Appendix D – FortiClient Log Messages
Client Feature | ID | Level | Format | Description |
AntiVirus | 0x00017913 | Warning | Found malware by [AntiVirus scan|AntiVirus realtime protection] in [filesystem|email] | This message is logged when malware is found. |
AntiVirus | 0x00017914 | Warning | Found suspicious by [AntiVirus scan|AntiVirus realtime protection] in [filesystem|disk|email] | This message is logged when a suspicious item is found. |
AntiVirus | 0x00017915 | Info | User enabled Realtime AntiVirus protection | Logged when someone enables Realtime AntiVirus. |
AntiVirus | 0x00017916 | Warning | User disabled Realtime AntiVirus protection | Logged when someone disables Realtime AntiVirus. |
AntiVirus | 0x00017917 | Info | Communication error | |
AntiVirus | 0x00017918 | Warning | AntiVirus realtime protection killed malware process : [process name] | AntiVirus realtime protection killed a malware process. |
AntiVirus | 0x0001791d | Info | av_task scan is started | This message is logged if AV scanning is started. |
AntiVirus | 0x0001791e | Info | av_task scan is stopped | This message is logged if AV scanning is stopped. |
AntiVirus | 0x00017919 | Info | av_task scan thread is suspended | This message is logged if AV scanning is paused. |
AntiVirus | 0x0001791a | Info | av_task scan thread is resumed | This message is logged if AV scanning is resumed. |
AntiVirus | 0x0001791b | Warning | av_task killed suspicious process : <filename or process name> | <filename or process name> is a suspicious process and has been terminated. |
AntiVirus | 0x0001791c | Info | Cannot start scan task | |
AntiVirus | 0x0001791f | Error | Scheduled scan failed: Path to file/folder no longer exists. | Path not found. |
AntiVirus | 0x00017920 | Warning | AntiVirus scan was stopped by a user before it finished. | The specified user stopped an AntiVirus scan. |
AntiVirus | 0x00017921 | Warning | Failed to connect to FortiSandbox server. | The sandbox server is unavailable. |
Webfilter | 0x000178f4 | Info | User enabled Webfilter | Logged when someone enables webfiltering. |
Webfilter | 0x000178f5 | Warning | User disabled Webfilter | Logged when someone disables webfiltering. |
Webfilter | 0x000178f6 | Warning | user’s access to the url [action and reason] | the action to the user’s access |
Webfilter | 0x000178f7 | Info | user’s access to the url [action and reason] | the action to the user’s access |
Webfilter | 0x000178f8 | Warning | The Webfilter Violation report was cleared [user name] | Logged when someone clears the webfilter violation report. |
Webfilter | 0x000178f9 | Warning | Unable to create proxy/webfilter communication socket. | FortiClient will not be able to determine the FortiGuard rating of URLs. |
Webfilter | 0x000178fa | Warning | Unable to retrieve the webfilter UDP port number. | FortiClient will not be able to determine the FortiGuard rating of URLs. |
Webfilter | 0x000178fb | Warning | status=warn [logged on user] temporarily disabled blocking of category [category id] ([category name]) to access [url] | The user [logged on user] proceeded to the url [url] after acknowledging a warning message. |
Application FireWall | 0x00017980 | Warning | Firewall action | |
Application FireWall | 0x00017981 | Info | Firewall action | |
Application FireWall | 0x00017982 | Info | User enabled Firewall | User enabled Firewall |
Application FireWall | 0x00017983 | Warning | User disabled Firewall | User disabled Firewall |
Application FireWall | 0x00017984 | Warning | The Application Firewall report was cleared | Logged when someone clears the application firewall report. |
Application FireWall | 0x00017985 | Warning | The application firewall has been disabled because it’s driver could not be loaded | Logged when application firewall driver could not be loaded with error 127 (The specified procedure could not be found). |
IKE VPN | 0x00017930 | Info | VPN tunnel status | VPN tunnel status |
IKE VPN | 0x00017940 | Info | IKE phase1 authentication fail as peer’s certificate is not verified. | IKE phase1 authentication fail as peer’s certificate is not verified. |
IKE VPN | 0x00017941 | Info | IKE phase1 authentication fail as the preshare key mismatch. | IKE phase1 authentication fail as the preshare key mismatch. |
IKE VPN | 0x00017931 | Warning | No response from the peer | |
IKE VPN | 0x00017932 | Warning | No response from the peer | |
IKE VPN | 0x00017933 | Warning | Received delete payload from peer check xauth password. | Received delete payload from peer check xauth password. |
IKE VPN | 0x00017934 | Error | Failed to acquire an IP address. | Failed to acquire an IP address for the virtual adapter. |
IKE VPN | 0x00017935 | Error | ike error | |
IKE VPN | 0x00017936 | Info | negotiation information | |
IKE VPN | 0x00017937 | Error | negotiation error | |
IKE VPN | 0x00017938 | Error | replayed packet detected (packet dropped) | |
IKE VPN | 0x00017939 | Info | VPN user accept the banner and continue with the tunnel setup | The VPN user accepted the banner warning. |
IKE VPN | 0x0001793a | Info | VPN user choose disconnect the tunnel or no response | The VPN user rejected the banner warning and disconnected the tunnel. |
IKE VPN | 0x0001793b | Info | locip=<ip address> locport=<port number> remip=<ip address> remport=<port number> outif=<interface> vpntunnel=<tunnel name> action=install_sa | |
IKE VPN | 0x0001793c | Info | VPN before logon was enabled | Logged when someone enables VPN before logon. |
IKE VPN | 0x0001793d | Info | VPN before logon was disabled | Logged when someone disables VPN before logon. |
IKE VPN | 0x0001793e | Error | VPN cannot connect because an authorization rule failed. | Logged when a VPN authorization rule failed. |
IKE VPN | 0x0001793f | Warning | A required application is not running. | VPN cannot connect because the specified application is not running. |
SSL VPN | 0x00017958 | Info | SSLVPN tunnel status | SSLVPN tunnel status |
Wan Acceleration | 0x00017a71 | Info | User enabled WAN Acceleration | User enabled WAN Acceleration |
Wan Acceleration | 0x00017a70 | Info | User disabled WAN Acceleration | User disabled WAN Acceleration |
Wan Acceleration | 0x0000b000 | Error | Network registry keys are missing | When enumerating the network interface subkeys |
Wan Acceleration | 0x0000b001 | Error | Network adapter is missing a description | When enumerating the network interfaces |
Wan Acceleration | 0x0000b002 | Error | Error opening redirector device | Wan acceleration will not function. |
Wan Acceleration | 0x0000b003 | Info | WAN Acceleration was enabled by [user name] | Logged when someone enables WAN Acceleration. |
Wan Acceleration | 0x0000b004 | Info | WAN Acceleration was disabled by [user name] | Logged when someone disables WAN Acceleration. |
Vulnerability Scan | 0x00017908 | Info | The vulnerability scan status has changed | A vulnerability scan status change |
Vulnerability Scan | 0x00017909 | Info | A vulnerability scan result has been logged | A Vulnerability scan result log |
Vulnerability Scan | 0x0001790a | Info | Remediating vulnerability | The details of the vulnerability being remediated are described by the log fields. |
EndPoint Control | 0x00017ab6 | Info | upload logs | |
EndPoint Control | 0x00017ab7 | Info | Endpoint control policy synchronization was enabled | Logged when someone enables Endpoint control policy synchronization. |
EndPoint Control | 0x00017ab8 | Warning | Endpoint control policy synchronization was disabled | Logged when someone disables Endpoint control policy synchronization. |
EndPoint Control | 0x00017ab9 | Info | Endpoint Control Status changed to [status] | Endpoint Control Status Changed |
EndPoint Control | 0x00017aba | Warning | OffNet configuration version [version] doesn’t match FortiGate configuration version [version] | OffNet configuration version doesn’t match FortiGate configuration version |
EndPoint Control | 0x00017abb | Info | Endpoint Control Registration Status changed to [status] with FGT [serial] | |
EndPoint Control | 0x00017abc | Info | Endpoint Quarantine Status changed to [status] | Endpoint Quarantine Status Changed |
Update | 0x00017a2a | Info | Customer initiated a software update request. | Logged when a user presses the GUI’s update button. |
Update | 0x00017a37 | Info | Checking for updates. | Checking for updates. |
Update | 0x00017a2c | Info | Update allowed only if you have a valid license | Update allowed only if you have a valid license |
Update | 0x00017a38 | Info | Software update started. | Software update started. |
Update | 0x00017a2d | Info | Software updates are disabled. | Software updates from FortiGuard have been disabled. |
Update | 0x00017a2e | Info | Software updates from FortiGuard have been disabled because this client is managed. | Software updates from FortiGuard have been disabled. |
Update | 0x00017a2f | Info | Software updates require administrative privileges. | The user does not have sufficient privileges to perform software updates. |
Update | 0x00017a30 | Info | Software update successful. | Software update successful. |
Update | 0x00017a31 | Info | Software update failed. | Software update failed. |
Update | 0x00017a32 | Info | Unable to perform software update. Registry does not contain image id to download. | The image id that is expected to be in the registry is missing. |
Update | 0x00017a33 | Info | Update <module description> successful | |
Update | 0x0001798a | Info | Update success | Update was successful. |
Update | 0x00017a34 | Error | Unable to load AV engine | Failed to load the av engine |
Update | 0x00017a35 | Error | Error patching AV signature. | Error patching AV signature. |
Update | 0x00017a36 | Error | Unable to load FASLE engine | Unable to load FASLE engine |
Update | 0x00017a39 | Info | Update successful | |
Scheduler | 0x00017a20 | Info | Forcefully kill a child process after grace period expires | A scheduler owned child process failed to stop when instructed to do so |
Scheduler | 0x00017a21 | Error | The scheduler cannot start the scheduled task because the task’s license is expired. | The scheduler cannot start the scheduled task because the task’s license is expired. |
Scheduler | 0x00017a68 | Info | FortiClient is starting up | FortiClient is starting up |
Scheduler | 0x00017a69 | Info | %s is shutting down | FortiClient is shutting down |
FortiProxy | 0x00017a49 | Info | Fortiproxy is enabled | Fortiproxy is enabled |
FortiProxy | 0x00017a48 | Warning | Fortiproxy is disabled | Fortiproxy is disabled |
FortiShield | 0x00017a53 | Info | FortiShield is enabled | FortiShield is enabled |
FortiShield | 0x00017a52 | Warning | FortiShield is disabled | FortiShield is disabled |
FortiShield | 0x00017a54 | Info | The console was locked | The console password was locked. |
FortiShield | 0x00017a55 | Warning | The console was unlocked | The console password was unlocked. |
FortiShield | 0x00017a56 | Warning | The console password was removed | The console password was removed. |
FortiShield | 0x00017a57 | Warning | FortiShield blocked application: [application path] from modifying: [file or registry path] | FortiShield has prevented an application from modifying a file or registry setting protected by FortiClient. |
Application Database | 0x0000d001 | Error | <context> <file reference> db error – creating new database. | A critical error occurred. The application database will not work. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated. |
Application Database | 0x0000d003 | Error | <context> <file reference> db error – BIND command. | A critical error occurred. The application database will not work. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated. |
Application Database | 0x0000d004 | Error | <context> <file reference> db error – opening database. | A critical error occurred. The application database is not present. An attempt to automatically regenerate it will occur. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated. |
Application Database | 0x0000d005 | Error | <context> <file reference> db error – preparing sql statement. | The sql statement used is invalid. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated. |
Application Database | 0x0000d006 | Error | <context> <file reference> db error – unable to find fingerprint. | The fingerprint does not exist in the database. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated. |
Application Database | 0x0000d007 | Error | <context> <file reference> db error – invalid md5. | The parameter supplied is not an MD5. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated. |
Application Database | 0x0000d008 | Error | <context> <file reference> db error – row not found. | The requested row does not exist. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated. |
Application Database | 0x0000d00a | Error | <context> <file reference> Can’t open file. | The file cannot be opened. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated. |
Application Database | 0x0000d00b | Error | <context> <file reference> Unable to extract vendor id. | The file is not digitally signed. |
Application Database | 0x0000d00e | Error | <context> <file reference> Can’t access file because of sharing violation. | Can’t access file because of sharing violation. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated. |
Application Database | 0x0000d00f | Error | <context> <file reference> Can’t open driver. | Can’t open the apd driver. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated. |
Application Database | 0x0000d010 | Error | <context> <file reference> Can’t start driver. | Can’t start the apd driver. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated. |
Application Database | 0x0000d011 | Error | <context> <file reference> Driver io error. | APD driver io error. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated. |
Application Database | 0x0000d016 | Error | <context> <file reference> Server-side pipe error. | A communication error occurred. It is probably temporary. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated. |
Application Database | 0x0000d017 | Error | <context> <file reference> Pipe server initialization error. | A communication initialization error occurred. It is probably temporary. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated. |
Application Database | 0x0000d018 | Error | <context> <file reference> Pipe server creation error. | A communication initialization error occurred. It is probably temporary. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated. |
Application Database | 0x0000d019 | Error | <context> <file reference> Unable to bypass fortishield. | Failed to bypass self-protection. The daemon might not function normally after this. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated. |
Application Database | 0x0000d01a | Error | <context> <file reference> Invalid arguments. | Invalid command line options supplied. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated. |
Application Database | 0x0000d01c | Error | <context> <file reference> Unable to allocate memory for vendor id cache. | Low memory. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated. |
Application Database | 0x0000d01d | Error | <context> <file reference> Vendor id cache not initialized. | This is probably temporary. An attempt will be made later to read/write to the cache. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated. |
Application Database | 0x0000d01e | Error | <context> <file reference> Unable to open vendor id cache shared memory. | Application detection will not be functioning normally. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated. |
Application Database | 0x0000d01f | Error | <context> <file reference> Unable to open mutex to access vendor id shared memory. | Application detection will not be functioning normally. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated. |
Config Import/Export | 0x00017a5c | Info | A configuration file is exported to [location] | Logged when someone exports a config file. |
Config Import/Export | 0x00017a5d | Info | A configuration file is imported from [location] | Logged when someone imports a config file. |
Config Import/Export | 0x00017a72 | Info | Policy ‘[name]’ was received and applied | Logged when push configuration is received. |
Single SignOn Mobility Agent | 0x00017ad4 | Info | Single Sign-On event | Single Sign-On event. |
Single SignOn Mobility Agent | 0x00017ad5 | Info | Single Sign-On Mobility Agent was enabled | Logged when someone enables Single Sign-On Mobility Agent. |
Single SignOn Mobility Agent | 0x00017ad6 | Warning | Single Sign-On Mobility Agent was disabled | Logged when someone disables Single Sign-On Mobility Agent. |
Single SignOn Mobility Agent | 0x00017ad7 | Info | Single Sign-On Mobility Agent is starting… | |
Single SignOn Mobility Agent | 0x00017ad8 | Info | Single Sign-On Mobility Agent is stopping… | |
UI | 0x00017a66 | Warning | Logs were cleared | Logged when logs are cleared. |
UI | 0x00017a67 | Info | Alerts were cleared | Logged when alerts are cleared by a user. |