These log messages refer to the ARP category.
2.2.1. [ID: 142] Allowed by access rule
- Log Categories
- ARP
- Log Message
- Allowed by access rule.
- Default Log Severity
- Notice
- Parameters
- srchw, srcip, destip, recviface, rule
- Explanation
- The ARP sender IP address was verified and accepted by an access rule in the access section.
- Gateway Action
- Allow
- Action Description
- None
- Proposed Action
- Modify the access rule accordingly, if the sender should not be allowed.
2.2.2. [ID: 144] Hardware address changed
- Log Categories
- ARP
- Log Message
- Hardware address changed.
- Default Log Severity
- Notice
- Parameters
- knownip, knownhw, newhw
- Explanation
- The received ARP packet has a different hardware address compared to the previously known dynamic entry.
- Gateway Action
- Allow
- Action Description
- None
- Proposed Action
- If this is not the wanted behavior, change the setting ARPTableSettings:ARPChanges.
2.2.3. [ID: 279] Hardware address change disallowed
- Log Categories
- ARP
- Log Message
- Hardware address change disallowed.
- Default Log Severity
- Notice
- Parameters
- knownip, knownhw, newhw, pkt
- Explanation
- The received ARP packet has a different hardware address compared to the previously known dynamic entry.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- If this is not the wanted behavior, change the setting ARPTableSettings:ARPChanges.
2.2.4. [ID: 638] Hardware address change detected
- Log Categories
- ARP
- Log Message
- Hardware address change detected.
- Default Log Severity
- Warning
- Parameters
- knownip, knownhw, newhw, pkt
- Explanation
- The received ARP packet has a different hardware address compared to the previously known dynamic entry. The address will
not be updated since ARPTableSettings:ARPRequests setting does not allow updates from requests.
- Gateway Action
- Ignore
- Action Description
- None
- Proposed Action
- If hardware address changes should be allowed, both ARPTableSettings:ARPRequests and ARPTableSettings:ARPChanges must be set to allow.
2.2.5. [ID: 123] IP conflict detected
- Log Categories
- ARP
- Log Message
- IP conflict detected.
- Default Log Severity
- Warning
- Parameters
- srcip, srchw, iface, pkt
- Explanation
- A host/device using one the firewall interfaces IPs as source address were detected which could lead to connectivity problems.
- Gateway Action
- Reject
- Action Description
- Attempted to resolve the conflict by broadcasting ARP (gratuitous) ownership updates
- Proposed Action
- Check the network for incorrectly configured devices/hosts.
2.2.6. [ID: 653] IP conflict detected
- Log Categories
- ARP
- Log Message
- IP conflict detected.
- Default Log Severity
- Warning
- Parameters
- srcip, srchw, iface, pkt
- Explanation
- A host/device using one the firewall interfaces IPs as source address were detected which could lead to connectivity problems.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- Check the network for incorrectly configured devices/hosts.
2.2.7. [ID: 534] Illegal ARP sender hardware address
- Log Categories
- ARP,VALIDATE
- Log Message
- Illegal ARP sender hardware address.
- Default Log Severity
- Warning
- Parameters
- srchw, pkt
- Explanation
- A host in the network is using an illegal Ethernet sender address.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- Trace down the host and verify that it is not faulty/compromised.
2.2.8. [ID: 622] Out of memory initializing ARP
- Log Categories
- ARP,SYSTEM
- Log Message
- Out of memory initializing ARP.
- Default Log Severity
- Critical
- Parameters
-
- Explanation
- The ARP subsystem could not be initialized due to insufficient free memory.
- Gateway Action
- Abort
- Action Description
- None
- Proposed Action
- Review system wide settings and try to tweak memory consuming features to use less memory.
2.2.9. [ID: 240] Disallowed by access rule
- Log Categories
- ARP,VALIDATE
- Log Message
- Disallowed by access rule.
- Default Log Severity
- Warning
- Parameters
- srchw, srcip, destip, recviface, pkt, rule
- Explanation
- The sender IP is not allowed according to the access rules and/or routing table.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- If the address should be allowed modify the access rule and/or routing table accordingly.
2.2.10. [ID: 269] Mismatching hardware addresses
- Log Categories
- ARP,VALIDATE
- Log Message
- Mismatching hardware addresses.
- Default Log Severity
- Notice
- Parameters
- hwaddr, arphw, pkt
- Explanation
- The hardware sender address specified in the ARP data does not match the Ethernet hardware sender address.
- Gateway Action
- Allow
- Action Description
- None
- Proposed Action
- If this is not the wanted behavior, change the setting ARPTableSettings:ARPMatchEnetSender.
2.2.11. [ID: 618] Mismatching hardware addresses
- Log Categories
- ARP,VALIDATE
- Log Message
- Mismatching hardware addresses.
- Default Log Severity
- Notice
- Parameters
- hwaddr, arphw, pkt
- Explanation
- The hardware sender address specified in the ARP data does not match the Ethernet hardware sender address.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- If this is not the wanted behavior, change the setting ARPTableSettings:ARPMatchEnetSender.
2.2.12. [ID: 350] Unable to add ARP entry to cache due to no[...]
- Log Categories
- ARP
- Log Message
- Unable to add ARP entry to cache due to no free entries.
- Default Log Severity
- Error
- Parameters
- hwaddr, ip, iface, pkt
- Explanation
- Unable to store ARP cache entry due exhaustion.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- If the number of communication devices/hosts is as expected the setting ARPTableSettings:ARPCacheSize might need to be increased.
2.2.13. [ID: 377] ARP entry lost due to cache limit
- Log Categories
- ARP,STATEFUL
- Log Message
- ARP entry lost due to cache limit.
- Default Log Severity
- Warning
- Parameters
- ip, knownhw, iface
- Explanation
- The firewall need to resolve an IP address, but the current virtual system is out of free ARP entries. The ARP entry for IP
ip at interface iface has been freed in order to continue.
- Gateway Action
- Discard
- Action Description
- The firewall has been forced to discard one existing ARP entry in use
- Proposed Action
- This log is commonly seen during some denial-of-service attacks. If you think that the system should be able to handle this
amount of dynamic ARP entries, review the ARPTableSettings:ARPCacheSize setting and consider increasing it. Whether to log this event is controlled by the ARPTableSettings:LogARPOutOfEntries setting.
2.2.14. [ID: 302] No sender IP
- Log Categories
- ARP,VALIDATE
- Log Message
- No sender IP.
- Default Log Severity
- Notice
- Parameters
- pkt
- Explanation
- The source IP address of an ARP query is 0.0.0.0 which may introduce problems.
- Gateway Action
- Allow
- Action Description
- None
- Proposed Action
- If this is not the wanted behavior, change the setting ARPTableSettings:ARPQueryNoSenderIP.
2.2.15. [ID: 626] No sender IP
- Log Categories
- ARP,VALIDATE
- Log Message
- No sender IP.
- Default Log Severity
- Notice
- Parameters
- pkt
- Explanation
- The source IP address of an ARP query is 0.0.0.0 which may introduce problems.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- If this is not the wanted behavior, change the setting ARPTableSettings:ARPQueryNoSenderIP.
2.2.16. [ID: 526] ARP resolve timeout
- Log Categories
- ARP,STATEFUL
- Log Message
- ARP resolve timeout.
- Default Log Severity
- Notice
- Parameters
- localip, ip, iface, flow, user, userid
- Explanation
- The firewall failed to resolve IP ip at interface iface. The IP is not reachable via the local network; traffic to and from this address will be dropped.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- The "arpsnoop" feature will allow realtime examination of the ARP traffic at interface iface; use this to pinpoint the problem. Review the route configuration and the access rules, especially when seemingly valid ARP
replies are discarded. Verify whether is possible to route bidirectional traffic to and from IP ip at interface iface. Whether to log this event is controlled by the ARPTableSettings:LogARPResolveFailure setting.
2.2.17. [ID: 106] ARP sender hardware address is broadcast[...]
- Log Categories
- ARP,VALIDATE
- Log Message
- ARP sender hardware address is broadcast address.
- Default Log Severity
- Notice
- Parameters
- pkt
- Explanation
- The sender address specified in the ARP data matches the broadcast address which may introduce problems.
- Gateway Action
- Allow
- Action Description
- None
- Proposed Action
- If this is not the wanted behavior, change the setting ARPTableSettings:ARPBroadcast.
2.2.18. [ID: 247] ARP sender hardware address is broadcast[...]
- Log Categories
- ARP,VALIDATE
- Log Message
- ARP sender hardware address is broadcast address.
- Default Log Severity
- Warning
- Parameters
- pkt
- Explanation
- The sender address specified in the ARP data matches the broadcast address which may introduce problems.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- If this is not the wanted behavior, change the setting ARPTableSettings:ARPBroadcast.
2.2.19. [ID: 262] ARP sender hardware address is multicast[...]
- Log Categories
- ARP,VALIDATE
- Log Message
- ARP sender hardware address is multicast address.
- Default Log Severity
- Notice
- Parameters
-
- Explanation
- The sender address specified in the ARP data matches the multicast address range which may introduce problems.
- Gateway Action
- Allow
- Action Description
- None
- Proposed Action
- If this is not the wanted behavior, change the setting ARPTableSettings:ARPMulticast.
2.2.20. [ID: 117] ARP sender hardware address is multicast[...]
- Log Categories
- ARP,VALIDATE
- Log Message
- ARP sender hardware address is multicast address.
- Default Log Severity
- Notice
- Parameters
- pkt
- Explanation
- The sender address specified in the ARP data matches the multicast address range which may introduce problems.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- If this is not the wanted behavior, change the setting ARPTableSettings:ARPMulticast.
2.2.21. [ID: 308] ARP collides with static entry
- Log Categories
- ARP
- Log Message
- ARP collides with static entry.
- Default Log Severity
- Warning
- Parameters
- knowntype, knownip, knownhw, pkt
- Explanation
- The hardware sender address does not match the static entry in the ARP table and static ARP changes are not allowed.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- If the new address is correct, update the static ARP entry.
2.2.22. [ID: 584] Unsolicited ARP reply received
- Log Categories
- ARP
- Log Message
- Unsolicited ARP reply received.
- Default Log Severity
- Notice
- Parameters
- pkt
- Explanation
- An ARP reply was received even though no reply was currently expected for this IP.
- Gateway Action
- Allow
- Action Description
- The ARP reply was accepted and local ARP cache updated
- Proposed Action
- If this is not the wanted behavior, change the setting ARPTableSettings:UnsolicitedARPReplies.
2.2.23. [ID: 540] Unsolicited ARP reply received
- Log Categories
- ARP
- Log Message
- Unsolicited ARP reply received.
- Default Log Severity
- Notice
- Parameters
- pkt
- Explanation
- An ARP reply was received even though no reply was currently expected for this IP.
- Gateway Action
- Drop
- Action Description
- The ARP reply was dropped
- Proposed Action
- If this is not the wanted behavior, change the setting ARPTableSettings:UnsolicitedARPReplies.
cOS Stream 4.00.03 Log Reference Guide
