For general best practices related to events, see Events in Server & Workload Protection.
To see the firewall events captured by Server & Workload Protection, go to .
Firewall event icons:
- Single event
- Single event with data
- Folded event
- Folded event with data
What information is displayed for firewall events?
These columns can be displayed on the firewall events page. You can click Columns
to select which columns are displayed in the table.
- Time: Time the event took place on the computer.
- Computer: The computer on which this event was logged. (If the computer has been removed, this entry will read "Unknown Computer".)
- Reason: Log entries on this page are generated either by firewall rules or by firewall stateful configuration settings. If an entry is generated by a firewall rule, the column entry will be prefaced by "Firewall Rule:" followed by the name of the firewall rule. Otherwise the column entry will display the firewall stateful configuration setting that generated the log entry.
- Tag(s): Event tags that are applied to this event.
- Action: The action taken by the firewall rule or firewall stateful configuration. Possible actions are: Allow, Deny, Force Allow, and Log Only.
- Rank: The ranking system provides a way to quantify the importance of intrusion prevention and firewall events. By assigning "asset values" to computers, and assigning "severity values" to intrusion prevention rules and firewall rules, the importance ("rank") of an event is calculated by multiplying the two values together. This allows you to sort events by rank when viewing intrusion prevention or firewall events.
- Direction: The direction of the affected packet (incoming or outgoing).
- Interface: The MAC address of the interface through which the packet was traveling.
- Frame Type: The frame type of the packet in question. Possible values are "IPV4", "IPV6", "ARP", "REVARP", and "Other: XXXX" where XXXX represents the four digit hex code of the frame type.
- Protocol: Possible values are "ICMP", "ICMPV6", "IGMP", "GGP", "TCP", "PUP", "UDP", "IDP", "ND", "RAW", "TCP+UDP", and "Other: nnn" where nnn represents a three digit decimal value.
- Flags: Flags set in the packet.
- Source IP: The packet's source IP.
- Source MAC: The packet's source MAC address.
- Source Port: The packet's source port.
- Destination IP: The packet's destination IP address.
- Destination MAC: The packet's destination MAC address.
- Destination Port: The packet's destination port.
- Packet Size: The size of the packet in bytes.
- Repeat Count: The number of times the event was sequentially repeated.
- Time (microseconds): Microsecond resolution for the time the event took place on the computer.
- Event Origin: The Server & Workload Protection component from which the event originated.
The following columns are also available. They display information for events that
are triggered from containers on computers that are protected by agent version 12
FR or newer:
- Interface Type: Container interface type.
- Container Name: Name of the container where the event occurred.
- Container ID: Container ID of the container where the event occurred.
- Image Name: Image name that was used to create the container where the event occurred.
- RepoDigest: A unique digest that identifies the container image.
- Process Name: Name of the process (from the container) that caused the event.
Note: Log-only rules will only generate a log entry if the packet in question is not subsequently stopped either by a deny rule, or by an allow rule that excludes it. If the packet is stopped by one of those two rules, those rules will generate a log entry and not the log-only rule. If no subsequent rules stop the packet, the log-only rule will generate an entry.
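The columns above are what an exported firewall event carries, and the Reason column's "Firewall Rule:" prefix is what separates rule-generated entries from stateful-configuration entries. As an added example (not Trend Micro's code, and not the product's actual export format), the following Python script parses a constructed CSV export that uses the column names from this page and performs the triage steps a practitioner usually wants first: splitting rule entries from stateful ones, weighting denied traffic by Repeat Count per source IP, and pulling out events above a Rank threshold. The sample rows, their IP addresses and the CSV layout are all constructed for the example.

```python
"""Triage of exported firewall events (added example; not Trend Micro code).

Column names follow the firewall events page (Time, Computer, Reason,
Action, Rank, Direction, Protocol, Source IP, Destination IP, Destination
Port, Repeat Count).  The CSV layout and every sample row below are
constructed for this example.
"""
import csv
import io
from collections import Counter, defaultdict

# Constructed sample export in the page's column layout (addresses are
# documentation ranges, not real hosts).
SAMPLE_CSV = """\
Time,Computer,Reason,Action,Rank,Direction,Protocol,Source IP,Destination IP,Destination Port,Repeat Count
2024-05-01 10:00:01,web-01,Firewall Rule: Allow inbound HTTPS,Allow,10,Incoming,TCP,203.0.113.5,10.0.0.12,443,1
2024-05-01 10:00:02,web-01,Out Of Allowed Policy,Deny,50,Incoming,TCP,198.51.100.7,10.0.0.12,3389,25
2024-05-01 10:00:03,web-01,Out Of Allowed Policy,Deny,50,Incoming,TCP,198.51.100.7,10.0.0.12,22,40
2024-05-01 10:00:04,db-01,Firewall Rule: Log SSH,Log Only,20,Incoming,TCP,10.0.0.30,10.0.0.40,22,1
2024-05-01 10:00:05,db-01,Max SYN Sent,Deny,80,Incoming,TCP,198.51.100.9,10.0.0.40,443,300
2024-05-01 10:00:06,web-02,Unsolicited UDP,Deny,30,Incoming,UDP,192.0.2.8,10.0.0.13,161,3
"""

RULE_PREFIX = "Firewall Rule:"


def parse_events(text: str) -> list[dict]:
    """Read the export and convert the numeric columns to int."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["Rank"] = int(row["Rank"])
        row["Repeat Count"] = int(row["Repeat Count"])
        row["Destination Port"] = int(row["Destination Port"])
        rows.append(row)
    return rows


def rule_name(reason: str):
    """Rule-generated entries are prefixed 'Firewall Rule:' (per the Reason
    column description); anything else is a stateful-configuration entry."""
    if reason.startswith(RULE_PREFIX):
        return reason[len(RULE_PREFIX):].strip()
    return None


def denied_volume_by_source(events: list[dict]) -> dict:
    """Denied packets per source IP.  Repeat Count is the number of times an
    entry was sequentially repeated, so it must weight the sum or a burst
    of 300 identical drops would count as one."""
    totals = defaultdict(int)
    for e in events:
        if e["Action"] == "Deny":
            totals[e["Source IP"]] += e["Repeat Count"]
    return dict(totals)


def stateful_reasons(events: list[dict]) -> Counter:
    """Count entries produced by the stateful configuration rather than by a
    named rule; these are the ones that point at protocol-level anomalies."""
    return Counter(e["Reason"] for e in events if rule_name(e["Reason"]) is None)


def high_rank(events: list[dict], threshold: int) -> list[tuple]:
    """Entries at or above a Rank threshold, highest rank first.  Rank is the
    page's asset value x severity product, already present in the export."""
    hits = [(e["Rank"], e["Computer"], e["Reason"])
            for e in events if e["Rank"] >= threshold]
    return sorted(hits, key=lambda h: h[0], reverse=True)


if __name__ == "__main__":
    evts = parse_events(SAMPLE_CSV)
    print("denied per source:", denied_volume_by_source(evts))
    print("stateful reasons:", dict(stateful_reasons(evts)))
    print("rank >= 50:", high_rank(evts, 50))
```

The split on the "Firewall Rule:" prefix is the useful part: entries without it (Out Of Allowed Policy, Max SYN Sent, Unsolicited UDP) map directly onto the event IDs in the table below and usually deserve a different queue from rule hits.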
List of all firewall events

| ID | Event | Notes |
|---|---|---|
| 100 | Out Of Connection | A packet was received that was not associated with an existing connection. |
| 101 | Invalid Flags | Flag(s) set in a packet were invalid. This event can indicate that a flag does not make sense within the context of the current connection (if any), or that a nonsensical combination of flags was set. "Firewall Stateful Configuration" must be On for connection context to be assessed. |
| 102 | Invalid Sequence | A packet with an invalid sequence number or out-of-window data size was encountered. |
| 103 | Invalid ACK | A packet with an invalid acknowledgment number was encountered. |
| 104 | Internal Error | |
| 105 | CE Flags | A packet has congestion flags set and the policy's Anti Evasion settings use a custom configuration where the TCP Congestion Flags property is set to Log or Deny. (See Configure anti-evasion settings.) |
| 106 | Invalid IP | The packet's source IP was not valid. |
| 107 | Invalid IP Datagram Length | The length of the IP datagram is less than the length specified in the IP header. |
| 108 | Fragmented | A fragmented packet was encountered, and your environment has set IP Packet Inspection to deny incoming fragmented packets. |
| 109 | Invalid Fragment Offset | |
| 110 | First Fragment Too Small | A fragmented packet was encountered, and the size of the first fragment is less than the size of a TCP packet (no data). A packet is dropped with this event when the packet header has the following configuration: To prevent this event from occurring, configure the policy's Advanced Network Engine settings to use a lower value for the Minimum Fragment Size property, or set it to 0 to turn off this inspection. (See "Advanced Network Engine Options" in Computer and policy editor settings.) |
| 111 | Fragment Out Of Bounds | The offset(s) specified in a fragmented packet sequence is outside the range of the maximum size of a datagram. |
| 112 | Fragment Offset Too Small | A fragmented packet was encountered, and the size of the fragment was less than the size of a TCP packet (no data). |
| 113 | IPv6 Packet | An IPv6 packet was encountered, and IPv6 blocking is enabled. See the "Block IPv6 on Agents and Appliances versions 9 and later" property in the Advanced Network Engine Options (see Computer and policy editor settings). |
| 114 | Max Incoming Connections | The number of incoming connections has exceeded the maximum number of connections allowed. See the "Enable TCP stateful inspection" property in TCP Packet Inspection. |
| 115 | Max Outgoing Connections | The number of outgoing connections has exceeded the maximum number of connections allowed. See the "Enable TCP stateful inspection" property in TCP Packet Inspection. |
| 116 | Max SYN Sent | The number of half-open connections from a single computer exceeds that specified in the firewall stateful configuration. See the "Limit the number of half-open connections from a single computer to" property in TCP Packet Inspection. |
| 118 | IP Version Unknown | An IP packet other than IPv4 or IPv6 was encountered. |
| 119 | Invalid Packet Info | |
| 120 | Internal Engine Error | Insufficient system memory. Add more system resources to fix this issue. |
| 121 | Unsolicited UDP | Incoming UDP packets that were not solicited by the computer are rejected. |
| 122 | Unsolicited ICMP | ICMP stateful has been enabled (in firewall stateful configuration) and an unsolicited packet that does not match any Force Allow rules was received. |
| 123 | Out Of Allowed Policy | The packet does not meet any of the Allow or Force Allow rules and so is implicitly denied. |
| 124 | Invalid Port Command | An invalid FTP PORT command was encountered in the FTP control channel data stream. |
| 125 | SYN Cookie Error | The SYN cookies protection mechanism encountered an error. |
| 126 | Invalid Data Offset | Invalid data offset parameter. |
| 127 | No IP Header | The packet IP header is invalid or incomplete. |
| 128 | Unreadable Ethernet Header | Data contained in this Ethernet frame is smaller than the Ethernet header. |
| 129 | Undefined | |
| 130 | Same Source and Destination IP | Source and destination IPs were identical. |
| 131 | Invalid TCP Header Length | |
| 132 | Unreadable Protocol Header | The packet contains an unreadable TCP, UDP or ICMP header. |
| 133 | Unreadable IPv4 Header | The packet contains an unreadable IPv4 header. |
| 134 | Unknown IP Version | Unrecognized IP version. |
| 135 | Invalid Adapter Configuration | An invalid adapter configuration has been received. |
| 136 | Overlapping Fragment | This packet fragment overlaps a previously sent fragment. |
| 138 | Packet on Closed Connection | A packet was received belonging to a connection that was already closed. |
| 139 | Dropped Retransmit | The network engine detected a TCP packet that overlaps with data already received on the same TCP connection but does not match the already-received data. (The network engine compares the packet data that was queued in the engine's connection buffer to the data in the packet that was retransmitted.) The network engine reconstructs the sequenced data stream of each TCP connection it processes. The sequence number and length in the received packet specify a specific region in this data stream. The note field in the log indicates the location of the changed content in the TCP stream: prev-full, prev-part, next-full and next-part. |
| 140 | Undefined | |
| 141 | Out of Allowed Policy (Open Port) | |
| 142 | New Connection Initiated | |
| 143 | Invalid Checksum | |
| 144 | Invalid Hook Used | |
| 145 | IP Zero Payload | |
| 146 | IPv6 Source Is Multicast | |
| 147 | Invalid IPv6 Address | |
| 148 | IPv6 Fragment Too Small | |
| 149 | Invalid Transport Header Length | |
| 150 | Out of Memory | |
| 151 | Max TCP Connections | The maximum number of TCP connections has been exceeded. See Increase the maximum allowed TCP connections. |
| 152 | Max UDP Connections | |
| 200 | Region Too Big | A region (edit region, URI, etc.) exceeded the maximum allowed buffering size (7570 bytes) without being closed. This is usually because the data does not conform to the protocol. |
| 201 | Insufficient Memory | The packet could not be processed properly because resources were exhausted. This can be because too many concurrent connections require buffering (max 2048) or matching resources (max 128) at the same time, because of excessive matches in a single IP packet (max 2048), or simply because the system is out of memory. |
| 202 | Maximum Edits Exceeded | The maximum number of edits (32) in a single region of a packet was exceeded. |
| 203 | Edit Too Large | Editing attempted to increase the size of the region above the maximum allowed size (8188 bytes). |
| 204 | Max Matches in Packet Exceeded | There are more than 2048 positions in the packet with pattern match occurrences. An error is returned at this limit and the connection is dropped because this usually indicates a garbage or evasive packet. |
| 205 | Engine Call Stack Too Deep | |
| 206 | Runtime Error | Runtime error. |
| 207 | Packet Read Error | Low-level problem reading packet data. |
| 257 | Fail Open: Deny | Logs a packet that should have been dropped but was not, because the Fail-Open feature is on and the engine is in Inline mode. |
| 300 | Unsupported Cipher | An unknown or unsupported cipher suite has been requested. |
| 301 | Error Generating Master Key(s) | Unable to derive the cryptographic keys, MAC secrets, and initialization vectors from the master secret. |
| 302 | Record Layer Message (not ready) | The SSL state engine has encountered an SSL record before initialization of the session. |
| 303 | Handshake Message (not ready) | The SSL state engine has encountered a handshake message after the handshake has been negotiated. |
| 304 | Out Of Order Handshake Message | A well-formatted handshake message has been encountered out of sequence. |
| 305 | Memory Allocation Error | The packet could not be processed properly because resources were exhausted. This can be because too many concurrent connections require buffering (max 2048) or matching resources (max 128) at the same time, because of excessive matches in a single IP packet (max 2048), or simply because the system is out of memory. |
| 306 | Unsupported SSL Version | A client attempted to negotiate an SSL V2 session. |
| 307 | Error Decrypting Pre-master Key | Unable to unwrap the pre-master secret from the ClientKeyExchange message. |
| 308 | Client Attempted to Rollback | A client attempted to roll back to an earlier version of the SSL protocol than the one specified in the ClientHello message. |
| 309 | Renewal Error | An SSL session was being requested with a cached session key that could not be located. |
| 310 | Key Exchange Error | The server is attempting to establish an SSL session with a temporarily generated key. |
| 311 | Maximum SSL Key Exchanges Exceeded | The maximum number of concurrent key exchange requests was exceeded. |
| 312 | Key Too Large | The master secret keys are larger than specified by the protocol identifier. |
| 313 | Invalid Parameters In Handshake | An invalid or unreasonable value was encountered while trying to decode the handshake protocol. |
| 314 | No Sessions Available | |
| 315 | Compression Method Unsupported | |
| 316 | Unsupported Application-Layer Protocol | An unknown or unsupported SSL Application-Layer Protocol has been requested. |
| 385 | Fail Open: Deny | Logs a packet that should have been dropped but was not, because the Fail-Open feature is on and the engine is in Tap mode. |
| 500 | URI Path Depth Exceeded | Too many "/" separators. Max 100 path depth. |
| 501 | Invalid Traversal | Tried to use "../" above root. |
| 502 | Illegal Character in URI | Illegal character used in URI. |
| 503 | Incomplete UTF8 Sequence | URI ended in the middle of a UTF-8 sequence. |
| 504 | Invalid UTF8 encoding | Invalid or non-canonical encoding attempt. |
| 505 | Invalid Hex Encoding | %nn where nn are not hex digits. |
| 506 | URI Path Length Too Long | Path length is greater than 512 characters. |
| 507 | Invalid Use of Character | Use of disabled characters. |
| 508 | Double Decoding Exploit | Double decoding exploit attempt (%25xx, %25%xxd, etc.). |
| 700 | Invalid Base64 Content | Packet content that was expected to be encoded in Base64 format was not encoded correctly. |
| 710 | Corrupted Deflate/GZIP Content | Packet content that was expected to be encoded in Base64 format was not encoded correctly. |
| 711 | Incomplete Deflate/GZIP Content | Incomplete Deflate/GZIP content. |
| 712 | Deflate/GZIP Checksum Error | Deflate/GZIP checksum error. |
| 713 | Unsupported Deflate/GZIP Dictionary | Unsupported Deflate/GZIP dictionary. |
| 714 | Unsupported GZIP Header Format/Method | Unsupported GZIP header format or method. |
| 801 | Protocol Decoding Search Limit Exceeded | A protocol decoding rule defined a limit for a search or PDU object, but the object was not found before the limit was reached. |
| 802 | Protocol Decoding Constraint Error | A protocol decoding rule decoded data that did not meet the protocol content constraints. |
| 803 | Protocol Decoding Engine Internal Error | |
| 804 | Protocol Decoding Structure Too Deep | A protocol decoding rule encountered a type definition and packet content that caused the maximum type nesting depth (16) to be exceeded. |
| 805 | Protocol Decoding Stack Error | A rule programming error attempted to cause recursion or use too many nested procedure calls. |
| 806 | Infinite Data Loop Error | |
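Events 500 through 508 describe the URI decoding checks the engine applies before a request is matched: path depth (max 100), path length (max 512), malformed %nn escapes, truncated or non-canonical UTF-8, double decoding and traversal above the root. The following Python function is an added example, not the engine's code: it is a self-contained reconstruction of those conditions that tags each finding with the event ID from the table, so a defender can see exactly which input shape trips which event. The two numeric limits are the page's; the treatment of "illegal" characters (502, taken here to mean control characters) and of "disabled" characters (507, supplied by the caller) is an assumption because the page does not list them, and the decision to derive 503 versus 504 from the Python decoder's error reason is an implementation choice of this example.

```python
"""URI validation modelled on firewall events 500-508 (added example).

Not Trend Micro's code.  Limits come from the events table; the character
classes for 502 and 507 are assumptions (the page does not enumerate them).
"""
import re
import string

MAX_PATH_DEPTH = 100      # event 500: too many "/" separators
MAX_PATH_LENGTH = 512     # event 506: path longer than 512 characters
_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")


def _percent_decode(s: str):
    """Decode %nn escapes to bytes.  Returns None on a malformed escape
    (event 505: %nn where nn are not hex digits, or % at end of input)."""
    out = bytearray()
    i = 0
    while i < len(s):
        if s[i] == "%":
            pair = s[i + 1:i + 3]
            if len(pair) < 2 or not all(c in string.hexdigits for c in pair):
                return None
            out.append(int(pair, 16))
            i += 3
        else:
            out += s[i].encode("utf-8")
            i += 1
    return bytes(out)


def _escapes_root(path: str) -> bool:
    """Event 501: a '..' segment that would climb above the root."""
    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def check_uri(uri: str, disabled_chars=frozenset()) -> list[tuple[int, str]]:
    """Return (event_id, description) findings for a raw request path."""
    findings = []
    if len(uri) > MAX_PATH_LENGTH:
        findings.append((506, "URI Path Length Too Long"))
    if uri.count("/") > MAX_PATH_DEPTH:
        findings.append((500, "URI Path Depth Exceeded"))
    # Assumption: "illegal character" means ASCII control characters.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in uri):
        findings.append((502, "Illegal Character in URI"))
    # Assumption: "disabled characters" is a caller-supplied set.
    if any(c in disabled_chars for c in uri):
        findings.append((507, "Invalid Use of Character"))

    raw = _percent_decode(uri)
    if raw is None:
        findings.append((505, "Invalid Hex Encoding"))
        return findings  # nothing further can be decoded reliably
    try:
        decoded = raw.decode("utf-8")  # strict: rejects overlong forms
    except UnicodeDecodeError as exc:
        # A sequence cut off at end of input is 503; any other decode
        # failure (bad start byte, bad continuation, overlong) is 504.
        if exc.reason == "unexpected end of data":
            findings.append((503, "Incomplete UTF8 Sequence"))
        else:
            findings.append((504, "Invalid UTF8 encoding"))
        return findings

    # Event 508: one decoding pass yielded another %nn escape (e.g. %25xx).
    if _ESCAPE.search(decoded):
        findings.append((508, "Double Decoding Exploit"))
    if _escapes_root(decoded):
        findings.append((501, "Invalid Traversal"))
    return findings


def event_ids(uri: str, **kw) -> list[int]:
    """Convenience wrapper: just the event IDs, in detection order."""
    return [eid for eid, _ in check_uri(uri, **kw)]


if __name__ == "__main__":
    for sample in ("/index.html", "/a/../../etc/passwd", "/x%G1",
                   "/x%E2%82", "/%C0%AF", "/a%252e%252e/b"):
        print(repr(sample), "->", check_uri(sample))
```

Two points are worth noting from the code. The 508 check is ordered after a single decode on purpose: the table's "%25xx" pattern only becomes visible once the first layer of encoding is removed, and a matcher that runs on the raw string would either miss it or have to decode twice itself. And 504 covers overlong forms such as %C0%AF because a strict UTF-8 decoder rejects them; a lenient decoder that mapped them to "/" would silently defeat the traversal check.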