For general best practices related to events, see Events in Server & Workload Protection.
To see the firewall events captured by Server & Workload Protection, go to Events & Reports > Events > Firewall Events.
Firewall event icons:
  • Single event
  • Single event with data
  • Folded event
  • Folded event with data
Note
  1. To search by user name on the Firewall Events tab, you must use the advanced search option.
  2. Event folding occurs when multiple events of the same type occur in succession. This saves disk space and protects against DoS attacks that may attempt to overload the logging mechanism.

What information is displayed for firewall events?

These columns can be displayed on the firewall events page. You can click Columns to select which columns are displayed in the table.
  • Time: Time the event took place on the computer.
  • Computer: The computer on which this event was logged. (If the computer has been removed, this entry will read "Unknown Computer".)
  • Reason: Log entries on this page are generated either by firewall rules or by firewall stateful configuration settings. If an entry is generated by a firewall rule, the column entry will be prefaced by "Firewall Rule:" followed by the name of the firewall rule. Otherwise the column entry will display the firewall stateful configuration setting that generated the log entry.
  • Tag(s): Event tags that are applied to this event.
  • Action: The action taken by the firewall rule or firewall stateful configuration. Possible actions are: Allow, Deny, Force Allow, and Log Only.
  • Rank: The ranking system provides a way to quantify the importance of intrusion prevention and firewall events. By assigning "asset values" to computers, and assigning "severity values" to intrusion prevention rules and firewall rules, the importance ("rank") of an event is calculated by multiplying the two values together. This allows you to sort events by rank when viewing intrusion prevention or firewall events.
  • Direction: The direction of the affected packet (incoming or outgoing).
  • Interface: The MAC address of the interface through which the packet was traveling.
  • Frame Type: The frame type of the packet in question. Possible values are "IPV4", "IPV6", "ARP", "REVARP", and "Other: XXXX" where XXXX represents the four digit hex code of the frame type.
  • Protocol: Possible values are "ICMP", "ICMPV6", "IGMP", "GGP", "TCP", "PUP", "UDP", "IDP", "ND", "RAW", "TCP+UDP", and "Other: nnn" where nnn represents a three digit decimal value.
  • Flags: Flags set in the packet.
  • Source IP: The packet's source IP.
  • Source MAC: The packet's source MAC address.
  • Source Port: The packet's source port.
  • Destination IP: The packet's destination IP address.
  • Destination MAC: The packet's destination MAC address.
  • Destination Port: The packet's destination port.
  • Packet Size: The size of the packet in bytes.
  • Repeat Count: The number of times the event was sequentially repeated.
  • Time (microseconds): Microsecond resolution for the time the event took place on the computer.
  • Event Origin: The Server & Workload Protection component from which the event originated.
The following columns are also available. They display information for events that are triggered from containers on computers that are protected by agent version 12 FR or newer:
  • Interface Type: Container interface type.
  • Container Name: Name of the container where the event occurred.
  • Container ID: Container ID of the container where the event occurred.
  • Image Name: Image name that was used to create the container where the event occurred.
  • RepoDigest: A unique digest that identifies the container image.
  • Process Name: Name of the process (from the container) that caused the event.
Note
Log-only rules will only generate a log entry if the packet in question is not subsequently stopped either by a deny rule, or an allow rule that excludes it. If the packet is stopped by one of those two rules, those rules will generate a log entry and not the log-only rule. If no subsequent rules stop the packet, the log-only rule will generate an entry.
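The two mechanisms described above that are easy to get wrong when you process exported firewall events elsewhere (for example in a SIEM) are event folding (note 2: consecutive events of the same type collapse into one record with a Repeat Count) and the Rank column (asset value of the computer multiplied by the severity value of the rule). The following is an added example in Python, not code from Server & Workload Protection; it uses the column names from this page, but the exact set of fields the product compares when deciding that two consecutive events are "the same type", and the severity used for entries generated by firewall stateful configuration rather than a named rule, are assumptions. The sample events, asset values and severities are constructed.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional


@dataclass(frozen=True)
class FirewallEvent:
    """One row of the Firewall Events table, using the column names from the page."""
    time: str
    computer: str
    reason: str            # "Firewall Rule: <name>" or a stateful configuration setting
    action: str            # Allow, Deny, Force Allow or Log Only
    direction: str         # incoming or outgoing
    protocol: str
    source_ip: str
    source_port: int
    destination_ip: str
    destination_port: int
    repeat_count: int = 1


# Fields that must match for two consecutive events to count as "the same type".
# Assumption: the page does not list the exact fields the product compares when folding.
FOLD_FIELDS = ("computer", "reason", "action", "direction", "protocol",
               "source_ip", "source_port", "destination_ip", "destination_port")


def fold_key(ev: FirewallEvent) -> tuple:
    return tuple(getattr(ev, f) for f in FOLD_FIELDS)


def fold_events(events: List[FirewallEvent]) -> List[FirewallEvent]:
    """Collapse each run of consecutive same-type events into a single record whose
    Repeat Count is the length of the run. The time of the first event in the run is kept.
    A run ends as soon as a different event appears, so the same type can fold again later."""
    folded: List[FirewallEvent] = []
    for ev in events:
        if folded and fold_key(folded[-1]) == fold_key(ev):
            last = folded[-1]
            folded[-1] = replace(last, repeat_count=last.repeat_count + ev.repeat_count)
        else:
            folded.append(ev)
    return folded


def rule_name(reason: str) -> Optional[str]:
    """Return the firewall rule name from a Reason value, or None when the entry was
    generated by firewall stateful configuration (no "Firewall Rule:" prefix)."""
    prefix = "Firewall Rule: "
    return reason[len(prefix):] if reason.startswith(prefix) else None


def rank(ev: FirewallEvent, asset_values: Dict[str, int], rule_severities: Dict[str, int],
         default_asset: int = 1, default_severity: int = 1) -> int:
    """Rank = asset value of the computer x severity value of the firewall rule.
    Assumption: stateful-configuration entries carry no rule severity, so a default is used."""
    asset = asset_values.get(ev.computer, default_asset)
    name = rule_name(ev.reason)
    severity = rule_severities.get(name, default_severity) if name is not None else default_severity
    return asset * severity


def sort_by_rank(events: List[FirewallEvent], asset_values: Dict[str, int],
                 rule_severities: Dict[str, int]) -> List[FirewallEvent]:
    """Highest rank first; sorted() is stable, so equal ranks keep their original order."""
    return sorted(events, key=lambda ev: rank(ev, asset_values, rule_severities), reverse=True)


# Constructed sample data (not taken from any real deployment).
ASSET_VALUES = {"web-01": 2, "db-01": 5}
RULE_SEVERITIES = {"Block SSH": 3, "Log DB Access": 4}


def _ev(time, computer, reason, action, src, dst, dport) -> FirewallEvent:
    return FirewallEvent(time, computer, reason, action, "incoming", "TCP", src, 40000, dst, dport)


SAMPLE_EVENTS = [
    _ev("2024-01-01T10:00:00", "web-01", "Firewall Rule: Block SSH", "Deny", "203.0.113.7", "192.0.2.10", 22),
    _ev("2024-01-01T10:00:01", "web-01", "Firewall Rule: Block SSH", "Deny", "203.0.113.7", "192.0.2.10", 22),
    _ev("2024-01-01T10:00:02", "web-01", "Firewall Rule: Block SSH", "Deny", "203.0.113.7", "192.0.2.10", 22),
    _ev("2024-01-01T10:00:03", "db-01", "Firewall Rule: Log DB Access", "Log Only", "192.0.2.10", "192.0.2.20", 5432),
    _ev("2024-01-01T10:00:04", "web-01", "Out Of Allowed Policy", "Deny", "203.0.113.9", "192.0.2.10", 8080),
    _ev("2024-01-01T10:00:05", "web-01", "Firewall Rule: Block SSH", "Deny", "203.0.113.7", "192.0.2.10", 22),
]

if __name__ == "__main__":
    for ev in sort_by_rank(fold_events(SAMPLE_EVENTS), ASSET_VALUES, RULE_SEVERITIES):
        print(rank(ev, ASSET_VALUES, RULE_SEVERITIES), ev.computer, ev.reason,
              ev.action, f"x{ev.repeat_count}")
```

Two things the output makes visible: the six raw events fold to four records (the final Block SSH event does not merge with the first run because a different event sits between them), and a single Log Only event on a high-value computer outranks a run of three denies on a lower-value one, which is exactly what the asset value x severity product is meant to express.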

List of all firewall events

Each entry lists the event ID, the event name, and the notes for that event (where the product provides any).
  • 100 Out Of Connection
    A packet was received that was not associated with an existing connection.
  • 101 Invalid Flags
    Flag(s) set in a packet were invalid. This event can indicate that a flag does not make sense within the context of the current connection (if any), or that a nonsensical combination of flags was set. "Firewall Stateful Configuration" must be On for connection context to be assessed.
  • 102 Invalid Sequence
    A packet with an invalid sequence number or out-of-window data size was encountered.
  • 103 Invalid ACK
    A packet with an invalid acknowledgment number was encountered.
  • 104 Internal Error
  • 105 CE Flags
    A packet has congestion flags set and the policy's Anti-Evasion settings use a custom configuration where the TCP Congestion Flags property is set to Log or Deny. (See Configure anti-evasion settings.)
  • 106 Invalid IP
    The packet's source IP was not valid.
  • 107 Invalid IP Datagram Length
    The length of the IP datagram is less than the length specified in the IP header.
  • 108 Fragmented
    A fragmented packet was encountered, and your environment has set IP Packet Inspection to deny incoming fragmented packets.
  • 109 Invalid Fragment Offset
  • 110 First Fragment Too Small
    A fragmented packet was encountered, and the size of the first fragment is less than the size of a TCP packet (no data). A packet is dropped with this event when the packet header has the following configuration:
    • Fragment Offset = 0 (the fragment is the first in the packet)
    • Total length (maximum combined header length) < 120 bytes (the default allowed minimum fragment size)
    To prevent this event from occurring, configure the policy's Advanced Network Engine settings to use a lower value for the Minimum Fragment Size property, or set it to 0 to turn off this inspection. (See "Advanced Network Engine Options" in Computer and policy editor settings.)
  • 111 Fragment Out Of Bounds
    The offset(s) specified in a fragmented packet sequence are outside the range of the maximum size of a datagram.
  • 112 Fragment Offset Too Small
    A fragmented packet was encountered, and the size of the fragment was less than the size of a TCP packet (no data).
  • 113 IPv6 Packet
    An IPv6 packet was encountered, and IPv6 blocking is enabled. See the "Block IPv6 on Agents and Appliances versions 9 and later" property in the Advanced Network Engine Options (see Computer and policy editor settings).
  • 114 Max Incoming Connections
    The number of incoming connections has exceeded the maximum number of connections allowed. See the "Enable TCP stateful inspection" property in TCP Packet Inspection.
  • 115 Max Outgoing Connections
    The number of outgoing connections has exceeded the maximum number of connections allowed. See the "Enable TCP stateful inspection" property in TCP Packet Inspection.
  • 116 Max SYN Sent
    The number of half-open connections from a single computer exceeds that specified in the firewall stateful configuration. See the "Limit the number of half-open connections from a single computer to" property in TCP Packet Inspection.
  • 118 IP Version Unknown
    An IP packet other than IPv4 or IPv6 was encountered.
  • 119 Invalid Packet Info
  • 120 Internal Engine Error
    Insufficient system memory. Add more system resources to fix this issue.
  • 121 Unsolicited UDP
    Incoming UDP packets that were not solicited by the computer are rejected.
  • 122 Unsolicited ICMP
    ICMP stateful inspection has been enabled (in firewall stateful configuration) and an unsolicited packet that does not match any Force Allow rules was received.
  • 123 Out Of Allowed Policy
    The packet does not meet any of the Allow or Force Allow rules and so is implicitly denied.
  • 124 Invalid Port Command
    An invalid FTP PORT command was encountered in the FTP control channel data stream.
  • 125 SYN Cookie Error
    The SYN cookies protection mechanism encountered an error.
  • 126 Invalid Data Offset
    Invalid data offset parameter.
  • 127 No IP Header
    The packet IP header is invalid or incomplete.
  • 128 Unreadable Ethernet Header
    Data contained in this Ethernet frame is smaller than the Ethernet header.
  • 129 Undefined
  • 130 Same Source and Destination IP
    Source and destination IPs were identical.
  • 131 Invalid TCP Header Length
  • 132 Unreadable Protocol Header
    The packet contains an unreadable TCP, UDP or ICMP header.
  • 133 Unreadable IPv4 Header
    The packet contains an unreadable IPv4 header.
  • 134 Unknown IP Version
    Unrecognized IP version.
  • 135 Invalid Adapter Configuration
    An invalid adapter configuration has been received.
  • 136 Overlapping Fragment
    This packet fragment overlaps a previously sent fragment.
  • 138 Packet on Closed Connection
    A packet was received belonging to a connection that is already closed.
  • 139 Dropped Retransmit
    The network engine detected a TCP packet that overlaps with data already received on the same TCP connection but does not match the already-received data. (The network engine compares the packet data that was queued in the engine’s connection buffer to the data in the packet that was retransmitted.)
    The network engine reconstructs the sequenced data stream of each TCP connection it processes. The sequence number and length in the received packet specify a specific region in this data stream. The note field in the log indicates the location of the changed content in the TCP stream: prev-full, prev-part, next-full and next-part:
    • "prev-full" and "prev-part": The changed area is in the packet that immediately precedes the retransmitted packet in the sequenced data stream. "prev-full" indicates that the changed area is completely contained in the packet which immediately precedes the retransmitted packet in the sequenced data stream. Otherwise, the note is "prev-part".
    • "next-full" and "next-part": The changed area is in the packet that immediately follows the retransmitted packet in the sequenced data stream. "next-full" indicates that the changed area is completely contained in the packet that immediately follows the retransmitted packet in the sequenced data stream. Otherwise, the note is "next-part".
  • 140 Undefined
  • 141 Out of Allowed Policy (Open Port)
  • 142 New Connection Initiated
  • 143 Invalid Checksum
  • 144 Invalid Hook Used
  • 145 IP Zero Payload
  • 146 IPv6 Source Is Multicast
  • 147 Invalid IPv6 Address
  • 148 IPv6 Fragment Too Small
  • 149 Invalid Transport Header Length
  • 150 Out of Memory
  • 151 Max TCP Connections
    The maximum number of TCP connections has been exceeded. See Increase the maximum allowed TCP connections.
  • 152 Max UDP Connections
  • 200 Region Too Big
    A region (edit region, URI, etc.) exceeded the maximum allowed buffering size (7570 bytes) without being closed. This is usually because the data does not conform to the protocol.
  • 201 Insufficient Memory
    The packet could not be processed properly because resources were exhausted. This can be because too many concurrent connections require buffering (max 2048) or matching resources (max 128) at the same time, or because of excessive matches in a single IP packet (max 2048), or simply because the system is out of memory.
  • 202 Maximum Edits Exceeded
    The maximum number of edits (32) in a single region of a packet was exceeded.
  • 203 Edit Too Large
    Editing attempted to increase the size of the region above the maximum allowed size (8188 bytes).
  • 204 Max Matches in Packet Exceeded
    There are more than 2048 positions in the packet with pattern match occurrences. An error is returned at this limit and the connection is dropped, because this usually indicates a garbage or evasive packet.
  • 205 Engine Call Stack Too Deep
  • 206 Runtime Error
    Runtime error.
  • 207 Packet Read Error
    Low-level problem reading packet data.
  • 257 Fail Open: Deny
    Logs a packet that should have been dropped but was not, because the Fail Open feature is on and the engine is in Inline mode.
  • 300 Unsupported Cipher
    An unknown or unsupported cipher suite has been requested.
  • 301 Error Generating Master Key(s)
    Unable to derive the cryptographic keys, MAC secrets, and initialization vectors from the master secret.
  • 302 Record Layer Message (not ready)
    The SSL state engine has encountered an SSL record before initialization of the session.
  • 303 Handshake Message (not ready)
    The SSL state engine has encountered a handshake message after the handshake has been negotiated.
  • 304 Out Of Order Handshake Message
    A well-formatted handshake message has been encountered out of sequence.
  • 305 Memory Allocation Error
    The packet could not be processed properly because resources were exhausted. This can be because too many concurrent connections require buffering (max 2048) or matching resources (max 128) at the same time, or because of excessive matches in a single IP packet (max 2048), or simply because the system is out of memory.
  • 306 Unsupported SSL Version
    A client attempted to negotiate an SSL V2 session.
  • 307 Error Decrypting Pre-master Key
    Unable to unwrap the pre-master secret from the ClientKeyExchange message.
  • 308 Client Attempted to Rollback
    A client attempted to roll back to an earlier version of the SSL protocol than the one specified in the ClientHello message.
  • 309 Renewal Error
    An SSL session was being requested with a cached session key that could not be located.
  • 310 Key Exchange Error
    The server is attempting to establish an SSL session with a temporarily generated key.
  • 311 Maximum SSL Key Exchanges Exceeded
    The maximum number of concurrent key exchange requests was exceeded.
  • 312 Key Too Large
    The master secret keys are larger than specified by the protocol identifier.
  • 313 Invalid Parameters In Handshake
    An invalid or unreasonable value was encountered while trying to decode the handshake protocol.
  • 314 No Sessions Available
  • 315 Compression Method Unsupported
  • 316 Unsupported Application-Layer Protocol
    An unknown or unsupported SSL application-layer protocol has been requested.
  • 385 Fail Open: Deny
    Logs a packet that should have been dropped but was not, because the Fail Open feature is on and the engine is in Tap mode.
  • 500 URI Path Depth Exceeded
    Too many "/" separators; the maximum path depth is 100.
  • 501 Invalid Traversal
    Attempted to use "../" to traverse above the root.
  • 502 Illegal Character in URI
    An illegal character was used in the URI.
  • 503 Incomplete UTF8 Sequence
    The URI ended in the middle of a UTF-8 sequence.
  • 504 Invalid UTF8 encoding
    Invalid or non-canonical encoding attempt.
  • 505 Invalid Hex Encoding
    %nn where nn are not hex digits.
  • 506 URI Path Length Too Long
    Path length is greater than 512 characters.
  • 507 Invalid Use of Character
    Use of disabled characters.
  • 508 Double Decoding Exploit
    Double decoding exploit attempt (%25xx, %25%xxd, etc.).
  • 700 Invalid Base64 Content
    Packet content that was expected to be encoded in Base64 format was not encoded correctly.
  • 710 Corrupted Deflate/GZIP Content
    Packet content that was expected to be Deflate/GZIP-compressed was not encoded correctly.
  • 711 Incomplete Deflate/GZIP Content
    Incomplete Deflate/GZIP content.
  • 712 Deflate/GZIP Checksum Error
    Deflate/GZIP checksum error.
  • 713 Unsupported Deflate/GZIP Dictionary
    Unsupported Deflate/GZIP dictionary.
  • 714 Unsupported GZIP Header Format/Method
    Unsupported GZIP header format or method.
  • 801 Protocol Decoding Search Limit Exceeded
    A protocol decoding rule defined a limit for a search or PDU object, but the object was not found before the limit was reached.
  • 802 Protocol Decoding Constraint Error
    A protocol decoding rule decoded data that did not meet the protocol content constraints.
  • 803 Protocol Decoding Engine Internal Error
  • 804 Protocol Decoding Structure Too Deep
    A protocol decoding rule encountered a type definition and packet content that caused the maximum type nesting depth (16) to be exceeded.
  • 805 Protocol Decoding Stack Error
    A rule programming error caused recursion or too many nested procedure calls.
  • 806 Infinite Data Loop Error
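The IP-layer entries above (107, 110, 111, 112, 113, 118, 127, 130 and 133) describe checks that can be reproduced on a raw IPv4 header, which is a useful way to understand what each event means when it shows up in the log. The following is an added example in Python, not the network engine's code: it parses a datagram with the standard library and returns the event ID this page associates with the first failing check. The order of the checks, the interpretation of "Fragment Out Of Bounds" as a reassembled datagram that would exceed 65535 bytes, the 20-byte TCP header used for event 112, and the assumption that event 112 applies only to fragments that are neither first nor last are mine; the 120-byte default Minimum Fragment Size is the value given for event 110. All sample datagrams are constructed.

```python
import socket
import struct
from typing import Optional

MIN_FRAGMENT_SIZE = 120   # default "Minimum Fragment Size" for event 110, as given on the page
TCP_HEADER_LEN = 20       # "size of a TCP packet (no data)" in events 110/112; assumed to be a 20-byte header
MAX_DATAGRAM = 65535      # largest possible IPv4 datagram, used for event 111 (assumed interpretation)


def classify_ipv4(frame: bytes, block_ipv6: bool = False) -> Optional[int]:
    """Return the firewall event ID the datagram would raise, or None if it passes these checks.
    The check order is an assumption; the page does not document the engine's own order."""
    if len(frame) < 20:
        return 127                           # No IP Header: not even a minimal header present
    version = frame[0] >> 4
    if version == 6:
        return 113 if block_ipv6 else None   # IPv6 Packet: only an event when IPv6 blocking is on
    if version != 4:
        return 118                           # IP Version Unknown: neither IPv4 nor IPv6
    (ver_ihl, _tos, total_len, _ident, flags_frag,
     _ttl, _proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", frame[:20])
    ihl = (ver_ihl & 0x0F) * 4               # header length is in 4-byte words
    if ihl < 20 or total_len < ihl:
        return 133                           # Unreadable IPv4 Header: lengths contradict each other
    if len(frame) < total_len:
        return 107                           # Invalid IP Datagram Length: shorter than the header claims
    if src == dst:
        return 130                           # Same Source and Destination IP
    more_fragments = bool(flags_frag & 0x2000)
    offset = (flags_frag & 0x1FFF) * 8       # fragment offset is in 8-byte units
    payload_len = total_len - ihl
    if more_fragments or offset:
        if ihl + offset + payload_len > MAX_DATAGRAM:
            return 111                       # Fragment Out Of Bounds
        if offset == 0 and total_len < MIN_FRAGMENT_SIZE:
            return 110                       # First Fragment Too Small (the two conditions listed for 110)
        if offset and more_fragments and payload_len < TCP_HEADER_LEN:
            return 112                       # Fragment Offset Too Small (assumed: middle fragments only)
    return None


def build_ipv4(src: str, dst: str, payload: bytes, *, more_fragments: bool = False,
               offset: int = 0, claimed_len: Optional[int] = None) -> bytes:
    """Construct a minimal IPv4 datagram (no options, checksum left zero) for the samples below."""
    total_len = 20 + len(payload) if claimed_len is None else claimed_len
    flags_frag = (0x2000 if more_fragments else 0) | (offset // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, flags_frag,
                         64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


# Constructed samples, one per check. Addresses are documentation ranges (RFC 5737).
SRC, DST = "198.51.100.5", "192.0.2.10"
SAMPLES = {
    "clean": build_ipv4(SRC, DST, b"A" * 40),
    "truncated datagram": build_ipv4(SRC, DST, b"A" * 40)[:30],          # header claims 60 bytes, 30 present
    "same src and dst": build_ipv4(DST, DST, b"A" * 40),
    "first fragment too small": build_ipv4(SRC, DST, b"A" * 40, more_fragments=True),  # 60 < 120
    "fragment out of bounds": build_ipv4(SRC, DST, b"A" * 40, offset=65528),          # reassembles to 65588
    "middle fragment too small": build_ipv4(SRC, DST, b"A" * 8, more_fragments=True, offset=128),
    "bad header length": bytes([0x44]) + build_ipv4(SRC, DST, b"A" * 40)[1:],          # IHL = 16 bytes
    "unknown version": bytes(20),
    "no ip header": bytes([0x45]) + bytes(10),
    "ipv6": bytes([0x60]) + bytes(39),
}


def classify_samples(block_ipv6: bool = False):
    """Run every constructed sample through the classifier; returns {name: event id or None}."""
    return {name: classify_ipv4(frame, block_ipv6) for name, frame in SAMPLES.items()}


if __name__ == "__main__":
    for name, event_id in classify_samples(block_ipv6=True).items():
        print(f"{name:28s} -> {event_id}")
```

Running it shows why a log full of 110 events is not necessarily hostile traffic: any first fragment under 120 bytes trips the check, which is why the entry for event 110 points at the Minimum Fragment Size setting rather than at the sender.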
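The URI entries (500 to 508) are a compact specification of the normalisation a request path goes through before inspection, and the order in which decoding and checking happen decides which event fires. As an added example in Python (not the product's code), the function below applies those checks to a raw request path and returns the first matching event ID. Assumptions of mine: the set of "disabled characters" for event 507 is configurable in the product and not given on the page, so a constructed set is used; the illegal-character set for event 502 is taken to be control bytes, space and non-ASCII; and event 508 is detected generally, by decoding once and looking for a percent-escape that survived, which covers the %25xx form the page cites. Python's strict UTF-8 decoder is used for events 503 and 504, which rejects overlong (non-canonical) encodings. The sample paths are constructed.

```python
import re
import string
from typing import Optional

MAX_PATH_DEPTH = 100       # event 500
MAX_PATH_LENGTH = 512      # event 506
DISABLED_CHARS = frozenset('<>"|')                 # constructed set for event 507 (product set is configurable)
ILLEGAL_RE = re.compile(r"[\x00-\x1f\x7f ]")       # raw characters never allowed in a path (event 502, assumed)
SURVIVING_ESCAPE_RE = re.compile(rb"%[0-9A-Fa-f]{2}")

EVENT_NAMES = {
    500: "URI Path Depth Exceeded", 501: "Invalid Traversal", 502: "Illegal Character in URI",
    503: "Incomplete UTF8 Sequence", 504: "Invalid UTF8 encoding", 505: "Invalid Hex Encoding",
    506: "URI Path Length Too Long", 507: "Invalid Use of Character", 508: "Double Decoding Exploit",
}


def percent_decode(path: str) -> Optional[bytes]:
    """Decode %nn escapes once into raw bytes. Returns None if an escape is not two hex digits."""
    out = bytearray()
    i = 0
    while i < len(path):
        if path[i] == "%":
            pair = path[i + 1:i + 3]
            if len(pair) < 2 or not all(h in string.hexdigits for h in pair):
                return None
            out.append(int(pair, 16))
            i += 3
        else:
            out.append(ord(path[i]))
            i += 1
    return bytes(out)


def check_uri_path(path: str) -> Optional[int]:
    """Return the firewall event ID the URI checks would raise for this path, or None if it is clean."""
    if len(path) > MAX_PATH_LENGTH:
        return 506
    if ILLEGAL_RE.search(path) or any(ord(c) > 0x7F for c in path):
        return 502
    raw = percent_decode(path)
    if raw is None:
        return 505
    # A valid %nn escape that is still present after one decoding pass came from %25nn (double encoding).
    if SURVIVING_ESCAPE_RE.search(raw):
        return 508
    try:
        decoded = raw.decode("utf-8")            # strict: overlong forms such as %C0%AF are rejected
    except UnicodeDecodeError as err:
        return 503 if err.reason == "unexpected end of data" else 504
    if any(c in DISABLED_CHARS for c in decoded):
        return 507
    if decoded.count("/") > MAX_PATH_DEPTH:
        return 500
    depth = 0                                    # walk the segments; ".." below the root is event 501
    for segment in decoded.split("/"):
        if segment == "..":
            depth -= 1
            if depth < 0:
                return 501
        elif segment and segment != ".":
            depth += 1
    return None


# Constructed sample paths, each chosen to trip exactly one check.
SAMPLE_PATHS = {
    "clean": "/images/logo.png",
    "traversal above root": "/images/../../config",
    "short hex escape": "/file%2",
    "non-hex escape": "/file%zz",
    "double encoded dot-dot": "/%252e%252e/",
    "truncated utf8": "/caf%C3",
    "overlong utf8": "/%C0%AF",
    "raw space": "/a b",
    "disabled char": "/a%3Cb",
    "too deep": "/" * 101,
    "too long": "/x" * 300,
}


def check_samples():
    return {name: check_uri_path(p) for name, p in SAMPLE_PATHS.items()}


if __name__ == "__main__":
    for name, event_id in check_samples().items():
        print(f"{name:24s} -> {event_id} {EVENT_NAMES.get(event_id, '')}")
```

The ordering matters for triage: a path that is both double-encoded and over the depth limit reports 508 here, because the decoding checks run before the structural ones, and a different engine order would change which of the 500-series events you see for the same request.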