Events and alarms list

Generated whenever an Access Configuration is modified.

Generated whenever an Access Policy is modified.

Generated whenever an adapter is added to a host.

Generated whenever an adapter is removed from a host.

Generated whenever a REST API request is received that creates or removes a Control Task.

Generated whenever a trap is received that adds, modifies or removes a host record in the database.

Generated whenever a REST API request is received that adds, modifies or removes a host record in the database.

Generated whenever a trap is received that adds, modifies or removes a user record in the database.

Generated whenever a REST API request is received that adds, modifies or removes a user record in the database.

Admin user created. User types are not included in the event message.

Admin user deleted from the database.

Admin user logged out of the user interface.

Admin user failed to log into the user interface.

Admin user logged into the user interface.

Admin user was logged out of the User Interface based on the settings in Users > Admin Users > Timeout Settings in the Administrative Interface Inactivity Time (Minutes) field.

User has gone into Port Properties for an individual port and successfully turned the Admin Status on or off.

No longer used.

Generated when an agent scans a host and returns MAC addresses that have a Vendor OUI that is not included in the Vendor OUI Management list in FortiNAC.

Indicates whether or not an agent updated successfully.

Message sent from FortiNAC user to one or more hosts. Only hosts running the Persistent Agent can receive messages. This event is not generated if the message fails to send.

Indicates that an event has caused an alarm.

Indicates that password for the appliance and/or the Admin UI are either a default factory password or are not complex enough. It is recommended that you modify the password. Otherwise, your network may be at risk for a security breach.

Generated when contact is lost to the Nessus plugin in a 1200/8200 pair. Requires contact to be established before contact can be lost.

FortiNAC can receive traps from external applications hosted on servers modeled in the Topology tree as Pingable or Server devices. This event is generated when a trap is received. Traps might be used to indicate intrusion or that a threshold has been exceeded.

A Host Application Violation event can be generated at the same time. See Host Application Violation in this list.

Generated based on a trap sent from an external application. Indicates that the condition that caused the Application Violation event is no longer happening and operations can return to normal. For example, if hosts have been marked at risk, they can now be marked safe and can access the network.

A Host Application Violation Reset can be generated at the same time with host specific information. See Host Application Violation Reset in this list.

Successfully verified users credentials with the directory.

Generated whenever an authentication configuration is modified.

Unable to verify users credentials with the directory.

Generated whenever an authentication policy is modified.

User did not authenticate within the alloted time.

Received an authentication trap from the directory.

Generated when a certificate is due to expire within 30 days.

Generated when a certificate is due to expire within 7 days.

Generated when a certificate has expired.

Generated when VPN connection IPsec Phase-2 Tunnel becomes inactive.

Generated when a user tries to configure a Scheduled task that involves applying a CLI Configuration to a group. Indicates whether or not the configuration of the scheduled task was successful.

Indicates failure to substitute the "Port, VLAN, IP, or MAC" data into the CLI.

Event indicates that the BigFix patch management server cannot be reached.

Palo Alto User Agent is a component of the Palo Alto Firewall. If configured FortiNAC sends User ID and IP Address to the Palo Alto User Agent each time a host connects to the network.

Event indicates that the Palo Alto User Agent modeled in the Topology View cannot be reached.

Event indicates that the PatchLink patch management server cannot be reached.

Fortinet SSO Agent is a component of the FortiGate Firewall. If configured FortiNAC sends User ID and IP Address to the Fortinet SSO Agent each time a host connects to the network.

Event indicates that the Fortinet SSO Agent modeled in the Topology View cannot be reached.

Generated if a Custom Script SSO Agent is configured in Topology. FortiNAC sends User ID and IP Address as parameters to the script each time a host connects to the network.

Event indicates that the script configured in the Topology View failed to run.

If configured FortiNAC sends User ID and IP Address to iboss each time a host connects to the network.

Event indicates that the iboss SSO Agent modeled in the Topology View cannot be reached.

Using Guest/Contractor Accounts you can create a batch of conference user accounts. This event is generated when those accounts are created and indicates the number of accounts created.

Contact with a device has been established.

Contact with a device has been lost.

New container has been created in the database. Containers are a grouping mechanism for devices that display in the Topology View.

Container has been deleted from the database. Deleting a container deletes all of the devices it contains.

Generated when a known host connects to the network and its host name is different. Indicates that the host name in the database associated with the MAC address and existing DHCP finger print for that host is different.

Indicates whether or not the scheduled database archive/purge was successful.

Indicates whether or not the scheduled database backup was successful.

Occurs in a High Availability situation when the MasterLoader database is not replicating. Can also be triggered when the database on the secondary server is not running.

Occurs in a High Availability situation when the MasterLoader database is successfully replicated to the secondary server.

User logged off from host.

Unable to log off user from host. User not found.

Host or FortiNAC user has been successfully deleted from the database. If multiple records are deleted at once, a separate event is generated for each record.

Device was restarted using the power switch.

New managed device has been created in the database.

Managed device has been deleted from the database.

Host is using a different operating system than the one with which the host was registered. This could occur on a host with a dual-boot. For example, the host registers with a Windows operating system. The user later boots the host using Linux and tries to access the network. That change would trigger this event. An upgrade within a family of operating systems would not normally trigger this event, such as from Windows XP to Windows Vista.

Operating system is determined by the DHCP fingerprint.

No longer used.

A device has linked to port X on the network.

A device link goes down on a specific port because a device was disconnected from the port.

Generated when a device link goes up on a specific port.

A rogue host has matched a Device Profiling rule allowing it to be assigned a device type and registered.

A rogue host has been registered by device profiling based on a device profiling rule.

Indicates that Device Profiler cannot compare a rogue against a rule because FortiNAC does not have enough information about the rogue, such as a DHCP fingerprint. If Device Profiler cannot compare a rogue against a rule it does not continue processing that rogue, and moves on to the next rogue.

Devices identified by a Device Profiling rule maintain their association with that rule. If enabled, the associated rule and the device are checked periodically to see if the rule is still valid for the device. These event messages indicate whether or not the device matched the associated rule.

Device was restarted from the command line interface.

The connection to a directory, such as Active Directory or LDAP, failed. The directory could have refused the connection because the user name and password were incorrect. This event can be triggered when testing the connection to the directory with the Test button on the Directory Configuration window.

Users can be disabled/enabled in a Directory such as LDAP based on Group membership. When the FortiNAC database synchronizes with the Directory, users that are members of the group are enabled. Users that are not members of the group are disabled.

Indicates whether or not a directory, such as Active Directory or LDAP, synchronized with the user database. Could be caused if FortiNAC fails to connect to the directory. This synchronization is a one time task done when the Directory is configured. See Schedule directory synchronization.

Users can be disabled/enabled in a Directory such as LDAP. When the FortiNAC database synchronizes with the Directory, users can be disabled/enabled based on their Directory setting.

Generated when a user manually disables a host on the Host View. Indicates whether or not the host was successfully disabled.

Indicates whether or not hosts in a group were successfully disabled using a scheduled task.

Indicates whether or not a particular port was disabled by an alarm action.

Indicates whether or not ports in a particular group were disabled by a scheduled task.

Indicates that a user selected from the User View was successfully disabled.

No longer used.

The device discovery process that adds new devices to FortiNAC has completed. IP address range is included in the completion message.

No longer used.

No longer used.

Two users with the same last name and/or ID were found in the Directory. FortiNAC is case in-sensitive. For example, two users with last names listed as SMITH and smith are treated as if they were the same person. The newer of the two users is ignored.

Alarms can be configured to send E-mail Notifications to FortiNAC Admin users. If the Admin user has no e-mail address or the e-mail fails in any other way, this event is generated.

Indicates whether or not a host selected from the Host View was successfully enabled.

Indicates whether or not hosts in a group were successfully enabled using a scheduled task.

Indicates whether or not a particular port has been enabled by an alarm action in response to a previous event.

Indicates whether or not ports in a particular group were enabled by a scheduled task.

Indicates that a user selected from the User View was successfully enabled.

Generated whenever an Endpoint Compliance Configuration is modified.

Generated whenever an Endpoint Compliance Configuration Platform Setting is modified.

Generated whenever an Endpoint Compliance is modified.

Enterasys Dragon is an Intrusion Protection/Detection System. An event is generated when an intruder is detected.

Attempted to disable hosts using an Alarm Action. Hosts failed to be disabled.

Scheduled task that enables port security configuration on all HP/NT devices in an associated group has failed.

Attempted to enable hosts using an Alarm Action. Hosts failed to be enabled.

Scheduled task that enables port security configuration on all HP/NT devices in an associated group has failed.

Generated whenever a high violation event is received from FireEye.

Generated whenever a low violation event is received from FireEye.

Generated whenever a medium violation event is received from FireEye.

Generated whenever a high violation event is received from FortiOS 4.0.

Generated whenever a low violation event is received from FortiOS 4.0.

Generated whenever a medium violation event is received from FortiOS 4.0.

Generated whenever a high violation event is received from FortiOS 5.0.

Generated whenever a low violation event is received from FortiOS 5.0.

Generated whenever a medium violation event is received from FortiOS 5.0.

A host or device has connected with a MAC address that is in the MAC Address Exclusions list. This connection is not being managed by FortiNAC and the host or device has access to the production network. See MAC address exclusion.

A host or device has connected with a MAC address in the Microsoft LLTD or Multicast Address range. Those ranges are managed in the MAC Address Exclusion list. FortiNAC ignores these MAC addressed for 48 hours after the first one is seen and then treats them as rogues unless the configuration is updated on the MAC Address Exclusion list. See MAC address exclusion.

A gaming device was registered by a user.

FortiNAC attempted to perform a scan or scheduled task for a particular group and the group no longer exists in the database. Either recreate the group or remove the scan or scheduled task.

No longer used.

If you are setting up Guest/Contractor users in advance, an event can be generated if you set up more Guest/Contractor users than you have licenses.

No longer used.

If you are setting up Guest/Contractor users in advance, an event can be generated if you set up enough Guest/Contractor users to use 75% of the available licenses.

New guest account is created.

Guest account is deleted.

Generated when the disk usage critical threshold is reached. This threshold is a percentage of the space allocated for the bsc and var partitions. The percentage is calculated for each partition separately. When any one partition reaches the threshold the event is generated. Thresholds calculated for individual partitions are never combined. Therefore if the combined total crosses the threshold, no event is generated. Default = 95%

Generated when the disk usage warning threshold is headteacher threshold is a percentage of the space allocated for the bsc and var partitions. The percentage is calculated for each partition separately. When any one partition reaches the threshold the event is generated. Thresholds calculated for individual partitions are never combined. Therefore if the combined total crosses the threshold, no event is generated. Default = 85%

Host has been removed from the database based on the time or expiration date on the associated Host Properties window. See Properties.

Generated against a FortiNAChost based on the IP, MAC, or ID information contained within an Application Violation trap. If IP, MAC, or User ID match any records in the FortiNAC database, this event is generated. See Application Violation in this list.

Generated against a FortiNAC host based on the IP, MAC, or User ID information contained within an Application Violation Reset trap. If IP, MAC, or User ID match any records in the FortiNAC database, an event is generated. The reset event occurs when the host is no longer in violation. See Application Violation in this list.

An Admin user marked a selected host At Risk or the host failed a scan.

Indicates whether an alarm action triggered by an At Risk host succeeded or failed.

Generated whenever a host fails a scan, but it is not enforced.

Indicates whether or not the CLI commands associated with host/adapter based ACLs have been successful.

Generated whenever a registered host connects to the network.

In an environment where multiple FortiNAC appliances are managed by a FortiNAC Control Manager, hosts and their corresponding information can be copied from one appliance to another based on settings in the FortiNAC Control Manager under System > Settings > Network Control Manager > Server Synchronization. When hosts are copied from one appliance to another this event is generated.

Generated whenever a host is created.

Generated whenever a host is destroyed.

Generated whenever a host is destroyed.

Generated whenever a registered host disconnects from the network.

Indicates that a registered host's name or operating system has changed since the last time it was read by the Persistent or Dissolvable Agent, and that it is possibly a dual boot device. This could also indicate MAC spoofing. An operating system change , such as an upgrade could also trigger this event.

A host failed a scan for an Endpoint Compliance Policy. The policy was configured for delayed remediation indicating that hosts that fail the scan are not sent to remediation for x number of days. The event is generated when the host is marked Pending At Risk.

Scan status "Failure Pending" triggers this event.

Host has gone to the Registration page and the user attempted to register the host. Indicates whether the registration succeeded or failed.

Host rejected because it is missing a MAC address.

Host rejected because there is no VLAN defined for current state.

Generated when a user goes to System > Settings > Control > Quarantine. On the Quarantine view there is a button that allows the user to mark all hosts as Safe. If this button is clicked the event is generated for each host that was affected.

Indicates whether or not an alarm action associated with marking a host as safe has failed. See Host Safe in this list.

Agent has detected that the user has logged on or off the host. Applies only to Windows hosts.

FortiNAC requires the Last name and ID fields for each user. If either of those fields is missing, the user record is incomplete.

Indicates whether or not the Update interface status scheduled task was successful. The task reads and updates the interface status for each port on the devices in the associated groups.

Indicates whether or not a scheduled task has failed. The name of the task is provided.

The MAC Address of the specified host or device is not recognized by FortiNAC because the corresponding Vendor OUI is not in the FortiNAC database. Update the Vendor OUI database either manually or by using Auto-Def Updates. See and .

Indicates whether or not FortiNAC successfully contacted the device to read the list of connected hosts.

Indicates whether FortiNAC successfully read IP Address mappings from a device.

No longer used.

Max % In setting on the Bandwidth window has been met or exceeded.

No longer used.

After the first “Load In Limit Exceeded” event occurs the server does not generate a “Load In Limit Rearmed” event until the percentage of bandwidth bytes in falls below Rearm % In value.

No longer used.

Max % Out setting on the Bandwidth window has been met or exceeded.

No longer used.

After a “Load Out Limit Exceeded” event occurs the server creates a “Load Out Limit Rearmed” event once the percentage of bytes out falls below this the Rearm % Out value.

This event can only be generated accurately when FortiNAC has up-to-date network connectivity data (in order to determine a host's online status). This requires the following:

- Wired network devices are being polled at a regular interval (typically 1 hour).

- Wired network devices are sending either Link Up/Link Down or Mac Notification traps.

- Wireless devices are being polled at a regular interval (typically 15 minutes).

Switch has learned the MAC address of a host that has connected and has added that address to its forwarding table.

Switch has removed the MAC address of a host who has disconnected from its forwarding table.

This event is generated when a MAC notification trap is received for a port in FortiNAC is any of the uplink types.

Generated when management of a device is established.

Generated when management of a device is lost.

No longer used.

Mapping IP addresses to physical addresses for a selected group using a scheduled task failed or succeeded.

Maximum number of attempts to remove a host from a controller's blacklist have been reached and the host remains on the blacklist.

No longer used.

Generated when host connections exceed 6000 or 12000 depending on the size of the appliance.

Concurrent Connection licenses in use has reached or exceeded 95% of total licenses. Threshold is configurable. See Event thresholds.

Concurrent Connection licenses in use has reached 100% of total licenses.

Concurrent Connection licenses in use has reached or exceeded 75% of total licenses. Threshold is configurable. See Event thresholds.

No longer used.

Guest Manager licenses in use has reached or exceeded 95% of total licenses. Threshold is configurable.

No longer used.

Guest Manager licenses in use has reached 100% of total licenses.

No longer used.

Guest Manager licenses in use has reached or exceeded 75% of total licenses. Threshold is configurable.

No longer used.

Access Manager licenses in use has reached or exceeded 95% of total licenses. Threshold is configurable.

No longer used.

Access Manager licenses in use has reached or exceeded 75% of total anesthesiologist is configurable.

No longer used.

Access Manager licenses in use has reached 100% of total licenses. No new accounts can be created.

No longer used.

Device Tracker licenses in use has reached or exceeded 95% of total licenses. Threshold is configurable.

No longer used.

Device Tracker licenses in use has reached or exceeded 75% of total licenses. Threshold is configurable.

No longer used.

Device Tracker licenses in use has reached 100% of total licenses.

No longer used.

Shared Access Tracker licenses in use has reached or exceeded 95% of total licenses. Threshold is configurable.

No longer used.

Shared Access Tracker licenses in use has reached or exceeded 75% of total licenses. Threshold is configurable.

No longer used.

Shared Access Tracker licenses in use has reached 100% of total licenses.

Generated when the maximum number of attempts to remove a MAC address from a device's black list has been exceeded. Currently the maximum is set to 3 attempts.

Generated when the memory usage critical threshold is reached for the appliance. This threshold is a percentage of the total allocated memory. Default = 95% Threshold is configurable. See Event thresholds.

Generated when the memory usage warning threshold is reached for the appliance. This threshold is a percentage of the total allocated memory. Default = 85% Threshold is configurable. See Event thresholds.

Cabletron/Enterasys Event Log Message
OID = 1.3.6.1.4.1.52.1280

Generated when multiple MAC addresses are detected on a port. However, if the port is in the Authorized Access Points group an event is not generated. See Network device .

Generated when a NAT Device (router) is registered.

Generated based on traps received from the NitroGuard Intrusion Protection/Detection system on your network. The IPS/IDS must be modeled in your Topology View.

Generated when a device that has sent at least one CDP announcement has stopped sending those announcements. This is based on the polling time set for the device. For example if the poll time is one hour, a new event message is sent each time the hour elapses with no message from the device.

Indicates that there are no new updates available after the Operating System Update Status scheduled task is run (1pm every Sunday, by default).

Indicates that the Operating System update check failed due to multiple running checks. This may be caused by a configuration or network issue.

Indicates that an Operating System Update was started from the Admin UI. See Updating CentOS.

Indicates that there are updates available after the Operating System Update Status scheduled task is run (1pm every Sunday, by default).

No longer used.

Indicates whether or not communication has been established with the Packeteer PacketShaper software after Packeteer has been modeled in the Topology View.

If Packet Shaper has been configured to generate threshold violation events and if a threshold violation occurs, the event triggers an SNMP trap from PacketShaper to FortiNAC. This trap causes FortiNAC to generate a Packeteer Monitor event.

No longer used.

If a Packeteer product has been configured to generate events for OID 13.6.1.3.6.1.4.1.2334.1.1 and the event triggers an SNMP trap from the Packeteer to FortiNAC. This trap causes FortiNAC to generate a Packeteer Monitor 2 event.

Persistent Agent Contact Status has been restored to normal.

Note: This event is only generated on hosts running Persistent Agent 4.0 or better.

This event can only be generated accurately agents when FortiNAC has up-to-date network connectivity data (in order to determine a host's online status). This requires the following:

- Wired network devices are being polled at a regular interval (typically 1 hour).

- Wired network devices are sending either Link Up/Link Down or Mac Notification traps.

- Wireless devices are being polled at a regular interval (typically 15 minutes).

This event is only generated on hosts running Persistent Agent 4.0 or better.

This event can only be generated accurately when FortiNAC has up-to-date network connectivity data (in order to determine a host's online status). This requires the following:

- Wired network devices are being polled at a regular interval (typically 1 hour).

- Wired network devices are sending either Link Up/Link Down or Mac Notification traps.

- Wireless devices are being polled at a regular interval (typically 15 minutes).

Host was scanned by an Endpoint Compliance Policy. The host does not meet all of the scan requirements, but the scan rules state that a warning be issued instead of making compliance a requirement.

Scan status "Warning" triggers this event.

No longer used.

Indicates whether a scheduled task to poll switches for hosts has succeeded or failed. Switches are contained in a device group and that group is polled.

Indicates whether a CLI configuration applied to a port ran and failed or succeeded.

Failed to enable/disable port because it is in the Authorized Access Points group.

Trap received from the switch each time there is a link up or a link down on a port. Link up and link down happen each time a host is switched from one VLAN to another.

Maximum number of users on a port has been reached.

Trap received from an Enterasys or Cabletron switch indicating that a link is down. This port may have been logically disconnected due to an excessive collision level or it may be physically disconnected.

An administrator modified the uplink setting of a port. The switch name, port and administrator are included in the event.

Scheduled task for a port in the Authorized Access Points group failed.

Indicates that the same MAC address has been detected for more than five minutes on two different devices simultaneously. One is possibly spoofing the other’s MAC address.

This event has been replaced with NAT Device Registered. It remains visible to allow you to restore an old backup and view occurrences of this event. See NAT Device Registered in this list.

Generated on each host. One per MAC address on the NATd host. For example, if a host has both a wired and wireless connection, an event is generated for each.

Generated when the memory usage critical threshold is reached for the process. This threshold is a percentage of the total allocated memory. Default = 95%

Generated when the memory usage warning threshold is reached for the process. This threshold is a percentage of the total allocated memory. Default = 85%

Generated when the process thread count warning threshold is reached. This threshold is a specific number of threads the process is using. Default = 575

This event is disabled by default.

The threshold will dynamically increase by 25 for every 8 CPU cores that are added.

Generated when the process thread count warning threshold is reached. This threshold is a specific number of threads the process is using. Default = 500

This event is disabled by default.

The threshold will dynamically increase by 25 for every 8 CPU cores that are added.

Generated when a user modifies a User/Host Profile. Event message contains user information for the user who made the change, whether the change was an add, remove or replace, and the complete profile after the changes.

Generated when the 60 requests-per-second threshold is exceeded.

This event is disabled by default.

Indicates that the time threshold for a response from the RADIUS server has been exceeded. This threshold is not configurable.

Host has regained contact with the persistent Agent .

Generated when the time to process the remote client exceeds a threshold (set through the "MaxClearTime" attribute on the ASA device).

Lists the file names of all reports that were deleted when reports were purged from the /home/cm/reports directory.

Generated when FortiNAC receives an SNMP failure during communication with a SNMP enabled Network Device. This includes any error message received from the SNMP packet.

Did not receive all data when reading a switch using SNMP. Device name and error code are included in the event message.

FortiNAC has attempted to run a scan using a scheduled task. The scan referred to in the task no longer exists in the database. You must either recreate the scan or remove the scheduled task from the scheduler.

Event triggered when the primary loses contact with the secondary.

Event triggered when a specific service is no longer running. These services are required.

FortiNAC tries to restart the service every 30 seconds.

In a High Availability environment, failover occurs after the fourth failed restart attempt.

For the httpd service: After the system confirms that the httpd service is running, the system also attempts to connect to ports 80 and 443. If the system fails to connect to either port, the httpd service is restarted.

If the primary is unable to communicate with the secondary to confirm it is running, service down will not trigger a failover.

Event triggered when one of the listed services is started. These services are required and must be running in order to use FortiNAC.

Event triggered when the service is down and it is required for FortiNAC to send data to Analytics.

Event triggered when one of the listed the services is no longer running and it is required for the RADIUS Manager.

Event triggered when the service is started. This service is required and must be running in order to use Analytics.

Event triggered when one of the listed services is started. These services are required in order to use RADIUS Manager.

When a host disconnects from a port, the port can be set to return to its default VLAN. Indicates whether or not the port successfully returns to the default VLAN.

Sophos AntiVirus can be configured to send traps to FortiNAC when a virus is found on a host. Host information is included in the trap. If a Sophos Trap is received, this event is generated.

Generated based on syslog events received from an Intrusion Protection/Detection system on your network. The IPS/IDS must be modeled in your Topology View.

Sourcefire IPS Action—Indicates that an action has been triggered by a syslog message from Sourcefire.

SNMP trap has been sent from a StealthWatch device
OID = 1.3.6.1.4.1.8712

Host is receiving a significant number of rejected mail attempts.

Host is operating as an email relay.

A host has exceeded the Concern Index threshold set for it. This usually means that an inside host is no longer operating as it was during the tuning period and should be examined for possible compromise, misuse, or policy violations. An external host with a High Concern index is often attempting to violate your network integrity.

Host is transferring files.

Host is infected with an email worm.

Host has had an excessive number of total flows active.

Indicates that a host exceeds a total number of new flows in a 5-minute period.

The host has attempted to connect on an excessive number of ports on the Target IP. This may indicate a DoS attack or an aggressive scan by the source IP.

The host has sent an excessive number of TCP connection requests (SYN packets) in a 5-minute period. This may indicate a DoS attack or non-stealthy scanning activity

Host has a long duration flow.

A host has scanned and connected on a particular port across more than one subnet. The details section of this alarm specifies the port on which the activity was observed.

Host has scanned and connected on port 5 across more than 1 subnet.

Host has connected to a server in a zone that it is not allowed to access.

Generated based on syslog events received from an Intrusion Protection/Detection system on your network. The IPS/IDS must be modeled in your Topology View. See Syslog management .

Generated based on syslog events received from an Intrusion Protection/Detection system on your network. The IPS/IDS must be modeled in your Topology View. See Syslog management .

Generated when the Enable or Disable HP/NT Port Security scheduled task runs successfully. This task enables or disables port security configuration on all HP/NT devices in the selected group. Port Security is used to disable hosts if DeadEnd VLANs are not used on the network.

Indicates whether or not the FortiNAC user database has successfully synchronized with the selected directory such as LDAP or Active Directory. These events are triggered by the failure or success of the scheduled synchronization set up on the Directory Configuration window. See Directory configuration.

Generated when the FortiNAC server receives an inbound syslog message for a host that is not currently managed by FortiNAC.

Indicates whether a system backup has succeeded. The system backup is run by a scheduled task. The system backup may succeed, but will still fail if remote backup is enabled and fails.

It is recommended that you create an alarm action to send an email if system backup fails.

If Uplink Mode on a Port's properties is set to Dynamic, FortiNAC converts the port to an uplink port when the number of MAC addresses on the port exceeds the System Defined Uplink count and generates this event.

In a High Availability environment, this event indicates that the primary server has failed and the secondary has taken over.

Indicates that the user specified in the event message powered off the FortiNAC server. See Power management

Indicates that the user specified in the event message rebooted the FortiNAC server. See Power management.

Server was restarted because a primary system process was down. Processes include: MasterLoader, IP to MAC, Communication and Nessus.

This event was System Restart in prior versions.

Generated based on syslog events received from an Intrusion Protection/Detection system on your network. The IPS/IDS must be modeled in your Topology View. See Syslog management .

Generated based on syslog events received from an Intrusion Protection/Detection system on your network. The IPS/IDS must be modeled in your Topology View. See Syslog management .

No longer used.

No longer used.

Generated when FortiNAC receives a trap that it cannot interpret from a device. The device's OID is included in the event.

SSID assignment scheduled task maps VLAN IDs to SSIDs. Event indicates whether or not the task succeeded.

Indicates that the user specified in the event message powered off the FortiNAC server. See Power management.

Update Default VLAN Values scheduled task sets the Default VLAN value for the port in FortiNAC device model to the value entered in the scheduled task. Event indicates whether or not the task succeeded.

Indicates that the user specified in the event message rebooted the FortiNAC server. See Power management.

User has been aged out of the database based on the data stored in the Age Time section of the User Properties view.

Network user created in or deleted from the database. This is a non-administrative user.

This event is generated on each host that had been previously NATd but are not any longer. One per MAC address on the NATd host. For example, if a host has both a wired and wireless connection, an event is generated for each.

User has been removed directly from a Directory such as LDAP. When the FortiNAC user database is synchronized with the Directory this discrepancy triggers the event. If Remove User is selected on your Directory configuration, the missing user is removed from the FortiNAC database.

Generated when has verified that the DHCP server is running a valid DHCP server application.

Generated when a new Vendor OUI has been added to the database.

Generated when a Vendor OUI was removed from the database.

VLAN failed to change for port X.

VLAN was changed successfully for X port.

Generated when the host failed the Vulnerability Scan.

Generated when the Vulnerability rescan has finished.

Generated when scan results from the vendor include hosts that were added to the Vulnerability Exceptions Group, indicating which hosts were ignored. Hosts in this group are allowed onto the network, regardless of scan results.

FortiNAC polls the vendor for scan results for a configured scan, but scan results are unavailable because the scan was not run by the vendor.

Generated when the host passed the Vulnerability Scan.

A Vulnerability Scan that was added to FortiNAC was removed from the Vulnerability Scanner.

The IP address targeted by a rescan is not included in the list of Qualysasset IPs.