Events and alarms list
When events are enabled, they can be enabled for All Groups or for a single group. Depending on the event, you may not want to enable it for all groups because the volume of events would be overwhelming. For example, if you enabled the host connected event for all groups, you would receive an event message every time someone connects to the network.
When you look at an event in the Event Viewer, additional information is provided about that occurrence of the event. It might include information such as user name, IP address, MAC address or location.
Each event has a corresponding alarm that can be configured. See Map events to alarms.
Event names highlighted in gray are no longer used. However, they are still available in the Event Log to accommodate importing older data that may contain those events.
Events and alarms
Event |
Definition |
||
Access Configuration Modified |
Generated whenever an Access Configuration is modified. |
||
Access Policy Modified |
Generated whenever an Access Policy is modified. |
||
Adapter Created |
Generated whenever an adapter is added to a host. |
||
Adapter Destroyed |
Generated whenever an adapter is removed from a host. |
||
Add/Modify/Remove Blocking via REST API |
Generated whenever a REST API request is received that creates or removes a Control Task. |
||
Add/Modify/Remove Host |
Generated whenever a trap is received that adds, modifies or removes a host record in the database. |
||
Add/Modify/Remove Host via REST API |
Generated whenever a REST API request is received that adds, modifies or removes a host record in the database. |
||
Add/Modify/Remove User |
Generated whenever a trap is received that adds, modifies or removes a user record in the database. |
||
Add/Modify/Remove User via REST API |
Generated whenever a REST API request is received that adds, modifies or removes a user record in the database. |
||
Admin User Created |
Administrative user created. User types are not included in the event message. |
||
Admin User Destroyed |
Administrative user deleted from the database. |
||
Admin User Logged Out |
Administrative user logged out of the user interface. |
||
Admin User Login Failure |
Administrative user failed to log into the user interface. |
||
Admin User Login Success |
Administrative user logged into the user interface. |
||
Admin User Timed Out |
Administrative user was logged out of the User Interface based on the settings in Users & Hosts > Administrators > Timeout Settings in the Administrative Interface Inactivity Time (Minutes) field. |
||
Administrative Status Success |
User has gone into port properties for an individual port and successfully turned the Admin Status on or off. |
||
Agent - Unrecognized Vendor OUI |
No longer used. Generated when an agent scans a host and returns MAC addresses that have a vendor OUI that is not included in the vendor OUI Management list in FortiNAC. |
||
Agent Update Failure |
Indicates whether or not an agent updated successfully. |
||
Agent Message Sent |
Message sent from FortiNAC user to one or more hosts. Only hosts running the Persistent Agent can receive messages. This event is not generated if the message fails to send. |
||
Alarm Created |
Indicates that an event has caused an alarm. |
||
Appliance Weak Password(s) |
Indicates that the passwords for the appliance and/or the admin UI are either default factory passwords or are not complex enough. It is recommended that you modify the password. Otherwise, your network may be at risk for a security breach. |
||
Application Server Contact Lost |
Generated when contact is lost to the Nessus plugin in a 1200/8200 pair. Requires contact to be established before contact can be lost. |
||
Application Violation |
FortiNAC can receive traps from external applications hosted on servers modeled in the Topology as Pingable or Server devices. This event is generated when a trap is received. Traps might be used to indicate intrusion or that a threshold has been exceeded. A Host Application Violation event can be generated at the same time. |
||
Application Violation Reset |
Generated based on a trap sent from an external application. Indicates that the condition that caused the Application Violation event is no longer happening and operations can return to normal. For example, if hosts have been marked at risk, they can now be marked safe and can access the network. A Host Application Violation Reset can be generated at the same time with host specific information. |
||
Authenticated User |
Successfully verified user's credentials with the directory. |
||
Authentication Configuration Modified |
Generated whenever an authentication configuration is modified. |
||
Authentication Failure |
Unable to verify user's credentials with the directory. |
||
Authentication Policy Modified |
Generated whenever an authentication policy is modified. |
||
Authentication Time-out Failure |
User did not authenticate within the allotted time. |
||
Authentication Trap Receive |
Received an authentication trap from the directory. |
||
Certificate Expiration Warning |
Generated when a certificate is due to expire within 30 days. |
||
Certificate Expiration Warning (CRITICAL) |
Generated when a certificate is due to expire within 7 days. |
||
Certificate Expired |
Generated when a certificate has expired. |
||
cipSecTunnelStop |
Generated when VPN connection IPsec Phase-2 Tunnel becomes inactive. |
||
CLI Configuration Failure |
Generated when a user tries to configure a Scheduled task that involves applying a CLI configuration to a group. Indicates whether or not the configuration of the scheduled task was successful. |
||
CLI Data Substitution Failure |
Indicates failure to substitute the "Port, VLAN, IP, or MAC" data into the CLI. |
||
Communication Lost with |
Event indicates that the BigFix patch management server cannot be reached. |
||
Communication Lost with |
Palo Alto User Agent is a component of the Palo Alto Firewall. If configured, FortiNAC sends user ID and IP address to the Palo Alto User Agent each time a host connects to the network. Event indicates that the Palo Alto User Agent modeled in the Inventory cannot be reached. |
||
Communication Lost with |
Event indicates that the PatchLink patch management server cannot be reached. |
||
Communication Lost with |
Fortinet SSO Agent is a component of the FortiGate Firewall. If configured, FortiNAC sends user ID and IP address to the Fortinet SSO Agent each time a host connects to the network. Event indicates that the Fortinet SSO Agent modeled in the Inventory cannot be reached. |
||
Communication Lost with |
Generated if a Custom Script SSO Agent is configured in Inventory. FortiNAC sends user ID and IP address as parameters to the script each time a host connects to the network. Event indicates that the script configured in the Inventory failed to run. |
||
Communication Lost with |
If configured, FortiNAC sends user ID and IP address to iboss each time a host connects to the network. Event indicates that the iboss SSO Agent modeled in the Inventory cannot be reached. |
||
Conference Created |
Using guest/contractor accounts you can create a batch of conference user accounts. This event is generated when those accounts are created and indicates the number of accounts created. |
||
Contact Established |
Contact with a device has been established. |
||
Contact Lost |
Contact with a device has been lost. |
||
Container Created |
New container has been created in the database. Containers are a grouping mechanism for devices that display in the Inventory. |
||
Container Destroyed |
Container has been deleted from the database. Deleting a container deletes all of the devices it contains. |
||
DHCP Host Name Changed |
Generated when a known host connects to the network and its hostname is different. Indicates that the hostname in the database associated with the MAC address and existing DHCP fingerprint for that host is different. |
||
Database Archive/Purge Failure |
Indicates whether or not the scheduled database archive/purge was successful. |
||
Database Backup Failure |
Indicates whether or not the scheduled database backup was successful. |
||
Database Replication Error |
Occurs in a high availability situation when the MasterLoader database is not replicating. Can also be triggered when the database on the secondary server is not running. |
||
Database Replication Succeeded |
Occurs in a high availability situation when the MasterLoader database is successfully replicated to the secondary server. |
||
De-authenticated |
User logged off from host. |
||
De-authentication Failure |
Unable to log off user from host. User not found. |
||
Deleted Host Successfully |
Host or FortiNAC user has been successfully deleted from the database. If multiple records are deleted at once, a separate event is generated for each record. |
||
Device Cold Start |
Device was restarted using the power switch. |
||
Device Created |
New managed device has been created in the database. |
||
Device Destroyed |
Managed device has been deleted from the database. |
||
Device Fingerprint Changed |
Host is using a different operating system than the one with which the host was registered. This could occur on a host with a dual-boot. For example, the host registers with a Windows operating system. The user later boots the host using Linux and tries to access the network. That change would trigger this event. An upgrade within a family of operating systems would not normally trigger this event, such as from Windows XP to Windows Vista. Operating system is determined by the DHCP fingerprint. |
||
Device Identity |
No longer used. |
||
Device Link |
A device has linked to port X on the network. |
||
Device Link Down |
A device link goes down on a specific port because a device was disconnected from the port. |
||
Device Link Up |
Generated when a device link goes up on a specific port. |
||
Device Profile Rule Match |
A rogue host has matched a Device Profiling rule allowing it to be assigned a device type and registered. |
||
Device Profiling Automatic |
A rogue host has been registered by device profiling based on a device profiling rule. |
||
Device Profiling Rule Missing Data |
Indicates that device profiler cannot compare a rogue against a rule because FortiNAC does not have enough information about the rogue, such as a DHCP fingerprint. If device profiler cannot compare a rogue against a rule it does not continue processing that rogue, and moves on to the next rogue. |
||
Device Rule Confirmation |
Devices identified by a Device Profiling rule maintain their association with that rule. If enabled, the associated rule and the device are checked periodically to see if the rule is still valid for the device. These event messages indicate whether or not the device matched the associated rule. |
||
Device Warm Start |
Device was restarted from the command line interface. |
||
Directory Connection Failure |
The connection to a directory, such as Active Directory or LDAP, failed. The directory could have refused the connection because the user name and password were incorrect. This event can be triggered when testing the connection to the directory with Test on the Directory Configuration window. |
||
Directory Group Disabled |
Users can be disabled/enabled in a directory, such as LDAP, based on group membership. When the FortiNAC database synchronizes with the directory, users that are members of the group are enabled. Users that are not members of the group are disabled. |
||
Directory Synchronization |
Indicates whether or not a directory, such as Active Directory or LDAP, synchronized with the user database. Could be caused if FortiNAC fails to connect to the directory. This synchronization is a one-time task done when the directory is configured. See Schedule synchronization. |
||
Directory User Disabled |
Users can be disabled/enabled in a directory, such as LDAP. When the FortiNAC database synchronizes with the directory, users can be disabled/enabled based on their directory setting. |
||
Disable Host Failure |
Generated when a user manually disables a host on the Host View. Indicates whether or not the host was successfully disabled. |
||
Disable Hosts Failure |
Indicates whether or not hosts in a group were successfully disabled using a scheduled task. |
||
Disable Port Failure |
Indicates whether or not a particular port was disabled by an alarm action. |
||
Disable Ports Failure |
Indicates whether or not ports in a particular group were disabled by a scheduled task. |
||
Disable User Success |
Indicates that a user selected from the user view was successfully disabled. |
||
Disabled Authenticated |
No longer used. |
||
Discovery Completed |
The device discovery process that adds new devices to FortiNAC has completed. IP address range is included in the completion message. |
||
Duplicate Host For Device |
No longer used. |
||
Duplicate Physical Address |
No longer used. |
||
Duplicate Users Found in |
Two users with the same last name and/or ID were found in the directory. FortiNAC is case-insensitive. For example, two users with last names listed as SMITH and smith are treated as if they were the same person. The newer of the two users is ignored. |
||
Email Failure |
Alarms can be configured to send E-mail Notifications to FortiNAC administrative users. If the administrative user has no e-mail address or the e-mail fails in any other way, this event is generated. |
||
Enable Host Failure |
Indicates whether or not a host selected from the Host View was successfully enabled. |
||
Enable Hosts Failure |
Indicates whether or not hosts in a group were successfully enabled using a scheduled task. |
||
Enable Port Failure |
Indicates whether or not a particular port has been enabled by an alarm action in response to a previous event. |
||
Enable Ports Failure |
Indicates whether or not ports in a particular group were enabled by a scheduled task. |
||
Enable User Success |
Indicates that a user selected from the user view was successfully enabled. |
||
Endpoint Compliance Configuration Modified |
Generated whenever an endpoint compliance configuration is modified. |
||
Endpoint Compliance Configuration Platform Setting Modified |
Generated whenever an endpoint compliance configuration platform setting is modified. |
||
Endpoint Compliance Modified |
Generated whenever an endpoint compliance is modified. |
||
Enterasys Dragon Violation |
Enterasys Dragon is an Intrusion Protection/Detection System. An event is generated when an intruder is detected. |
||
Entitlement Polling Failure |
(Requires version 8.8.10, 9.1.4, 9.2.0 or above) Generated when there is an error communicating or processing license entitlements data from FortiCloud over TCP 443. Entitlement polling is required for Subscription Licenses. Refer to the Deployment Guide in the Document Library for Open Port requirements. |
||
Entitlement Polling Success |
(Requires version 8.8.10, 9.1.4, 9.2.0 or above) Generated when communication and processing of license entitlements data from FortiCloud successfully completes. |
||
Failed to Disable Adapters |
Attempted to disable hosts using an Alarm Action. Hosts failed to be disabled. |
||
Failed to Disable HP Port |
Scheduled task that enables port security configuration on all HP/NT devices in an associated group has failed. |
||
Failed to Enable Adapters |
Attempted to enable hosts using an Alarm Action. Hosts failed to be enabled. |
||
Failed to Enable HP Port |
Scheduled task that enables port security configuration on all HP/NT devices in an associated group has failed. |
||
FireEye IPS High Violation |
Generated whenever a high violation event is received from FireEye. |
||
FireEye IPS Low Violation |
Generated whenever a low violation event is received from FireEye. |
||
FireEye IPS Medium Violation |
Generated whenever a medium violation event is received from FireEye. |
||
FortiOS 4.0 High Violation |
Generated whenever a high violation event is received from FortiOS 4.0. |
||
FortiOS 4.0 Low Violation |
Generated whenever a low violation event is received from FortiOS 4.0. |
||
FortiOS 4.0 Medium Violation |
Generated whenever a medium violation event is received from FortiOS 4.0. |
||
FortiOS 5.0 High Violation |
Generated whenever a high violation event is received from FortiOS 5.0. |
||
FortiOS 5.0 Low Violation |
Generated whenever a low violation event is received from FortiOS 5.0. |
||
FortiOS 5.0 Medium Violation |
Generated whenever a medium violation event is received from FortiOS 5.0. |
||
Found Ignored MAC address |
A host or device has connected with a MAC address that is in the MAC address Exclusions list. This connection is not being managed by FortiNAC and the host or device has access to the production network. See MAC address exclusion. |
||
Found Microsoft LLTD or Multicast Address |
A host or device has connected with a MAC address in the Microsoft LLTD or Multicast Address range. Those ranges are managed in the MAC address Exclusion list. FortiNAC ignores these MAC addresses for 48 hours after the first one is seen and then treats them as rogues unless the configuration is updated on the MAC address Exclusion list. See MAC address exclusion. |
||
Gaming Device Registration |
A gaming device was registered by a user. |
||
Group Does Not Exist for Scan |
FortiNAC attempted to perform a scan or scheduled task for a particular group and the group no longer exists in the database. Either recreate the group or remove the scan or scheduled task. |
||
Guest/Contractor |
No longer used. If you are setting up Guest/Contractor users in advance, an event can be generated if you set up more Guest/Contractor users than you have licenses. |
||
Guest/Contractor |
No longer used. If you are setting up Guest/Contractor users in advance, an event can be generated if you set up enough Guest/Contractor users to use 75% of the available licenses. |
||
Guest Account Created |
New guest account is created. |
||
Guest Account Deleted |
Guest account is deleted. |
||
Hard Disk Usage Critical |
Generated when the disk usage critical threshold is reached. This threshold is a percentage of the space allocated for the bsc and var partitions. The percentage is calculated for each partition separately. When any one partition reaches the threshold the event is generated. Thresholds calculated for individual partitions are never combined. Therefore if the combined total crosses the threshold, no event is generated. Default = 95% |
||
Hard Disk Usage Warning |
Generated when the disk usage warning threshold is reached. This threshold is a percentage of the space allocated for the bsc and var partitions. The percentage is calculated for each partition separately. When any one partition reaches the threshold the event is generated. Thresholds calculated for individual partitions are never combined. Therefore if the combined total crosses the threshold, no event is generated. Default = 85% |
||
Host Aged Out |
Host has been removed from the database based on the time or expiration date on the associated Host Properties window. See Properties. |
||
Generated against a FortiNAC host based on the IP, MAC, or ID information contained within an Application Violation trap. If IP, MAC address, or user ID match any records in the FortiNAC database, this event is generated. See Application Violation in this list. |
|||
Generated against a FortiNAC host based on the IP, MAC, or user ID information contained within an Application Violation Reset trap. If IP, MAC address, or user ID match any records in the FortiNAC database, an event is generated. The reset event occurs when the host is no longer in violation. See Application Violation in this list. |
|||
Host At Risk |
An administrative user marked a selected host At Risk or the host failed a scan. |
||
Host At Risk Failure |
Indicates whether an alarm action triggered by an At Risk host succeeded or failed. |
||
Host At Risk Status Not Enforced |
Generated whenever a host fails a scan, but it is not enforced. |
||
Host CLI Task Success |
Indicates whether or not the CLI commands associated with host/adapter based ACLs have been successful. |
||
Host Connected |
Generated whenever a registered host connects to the network. |
||
Host Copied From NCS |
In an environment where multiple FortiNAC appliances are managed by a FortiNAC Manager, hosts and their corresponding information can be copied from one appliance to another based on settings in the FortiNAC Manager under System > Settings > Network Control Manager > Server Synchronization. When hosts are copied from one appliance to another this event is generated. |
||
Host Created |
Generated whenever a host is created. |
||
Host Destroyed |
Generated whenever a host is destroyed. |
||
Host Disassociated |
Generated whenever a host is destroyed. |
||
Host Disconnected |
Generated whenever a registered host disconnects from the network. |
||
Host Identity Changed |
Indicates that a registered host's name or operating system has changed since the last time it was read by the Persistent Agent or Dissolvable Agent, and that it is possibly a dual boot device. This could also indicate MAC spoofing. An operating system change, such as an upgrade, could also trigger this event. |
||
Host Pending At Risk |
A host failed a scan for an endpoint compliance policy. The policy was configured for delayed remediation indicating that hosts that fail the scan are not sent to remediation for x number of days. The event is generated when the host is marked Pending At Risk. Scan status "Failure Pending" triggers this event. |
||
Host Registration Failure |
Host has gone to the Registration page and the user attempted to register the host. Indicates whether the registration succeeded or failed. |
||
Host Rejected - No MAC |
Host rejected because it is missing a MAC address. |
||
Host Rejected - No VLAN |
Host rejected because there is no VLAN defined for current state. |
||
Generated when a user goes to System > Settings > Control > Quarantine. On the Quarantine view there is a button that allows the user to mark all hosts as Safe. If this button is clicked the event is generated for each host that was affected. |
|||
Host Safe Failure |
Indicates whether or not an alarm action associated with marking a host as safe has failed. See Host Safe in this list. |
||
Host Session Logged On |
Agent has detected that the user has logged on or off the host. Applies only to Windows hosts. |
||
Incomplete User Found in |
FortiNAC requires the Last name and ID fields for each user. If either of those fields is missing, the user record is incomplete. |
||
Interface Status Failure |
Indicates whether or not the Update interface status scheduled task was successful. The task reads and updates the interface status for each port on the devices in the associated groups. |
||
Internal Scheduled Task Failure |
Indicates whether or not a scheduled task has failed. The name of the task is provided. |
||
Invalid Physical Address |
The MAC address of the specified host or device is not recognized by FortiNAC because the corresponding vendor OUI is not in the FortiNAC database. Update the vendor OUI database either manually or by using Auto-Def Updates. See and . |
||
L2 Poll Failed |
Indicates whether or not FortiNAC successfully contacted the device to read the list of connected hosts. |
||
L3 Poll Failed |
Indicates whether FortiNAC successfully read IP address mappings from a device. |
||
Load In Limit Exceeded |
No longer used. Max % In setting on the Bandwidth window has been met or exceeded. |
||
Load In Limit Rearmed |
No longer used. After the first “Load In Limit Exceeded” event occurs the server does not generate a “Load In Limit Rearmed” event until the percentage of bandwidth bytes in falls below Rearm % In value. |
||
Load Out Limit Exceeded |
No longer used. Max % Out setting on the Bandwidth window has been met or exceeded. |
||
Load Out Limit Rearmed |
No longer used. After a “Load Out Limit Exceeded” event occurs the server creates a “Load Out Limit Rearmed” event once the percentage of bytes out falls below the Rearm % Out value. |
||
Lost Contact with Persistent Agent |
This event can only be generated accurately when FortiNAC has up-to-date network connectivity data (in order to determine a host's online status). This requires the following: - Wired network devices are being polled at a regular interval (typically 1 hour). - Wired network devices are sending either Link Up/Link Down or Mac Notification traps. - Wireless devices are being polled at a regular interval (typically 15 minutes). |
||
MAC Learned |
Generated when MAC Notification "MAC Add" or "MAC Move" syslog messages/SNMP traps are received from supported devices. Occurs when the switch has added to its forwarding table the MAC address of a connecting host. Note: Not generated for infrastructure devices (such as Access Points). |
||
MAC Removed |
Generated when MAC Notification "MAC Delete" or "MAC Move" syslog messages/SNMP traps are received from supported devices. Occurs when the switch has removed the MAC address of a host that has disconnected. Note: Not generated for infrastructure devices (such as Access Points). |
||
MAC change event on uplink |
This event is generated when a MAC notification trap is received for a port that is any of the uplink types in FortiNAC. |
||
Management Established |
Generated when management of a device is established. |
||
Management Lost |
Generated when management of a device is lost. |
||
Map IP to MAC Failure |
No longer used. Mapping IP addresses to physical addresses for a selected group using a scheduled task failed or succeeded. |
||
Maximum Blacklist Clear Attempts Reached |
Maximum number of attempts to remove a host from a controller's blacklist have been reached and the host remains on the blacklist. |
||
Maximum Concurrent Physical Address Warning |
No longer used. Generated when host connections exceed 6000 or 12000 depending on the size of the appliance. |
||
Maximum Concurrent Connections Critical |
Concurrent connection licenses in use has reached or exceeded 95% of total licenses. Threshold is configurable. See Event thresholds. |
||
Maximum Concurrent Connections Exceeded |
Concurrent connection licenses in use has reached 100% of total licenses. |
||
Maximum Concurrent Connections Warning |
Concurrent connection licenses in use has reached or exceeded 75% of total licenses. Threshold is configurable. See Event thresholds. |
||
Maximum Guest/Contractor |
No longer used. Guest manager licenses in use has reached or exceeded 95% of total licenses. Threshold is configurable. |
||
Maximum Guest/Contractor Exceeded |
No longer used. Guest manager licenses in use has reached 100% of total licenses. |
||
Maximum Guest/Contractor Warning |
No longer used. Guest manager licenses in use has reached or exceeded 75% of total licenses. Threshold is configurable. |
||
Maximum Hosts Critical |
No longer used. Access Manager licenses in use has reached or exceeded 95% of total licenses. Threshold is configurable. |
||
Maximum Host Warning |
No longer used. Access Manager licenses in use has reached or exceeded 75% of total licenses. Threshold is configurable. |
||
Maximum Hosts Exceeded |
No longer used. Access Manager licenses in use has reached 100% of total licenses. No new accounts can be created. |
||
Maximum Known Device |
No longer used. Device Tracker licenses in use has reached or exceeded 95% of total licenses. Threshold is configurable. |
||
Maximum Known Device |
No longer used. Device Tracker licenses in use has reached or exceeded 75% of total licenses. Threshold is configurable. |
||
Maximum Known Devices Exceeded |
No longer used. Device Tracker licenses in use has reached 100% of total licenses. |
||
Maximum User Critical |
No longer used. Shared Access Tracker licenses in use has reached or exceeded 95% of total licenses. Threshold is configurable. |
||
Maximum User Warning |
No longer used. Shared Access Tracker licenses in use has reached or exceeded 75% of total licenses. Threshold is configurable. |
||
Maximum Users Exceeded |
No longer used. Shared Access Tracker licenses in use has reached 100% of total licenses. |
||
Maximum Blacklist Clear Attempts Reached |
Generated when the maximum number of attempts to remove a MAC address from a device's black list has been exceeded. Currently the maximum is set to 3 attempts. |
||
MDM/OT Host Created |
Host was added to the database from MDM/OT Security server import. |
||
MDM/OT Host Destroyed |
Host is deleted from the database because it is no longer found on a poll of the MDM/OT Security server. This can occur if the corresponding record in the MDM/OT Security server database was either removed or disabled. "Remove Hosts Deleted" option in MDM/OT services must be enabled. |
||
MDM/OT Poll Failure |
MDM/OT poll did not complete |
||
MDM/OT Poll Success |
MDM/OT poll completed |
||
MDM/OT Host Compliance Failed |
Host failed MDM/OT scan |
||
MDM/OT Host Compliance Passed |
Host passes MDM/OT scan |
||
Memory Usage Critical |
Generated when the memory usage critical threshold is reached for the appliance. This threshold is a percentage of the total allocated memory. Default = 95%. Threshold is configurable. See Event thresholds. |
||
Memory Usage Warning |
Generated when the memory usage warning threshold is reached for the appliance. This threshold is a percentage of the total allocated memory. Default = 85%. Threshold is configurable. See Event thresholds. |
||
Message |
Cabletron/Enterasys Event Log Message |
||
Multi-Access Point Detected |
Generated when multiple MAC addresses are detected on a port. However, if the port is in the Authorized Access Points group an event is not generated. See Network device. |
||
Generated when a NAT Device (router) is registered. |
|||
Nitro Security Violation |
Generated based on traps received from the NitroGuard Intrusion Protection/Detection system on your network. The IPS/IDS must be modeled in your Inventory. |
||
No CDP Announcement |
Generated when a device that has sent at least one CDP announcement has stopped sending those announcements. This is based on the polling time set for the device. For example, if the poll time is one hour, a new event message is sent each time the hour elapses with no message from the device. |
||
Operating System Is Up to Date |
Indicates that there are no new updates available after the operating system update status task is run (1pm every Sunday, by default). |
||
Operating System Status Check Failure |
Indicates that the operating system update check failed due to multiple running checks. This may be caused by a configuration or network issue. |
||
Operating System Update Initiated |
Indicates that an operating system update was started from the admin UI. See Operating system. |
||
Operating System Updates Available |
Indicates that there are updates available after the operating system update status task is run (1pm every Sunday, by default). |
||
Packeteer Configuration Failure |
No longer used. Indicates whether or not communication has been established with the Packeteer PacketShaper software after Packeteer has been modeled in the Inventory. |
||
Packeteer Monitor |
If PacketShaper has been configured to generate threshold violation events and if a threshold violation occurs, the event triggers an SNMP trap from PacketShaper to FortiNAC. This trap causes FortiNAC to generate a Packeteer Monitor event. |
||
Packeteer Monitor 2 |
No longer used. If a Packeteer product has been configured to generate events for OID 13.6.1.3.6.1.4.1.2334.1.1 and the event triggers an SNMP trap from the Packeteer to FortiNAC, this trap causes FortiNAC to generate a Packeteer Monitor 2 event. |
||
Persistent Agent Communication Resumed |
Persistent Agent Contact Status has been restored to normal. This event is only generated on hosts running Persistent Agent 4.0 or better. |
||
Persistent Agent Not Communicating |
This event can only be generated accurately when FortiNAC has up-to-date network connectivity data (in order to determine a host's online status). This requires the following:
- Wired network devices are being polled at a regular interval (typically 1 hour).
- Wired network devices are sending either Link Up/Link Down or Mac Notification traps.
- Wireless devices are being polled at a regular interval (typically 15 minutes). |
||
Persistent Agent Scan Not Performed |
This event can only be generated accurately when FortiNAC has up-to-date network connectivity data (in order to determine a host's online status). This requires the following:
- Wired network devices are being polled at a regular interval (typically 1 hour).
- Wired network devices are sending either Link Up/Link Down or Mac Notification traps.
- Wireless devices are being polled at a regular interval (typically 15 minutes). |
||
Policy Warning |
Host was scanned by an endpoint compliance policy. The host does not meet all of the scan requirements, but the scan rules state that a warning be issued instead of making compliance a requirement. Scan status "Warning" triggers this event. |
||
Poll For Hosts Failure |
No longer used. Indicates whether a scheduled task to poll switches for hosts has succeeded or failed. Switches are contained in a device group and that group is polled. |
||
Port CLI Task Failure |
Indicates whether a CLI configuration applied to a port ran and failed or succeeded. |
||
Port in Authorized Access Points Group |
Failed to enable/disable port because it is in the Authorized Access Points group. |
||
Port Link Down |
Trap received from the switch each time there is a link up or a link down on a port. Link up and link down happen each time a host is switched from one VLAN to another. |
||
Port Security Incomplete |
Maximum number of users on a port has been reached. |
||
Port Segmented |
Trap received from an Enterasys or Cabletron switch indicating that a link is down. This port may have been logically disconnected due to an excessive collision level or it may be physically disconnected. |
||
Port Uplink Configuration Modified |
An administrator modified the uplink setting of a port. The switch name, port and administrator are included in the event. |
||
Port in Authorized Access Points Group |
Scheduled task for a port in the Authorized Access Points group failed. |
||
Possible MAC address Spoof |
Indicates that the same MAC address has been detected on two different devices simultaneously. One is possibly spoofing the other’s MAC address. This event is generated based upon the value of the MAC Spoof Time Delay configured under System > Settings > Network device. See Network device for details. |
||
Possible NAT Device, MAC Spoofed |
This event has been replaced with NAT Device Registered. It remains visible to allow you to restore an old backup and view occurrences of this event. See NAT Device Registered in this list. |
||
Possible NAT User |
Generated on each host. One per MAC address on the NATd host. For example, if a host has both a wired and wireless connection, an event is generated for each. |
||
Process Memory Usage Critical |
Generated when the memory usage critical threshold is reached for the process. This threshold is a percentage of the total allocated memory. Default = 95% |
||
Process Memory Usage |
Generated when the memory usage warning threshold is reached for the process. This threshold is a percentage of the total allocated memory. Default = 85% |
||
Process Thread Count Critical |
Generated when the process thread count warning threshold is reached. This threshold is a specific number of threads the process is using. Default = 575. This event is disabled by default. The threshold will dynamically increase by 25 for every 8 CPU cores that are added. |
||
Process Thread Count Warning |
Generated when the process thread count warning threshold is reached. This threshold is a specific number of threads the process is using. Default = 500. This event is disabled by default. The threshold will dynamically increase by 25 for every 8 CPU cores that are added. |
||
Profile Modified |
Generated when a user modifies a user/host profile. Event message contains user information for the user who made the change, whether the change was an add, remove or replace, and the complete profile after the changes. |
||
RADIUS Rate Exceeded |
Generated when the 60 requests-per-second threshold is exceeded. This event is disabled by default. |
||
RADIUS Time Threshold |
Indicates that the time threshold for a response from the RADIUS server has been exceeded. This threshold is not configurable. |
||
Regained Contact with Persistent Agent |
Host has regained contact with the Persistent Agent. |
||
Remote Access Excessive Session Process Time |
Generated when the time to process the remote client exceeds a threshold (set through the "MaxClearTime" attribute on the ASA device). |
||
Reports Purged |
Lists the file names of all reports that were deleted when reports were purged from the /home/cm/reports directory. |
||
REST API Failure |
Error when FortiNAC tries to communicate with the device using REST API. |
||
SNMP Failure |
Generated when FortiNAC receives an SNMP failure during communication with an SNMP-enabled network device. This includes any error message received from the SNMP packet. |
||
SNMP Read Error |
Did not receive all data when reading a switch using SNMP. Device name and error code are included in the event message. |
||
Scan Does Not Exist For |
FortiNAC has attempted to run a scan using a scheduled task. The scan referred to in the task no longer exists in the database. You must either recreate the scan or remove the scheduled task from the scheduler. |
||
Secondary Contact Lost |
Event triggered when the primary loses contact with the secondary. |
||
Security Risk Host |
Event triggered when a host is marked at risk due to an agent scan failure. Associated events are "Host Passed Security Test" and "Host Security Test - Delayed Failure." |
||
Service Down - Tomcat Admin |
Event triggered when a specific service is no longer running. These services are required. FortiNAC tries to restart the service every 30 seconds. In a high availability environment, failover occurs after the fourth failed restart attempt. For the httpd service: After the system confirms that the httpd service is running, the system also attempts to connect to ports 80 and 443. If the system fails to connect to either port, the httpd service is restarted. If the primary is unable to communicate with the secondary to confirm it is running, service down will not trigger a failover. |
||
Service Started - Tomcat Admin |
Event triggered when one of the listed services is started. These services are required and must be running in order to use FortiNAC. |
||
Service Down - Analytics Agent |
Event triggered when the service is down and it is required for FortiNAC to send data to Analytics. |
||
Service Down - Radius |
Event triggered when one of the listed services is no longer running and it is required for the RADIUS Manager. |
||
Service Started - Analytics Agent |
Event triggered when the service is started. This service is required and must be running in order to use Analytics. |
||
Service Started - Radius |
Event triggered when one of the listed services is started. These services are required in order to use RADIUS Manager. |
||
Set Default VLAN Failure |
When a host disconnects from a port, the port can be set to return to its default VLAN. Indicates whether or not the port successfully returns to the default VLAN. |
||
Sophos AntiVirus: Virus Found |
Sophos AntiVirus can be configured to send traps to FortiNAC when a virus is found on a host. Host information is included in the trap. If a Sophos Trap is received, this event is generated. |
||
Sourcefire Error |
Generated based on syslog events received from an Intrusion Protection/Detection system on your network. The IPS/IDS must be modeled in your Inventory. Sourcefire IPS Action: Indicates that an action has been triggered by a syslog message from Sourcefire. |
||
SSL Connection Failure |
Device failed to establish trust when connecting to FortiNAC. Must have SSL Certificate Verification option enabled. See Credentials. The event includes the following information:
Certification chain failure example: SSL connection failure for device FGT-3PI-TEST-1 with message SSL certificate is not trusted: Missing Issuers EMAILADDRESS=myemail@mydomain.com, CN=FGTxxxxxxxxxxxxx, OU=Certificate Authority, O=Fortinet, L=Sunnyvale, ST=California, C=US |
||
StealthWatch |
SNMP trap has been sent from a StealthWatch device. |
||
StealthWatch Email Rejects |
Host is receiving a significant number of rejected mail attempts. |
||
StealthWatch Email Relay |
Host is operating as an email relay. |
||
StealthWatch High Concern |
A host has exceeded the Concern Index threshold set for it. This usually means that an inside host is no longer operating as it was during the tuning period and should be examined for possible compromise, misuse, or policy violations. An external host with a High Concern index is often attempting to violate your network integrity. |
||
StealthWatch High File Sharing |
Host is transferring files. |
||
StealthWatch High Volume Email |
Host is infected with an email worm. |
||
StealthWatch Max Flows |
Host has had an excessive number of total flows active. |
||
StealthWatch New Flows |
Indicates that a host exceeds a total number of new flows in a 5-minute period. |
||
StealthWatch Port Flood |
The host has attempted to connect on an excessive number of ports on the Target IP. This may indicate a DoS attack or an aggressive scan by the source IP. |
||
StealthWatch SYN Flood |
The host has sent an excessive number of TCP connection requests (SYN packets) in a 5-minute period. This may indicate a DoS attack or non-stealthy scanning activity. |
||
StealthWatch Suspect Long Flow |
Host has a long duration flow. |
||
StealthWatch Worm Activity |
A host has scanned and connected on a particular port across more than one subnet. The details section of this alarm specifies the port on which the activity was observed. |
||
StealthWatch Worm Propagation |
Host has scanned and connected on port 5 across more than 1 subnet. |
||
StealthWatch Zone Violations |
Host has connected to a server in a zone that it is not allowed to access. |
||
StoneGate IPS High Violation |
Generated based on syslog events received from an Intrusion Protection/Detection system on your network. The IPS/IDS must be modeled in your Inventory. See Syslog files. |
||
StoneGate Violation |
Generated based on syslog events received from an Intrusion Protection/Detection system on your network. The IPS/IDS must be modeled in your Inventory. See Syslog files. |
||
Success Disabling Port Security |
Generated when the Enable or Disable HP/NT Port Security scheduled task runs successfully. This task enables or disables port security configuration on all HP/NT devices in the selected group. Port Security is used to disable hosts if DeadEnd VLANs are not used on the network. |
||
Sync Initiated |
(FortiNAC versions 9.1.3 and above) Generated when a synchronization of servers by Control Manager has been triggered. Provides server IP, the user who triggered the sync and status. |
||
Synchronize Users with |
Indicates whether or not the FortiNAC user database has successfully synchronized with the selected directory such as LDAP or Active Directory. These events are triggered by the failure or success of the scheduled synchronization set up on the Directory Configuration window. See Configuration. |
||
Syslog Error |
Generated when the FortiNAC server receives an inbound syslog message for a host that is not currently managed by FortiNAC. |
||
System Backup Failure |
Indicates whether a system backup has succeeded. The system backup is run by a scheduled task. The system backup may succeed, but will still fail if remote backup is enabled and fails. It is recommended that you create an alarm action to send an email if system backup fails. |
||
System Created Uplink |
If Uplink Mode on a Port's properties is set to Dynamic, FortiNAC converts the port to an uplink port when the number of MAC addresses on the port exceeds the System Defined Uplink count and generates this event. |
||
System Fail Over |
In a high availability environment, this event indicates that the primary server has failed and the secondary has taken over. |
||
System Power Off |
Indicates that the user specified in the event message powered off the FortiNAC server. See Power management. |
||
System Reboot |
Indicates that the user specified in the event message rebooted the FortiNAC server. See Power management. |
||
System Automatically Restarted |
Server was restarted because a primary system process was down. Processes include: MasterLoader, IP to MAC, Communication and Nessus. This event was System Restart in prior versions. |
||
TippingPoint SMS High Violation |
Generated based on syslog events received from an Intrusion Protection/Detection system on your network. The IPS/IDS must be modeled in your Inventory. See Syslog files. |
||
Top Layer IPS High Violation |
Generated based on syslog events received from an Intrusion Protection/Detection system on your network. The IPS/IDS must be modeled in your Inventory. See Syslog files. |
||
Unauthorized SSID/VLAN |
No longer used. |
||
Unauthorized Connection from FortiNAC Appliance |
Enabled by default. An untrusted FortiNAC appliance whose license key contains a Fortinet-issued certificate is attempting to communicate. Probable cause: Configuration for inter-server communication is incomplete. See KB article https://community.fortinet.com/t5/FortiNAC/Troubleshooting-Tip-Communication-between-servers-stops-after/ta-p/251200. |
||
Unauthorized Connection from Legacy FortiNAC Appliance |
Enabled by default. An untrusted FortiNAC appliance using a self-signed certificate is attempting to communicate. Self-signed certificates are used with older appliances that do not have license keys with Fortinet-issued certificates. Probable cause: Configuration for inter-server communication is incomplete. See KB article https://community.fortinet.com/t5/FortiNAC/Troubleshooting-Tip-Communication-between-servers-stops-after/ta-p/251200. |
||
Unknown User in Group |
No longer used. |
||
Unsupported Trap |
Generated when FortiNAC receives a trap that it cannot interpret from a device. The device's OID is included in the event. |
||
Update SSID Failure |
SSID assignment scheduled task maps VLAN IDs to SSIDs. Event indicates whether or not the task succeeded. |
||
Update VLAN ID Failure |
Update Default VLAN Values scheduled task sets the Default VLAN value for the port in FortiNAC device model to the value entered in the scheduled task. Event indicates whether or not the task succeeded. |
||
User Aged Out |
User has been aged out of the database based on the data stored in the Age Time section of the User Properties view. |
||
User Created |
Network user created in or deleted from the database. This is a non-administrative user. |
||
User not NATd |
This event is generated on each host that had previously been NATd but no longer is. One per MAC address on the NATd host. For example, if a host has both a wired and wireless connection, an event is generated for each. |
||
Users Removed From |
User has been removed directly from a directory, such as LDAP. When the FortiNAC user database is synchronized with the directory this discrepancy triggers the event. If Remove User is selected on your directory configuration, the missing user is removed from the FortiNAC database. |
||
Valid DHCP Server |
Generated when FortiNAC has verified that the DHCP server is running a valid DHCP server application. |
||
Vendor OUI Added |
Generated when a new vendor OUI has been added to the database. |
||
Vendor OUI Removed |
Generated when a vendor OUI was removed from the database. |
||
VLAN Switch Failure |
VLAN failed to change for port X. |
||
VLAN Switch Success |
VLAN was changed successfully for X port. |
||
Vulnerability Scan Failed |
Generated when the host failed the vulnerability scan. |
||
Vulnerability Scan Finished |
Generated when the vulnerability rescan has finished. |
||
Vulnerability Scan Ignored |
Generated when scan results from the vendor include hosts that were added to the Vulnerability Exceptions Group, indicating which hosts were ignored. Hosts in this group are allowed onto the network, regardless of scan results. |
||
Vulnerability Scan Incomplete |
FortiNAC polls the vendor for scan results for a configured scan, but scan results are unavailable because the scan was not run by the vendor. |
||
Vulnerability Scan Passed |
Generated when the host passed the vulnerability scan. |
||
Vulnerability Scan Removed |
A vulnerability scan that was added to FortiNAC was removed from the vulnerability scanner. |
||
Vulnerability Scan Request Refused (Qualys Integration only) |
The IP address targeted by a rescan is not included in the list of Qualys asset IPs. |
||
Vulnerability Scan Skipped |
The vulnerability scanner has not run the scan since FortiNAC previously polled it, so FortiNAC skipped the scan during processing. |
||
Vulnerability Scan Started |
Generated when the vulnerability rescan has started. |
||
Vulnerability Scanner Concurrent API Limit Exceeded (Qualys Integration only) |
Exceeded the limit that is set for the number of requests that can be processed concurrently. |
||
Vulnerability Scanner Connection Failure |
The connection to the vulnerability scanner has failed. |
||
Vulnerability Scanner Deleted |
A vulnerability scanner was deleted from FortiNAC. |
||
Vulnerability Scanner Periodic API Limit Exceeded (Qualys Integration only) |
Qualys rejected an API request because the periodic API limit has been exceeded. The event message includes the number of seconds until the scanner will accept an API request. |