What are the firewall status codes?


This article applies to:

  • Firewall Suite 4.X

Question:

What are the firewall status codes?

Notes:

Status codes are numeric responses to attempts to log on to the network to perform an activity or access a service.

You will find text files containing status codes in the root directory of your WebTrends Firewall Suite installation or in the \modules\firewall subdirectory of the Firewall Reporting Center root directory. There are separate text files for each type of firewall.

Examples:

 


Cisco PIX Firewall Status Codes
(CiscoMessages.txt)

// format of the file: event type, status code: message
// order of event type bytes: level, security, remote, VPN
// level can be 0 (info), 1 (warning/error), 2 (critical)
0000,101001: Cable OK.
2000,101002: Cable bad.
2000,101003: Cable not connected on my side.
2000,101004: Cable not connected on other side.
2000,101005: Error reading cable.
2000,102001: Power failure.
2000,103001: No response from other firewall.
000,103002: Other firewall interface OK.
2000,103003: Other firewall interface fail.
2000,103004: Other firewall says I failed.
2000,103005: Other firewall reports other failed.
000,104001: Switching active.
000,104002: Switching standby.
2000,104003: Switching fail.
000,104004: Switching OK.
2000,105001: Failover disable.
000,105002: Failover enable.
000,105003: Monitoring on interface waiting.
000,105004: Monitoring on interface OK.
2000,105005: Monitoring on interface bad.
2100,106001: Deny inbound TCP.
2100,106002: Deny outbound TCP.
2100,106003: Deny TCP access from Java.
2100,106004: Deny use of network.
2100,106005: Deny send.
2100,106006: Deny inbound UDP.
2100,106007: Deny inbound UDP in DNS.
2100,106008: Translate denied by outbound ACL.
2100,106009: Translate denied by outbound ACL.
2100,106010: Inbound denied.
2100,106011: No routing to arrival interface.
2100,106012: Deny a packet with IP options.
0000,107001: User ping.
1000,108001: SMTP made a no-op out of a command.
1000,108002: SMTP changed a command.
1000,108003: Bad check sum in SMTP command.
1000,108004: Bad check sum in SMTP response.
2000,108005: Out of SMTP connections.
0000,109001: Beginning an authenticated session.
2000,109002: Authentication failed due to server error.
2000,109003: Authentication failed, no server available.
2000,109004: Authentication failed due to internal error.
0000,109005: Authentication succeeded.
2100,109006: Authentication failed due to user error.
0000,109007: Authentication permitted by server.
2100,109008: Authentication denied by server.
2100,109009: Authentication denied - user not authenticated.
2000,109010: Out of slots for pending authentications.
2000,110001: No route.
2000,110002: No ARP.
2000,110003: No interface configured.
0010,111001: Configuration write to target.
0010,111002: Configuration read from target.
0010,111003: Configuration erased.
0010,111004: Configuration ended.
0010,111005: Configuration written OK.
0010,111006: Configuration login.
0010,111007: Configuration begin.
0010,199001: PIX reloaded from CI.
0010,199002: PIX startup completed.
0000,199003: Reducing link MTU.
0000,112001: PIX clear complete.
2000,201001: PIX out of connections.
2000,201002: Connection slots in use.
2000,201003: Connection exceeds embryonic threshold.
2100,201004: Connection failed.
2100,201005: No FTP data connection made.
2100,201006: No rcmd back connection made.
2100,202001: Out of translation slots.
2100,202002: No outgoing translation slot.
2100,202003: No translation made.
2100,202004: No port-mapped translation made.
2100,202005: No translate allocated.
2100,202006: No translation allowed.
2100,203001: ESP error.
2100,204001: SMTP error command.
2100,204002: SMTP error respond.
2000,208005: PIX clear error.
0000,302001: TCP connection started.
0000,302002: TCP connection ended.
0000,302003: H245 back connection.
0000,302004: H323 back connection.
0000,302005: UDP connection started.
0000,302006: UDP connection ended.
0000,302007: Conduit connection started.
0000,302008: Conduit connection ended.
0000,303001: FTP 1.
0000,303002: FTP Storeflag IP.
0000,304001: URL accessed.
2100,304002: URL access denied.
1000,304003: URL server request timed out.
1000,304004: URL server request failed.
0000,304005: URL server request pending.
0000,305001: Port-mapped translation built.
0000,305002: Translate start.
0000,305003: Translate end.
0000,306001: Ethernet status changed.
2100,307001: Telnet access denied.
0000,307002: Telnet access permitted.
2100,307003: Telnet login failed.
2100,308001: Enable password incorrect.
2110,309001: Deny manager access.
0010,309002: Permit manager access.
1000,310001: Lack of CPU realtime.
2000,701001: Out of TCP user objects.
2000,709001: Bad CI for replicate.
2000,709002: CI has no failover configured.
0010,709003: Beginning configuration replication, sending to mate.
0010,709004: End configuration replication (ACT).
0010,709005: Beginning configuration replication, receiving from mate.
0010,709006: End configuration replication (STB).

Lucent Status Codes
(LucentMessages.txt)

// format of the file: event type, status code, sub-code: message
// order of event type bytes: security, remote, VPN
000,0,0: Session start
000,1,0: Session end
000,2,0: Packet audit
000,3,0: Session start mapped
000,4,0: General firewall event
000,4,1: Boot firewall
000,4,2: Flush cache
000,4,3: Load zone
000,4,4: Load table
000,4,5: Switchover new policy
000,4,6: Load dynamic rule
000,4,7: Load dynamic host
000,4,8: Load dynamic service
000,4,9: Audit ping
000,4,10: Abort load
100,5,0: Errors
000,6,0: End user authentication
100,7,0: Failed administrator host authentication
001,8,0: IPSEC
010,9,0: Session summary stats
010,10,0: Administrator login
010,11,0: Administrator logout
010,12,0: Add Administrator account
010,13,0: Modify Administrator account
010,14,0: Delete Administrator account
010,15,0: Add zone table entry
010,16,0: Modify zone table entry
010,17,0: Delete zone table entry
010,18,0: Add brick table entry
010,19,0: Modify brick table entry
010,20,0: Delete brick table entry
110,21,0: Firewall alarm
110,22,0: ISMS alarm
000,23,0: Session full (firewall)
010,24,0: Firewall status
010,25,0: ISMS subsystem information message
010,26,0: Add zone to ISMS
010,27,0: Delete zone to ISMS
010,28,0: Modify zone in the ISMS
010,29,0: Add firewall
010,30,0: Delete firewall
010,31,0: Modify firewall
010,32,0: Audit GUI request
010,33,0: Audit GUI request for file modification
010,34,0: Administrator login failed
010,35,0: Alarm alert status

Raptor Status Codes
(RaptorMessage.txt)

// format of the file: event type, status code: message
// order of event type bytes: security, remote, VPN
000,101: Eagle Network Security Management System starting up.
000,102: Shutdown command received.
000,103: Closing connection.
000,104: Reread of new config file successful.
000,105: Connection for incoming to outgoing.
000,106: Trace.
000,107: Closing log file.
000,108: Starting new log file.
000,109: Rereading configuration file.
001,110: User authenticated.
000,111: FTP file transfer.
000,112: Rule expired, rescanning rules.
000,113: Received mobile connection.
010,115: Remote management connection.
010,116: Remote management completed.
000,117: Daemon starting.
000,118: Daemon exiting.
000,119: Read of protocol request.
001,120: Information.
000,121: General traffic.
000,122: Daemon listening on port.
001,123: NAT Address Mapping added.
001,124: NAT Address Mapping freed.
000,127: Connection Request.
001,201: Access denied.
000,202: Access denied.
000,203: User password changed.
000,204: User password added.
001,208: VPN packet does not match any tunnel.
001,209: VPN packet not valid for tunnel.
101,211: VPN authentication failed.
001,212: IP packet not allowed on tunnel.
001,213: IP packet not allowed on implicit tunnel.
001,215: VPN packet not forwarded as it does not match any defined tunnel.
000,216: Access denied.
000,217: Cannot lookup hostname.
000,218: Invalid protocol.
000,219: Cant parse URL.
000,220: Local web server cant handle request.
000,221: Possible spoofed IP packet dropped.
001,222: VPN packet error.
001,223: VPN packet error.
000,224: User count is over 80% of limit.
100,225: Possible spoofed IP packet.
000,226: IP packet dropped.
001,227: VPN packet dropped.
000,228: Cant connect to port.
000,229: IP packet dropped.
001,230: Packet not allowed on tunnel with endpoints.
000,231: Failed on connection.
000,232: Sending ICMP type.
000,233: Packet dropped.
000,234: Network error detected.
000,301: Internal warning.
000,303: Service already running.
000,304: Protocol mismatch.
000,305: Ignoring multiple entry.
000,306: Overlapping time range.
100,307: Config file not from Authorization machine.
000,308: Cant lookup host name.
000,309: Warning in config file.
100,310: Cant verify reverse address.
000,311: Cant verify Ethernet address for host.
000,312: Bogus response to name lookup.
000,313: Invalid password or authentication.
000,314: Warning in User Database.
000,315: Warning in User Database.
000,316: Warning in User Database.
000,317: Warning in User Database.
000,318: Warning in User Database.
000,323: readeagle service already running.
000,331: No rules for eagles in config file.
000,333: Cant open eagle file.
000,334: Denied access to command.
001,335: VPN packet dropped because VPN is not enabled.
001,336: VPN packet received with invalid format or length.
001,337: Could not queue decapsulated VPN packet to IP input queue.
001,338: UDP packet dropped because UDP is disabled for VPN.
000,341: Child process killed.
000,342: Child process exited.
000,343: ACE warning or DNS warning.
000,344: Non-transparent call.
100,347: Possible port scan.
000,401: Internal error.
000,402: Cant get config file filename.
000,403: Cant read config file filename.
000,404: Error in config file.
000,405: Reread of filename failed.
000,406: Cannot open audio file.
000,407: Cant open lock file traceroute.
000,408: File is not a valid audio file.
000,409: File sample rate not available.
000,410: File encoding not available.
000,411: Unable to open notify.
000,412: Unrecognized transport.
000,413: Config file errors.
000,415: Syntax error in date/time string.
000,416: Syntax error in expression.
000,417: Cant connect to host port.
000,418: Cant lookup host.
000,419: Bad server port.
000,420: Cant open config file.
000,421: Missing server host.
000,422: Bad port.
000,423: Bad protocol.
000,424: Cant use TCP port.
000,425: Cant lookup service.
000,430: Cant lookup Eagle hostname.
010,431: Managed Eagle couldnt read the location of its controlling Eagle.
000,432: Bad hostname.
000,433: Cant connect to host.
000,434: Error reading config file.
000,435: Cant execute service to read config file.
010,440: Config load failed.
001,441: Illegal parameter in VPN configuration file.
001,442: VPN - could not attach to data link driver.
000,444: Error in password file.
000,445: Cant read password file.
000,446: No entry for host in password file.
000,450: Remote management failed.
000,451: Bad port in configuration file.
000,452: Cant lookup proxy name.
000,454: Cant open file.
000,455: Child process exited.
000,456: HTTPS service not supported.
000,457: System timezone, time, or date is not correctly set.
100,501: Access from incoming to outgoing.
100,502: Ethernet address mismatch.
100,503: Reverse address doesnt match.
100,504: Unknown entity connected to readeagle.
100,505: Unauthorized process killed.
100,506: Unauthorized user logged off.
110,510: Remote management - incorrect data checksum.
110,511: Remote management - incorrect challenge.
110,512: Unauthorized remote connect attempt.
100,513: Saved trace file.
100,514: Protocol violation.
100,515: Attempt to use firewall proxies to connect to Eagle control ports.
100,524: Not enough disk space for logging.
000,601: Child process killed.
000,602: Child process exited.
000,603: Fork failed.
000,604: Bad message priority.
000,605: Cant execute service.
000,606: Failed to notify.
000,607: Daemon exited on signal.
000,609: Syslog daemon is not running.
000,610: Internal error.
000,611: User count limit reached.
000,701: Cant allocate memory.
000,702: Quitting because of config errors.
000,704: Expiration date reached.
000,705: Invalid license key.
000,706: Module not licensed.
000,707: Service not installed.
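
The header comments in these files describe one flag per digit of the event type. The following parser is an added example, not part of the original article or of WebTrends Firewall Suite; it reads that layout from the comments, splits each entry into its flags, and reports entries whose event type has the wrong width (several Cisco lines above carry three digits instead of four) rather than guessing which flag is missing. The function names and the treatment of each digit as one flag are assumptions.

```python
import re

# Flag layouts taken from the "//" header comments quoted on this page.
CISCO_FLAGS = ("level", "security", "remote", "vpn")
SHORT_FLAGS = ("security", "remote", "vpn")  # Lucent and Raptor files

# event type, status code, optional sub-code, then ": message"
LINE_RE = re.compile(r"^(\d+),(\d+(?:,\d+)?):\s*(.*)$")

def parse_status_file(text, flag_names):
    """Return (entries, malformed); a wrong-width event type is reported, not guessed."""
    entries, malformed = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("//"):
            continue  # skip blanks and the file's own comment lines
        m = LINE_RE.match(line)
        if not m or len(m.group(1)) != len(flag_names):
            malformed.append(line)
            continue
        flags = dict(zip(flag_names, (int(c) for c in m.group(1))))
        entries[m.group(2)] = {"flags": flags, "message": m.group(3)}
    return entries, malformed

def security_codes(entries):
    """Codes whose 'security' flag is set, sorted for stable output."""
    return sorted(code for code, e in entries.items() if e["flags"]["security"])

# Sample lines copied from the CiscoMessages.txt listing above.
CISCO_SAMPLE = """\
// format of the file: event type, status code: message
0000,101001: Cable OK.
000,103002: Other firewall interface OK.
2100,106001: Deny inbound TCP.
2110,309001: Deny manager access.
0010,111006: Configuration login.
"""

# Sample lines copied from the LucentMessages.txt listing above.
LUCENT_SAMPLE = """\
000,4,1: Boot firewall
100,7,0: Failed administrator host authentication
010,34,0: Administrator login failed
"""

if __name__ == "__main__":
    cisco, bad = parse_status_file(CISCO_SAMPLE, CISCO_FLAGS)
    print(security_codes(cisco), bad)
```

Entries returned in the malformed list should be reviewed by hand before the codes are used in a filter, since a dropped digit shifts every flag that follows it.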

Firewall Status Code Filter

Use the Firewall Status Code filter to include or exclude status codes from the analysis and reporting for this profile. Status codes are numeric responses to attempts to log on to the network to perform an activity or access a service.

Firewall Actions Filter

The Firewall Actions filter applies to Check Point FireWall-1 actions only. For other firewalls, filter by status code.

Use the Firewall Actions filter to include or exclude firewall actions (such as responses to logon attempts, data transfers) from the analysis and reporting for this profile. Select the actions that you want to filter. A check indicates that this item is included or excluded.
You may choose from the following:

  • Accept
  • Reject
  • Drop
  • Encrypt
  • Decrypt
  • Key exchange
  • Successful client authentication
  • Failed client authentication

This article was previously published as:
NETIQKB1345

Last Modified 4/13/2006.
https://support.trustwave.com/kb/KnowledgebaseArticle10824.aspx