Gaia Syslog Messages. Technical Reference Guide. 25 February 2014. Classification: [Protected]




2014 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice. RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19. TRADEMARKS: Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks. Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.

Important Information

Latest Software
We recommend that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and protection against new and evolving attacks.

Latest Documentation
The latest version of this document is at http://supportcontent.checkpoint.com/documentation_download?id=24459
To learn more, visit the Check Point Support Center (http://supportcenter.checkpoint.com).

Revision History
25 February 2014    Updated Message Format
23 April 2013       First release of this document

Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments (mailto:cp_techpub_feedback@checkpoint.com?subject=feedback on Gaia Syslog Messages Technical Reference Guide).

Contents

Important Information
Important Gaia Syslog Messages
    Syslog Overview
    Message Format
    General Messages
    Login and Logout Messages
    Configuration Change Messages
    Interface Messages
    DHCP Server Messages
    DHCP Client Messages
    Device Maintenance Messages
    Upgrade and Downgrade Messages
    User Management Messages
    Protocol Messages
        IGMP
        Multicast Forwarding Cache (MFC)
        OSPF
        PIM
        VRRP

Important Gaia Syslog Messages

This document gives the important syslog messages logged by Check Point Gaia appliances, version R76.

Syslog Overview
The syslog protocol lets a machine send system notification messages to a remote syslog server or to the local /var/log/messages file. These messages are used to monitor the status of an appliance and to troubleshoot issues.

Message Format
Format of a syslog message:

<Date> <Time> <Daemon/Process>[<Process ID>]: <Syslog message>

Where:
Date, Time        Timestamp of the logged syslog message
Daemon/Process    Source of the syslog message
Process ID        PID of the daemon/process that generates the message, in square brackets; optional
Syslog message    Logged information

Message Level Parameter
The system uses the Level parameter to classify the notification messages. These are the values for this parameter:
LOG_EMERG     A panic condition
LOG_ALERT     An alert notification, such as corruption in a database
LOG_CRIT      Critical conditions, such as hard disk errors
LOG_ERR       Errors
LOG_NOTICE    Notifications
LOG_INFO      Informational messages
LOG_DEBUG     Debugging messages

General Messages
These are key syslog messages logged by Check Point R76 appliances. Descriptions are not given for intuitive messages; where a description applies, it is indented under the message. A string in angle brackets (< >) represents variable text. For example, given the syslog message "HTTP login denied from <IP address> for <username>", the actual message on the appliance would be: "HTTP login denied from 192.168.1.1 for bob". The message texts below are those of R76; other Gaia versions may word them differently, so verify them against /var/log/messages on your own appliances before building alerting rules on them.

Login and Logout Messages

httpd2: Session had expired for user: <username>
    WebUI session expired for <username>
HTTP login denied from <IP address> for <username>
    WebUI access denied from <IP address> for <username>
User entry created for "<username>" in the password database
    Password change for <username> succeeded
HTTP login from <IP address> as <username>
    WebUI access to the appliance
HTTP logout from <IP address> as <username>
    WebUI logout from the appliance
Telnet from <IP address>
    Telnet connection from <IP address> to the appliance was successful
User <username> logged in with <read/write> permission
User <username> logged into Check Point CLI shell
User <username> logged out from CLI shell
User <username> logged out due to an error from CLI shell
authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<IP address> user=<username>
Failed password for admin from <IP address> port <port_num> ssh2
FAILED LOGIN <num> FROM <IP address> FOR <username>, Authentication failure
    Number of login failures from <IP address> for <username> (excluding SSH connections)
PAM_unix: (<program name>) session opened for user admin by (uid=0)
    Session opened for SSH (or other program)
PAM_unix: (<program name>) session closed for user <username>
    Session closed for SSH (or other program)
PAM_unix: check pass; user unknown
    Invalid user
sshd-x: Accepted password for <username> from <IP address> port <SSH client port> ssh2
sshd-x: Failed password for <username> from <IP address> port <SSH client port> ssh2
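The two things a practitioner does with the table above are split each line into the fields of the message format and then match the login messages themselves. The following Python is an added example, not part of the guide or of Check Point's software: it parses lines in the guide's layout, counts failed logins per source address across the SSH, WebUI and PAM/console messages, and reports a source that eventually logs in after repeated failures (a password-guessing run that found a valid credential). The sample lines are constructed; the addresses are from RFC 5737 documentation ranges, an optional hostname field after the timestamp is accepted because most collectors add one, and the process names "login" and "sshd-x" on the last two sample lines are assumptions.

```python
import re
from collections import defaultdict

# Line layout as the guide gives it: <Date> <Time> <Daemon/Process>[<PID>]: <message>.
# A hostname between <Time> and the process name (as syslog collectors usually add
# it) is tolerated as an optional field; this is an assumption, not from the guide.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?:(?P<host>[^\s:]+)\s+)?"
    r"(?P<proc>[\w.-]+)(?:\[(?P<pid>\d+)\])?:\s*(?P<msg>.*)$"
)

# Failed-login messages from the "Login and Logout Messages" table (SSH, WebUI,
# console/PAM). Each pattern yields the source IP and the user name that was tried.
FAILURE_RES = [
    re.compile(r"^Failed password for (?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$"),
    re.compile(r"^HTTP login denied from (?P<ip>\S+) for (?P<user>\S+)$"),
    re.compile(r"^FAILED LOGIN \d+ FROM (?P<ip>\S+) FOR (?P<user>\S+), Authentication failure$"),
    re.compile(r"^authentication failure; .*rhost=(?P<ip>\S+) user=(?P<user>\S*)$"),
]
# Successful logins that carry a source address.
SUCCESS_RES = [
    re.compile(r"^Accepted password for (?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$"),
    re.compile(r"^HTTP login from (?P<ip>\S+) as (?P<user>\S+)$"),
]


def parse_line(line):
    """Split one syslog line into its fields; None when it is not in Gaia's layout."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def classify(msg):
    """Return ('failure'|'success', ip, user) for a login message, else None."""
    for rx in FAILURE_RES:
        m = rx.match(msg)
        if m:
            return "failure", m["ip"], m["user"]
    for rx in SUCCESS_RES:
        m = rx.match(msg)
        if m:
            return "success", m["ip"], m["user"]
    return None


def analyze(lines, threshold=3):
    """Count login failures per source IP and report every source that logs in
    successfully after at least `threshold` failures. Returns (counts, hits) where
    each hit is (timestamp, ip, user, failures so far, sorted users tried)."""
    failures = defaultdict(int)
    users = defaultdict(set)
    hits = []
    for line in lines:
        rec = parse_line(line)
        hit = classify(rec["msg"]) if rec else None
        if hit is None:
            continue
        kind, ip, user = hit
        if kind == "failure":
            failures[ip] += 1
            users[ip].add(user)
        elif failures.get(ip, 0) >= threshold:
            hits.append((rec["ts"], ip, user, failures.get(ip, 0), sorted(users[ip])))
    return dict(failures), hits


# Constructed sample lines in the guide's message formats.
SAMPLE_LOG = """\
Feb 25 09:00:01 sshd-x: Failed password for admin from 203.0.113.7 port 51000 ssh2
Feb 25 09:00:03 sshd-x: Failed password for admin from 203.0.113.7 port 51001 ssh2
Feb 25 09:00:05 sshd-x: Failed password for root from 203.0.113.7 port 51002 ssh2
Feb 25 09:00:07 httpd2: HTTP login denied from 203.0.113.7 for admin
Feb 25 09:00:09 sshd-x: Accepted password for admin from 203.0.113.7 port 51003 ssh2
Feb 25 09:01:00 httpd2: HTTP login from 192.0.2.10 as admin
Feb 25 09:01:30 xpand[1234]: Interface eth0 set to up
Feb 25 09:02:00 login: FAILED LOGIN 1 FROM 198.51.100.4 FOR bob, Authentication failure
Feb 25 09:02:05 sshd-x: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.4 user=bob
""".splitlines()

if __name__ == "__main__":
    counts, found = analyze(SAMPLE_LOG)
    print("failures per source:", counts)
    for ts, ip, user, n, tried in found:
        print(f"{ts}: {ip} logged in as {user} after {n} failures (users tried: {', '.join(tried)})")
```

The failure counters are deliberately keyed by source address rather than by user name, because the guide's WebUI and PAM messages carry the address in every case while the user name may be arbitrary; a source that succeeds after crossing the threshold is the event worth paging on, since a lockout policy alone does not tell you the guess eventually worked.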

Configuration Change Messages

Configuration change messages are logged in the configuration database binding format:

<username> <from IP address> t +interface:<ifname> <value>
<username> <from IP address> t -interface:<ifname>
<username> <from IP address> p +interface:<ifname> <value>
<username> <from IP address> p -interface:<ifname>

The t flag indicates transient changes: the configuration is in the memory database only (for example, when Apply is clicked in the WebUI).
The p flag indicates permanent changes: the configuration is in the memory database and in the /config file (for example, when Save is clicked in the WebUI).
The plus (+) flag indicates that a setting was added to the database. The minus (-) flag indicates that a setting was deleted from the database.

Examples of configuration change messages:

admin localhost t +interface:eth-s1p1c0:ipaddr:1.1.1.1:mask 24
admin localhost t +ifphys:<ifname>:speed 100M
admin localhost t +snmp:interface:<ifname>:trapstate off
admin localhost t +ip:arp:keep_time 60
admin localhost t -resolv:domain:1
admin localhost t -resolv:resolver:2
admin localhost t -resolv:resolver:3
admin localhost p -hosts:test.checkpoint.com
admin localhost p +snap:show:fcd:desc t
admin localhost p +snap:show:fcd:desc:sfsa t
admin localhost p +webuiparams:logincount:admin 3
nobody localhost t +timezone Asia/Jerusalem
nobody localhost p +process:dhcpd t
nobody localhost p +cron:admin:job:new_bash_session:minutes
nobody localhost p +cron:admin:job:new_bash_session:months all
nobody localhost p -dhcp:dhcpd:dynamic:192.168.192.0:maxlease 86400

Interface Messages

xpand[<pid>]: Interface <IF_NAME> set to up
    Interface's state was changed to up
xpand[<pid>]: Interface <IF_NAME> set to down
    Interface's state was changed to down
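Because every binding carries the user, the source address, the t/p scope and a +/- operation, a run of these messages can be folded back into the configuration state they produced, and the persistent ones can be reviewed separately from transient Apply-only edits. The Python below is an added example, not code from the guide or from Check Point: it parses the message part of a configuration change line (the text after the xpand prefix, which the guide's upgrade section shows as the source of these bindings), replays a sequence into the resulting memory database and saved /config state, and flags changes from an address outside a trusted list or persistent changes under a few key prefixes. The watched prefixes and the trusted-source list are assumptions chosen for illustration; the sample messages are the guide's own examples plus one constructed line from a remote address.

```python
import re
from dataclasses import dataclass
from typing import Optional

# One configuration change message, as the guide gives it:
#   <username> <from IP address> <t|p> <+|-><key>[ <value>]
BINDING_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<src>\S+)\s+(?P<scope>[tp])\s+(?P<op>[+-])(?P<key>\S+)(?:\s+(?P<value>.+))?$"
)

# Key prefixes whose persistent changes this example pages on. The list is an
# assumption for illustration, not something the guide defines.
WATCHED_PREFIXES = ("cron:", "process:", "snmp:", "webuiparams:")


@dataclass(frozen=True)
class Binding:
    user: str
    src: str
    persistent: bool        # p: memory database and /config; t: memory database only
    added: bool             # '+' sets the key, '-' deletes it
    key: str
    value: Optional[str]    # flag-style keys such as cron ...:minutes carry no value


def parse_binding(msg):
    """Parse the message part of a configuration change line; None if it is not one."""
    m = BINDING_RE.match(msg)
    if not m:
        return None
    return Binding(m["user"], m["src"], m["scope"] == "p", m["op"] == "+", m["key"], m["value"])


def replay(bindings):
    """Fold a sequence of bindings into the state they leave behind.
    Returns (memory database, saved /config) as key -> value mappings."""
    memory, saved = {}, {}
    for b in bindings:
        for db in ((memory, saved) if b.persistent else (memory,)):
            if b.added:
                db[b.key] = b.value
            else:
                db.pop(b.key, None)
    return memory, saved


def review(bindings, trusted_sources=("localhost",)):
    """Flag bindings an operator should look at: changes made from an address
    outside `trusted_sources`, and persistent changes under WATCHED_PREFIXES."""
    findings = []
    for b in bindings:
        reasons = []
        if b.src not in trusted_sources:
            reasons.append("change from untrusted source")
        if b.persistent and b.key.startswith(WATCHED_PREFIXES):
            reasons.append("persistent change to watched key")
        if reasons:
            findings.append((b, reasons))
    return findings


# Example messages from the guide plus one constructed line (the last, from a
# remote address) to exercise the untrusted-source rule.
SAMPLE_MESSAGES = [
    "admin localhost t +interface:eth-s1p1c0:ipaddr:1.1.1.1:mask 24",
    "admin localhost t +ip:arp:keep_time 60",
    "admin localhost t -resolv:domain:1",
    "admin localhost p +webuiparams:logincount:admin 3",
    "nobody localhost p +cron:admin:job:new_bash_session:minutes",
    "nobody localhost p +cron:admin:job:new_bash_session:months all",
    "nobody localhost p -dhcp:dhcpd:dynamic:192.168.192.0:maxlease 86400",
    "admin 203.0.113.7 p +process:dhcpd t",
]

if __name__ == "__main__":
    parsed = [b for b in map(parse_binding, SAMPLE_MESSAGES) if b]
    memory, saved = replay(parsed)
    print("keys in memory:", len(memory), "| keys saved to /config:", len(saved))
    for b, reasons in review(parsed):
        print(f"{b.user}@{b.src} {'+' if b.added else '-'}{b.key}: {'; '.join(reasons)}")
```

Replaying bindings this way is also the quickest check that a transient change was never saved: a key that appears in the memory mapping but not in the saved mapping will be lost at the next reboot, which is exactly the situation the t and p flags exist to distinguish.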

DHCP Server Messages

Packet from unknown subnet: <IP address>
    DHCP server does not have an address pool configured for the requested IP address
DHCPDISCOVER from <MAC address> via <server interface name>: network <subnet>: no free leases
    All IP addresses in the appliance's server address pool are exhausted
DHCPDISCOVER from <MAC address> via <server interface name>
DHCPOFFER on <IP address offered> to <client MAC address> via <interface name>
DHCPREQUEST for <requested IP address> (<server IP address>) from <client MAC address> via <server interface name>
DHCPACK on <requested IP address> to <client MAC address> via <server interface name>
DHCPREQUEST for <requested IP address> from <client MAC address> via <server interface name>: lease <requested IP address> unavailable
DHCPNAK on <requested IP address> to <client MAC address> via <server interface name>
DHCPREQUEST for <requested IP address> from <client MAC address> via <server interface name>: ignored (not authoritative)
DHCPRELEASE of <IP address> from <client MAC address> via <server interface name> (not found)
Abandoning IP address <IP address>: pinged before offer
    IP address is already in use: abandon the lease
DHCPREQUEST for <requested IP address> from <client MAC address> via <server interface name>: unknown lease <IP address>
    DHCP server does not have an address pool configured for the requested IP address

DHCP Client Messages

DHCPACK from <IP address>
DHCPNAK from <IP address>
No DHCPOFFERS received
bound to <IP address> -- renewal in <number> seconds
BOOTREPLY from <IP address> rejected
<DHCP type> from <IP address> rejected
    <DHCP type> is the DHCP message type: DHCP OFFER, DHCP NACK or DHCP ACK
DHCPDISCOVER on <client interface name> to <IP broadcast address> port 67 interval <number>
DHCPOFFER from <server IP address>
DHCPREQUEST on <client interface name> to <IP broadcast address> port 67
DHCPDECLINE on <client interface name> to <server IP address> port 67
DHCPRELEASE on <client interface name> to <server IP address> port 67
DHCPACK from <server IP address>

Device Maintenance Messages

shutting down for system reboot
    Appliance was rebooted by user <username>
Configuration changed from <IP address> by user <username>
Boot image will be <Image name>
reboot with image <image name>
Time shift detected!!!
sshd-x: Server listening on <IP address> port 22.
clish :Processing : set time <time>
BACKUP operation started.
    Starting backup operation
Xpand: BACKUP operation has finished successfully. Errors: none
backup_set_proc: will delete: state->s_file_name:<file full path>.tgz, val:<file name>.tgz
    Deleting backup file
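The DHCP server messages above are what a pool-starvation attack looks like from the appliance: a burst of DHCPDISCOVERs from many distinct (forged) MAC addresses on one interface, followed by "network <subnet>: no free leases". The Python below is an added example, not code from the guide or from Check Point, that runs this detection over lines in the guide's layout. It assumes the server logs under the process name dhcpd (the guide names the service only as process:dhcpd), converts the timestamp to seconds of the day (so a window spanning midnight is not handled), and uses constructed sample lines: twelve forged clients on eth1 within thirteen seconds, the pool running out, then one normal client on eth2.

```python
import re
from collections import defaultdict, deque

# dhcpd lines in the guide's layout; "dhcpd" as the process name is an assumption.
DHCPD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d))\s+dhcpd(?:\[\d+\])?:\s+(?P<msg>.*)$"
)
# "DHCPDISCOVER from <MAC> via <interface>" with the optional
# ": network <subnet>: no free leases" suffix from the DHCP Server Messages table.
DISCOVER_RE = re.compile(
    r"^DHCPDISCOVER from (?P<mac>[0-9a-fA-F:]{17}) via (?P<iface>\S+)"
    r"(?::\s+network (?P<net>\S+): no free leases)?$"
)


def detect_starvation(lines, window=60, max_new_clients=10):
    """Return alerts for DHCP pool starvation: an exhausted pool ("no free leases")
    and bursts of DHCPDISCOVERs from at least `max_new_clients` distinct MAC
    addresses within `window` seconds on one interface, which is the signature of
    a starvation tool cycling through forged client addresses. One burst alert is
    raised per interface until the distinct count drops below the threshold."""
    recent = defaultdict(deque)   # interface -> (seconds of day, mac) inside the window
    in_burst = set()              # interfaces already alerted for the current burst
    alerts = []
    for line in lines:
        m = DHCPD_RE.match(line)
        d = DISCOVER_RE.match(m["msg"]) if m else None
        if not d:
            continue
        now = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
        iface = d["iface"]
        if d["net"] is not None:
            alerts.append((m["ts"], iface, "pool exhausted", d["net"]))
        q = recent[iface]
        q.append((now, d["mac"].lower()))
        while q and now - q[0][0] > window:
            q.popleft()
        distinct = {mac for _, mac in q}
        if len(distinct) >= max_new_clients:
            if iface not in in_burst:
                in_burst.add(iface)
                alerts.append((m["ts"], iface, "discover burst", len(distinct)))
        else:
            in_burst.discard(iface)
    return alerts


# Constructed sample log (locally administered MAC addresses, RFC 1918 subnets).
SAMPLE_LOG = [
    f"Feb 25 09:00:{i:02d} dhcpd[2000]: DHCPDISCOVER from 02:00:00:00:00:{i:02x} via eth1"
    for i in range(1, 13)
] + [
    "Feb 25 09:00:13 dhcpd[2000]: DHCPDISCOVER from 02:00:00:00:00:0d via eth1: network 10.10.0.0/24: no free leases",
    "Feb 25 09:00:20 dhcpd[2000]: DHCPDISCOVER from 00:11:22:33:44:55 via eth2",
    "Feb 25 09:00:20 dhcpd[2000]: DHCPOFFER on 10.20.0.50 to 00:11:22:33:44:55 via eth2",
    "Feb 25 09:05:00 dhcpd[2000]: DHCPDISCOVER from 00:11:22:33:44:55 via eth2",
]

if __name__ == "__main__":
    for ts, iface, kind, detail in detect_starvation(SAMPLE_LOG):
        print(f"{ts} {iface}: {kind} ({detail})")
```

The burst rule fires before the pool is actually empty, which is the point: "no free leases" arrives only once the damage is done, whereas a dozen never-before-seen clients in a minute on an interface that normally serves a handful is visible while there is still something to block.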

Upgrade and Downgrade Messages

Start verification
[Q]You are about to start upgrade to R76 Gaia. Are you sure you want to continue (yes/no)?
LAST TS: 7"
xpand: Gaia DB Upgrade successful
Xpand: admin localhost p +upgrade:package:<new version> t

User Management Messages

clish[<pid>]: cmd by <USER_NAME>: Processing : add user <USER_NAME> uid <UID> homedir <HOME_DIR>
xpand[<pid>]: Deleting User entry for "<USER_NAME>" from the password database
    Logged for both WebUI and clish
xpand[<pid>]: User entry created for <USER_NAME> in the password database
    Logged for both WebUI and clish
clish[<pid>]: cmd by <USER_NAME>: Processing : delete group <GROUP_NAME> member <USER_NAME>
clish[<pid>]: cmd by <USER_NAME>: Processing : add group <GROUP_NAME> member <USER_NAME>
clish[<pid>]: cmd by <USER_NAME>: Processing : add group <GROUP_NAME> gid <GROUP_ID>
clish[<pid>]: cmd by <USER_NAME>: Processing : delete group <GROUP_NAME>

Protocol Messages

IGMP

igmp_recv_leave_group: ignoring leave group from <IP address>, group <multicast address> is not in active group database
igmp_recv: packet from non-local neighbor <IP address>
igmp_recv_leave_group: malformed leave group group address (<IP address>)

Multicast Forwarding Cache (MFC)

mfc_resolve_sg: no multicast routing enabled on <logical interface name> for (<multicast group address>, <source IP address>)
mfc_resolve_sg: duplicate xresolve for (<multicast group address>, <source IP address>)/<prefix length>

OSPF

OSPF IO: <IP address>-><multicast address> unknown area ID <IP address> in Hello packet
OSPF IO: Hello interval mismatch on interface <IP address>(<interface name>) got <hello interval> expected <hello interval>
OSPF IO: <IP address>-><multicast address>: authentication failed (10) in Hello packet

PIM

PIM: No cluster IP found for interface <logical interface name>
pim_dm_recv_state_refresh: ignoring state refresh message <IP address>,<multicast group address>/<prefix> received on <interface name> ttl:0
Local address <IP address> configured for interface <interface name> is not a valid non-virtual address
pim_dm_rt_lookup: Route lookup for source <IP address> failed
PIM: Begin of instance 0 termination
pim_sm_instance_terminate: termination of instance 0
PIM: No valid non-virtual address found for interface ser-s3p1c0

VRRP

firewall state not okay: cannot continue as master
    If the firewall is now monitored and was not before, and the firewall is installed, check whether another master is already there and whether the firewall sync interface is ready.
interface <interface name>,vrid <vrid>: state=init
    VRRP router with interface <interface name> and VRRP ID <vrid> is in INIT state.
interface <interface name>,vrid <vrid>: state=backup
    VRRP router with interface <interface name> and VRRP ID <vrid> is in BACKUP state.
interface <interface name>,vrid <vrid>: firewall state not okay: cannot become master
    VRRP router with interface <interface name> and VRRP ID <vrid> is in INIT state.
interface <interface name>,vrid <vrid>: state=master
    VRRP router with interface <interface name> and VRRP ID <vrid> is in MASTER state.
VRRP Router is shutting down due to: <reason>
    Reason for the VRRP router shutting down: 1. HDD failure; 2. Cold Start delay.
VRRP Router is shutting down due to: <reason>
    Reason codes: 1 VRRP ID, 2 VRRP Priority, 3 Advertisement interval, 4 Router dead interval, 5 No preempt, 6 VRRP IP address, 7 Authentication, 8 Monitor, 9 VMAC
vrrp_recv: packet received on interface (<interface name>) with no VRRP state, ignoring
vrrp_recv: discarded truncated IP packet from <Source IP address>
vrrp_recv: discarded packet from <Source IP address> bad VRRP checksum
vrrp_recv: discarded packet from <Source IP address> due to packet header truncated
vrrp_recv: discard VRRP version <version> packet from <Source IP address>
vrrp_recv: discarded unknown VRID <vrrp id> packet from <Source IP address>
vrrp_recv: discarded local loopback for VRID <vrrp id> from <Source IP address>
vrrp_recv: discarded packet from <Source IP address> with TTL <ttl>
vrrp_recv: discarded truncated VRRP packet from <Source IP address> (got <vrrp packet length>, expected <vrrp packet length>)
vrrp_recv: discarded packet from <Source IP address> with NoAuthentication, expected <Auth type>
vrrp_recv: discarded packet from <Source IP address> with SimpleTextPassword, expected <Auth type>
vrrp_recv: discarded packet from <Source IP address> with incorrect SimpleTextPassword
vrrp_recv: discarded packet from <Source IP address> with unknown authentication type (<auth type in hex>)
vrrp_recv: discarded packet from <Source IP address> attempting to take over interface <interface name>, VRID <vrrp id> while local router is master
    The remote router tried to take over a virtual router while the local router is master.

Repeated authentication mismatches, unknown VRIDs or takeover attempts from one source address that is not a member of the cluster indicate a misconfigured or rogue VRRP speaker on the segment and are worth alerting on, as is a virtual router that moves between BACKUP and MASTER more often than a failover would explain.
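The vrrp_recv discards above are all attributed to a source address, so they can be scored per peer, and the state= lines can be counted per virtual router to catch flapping. The Python below is an added example, not code from the guide or from Check Point, that does both over lines in the guide's layout. The severity weights and the flap limit are assumptions chosen for illustration, the process name "routed" on the constructed sample lines is an assumption (the guide does not name the daemon that logs VRRP), and the addresses are private RFC 1918 ones.

```python
import re
from collections import Counter, defaultdict

VRRP_RECV_RE = re.compile(r"vrrp_recv: (?P<msg>.*)$")
STATE_RE = re.compile(r"interface (?P<iface>\S+),vrid (?P<vrid>\d+): state=(?P<state>init|backup|master)$")

# Discard messages from the VRRP table, each with an assumed severity weight and a
# label. Higher weights go to messages that only a peer speaking VRRP with wrong
# credentials or wrong identity would produce.
RECV_RULES = [
    (re.compile(r"^discarded packet from (?P<src>\S+) attempting to take over interface (?P<iface>\S+), VRID (?P<vrid>\d+) while local router is master$"), 3, "takeover attempt"),
    (re.compile(r"^discarded packet from (?P<src>\S+) with incorrect SimpleTextPassword$"), 3, "wrong VRRP password"),
    (re.compile(r"^discarded packet from (?P<src>\S+) with NoAuthentication, expected (?P<expected>\S+)$"), 2, "auth type mismatch"),
    (re.compile(r"^discarded packet from (?P<src>\S+) with SimpleTextPassword, expected (?P<expected>\S+)$"), 2, "auth type mismatch"),
    (re.compile(r"^discarded unknown VRID (?P<vrid>\d+) packet from (?P<src>\S+)$"), 2, "unknown VRID"),
    (re.compile(r"^discarded packet from (?P<src>\S+) with TTL (?P<ttl>\d+)$"), 2, "TTL check failed"),
    (re.compile(r"^discarded packet from (?P<src>\S+) bad VRRP checksum$"), 1, "bad checksum"),
]


def audit_vrrp(lines, flap_limit=4):
    """Score every source address that produced vrrp_recv discards and count
    state transitions per (interface, vrid). Returns (peers, flapping): peers is
    a list of (source, score, {label: count}) sorted by descending score;
    flapping lists the virtual routers with at least `flap_limit` transitions."""
    peers = defaultdict(lambda: {"score": 0, "events": Counter()})
    transitions = Counter()
    for line in lines:
        m = VRRP_RECV_RE.search(line)
        if m:
            for rx, weight, label in RECV_RULES:
                r = rx.match(m["msg"])
                if r:
                    peers[r["src"]]["score"] += weight
                    peers[r["src"]]["events"][label] += 1
                    break
            continue
        s = STATE_RE.search(line)
        if s:
            transitions[(s["iface"], s["vrid"])] += 1
    ranked = sorted(((src, p["score"], dict(p["events"])) for src, p in peers.items()),
                    key=lambda item: -item[1])
    flapping = [vr for vr, n in transitions.items() if n >= flap_limit]
    return ranked, flapping


# Constructed sample: one peer with the wrong password that then tries to take the
# master role, one peer announcing a VRID we do not run, one corrupted packet, and a
# virtual router bouncing between BACKUP and MASTER.
SAMPLE_LOG = """\
Feb 25 10:00:01 routed[3100]: vrrp_recv: discarded packet from 10.1.1.99 with incorrect SimpleTextPassword
Feb 25 10:00:02 routed[3100]: vrrp_recv: discarded packet from 10.1.1.99 with incorrect SimpleTextPassword
Feb 25 10:00:03 routed[3100]: vrrp_recv: discarded packet from 10.1.1.99 attempting to take over interface eth1, VRID 5 while local router is master
Feb 25 10:00:04 routed[3100]: vrrp_recv: discarded unknown VRID 7 packet from 10.1.1.50
Feb 25 10:00:05 routed[3100]: vrrp_recv: discarded packet from 10.1.1.2 bad VRRP checksum
Feb 25 10:00:10 routed[3100]: interface eth1,vrid 5: state=backup
Feb 25 10:00:12 routed[3100]: interface eth1,vrid 5: state=master
Feb 25 10:00:14 routed[3100]: interface eth1,vrid 5: state=backup
Feb 25 10:00:16 routed[3100]: interface eth1,vrid 5: state=master
Feb 25 10:00:20 routed[3100]: interface eth2,vrid 6: state=master
""".splitlines()

if __name__ == "__main__":
    ranked, flapping = audit_vrrp(SAMPLE_LOG)
    for src, score, events in ranked:
        print(f"{src}: score {score} {events}")
    for iface, vrid in flapping:
        print(f"flapping: interface {iface}, vrid {vrid}")
```

Scoring by source rather than by message keeps the two halves of a takeover together: the wrong-password discards and the takeover attempt from 10.1.1.99 are one story, and the checksum error from 10.1.1.2 is most likely a cabling or driver problem, not a peer to investigate.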