognized Vendor OUI

No longer used.

Generated when an agent scans a host and returns MAC addresses that have a vendor OUI that is not included in the vendor OUI Management list in FortiNAC.

Agent Message Sent

Message sent from FortiNAC user to one or more hosts. Only hosts running the Persistent Agent can receive messages. This event is not generated if the message fails to send.

Agent Update Failure
Agent Update Success

Indicates whether or not an agent updated successfully.

Alarm Created

Indicates that an event has caused an alarm.

Appliance Weak Password(s)

Indicates that password for the appliance and/or the admin UI are either a default factory password or are not complex enough. It is recommended that you modify the password. Otherwise, your network may be at risk for a security breach.

Application Server Contact Lost

Generated when contact is lost to the Nessus plugin in a 1200/8200 pair. Requires contact to be established before contact can be lost.

Application Violation

FortiNAC can receive traps from external applications hosted on servers modeled in the Topologyas Pingable or Server devices. This event is generated when a trap is received. Traps might be used to indicate intrusion or that a threshold has been exceeded.

A Host Application Violation event can be generated at the same time.

Application Violation Reset

Generated based on a trap sent from an external application. Indicates that the condition that caused the Application Violation event is no longer happening and operations can return to normal. For example, if hosts have been marked at risk, they can now be marked safe and can access the network.

A Host Application Violation Reset can be generated at the same time with host specific information.

Authenticated User

Successfully verified users credentials with the directory.

Authentication Configuration Modified

Generated whenever an authentication configuration is modified.

Authentication Failure

Unable to verify users credentials with the directory.

Authentication Policy Modified

Generated whenever an authentication policy is modified.

Authentication Time-out Failure

User did not authenticate within the alloted time.

Authentication Trap Receive

Received an authentication trap from the directory.

Auto-Definition Synchronizer Failure FotiNAC unable to perform Auto-Definition update with fnac-updates.fortinet.net.
Auto-Definition Synchronizer Success FotiNAC successfully performed Auto-Definition update with fnac-updates.fortinet.net.

BigFix High Violation

BigFix Medium Violation

BigFix Low Violation

Endpoint violation reported by BigFix. For details see Patch management.

Certificate Expiration Warning

Generated when a certificate is due to expire within 30 days.

Certificate Expiration Warning (CRITICAL)

Generated when a certificate is due to expire within 7 days.

Certificate Expired

Generated when a certificate has expired.

cipSecTunnelStop

Generated when VPN connection IPsec Phase-2 Tunnel becomes inactive.

CLI Configuration Failure
CLI Configuration Success

Generated when a user tries to configure a Scheduled task that involves applying a CLI configuration to a group. Indicates whether or not the configuration of the scheduled task was successful.

CLI Data Substitution Failure

Indicates failure to substitute the "Port, VLAN, IP, or MAC" data into the CLI.

Communication Lost with
BigFix Server

Event indicates that the BigFix patch management server cannot be reached.

Communication Lost with
iboss

If configured FortiNAC sends user ID and IP address to iboss each time a host connects to the network.

Event indicates that the iboss SSO Agent modeled in the Inventory cannot be reached.

Communication Lost with
Palo Alto User Agent

Palo Alto User Agent is a component of the Palo Alto Firewall. If configured FortiNAC sends user ID and IP address to the Palo Alto User Agent each time a host connects to the network.

Event indicates that the Palo Alto User Agent modeled in the Inventory cannot be reached.

Communication Lost with
PatchLink Server

Event indicates that the PatchLink patch management server cannot be reached.

Communication Lost with
RADIUS/SSO Agent

Fortinet SSO Agent is a component of the FortiGate Firewall. If configured FortiNAC sends user ID and IP address to the Fortinet SSO Agent each time a host connects to the network.

Event indicates that the Fortinet SSO Agent modeled in the Inventory cannot be reached.

Communication Lost with
Script

Generated if a Custom Script SSO Agent is configured in Inventory. FortiNAC sends user ID and IP address as parameters to the script each time a host connects to the network.

Event indicates that the script configured in the Inventory failed to run.

Conference Created

Using guest/contractor accounts you can create a batch of conference user accounts. This event is generated when those accounts are created and indicates the number of accounts created.

Contact Established

Contact with a device has been established.

Contact Lost

Contact with a device has been lost.

Container Created

New container has been created in the database. Containers are a grouping mechanism for devices that display in the Inventory.

Container Destroyed

Container has been deleted from the database. Deleting a container deletes all of the devices it contains.

Database Archive/Purge Failure
Database Archive/Purge Success

Indicates whether or not the scheduled database archive/purge was successful.

Database Backup Failure
Database Backup Success

Indicates whether or not the scheduled database backup was successful.

Database Replication Error

Occurs in a high availability situation when the MasterLoader database is not replicating. Can also be triggered when the database on the secondary server is not running.

Database Replication Succeeded

Occurs in a high availability situation when the MasterLoader database is successfully replicated to the secondary server.

De-authenticated

User logged off from host.

De-authentication Failure

Unable to log off user from host. User not found.

Deleted Host Successfully

Host or FortiNAC user has been successfully deleted from the database. If multiple records are deleted at once, a separate event is generated for each record.

Device Cold Start

Device was restarted using the power switch.

Device Created

New managed device has been created in the database.

Device Destroyed

Managed device has been deleted from the database.

Device Fingerprint Changed

Host is using a different operating system than the one with which the host was registered. This could occur on a host with a dual-boot. For example, the host registers with a Windows operating system. The user later boots the host using Linux and tries to access the network. That change would trigger this event. An upgrade within a family of operating systems would not normally trigger this event, such as from Windows XP to Windows Vista.

Operating system is determined by the DHCP fingerprint.

Device Identity

No longer used.

Device Link

A device has linked to port X on the network.

Device Link Down

A device link goes down on a specific port because a device was disconnected from the port.

Device Link Up

Generated when a device link goes up on a specific port.

Device Profile Rule Match

A rogue host has matched a Device Profiling rule allowing it to be assigned a device type and registered.

Device Profiling Automatic
Registration

A rogue host has been registered by device profiling based on a device profiling rule.

Device Profiling Rule Missing Data

Indicates that device profiler cannot compare a rogue against a rule because FortiNAC does not have enough information about the rogue, such as a DHCP fingerprint. If device profiler cannot compare a rogue against a rule it does not continue processing that rogue, and moves on to the next rogue.

Device Rule Confirmation
Failure
Device Rule Confirmation
Success

Devices identified by a Device Profiling rule maintain their association with that rule. If enabled, the associated rule and the device are checked periodically to see if the rule is still valid for the device. These event messages indicate whether or not the device matched the associated rule.

Device Warm Start

Device was restarted from the command line interface.

DHCP Host Name Changed

Generated when a known host connects to the network and its hostname is different. Indicates that the hostname in the database associated with the MAC address and existing DHCP finger print for that host is different.

Directory Connection Failure

The connection to a directory, such as Active Directory or LDAP, failed. The directory could have refused the connection because the user name and password were incorrect. This event can be triggered when testing the connection to the directory with Test on the Directory Configuration window.

Directory Group Disabled
Directory Group Enabled

Users can be disabled/enabled in a directory, such as LDAP, based on group membership. When the FortiNAC database synchronizes with the directory, users that are members of the group are enabled. Users that are not members of the group are disabled.

Directory Synchronization
Failure
Directory Synchronization
Success

Indicates whether or not a directory, such as Active Directory or LDAP, synchronized with the user database. Could be caused if FortiNAC fails to connect to the directory. This synchronization is a one time task done when the directory is configured. See Schedule synchronization.

Directory User Disabled
Directory User Enabled

Users can be disabled/enabled in a directory, such as LDAP. When the FortiNAC database synchronizes with the directory, users can be disabled/enabled based on their directory setting.

Disable Host Failure
Disable Host Success

Generated when a user manually disables a host on the Host View. Indicates whether or not the host was successfully disabled.

Disable Hosts Failure
Disable Hosts Success

Indicates whether or not hosts in a group were successfully disabled using a scheduled task.

Disable Port Failure
Disable Port Success

Indicates whether or not a particular port was disabled by an alarm action.

Disable Ports Failure
Disable Ports Success

Indicates whether or not ports in a particular group were disabled by a scheduled task.

Disable User Success

Indicates that a user selected from the user view was successfully disabled.

Disabled Authenticated

No longer used.

Disassociate Host Disassociated

Discovery Completed

The device discovery process that adds new devices to FortiNAC has completed. IP address range is included in the completion message.

Duplicate Host For Device

No longer used.

Duplicate Physical Address

No longer used.

Duplicate Users Found in
Directory

Two users with the same last name and/or ID were found in the directory. FortiNAC is case in-sensitive. For example, two users with last names listed as SMITH and smith are treated as if they were the same person. The newer of the two users is ignored.

Email Failure

Alarms can be configured to send E-mail Notifications to FortiNAC administrative users. If the administrative user has no e-mail address or the e-mail fails in any other way, this event is generated.

Enable Host Failure
Enable Host Success

Indicates whether or not a host selected from the Host View was successfully enabled.

Enable Hosts Failure
Enable Hosts Success

Indicates whether or not hosts in a group were successfully enabled using a scheduled task.

Enable Port Failure
Enable Port Success

Indicates whether or not a particular port has been enabled by an alarm action in response to a previous event.

Enable Ports Failure
Enable Ports Success

Indicates whether or not ports in a particular group were enabled by a scheduled task.

Enable User Success

Indicates that a user selected from the user view was successfully enabled.

Endpoint Compliance Configuration Modified

Generated whenever an endpoint compliance configuration is modified.

Endpoint Compliance Configuration Platform Setting Modified

Generated whenever an endpoint compliance configuration platform setting is modified.

Endpoint Compliance Modified

Generated whenever an endpoint compliance is modified.

Enterasys Dragon Violation

Enterasys Dragon is an Intrusion Protection/Detection System. An event is generated when an intruder is detected.

Entitlement Polling Failure

(Requires version 8.8.10, 9.1.4, 9.2.0 or above) Generated when there is an error communicating or processing license entitlements data from Forticloud over TCP 443. Entitlement polling is required for Subscription Licenses. Refer to the Deployment Guide in the Document Library for Open Port requirements.

Entitlement Polling Success

(Requires version 8.8.10, 9.1.4, 9.2.0 or above) Generated when communication and processing of license entitlements data from Forticloud successfully completes.

Failed to Disable Adapters

Attempted to disable hosts using an Alarm Action. Hosts failed to be disabled.

Failed to Disable HP Port
Security

Scheduled task that enables port security configuration on all HP/NT devices in an associated group has failed.

Failed to Enable Adapters

Attempted to enable hosts using an Alarm Action. Hosts failed to be enabled.

Failed to Enable HP Port
Security

Scheduled task that enables port security configuration on all HP/NT devices in an associated group has failed.

FireEye IPS High Violation

Generated whenever a high violation event is received from FireEye.

FireEye IPS Low Violation

Generated whenever a low violation event is received from FireEye.

FireEye IPS Medium Violation

Generated whenever a medium violation event is received from FireEye.

Firewall Session Poll Failed

Firewall Session Poll Succeeded

For details see Firewall session polling.

FORTIGATE-6.0_HIGH_SEVERITY

FORTIGATE-6.0_LOW_SEVERITY

FORTIGATE-6.0_MEDIUM_SEVERITY

FortiNAC received a FortiGate security alert.Fort details see Security Incidents.

FortiOS 4.0 High Violation

Generated whenever a high violation event is received from FortiOS 4.0.

FortiOS 4.0 Low Violation

Generated whenever a low violation event is received from FortiOS 4.0.

FortiOS 4.0 Medium Violation

Generated whenever a medium violation event is received from FortiOS 4.0.

FortiOS 5.0 High Violation

Generated whenever a high violation event is received from FortiOS 5.0.

FortiOS 5.0 Low Violation

Generated whenever a low violation event is received from FortiOS 5.0.

FortiOS 5.0 Medium Violation

Generated whenever a medium violation event is received from FortiOS 5.0.

Found Ignored MAC address

A host or device has connected with a MAC address that is in the MAC address Exclusions list. This connection is not being managed by FortiNAC and the host or device has access to the production network. See MAC address exclusion.

Found Microsoft LLTD or Multicast Address

A host or device has connected with a MAC address in the Microsoft LLTD or Multicast Address range. Those ranges are managed in the MAC address Exclusion list. FortiNAC ignores these MAC addressed for 48 hours after the first one is seen and then treats them as rogues unless the configuration is updated on the MAC address Exclusion list. See MAC address exclusion.

Gaming Device Registration

A gaming device was registered by a user.

Generate/Revoke Certificates via REST API For details see section Certificate in the REST API reference manual. https://docs.fortinet.com/document/fortinac-f/7.4.0/rest-api/309424/certificate

Group Does Not Exist for Scan

FortiNAC attempted to perform a scan or scheduled task for a particular group and the group no longer exists in the database. Either recreate the group or remove the scan or scheduled task.

Guest Account Created

New guest account is created.

Guest Account Deleted

Guest account is deleted.

Guest/Contractor
Pre-allocation Critical

No longer used.

If you are setting up Guest/Contractor users in advance, an event can be generated if you set up more Guest/Contractor users than you have licenses.

Guest/Contractor
Pre-allocation Warning

No longer used.

If you are setting up Guest/Contractor users in advance, an event can be generated if you set up enough Guest/Contractor users to use 75% of the available licenses.

Hard Disk Usage Critical

Generated when the disk usage critical threshold is reached. This threshold is a percentage of the space allocated for the bsc and var partitions. The percentage is calculated for each partition separately. When any one partition reaches the threshold the event is generated. Thresholds calculated for individual partitions are never combined. Therefore if the combined total crosses the threshold, no event is generated. Default = 95%

Hard Disk Usage Warning

Generated when the disk usage warning threshold is reached. This threshold is a percentage of the space allocated for the bsc and var partitions. The percentage is calculated for each partition separately. When any one partition reaches the threshold the event is generated. Thresholds calculated for individual partitions are never combined. Therefore if the combined total crosses the threshold, no event is generated. Default = 85%

Host Aged Out

Host has been removed from the database based on the time or expiration date on the associated Host Properties window. See Properties.

Host Application Violation

Generated against a FortiNAChost based on the IP, MAC, or ID information contained within an Application Violation trap. If IP, MAC address, or user ID match any records in the FortiNAC database, this event is generated. See Application Violation in this list.

Host Application Violation Reset

Generated against a FortiNAC host based on the IP, MAC, or user ID information contained within an Application Violation Reset trap. If IP, MAC address, or user ID match any records in the FortiNAC database, an event is generated. The reset event occurs when the host is no longer in violation. See Application Violation in this list.

Host At Risk

An administrative user marked a selected host At Risk or the host failed a scan.

Host At Risk Failure
Host At Risk Success

Indicates whether an alarm action triggered by an At Risk host succeeded or failed.

Host At Risk Status Not Enforced

Generated whenever a host fails a scan, but it is not enforced.

Host CLI Task Success
Host CLI Task Failure

Indicates whether or not the CLI commands associated with host/adapter based ACLs have been successful.

Host Connected

Generated whenever a registered host connects to the network.

Host Copied From NCS

In an environment where multiple FortiNAC appliances are managed by a FortiNAC Manager, hosts and their corresponding information can be copied from one appliance to another based on settings in the FortiNAC Manager under System > Settings > Network Control Manager > Server Synchronization. When hosts are copied from one appliance to another this event is generated.

Host Created

Generated whenever a host is created.

Host Destroyed

Generated whenever a host is destroyed.

Host Disassociated

Generated whenever a host is destroyed.

Host Disconnected

Generated whenever a registered host disconnects from the network.

Host Identity Changed

Indicates that a registered host's name or operating system has changed since the last time it was read by the Persistent Agent or Dissolvable Agent, and that it is possibly a dual boot device. This could also indicate MAC spoofing. An operating system change , such as an upgrade could also trigger this event.

Host Pending At Risk

A host failed a scan for an endpoint compliance policy. The policy was configured for delayed remediation indicating that hosts that fail the scan are not sent to remediation for x number of days. The event is generated when the host is marked Pending At Risk.

Scan status "Failure Pending" triggers this event.

Host Registration Failure
Host Registration Success

Host has gone to the Registration page and the user attempted to register the host. Indicates whether the registration succeeded or failed.

Host Rejected - No MAC

Host rejected because it is missing a MAC address.

Host Rejected - No VLAN

Host rejected because there is no VLAN defined for current state.

Host Safe

Generated when a user goes to System > Settings > Control > Quarantine. On the Quarantine view there is a button that allows the user to mark all hosts as Safe. If this button is clicked the event is generated for each host that was affected.

Host Safe Failure
Host Safe Success

Indicates whether or not an alarm action associated with marking a host as safe has failed. See Host Safe in this list.

Host Session Logged On
Host Session Logged Off

Agent has detected that the user has logged on or off the host. Applies only to Windows hosts.

Host Session changed Remote Control status A Windows Session for an Active Directory user has changed remote control status. It is either now remotely controlled or no longer remotely controlled
Host Session Connected to Console A Windows Session for an Active Directory user connected to the Console.Event is generated on the Adapter
Host Session Disconnected from Console A Windows Session for an Active Directory user was disconnected from the Console.Event is generated on the Adapter
Host Session Locked A Session for an Active Directory user was locked. The session is still active and this is not equivalent to a logout.Event is generated on the Adapter
Host Session Remotely Connected Connected to remote desktop
Host Session Remotely Disconnected Disconnected from remote desktop
Host Session Unlocked A Session for an Active Directory user was unlocked. The session is still active and this is not equivalent to a login.Event is generated on the Adapter

Incomplete User Found in
Directory

FortiNAC requires the Last name and ID fields for each user. If either of those fields is missing, the user record is incomplete.

Interface Status Failure
Interface Status Success

Indicates whether or not the Update interface status scheduled task was successful. The task reads and updates the interface status for each port on the devices in the associated groups.

Internal Scheduled Task Failure
Internal Scheduled Task
Success

Indicates whether or not a scheduled task has failed. The name of the task is provided.

Invalid Physical Address

The MAC address of the specified host or device is not recognized by FortiNAC because the corresponding vendor OUI is not in the FortiNAC database. Update the vendor OUI database either manually or by using Auto-Def Updates. See and .

L2 Poll Failed
L2 Poll Succeeded

Indicates whether or not FortiNAC successfully contacted the device to read the list of connected hosts.

L3 Poll Failed
L3 Poll Succeeded

Indicates whether FortiNAC successfully read IP address mappings from a device.

Load In Limit Exceeded

No longer used.

Max % In setting on the Bandwidth window has been met or exceeded.

Load In Limit Rearmed

No longer used.

After the first “Load In Limit Exceeded” event occurs the server does not generate a “Load In Limit Rearmed” event until the percentage of bandwidth bytes in falls below Rearm % In value.

Load Out Limit Exceeded

No longer used.

Max % Out setting on the Bandwidth window has been met or exceeded.

Load Out Limit Rearmed

No longer used.

After a “Load Out Limit Exceeded” event occurs the server creates a “Load Out Limit Rearmed” event once the percentage of bytes out falls below this the Rearm % Out value.

Local Host Session changed Remote Control status A Windows Session for a Local user has changed remote control status. It is either now remotely controlled or no longer remotely controlled
Local Host Session Connected to Console A Session for a Local user connected to the Console.Event is generated on the Adapter.
Local Host Session Disconnected from Console A Session for a Local user was disconnected from the Console.Event is generated on the Adapter.
Local Host Session Remotely Connected A Remote Windows Session connected.
Local Host Session Remotely Disconnected A Remote Windows Session disconnected.
Local Host Session Unlocked A Session for a Local User was unlocked.

Lost Contact with Persistent Agent

This event can only be generated accurately when FortiNAC has up-to-date network connectivity data (in order to determine a host's online status). This requires the following:

- Wired network devices are being polled at a regular interval (typically 1 hour).

- Wired network devices are sending either Link Up/Link Down or Mac Notification traps.

- Wireless devices are being polled at a regular interval (typically 15 minutes).

MAC change event on uplink

This event is generated when a MAC notification trap is received for a port in FortiNAC is any of the uplink types.

MAC Learned

Generated when MAC Notification "MAC Add" or "MAC Move" syslog messages/SNMP traps are received from supported devices. Occurs when the switch has added to its forwarding table the MAC address of a connecting host.

Note: Not generated for infrastructure devices (such as Access Points).

MAC Removed

Generated when MAC Notification "MAC Delete" or "MAC Move" syslog messages/SNMP traps are received from supported devices. Occurs when the switch has removed the MAC address of a host that has disconnected.

Note: Not generated for infrastructure devices (such as Access Points).

Management Established

Generated when management of a device is established.

Management Lost

Generated when management of a device is lost.

Map IP to MAC Failure
Map IP to MAC Success

No longer used.

Mapping IP addresses to physical addresses for a selected group using a scheduled task failed or succeeded.

Maximum Blacklist Clear Attempts Reached

Generated when the maximum number of attempts to remove a MAC address from a device's black list has been exceeded. Currently the maximum is set to 3 attempts.

Maximum Blacklist Clear Attempts Reached

Maximum number of attempts to remove a host from a controller's blacklist have been reached and the host remains on the blacklist.

Maximum Concurrent Connections Critical

Concurrent connection licenses in use has reached or exceeded 95% of total licenses. Threshold is configurable. See Event thresholds.

Maximum Concurrent Connections Exceeded

Concurrent connection licenses in use has reached 100% of total licenses.

Maximum Concurrent Connections Warning

Concurrent connection licenses in use has reached or exceeded 75% of total licenses. Threshold is configurable. See Event thresholds.

Maximum Concurrent Physical Address Warning

No longer used.

Generated when host connections exceed 6000 or 12000 depending on the size of the appliance.

Maximum Guest/Contractor
Critical

No longer used.

Guest manager licenses in use has reached or exceeded 95% of total licenses. Threshold is configurable.

Maximum Guest/Contractor Exceeded

No longer used.

Guest manager licenses in use has reached 100% of total licenses.

Maximum Guest/Contractor Warning

No longer used.

Guest manager licenses in use has reached or exceeded 75% of total licenses. Threshold is configurable.

Maximum Host Warning

No longer used.

Access Manager licenses in use has reached or exceeded 75% of total anesthesiologist is configurable.

Maximum Hosts Critical

No longer used.

Access Manager licenses in use has reached or exceeded 95% of total licenses. Threshold is configurable.

Maximum Hosts Exceeded

No longer used.

Access Manager licenses in use has reached 100% of total licenses. No new accounts can be created.

Maximum Known Device
Critical

No longer used.

Device Tracker licenses in use has reached or exceeded 95% of total licenses. Threshold is configurable.

Maximum Known Device
Warning

No longer used.

Device Tracker licenses in use has reached or exceeded 75% of total licenses. Threshold is configurable.

Maximum Known Devices Exceeded

No longer used.

Device Tracker licenses in use has reached 100% of total licenses.

Maximum User Critical

No longer used.

Shared Access Tracker licenses in use has reached or exceeded 95% of total licenses. Threshold is configurable.

Maximum User Warning

No longer used.

Shared Access Tracker licenses in use has reached or exceeded 75% of total licenses. Threshold is configurable.

Maximum Users Exceeded

No longer used.

Shared Access Tracker licenses in use has reached 100% of total licenses.

MDM Host Compliance Failed

Host failed MDM scan

MDM Host Compliance Passed

Host passes MDM scan

MDM Host Created

Host was added to the database from MDM import

MDM Host Destroyed

Host is deleted from the database because it is no longer found on a poll of the MDM. This can occur if the corresponding record in the MDM database was either removed or disabled. "Remove Hosts Deleted from MDM Server" option in MDM services must be enabled.

MDM Poll Failure

MDM poll did not complete

MDM Poll Success

MDM poll completed

Memory Usage Critical

Generated when the memory usage critical threshold is reached for the appliance. This threshold is a percentage of the total allocated memory. Default = 95% Threshold is configurable. See Event thresholds.

Memory Usage Warning

Generated when the memory usage warning threshold is reached for the appliance. This threshold is a percentage of the total allocated memory. Default = 85% Threshold is configurable. See Event thresholds.

Message

Cabletron/Enterasys Event Log Message
OID = 1.3.6.1.4.1.52.1280

Multi-Access Point Detected

Generated when multiple MAC addresses are detected on a port. However, if the port is in the Authorized Access Points group an event is not generated. See Network device .

Multihomed Host Detected

Multihomed Host Fixed

Triggers when Detect Multihoming is enabled in scan and host has multiple adapters connected to the network. See Create or edit a configuration. See also KB article https://community.fortinet.com/t5/FortiNAC/Technical-Tip-SSID-AP-check-and-Multihome-detection-with/ta-p/282330

NAT Device Registered

Generated when a NAT Device (router) is registered.

Nitro Security Violation
Nitro Threat Level 1 - 6

Generated based on traps received from the NitroGuard Intrusion Protection/Detection system on your network. The IPS/IDS must be modeled in your Inventory.

No CDP Announcement

Generated when a device that has sent at least one CDP announcement has stopped sending those announcements. This is based on the polling time set for the device. For example if the poll time is one hour, a new event message is sent each time the hour elapses with no message from the device.

Operating System Is Up to Date

Indicates that there are no new updates available after the operating system update status task is run (1pm every Sunday, by default).

Operating System Status Check Failure

Indicates that the operating system update check failed due to multiple running checks. This may be caused by a configuration or network issue.

Operating System Update Initiated

Indicates that an operating system update was started from the admin UI. See Operating system.

Operating System Updates Available

Indicates that there are updates available after the operating system update status task is run (1pm every Sunday, by default).

Packeteer Configuration Failure
Packeteer Configuration
Success

No longer used.

Indicates whether or not communication has been established with the Packeteer PacketShaper software after Packeteer has been modeled in the Inventory.

Packeteer Monitor

If Packet Shaper has been configured to generate threshold violation events and if a threshold violation occurs, the event triggers an SNMP trap from PacketShaper to FortiNAC. This trap causes FortiNAC to generate a Packeteer Monitor event.

Packeteer Monitor 2

No longer used.

If a Packeteer product has been configured to generate events for OID 13.6.1.3.6.1.4.1.2334.1.1 and the event triggers an SNMP trap from the Packeteer to FortiNAC. This trap causes FortiNAC to generate a Packeteer Monitor 2 event.

PaloAlto Firewall High Violation

PaloAlto Firewall Low Violation

PaloAlto Firewall Medium Violation

FortiNAC received a violation syslog message from Palo Alto (High Violation, Medium Violation or Low Violation). See Palo Alto Networks Integration https://docs.fortinet.com/document/fortinac-f/7.2.0/palo-alto-networks-integration/341880/syslog-management#/document/fortinac-f/7.2.0/palo-alto-networks-integration/341880/syslog-management#_Toc130369411

PatchLink Compliant

PatchLink Non Compliant

Indicates whether or not Patchlink detected endpoint within compliance. For details see Patch management. https://docs.fortinet.com/document/fortinac-f/7.4.0/administration-guide/420671/patch-management

Persistent Agent Communication Resumed

Persistent Agent Contact Status has been restored to normal.

This event is only generated on hosts running Persistent Agent 4.0 or better.

Persistent Agent Not Communicating

This event can only be generated accurately agents when FortiNAC has up-to-date network connectivity data (in order to determine a host's online status). This requires the following:

- Wired network devices are being polled at a regular interval (typically 1 hour).

- Wired network devices are sending either Link Up/Link Down or Mac Notification traps.

- Wireless devices are being polled at a regular interval (typically 15 minutes).

Note

This event is only generated on hosts running Persistent Agent 4.0 or better.

Persistent Agent Scan Not Performed

This event can only be generated accurately when FortiNAC has up-to-date network connectivity data (in order to determine a host's online status). This requires the following:

- Wired network devices are being polled at a regular interval (typically 1 hour).

- Wired network devices are sending either Link Up/Link Down or Mac Notification traps.

- Wireless devices are being polled at a regular interval (typically 15 minutes).

Policy Warning

Host was scanned by an endpoint compliance policy. The host does not meet all of the scan requirements, but the scan rules state that a warning be issued instead of making compliance a requirement.

Scan status "Warning" triggers this event.

Poll For Hosts Failure
Poll For Hosts Success

No longer used.

Indicates whether a scheduled task to poll switches for hosts has succeeded or failed. Switches are contained in a device group and that group is polled.

Port CLI Task Failure
Port CLI Task Success

Indicates whether a CLI configuration applied to a port ran and failed or succeeded.

Port in Authorized Access Points Group

Scheduled task for a port in the Authorized Access Points group failed.

Port in Authorized Access Points Group

Failed to enable/disable port because it is in the Authorized Access Points group.

Port Link Down
Port Link Up

Trap received from the switch each time there is a link up or a link down on a port. Link up and link down happen each time a host is switched from one VLAN to another.

Port Security Incomplete

Maximum number of users on a port has been reached.

Port Segmented

Trap received from an Enterasys or Cabletron switch indicating that a link is down. This port may have been logically disconnected due to an excessive collision level or it may be physically disconnected.

Port Uplink Configuration Modified

An administrator modified the uplink setting of a port. The switch name, port and administrator are included in the event.

Possible MAC address Spoof

Indicates that the same MAC address has been detected on two different devices simultaneously. One is possibly spoofing the other’s MAC address. This event is generated based upon the value of the MAC Spoof Time Delay configured under System > Settings > Network device. See Network device for details.

Possible NAT Device, MAC Spoofed

This event has been replaced with NAT Device Registered. It remains visible to allow you to restore an old backup and view occurrences of this event. See NAT Device Registered in this list.

Possible NAT User

Generated on each host. One per MAC address on the NATd host. For example, if a host has both a wired and wireless connection, an event is generated for each.

Process Memory Usage Critical

Generated when the memory usage critical threshold is reached for the process. This threshold is a percentage of the total allocated memory. Default = 95%

Process Memory Usage
Warning

Generated when the memory usage warning threshold is reached for the process. This threshold is a percentage of the total allocated memory. Default = 85%

Process Thread Count Critical

Generated when the process thread count warning threshold is reached. This threshold is a specific number of threads the process is using. Default = 575

This event is disabled by default.

The threshold will dynamically increase by 25 for every 8 CPU cores that are added.

Process Thread Count Warning

Generated when the process thread count warning threshold is reached. This threshold is a specific number of threads the process is using. Default = 500

This event is disabled by default.

The threshold will dynamically increase by 25 for every 8 CPU cores that are added.

Profile Modified

Generated when a user modifies a user/host profile. Event message contains user information for the user who made the change, whether the change was an add, remove or replace, and the complete profile after the changes.

RADIUS Rate Exceeded

Generated when the 60 requests-per-second threshold is exceeded.

This event is disabled by default.

RADIUS Time Threshold

Indicates that the time threshold for a response from the RADIUS server has been exceeded. This threshold is not configurable.

Regained Contact with Persistent Agent

Host has regained contact with the Persistent Agent .

Remote Access Excessive Session Process Time

Generated when the time to process the remote client exceeds a threshold (set through the "MaxClearTime" attribute on the ASA device).

Reports Purged

Lists the file names of all reports that were deleted when reports were purged from the /home/cm/reports directory.

REST API Failure

Error when FortiNAC tries to communicate with the device using REST API.

Scan Does Not Exist For
Scheduler Task

FortiNAC has attempted to run a scan using a scheduled task. The scan referred to in the task no longer exists in the database. You must either recreate the scan or remove the scheduled task from the scheduler.

Secondary Contact Lost

Event triggered when the primary loses contact with the secondary.

Security Risk Host

Event triggered when a host is marked at risk due to an agent scan failure.

Associated events are "Host Passed Security Test" and "Host Security Test - Delayed Failure."

Service Down - Analytics Agent

Event triggered when the service is down and it is required for FortiNAC to send data to Analytics.

Service Down - Radius
Service Down - Samba
Service Down - Winbind

Event triggered when one of the listed the services is no longer running and it is required for the RADIUS Manager.

Service Down - Tomcat Admin
Service Down - Tomcat Portal
Service Down -dhcpd
Service Down -httpd
Service Down -mysqld
Service Down -named
Service Down -sshd

Event triggered when a specific service is no longer running. These services are required.

FortiNAC tries to restart the service every 30 seconds.

In a high availability environment, failover occurs after the fourth failed restart attempt.

For the httpd service: After the system confirms that the httpd service is running, the system also attempts to connect to ports 80 and 443. If the system fails to connect to either port, the httpd service is restarted.

If the primary is unable to communicate with the secondary to confirm it is running, service down will not trigger a failover.

Service Started - Analytics Agent

Event triggered when the service is started. This service is required and must be running in order to use Analytics.

Service Started - Tomcat Admin
Service Started - Tomcat Portal
Service Started -dhcpd
Service Started -httpd
Service Started -mysqld
Service Started -named
Service Started -sshd

Event triggered when one of the listed services is started. These services are required and must be running in order to use FortiNAC.

Service Started -Radius
Service Started - Samba
Service Started - Winbind

Event triggered when one of the listed services is started. These services are required in order to use RADIUS Manager.

Set Default VLAN Failure
Set Default VLAN Success

When a host disconnects from a port, the port can be set to return to its default VLAN. Indicates whether or not the port successfully returns to the default VLAN.

SNMP Failure

Generated when FortiNAC receives an SNMP failure during communication with a SNMP enabled Network Device. This includes any error message received from the SNMP packet.

SNMP Read Error

Did not receive all data when reading a switch using SNMP. Device name and error code are included in the event message.

Sophos AntiVirus: Virus Found

Sophos AntiVirus can be configured to send traps to FortiNAC when a virus is found on a host. Host information is included in the trap. If a Sophos Trap is received, this event is generated.

Sourcefire Error
Sourcefire IPS Action
Sourcefire IPS High Violation
Sourcefire IPS Low Violation
Sourcefire IPS Medium Violation

Generated based on syslog events received from an Intrusion Protection/Detection system on your network. The IPS/IDS must be modeled in your Inventory.

Sourcefire IPS Action: Indicates that an action has been triggered by a syslog message from Sourcefire.

StealthWatch

SNMP trap has been sent from a StealthWatch device
OID = 1.3.6.1.4.1.8712

StealthWatch Email Rejects

Host is receiving a significant number of rejected mail attempts.

StealthWatch Email Relay

Host is operating as an email relay.

StealthWatch High Concern

A host has exceeded the Concern Index threshold set for it. This usually means that an inside host is no longer operating as it was during the tuning period and should be examined for possible compromise, misuse, or policy violations. An external host with a High Concern index is often attempting to violate your network integrity.

StealthWatch High File Sharing

Host is transferring files.

StealthWatch High Volume Email

Host is infected with an email worm.

StealthWatch Max Flows
Initiated

Host has had an excessive number of total flows active.

StealthWatch New Flows

Indicates that a host exceeds a total number of new flows in a 5-minute period.

StealthWatch Port Flood

The host has attempted to connect on an excessive number of ports on the Target IP. This may indicate a DoS attack or an aggressive scan by the source IP.

StealthWatch Suspect Long Flow

Host has a long duration flow.

StealthWatch SYN Flood

The host has sent an excessive number of TCP connection requests (SYN packets) in a 5-minute period. This may indicate a DoS attack or non-stealthy scanning activity

StealthWatch Worm Activity

A host has scanned and connected on a particular port across more than one subnet. The details section of this alarm specifies the port on which the activity was observed.

StealthWatch Worm Propagation

Host has scanned and connected on port 5 across more than 1 subnet.

StealthWatch Zone Violations

Host has connected to a server in a zone that it is not allowed to access.

StoneGate IPS High Violation
StoneGate IPS Low Violation
StoneGate IPS Medium Violation

Generated based on syslog events received from an Intrusion Protection/Detection system on your network. The IPS/IDS must be modeled in your Inventory. See Syslog files .

StoneGate Violation

Generated based on syslog events received from an Intrusion Protection/Detection system on your network. The IPS/IDS must be modeled in your Inventory. See Syslog files .

Success Disabling Port Security
Success Enabling Port Security

Generated when the Enable or Disable HP/NT Port Security scheduled task runs successfully. This task enables or disables port security configuration on all HP/NT devices in the selected group. Port Security is used to disable hosts if DeadEnd VLANs are not used on the network.

Sync Initiated

(FortiNAC versions 9.1.3 and above) Generated when a synchronization of servers by Control Manager has been triggered. Provides server IP, the user who triggered the sync and status.

Synchronize Users with
Directory Failure
Synchronize Users with
Directory Success

Indicates whether or not the FortiNAC user database has successfully synchronized with the selected directory such as LDAP or Active Directory. These events are triggered by the failure or success of the scheduled synchronization set up on the Directory Configuration window. See Configuration.

Syslog Error

Generated when the FortiNAC server receives an inbound syslog message for a host that is not currently managed by FortiNAC.

System Automatically Restarted

Server was restarted because a primary system process was down. Processes include: MasterLoader, IP to MAC, Communication and Nessus.

This event was System Restart in prior versions.

System Backup Failure
System Backup Success

Indicates whether a system backup has succeeded. The system backup is run by a scheduled task. The system backup may succeed, but will still fail if remote backup is enabled and fails.

It is recommended that you create an alarm action to send an email if system backup fails.

System Created Uplink

If Uplink Mode on a Port's properties is set to Dynamic, FortiNAC converts the port to an uplink port when the number of MAC addresses on the port exceeds the System Defined Uplink count and generates this event.

System Fail Over

In a high availability environment, this event indicates that the primary server has failed and the secondary has taken over.

System Power Off

Indicates that the user specified in the event message powered off the FortiNAC server. See Power management

System Reboot

Indicates that the user specified in the event message rebooted the FortiNAC server. See Power management.

TippingPoint SMS High Violation
TippingPoint SMS Low Violation
TippingPoint SMS Medium
Violation

Generated based on syslog events received from an Intrusion Protection/Detection system on your network. The IPS/IDS must be modeled in your Inventory. See Syslog files .

Top Layer IPS High Violation
Top Layer IPS Low Violation
Top Layer IPS Medium Violation

Generated based on syslog events received from an Intrusion Protection/Detection system on your network. The IPS/IDS must be modeled in your Inventory. See Syslog files .

Unauthorized SSID/VLAN

No longer used.

Unknown User in Group

No longer used.

Unsupported Trap

Generated when FortiNAC receives a trap that it cannot interpret from a device. The device's OID is included in the event.

Update SSID Failure
Update SSID Success

SSID assignment scheduled task maps VLAN IDs to SSIDs. Event indicates whether or not the task succeeded.

Update VLAN ID Failure
Update VLAN ID Success

Indicates that the user specified in the event message powered off the FortiNAC server. See Power management.

Update Default VLAN Values scheduled task sets the Default VLAN value for the port in FortiNAC device model to the value entered in the scheduled task. Event indicates whether or not the task succeeded.

User Connected to Host Console A user connected to the console. Eventis generated on the User
User De-authenticated on Adapter The same event as De-authenticated but generated on the Adapter
User Disconnected from Host Console A Windows Session for an Active Directory user connected to the Console.Event is generated on the User
User Locked Session A Session for an Active Directory user was locked. The session is still active and this is not equivalent to a logout.Event is generated on the User
User Remotely Connected to Host A Remote Windows Session connected to a Host.Event is generated on the User
User Remotely Disconnected from Host A Remote Windows Session dicconnected from a Host.Event is generated on the User
User Session changed Remote Control status A Windows Session for a Local user has changed remote control status. It is either now remotely controlled or no longer remotely controlled. Event is generated on the User.
User Unlocked Session A Session for an Active Directory user was unlocked. The session is still active and this is not equivalent to a login.Event is generated on the User