2.39. RULE

These log messages refer to the RULE category.

2.39.1. [ID: 1230] IPC error managing dynamic rules

Log Categories
RULE
Log Message
IPC error managing dynamic rules.
Default Log Severity
Error
Parameters
module, error
Explanation
An unexpected and therefore unhandled error occurred while managing dynamic rules. This may leave leaked rules in the system after they should have been removed, or reduce functionality if the module was inserting new rules and those insertions failed.
Gateway Action
None
Action Description
None
Proposed Action
The device might need to be manually restarted to get full functionality. This should be reported to the vendor of the device.

2.39.2. [ID: 1240] Dynamic rules leaked

Log Categories
RULE
Log Message
Dynamic rules leaked.
Default Log Severity
Error
Parameters
module, count
Explanation
The system failed to remove rules that were dynamically set up by the module. Leaking, that is, leaving unwanted dynamic rules in place, is a last resort after all attempts to remove them have failed.
Gateway Action
None
Action Description
None
Proposed Action
The device might need to be manually restarted to get rid of those unwanted rules. This should be reported to the vendor of the device.

2.39.3. [ID: 1133] Blacklist rule added

Log Categories
RULE,BLACKLIST
Log Message
Blacklist rule added.
Default Log Severity
Information
Parameters
srcip, destip, proto, recviface
Explanation
A new blacklist rule has been added.
Gateway Action
None
Action Description
None
Proposed Action
None

2.39.4. [ID: 1164] Blacklist rule table size set to

Log Categories
RULE,BLACKLIST
Log Message
Blacklist rule table size set to.
Default Log Severity
Information
Parameters
size
Explanation
The maximum number of simultaneous blacklist entries has been changed to the given size.
Gateway Action
None
Action Description
None
Proposed Action
None

2.39.5. [ID: 1141] Blacklist rule removed

Log Categories
RULE,BLACKLIST
Log Message
Blacklist rule removed.
Default Log Severity
Information
Parameters
srcip, destip, proto, recviface
Explanation
A blacklist rule has been removed either because it timed out or because the user manually removed it via the CLI.
Gateway Action
None
Action Description
None
Proposed Action
None

2.39.6. [ID: 1165] Blacklist rule replaced

Log Categories
RULE,BLACKLIST
Log Message
Blacklist rule replaced.
Default Log Severity
Information
Parameters
srcip, destip, proto, srcip, destip, proto, recviface, recviface
Explanation
A randomly selected blacklist rule has been replaced with another rule.
Gateway Action
None
Action Description
None
Proposed Action
None

2.39.7. [ID: 649] Flow HA sync disallowed by access rule

Log Categories
RULE,FLOW,HA
Log Message
Flow HA sync disallowed by access rule.
Default Log Severity
Notice
Parameters
srcip, destip, recviface, matchkey, rule
Explanation
The access rules on the inactive HA node did not allow this flow to be installed.
Gateway Action
Skip
Action Description
None
Proposed Action
This event can be caused by having different configurations on the HA nodes. Running a cluster with different configurations on the nodes is not recommended; consider synchronizing the configurations.

2.39.8. [ID: 643] Flow HA sync failed due to address[...]

Log Categories
RULE,FLOW,HA
Log Message
Flow HA sync failed due to address translation mismatch.
Default Log Severity
Notice
Parameters
matchkey, rule
Explanation
The flow could not be installed on the inactive node because the rules on the inactive node specify a different address translation than the rules on the active node.
Gateway Action
Skip
Action Description
None
Proposed Action
This event can be caused by having different configurations on the HA nodes. Running a cluster with different configurations on the nodes is not recommended; consider synchronizing the configurations.

2.39.9. [ID: 1150] Flow HA sync disallowed by blacklist rule

Log Categories
RULE,FLOW,HA,BLACKLIST
Log Message
Flow HA sync disallowed by blacklist rule.
Default Log Severity
Notice
Parameters
srcip, destip, recviface, matchkey, rule
Explanation
The blacklist rules on the inactive HA node did not allow this flow to be installed.
Gateway Action
Skip
Action Description
None
Proposed Action
This event can be caused by having different blacklist rules on the HA nodes. Running a cluster with different blacklist rules on the nodes is not recommended; consider synchronizing the blacklist rules.

2.39.10. [ID: 1662] Source IP not routed on receive interface

Log Categories
RULE,FLOW,HA
Log Message
Source IP not routed on receive interface.
Default Log Severity
Notice
Parameters
srcip, destip, recviface, matchkey, srcroute
Explanation
The flow could not be installed on the inactive node due to the source IP of the flow not being routed over the receive interface of the flow according to the inactive node's configuration.
Gateway Action
Skip
Action Description
None
Proposed Action
This event can be caused by having different configurations on the HA nodes. Running a cluster with different configurations on the nodes is not recommended; consider synchronizing the configurations.

2.39.11. [ID: 647] Flow HA sync failed due to no route to[...]

Log Categories
RULE,FLOW,HA
Log Message
Flow HA sync failed due to no route to destination.
Default Log Severity
Notice
Parameters
destip, iface, matchkey
Explanation
The flow could not be installed on the inactive node due to no route to the destination.
Gateway Action
Skip
Action Description
None
Proposed Action
This event can be caused by having different configurations on the HA nodes. Running a cluster with different configurations on the nodes is not recommended; consider synchronizing the configurations.

2.39.12. [ID: 659] Flow HA sync failed due to no route to source

Log Categories
RULE,FLOW,HA
Log Message
Flow HA sync failed due to no route to source.
Default Log Severity
Notice
Parameters
srcip, iface, matchkey
Explanation
The flow could not be installed on the inactive node due to no route to the source.
Gateway Action
Skip
Action Description
None
Proposed Action
This event can be caused by having different configurations on the HA nodes. Running a cluster with different configurations on the nodes is not recommended; consider synchronizing the configurations.

2.39.13. [ID: 1738] Flow HA sync disallowed by the ruleset

Log Categories
RULE,FLOW,HA
Log Message
Flow HA sync disallowed by the ruleset.
Default Log Severity
Notice
Parameters
matchkey, geoip, rule
Explanation
The flow could not be installed on the inactive node since the flow was disallowed by the inactive node's ruleset.
Gateway Action
Skip
Action Description
None
Proposed Action
This event can be caused by having different configurations on the HA nodes. Running a cluster with different configurations on the nodes is not recommended; consider synchronizing the configurations.

2.39.14. [ID: 1739] Flow HA sync failed due to configuration[...]

Log Categories
RULE,FLOW,HA
Log Message
Flow HA sync failed due to configuration mismatch.
Default Log Severity
Notice
Parameters
matchkey, rule
Explanation
The flow could not be installed on the inactive node since the packets on the flow should be processed in a different way according to the inactive node's ruleset.
Gateway Action
Skip
Action Description
None
Proposed Action
This event can be caused by having different configurations or licenses on the HA nodes. Running a cluster with different configurations or licenses on the nodes is not recommended; consider synchronizing the configurations and using identical licenses. Comparing rulesnoop output for the affected flow between the nodes might help to pinpoint the difference.

2.39.15. [ID: 1741] Flow HA sync failed due to HA sync status[...]

Log Categories
RULE,FLOW,HA
Log Message
Flow HA sync failed due to HA sync status mismatch.
Default Log Severity
Notice
Parameters
matchkey, rule
Explanation
The flow could not be installed on the inactive node since according to the inactive node's ruleset this flow should not be HA synced.
Gateway Action
Skip
Action Description
None
Proposed Action
This event can be caused by having different configurations on the HA nodes. Running a cluster with different configurations on the nodes is not recommended; consider synchronizing the configurations.

2.39.16. [ID: 1395] Source address matches translation prefix

Log Categories
RULE,NAT64
Log Message
Source address matches translation prefix.
Default Log Severity
Notice
Parameters
prefix, matchkey, rule
Explanation
A packet with a source address matching the prefix used in protocol translation has been dropped. This is done to prevent hairpinning loops.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.39.17. [ID: 1088] Max sessions reached on ALG

Log Categories
RULE,FTPALG,SIPALG,DNSALG,GTPINSPECTION
Log Message
Max sessions reached on ALG.
Default Log Severity
Warning
Parameters
profile, type, max, pkt, rule, ruletype, ruleorigin
Explanation
The number of sessions on an ALG has reached the limit configured in the profile in use.
Gateway Action
Drop
Action Description
None
Proposed Action
If the MaxSessions limit is reached under normal usage patterns, try increasing the MaxSessions on the profile used to allow more sessions through.

2.39.18. [ID: 109] Packet received open

Log Categories
RULE
Log Message
Packet received open.
Default Log Severity
Notice
Parameters
flow, rule, user, userid
Explanation
A packet that is allowed to be forwarded according to the configuration was received. The traffic is configured to be allowed according to the rule set.
Gateway Action
Open
Action Description
None
Proposed Action
None

2.39.19. [ID: 431] Packet received reject

Log Categories
RULE
Log Message
Packet received reject.
Default Log Severity
Notice
Parameters
flow, rule, user, userid
Explanation
A packet that is allowed to be forwarded according to the configuration was received. The traffic is configured to be rejected according to the rule set.
Gateway Action
Open
Action Description
None
Proposed Action
None

2.39.20. [ID: 1209] Unsupported protocol combination for ALG

Log Categories
RULE,FTPALG,SIPALG,DNSALG,GTPINSPECTION
Log Message
Unsupported protocol combination for ALG.
Default Log Severity
Notice
Parameters
type, proto, pkt, rule, ruletype, ruleorigin
Explanation
The matching rule specified to use an Application Layer Gateway (ALG) to process the traffic but the selected ALG does not support the protocols used by the packet.
Gateway Action
Drop
Action Description
None
Proposed Action
None

2.39.21. [ID: 238] Allowed by access rule

Log Categories
RULE
Log Message
Allowed by access rule.
Default Log Severity
Notice
Parameters
pkt, rule
Explanation
The sender IP address was verified and accepted by an access rule in the access section.
Gateway Action
Allow
Action Description
None
Proposed Action
Modify the access rule accordingly, if the sender should not be allowed.

2.39.22. [ID: 242] Disallowed by access rule

Log Categories
RULE
Log Message
Disallowed by access rule.
Default Log Severity
Notice
Parameters
srcip, destip, recviface, pkt, rule
Explanation
The packet was dropped since the configuration, that is, access rules, does not allow packets from this sender to arrive at that interface.
Gateway Action
Drop
Action Description
None
Proposed Action
If the decision to drop the packet was correct but you do not want any logs, then either change the LogEnabled property on the access rule (if the rule is an explicitly configured access rule), add an access rule that drops the packet silently, or configure a log message exception in the log receiver to ignore this message. If the decision to drop the packet was incorrect, there are two cases. If the rule is an explicitly configured access rule, modify it, and possibly other access rules, accordingly. Otherwise, start by verifying that the routing is correctly configured for the sender's address, since routes provide automatic access rules. If that does not help, that is, in setups where packets from the sender arrive on a different interface than the one over which packets to the sender are routed, add an access rule accepting the sender's address on the receive interface.

2.39.23. [ID: 1661] Source IP not routed on receive interface

Log Categories
RULE,ROUTE,IPSPOOFING
Log Message
Source IP not routed on receive interface.
Default Log Severity
Notice
Parameters
srcip, destip, recviface, srcroute, pkt
Explanation
The packet was dropped since the source IP of the packet is not routed over the receive interface of the packet. This event could indicate that someone is trying to use a spoofed IP address.
Gateway Action
Drop
Action Description
None
Proposed Action
This is an effect of the automatic reverse path ingress filtering of the system, based on the routes known to the system. The default policy is essentially "strict reverse path forwarding": to be acceptable, a packet must be received on the interface through which packets to the packet's source IP would be routed out. In some scenarios, for instance where asymmetric routing is used, this is too strict. Exceptions can then be made by marking interfaces as security equivalent or by adding explicit access rules that allow packets from the source IP on this interface even though packets to the source IP will be sent over some other interface.

2.39.24. [ID: 1653] Receive sub interface id mismatch with route[...]

Log Categories
RULE,ROUTE,IPSPOOFING
Log Message
Receive sub interface id mismatch with route to source IP.
Default Log Severity
Notice
Parameters
srcip, destip, recviface, srcroute, pkt
Explanation
The packet was dropped since the source IP is routed on another sub interface id (belongs to another client) than the packet was received from. This event could indicate that someone is trying to use a spoofed IP address.
Gateway Action
Drop
Action Description
None
Proposed Action
This is an effect of the automatic reverse path ingress filtering of the system, based on the routes known to the system. The default policy is essentially "strict reverse path forwarding": to be acceptable, a packet must be received on the interface through which packets to the packet's source IP would be routed out. In some scenarios, for instance where asymmetric routing is used, this is too strict. Exceptions can then be made by marking interfaces as security equivalent or by adding explicit access rules that allow packets from the source IP on this interface even though packets to the source IP will be sent over some other interface.
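The following is an added illustrative model of the ingress decisions described for IDs 238, 242, 129, 1661 and 1653 above; it is not the gateway's own code. It assumes a constructed routing table, an assumed representation of security-equivalent interfaces and explicit access rules, and that explicit access rules are consulted before route-derived ones.

```python
from ipaddress import ip_address, ip_network

# Constructed routing table for the model: (prefix, interface, sub-interface id or None).
ROUTES = [
    (ip_network("10.1.0.0/16"), "lan", None),
    (ip_network("10.2.0.0/16"), "dmz", None),
    (ip_network("10.3.1.0/24"), "vlan", 10),
    (ip_network("10.3.2.0/24"), "vlan", 20),
    (ip_network("203.0.113.0/24"), "wan", None),
]
# Interfaces marked as security equivalent (assumed representation: sets of names).
SECURITY_EQUIVALENT = [{"lan", "dmz"}]
# Explicitly configured access rules: (source prefix, receive interface, action).
ACCESS_RULES = [
    (ip_network("10.2.7.0/24"), "wan", "Allow"),  # asymmetric-routing exception
    (ip_network("10.1.5.0/24"), "lan", "Drop"),   # explicit deny of one subnet
]


def lookup_route(ip):
    """Longest-prefix match; returns (interface, sub-interface id) or None."""
    best = None
    for prefix, iface, subid in ROUTES:
        if ip in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface, subid)
    return None if best is None else (best[1], best[2])


def check_ingress(srcip, recviface, recv_subid=None):
    """Return (gateway action, log id) for a packet's source address.

    Log ids are the ones documented above: 238/242 for explicit access
    rules, 129 for no route to source, 1661/1653 for reverse path mismatches.
    """
    ip = ip_address(srcip)
    # Assumption of this model: explicit access rules are checked before routes.
    for prefix, iface, action in ACCESS_RULES:
        if ip in prefix and iface == recviface:
            return (action, 238 if action == "Allow" else 242)
    route = lookup_route(ip)
    if route is None:
        return ("Drop", 129)          # No route to source
    route_iface, route_subid = route
    if route_iface == recviface:
        if route_subid is not None and route_subid != recv_subid:
            return ("Drop", 1653)     # receive sub-interface id mismatch
        return ("Allow", None)        # the route supplies an automatic access rule
    if any(route_iface in g and recviface in g for g in SECURITY_EQUIVALENT):
        return ("Allow", None)        # security-equivalent interface exception
    return ("Drop", 1661)             # strict reverse path check failed
```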

2.39.25. [ID: 394] Local Undelivered

Log Categories
RULE
Log Message
Local Undelivered.
Default Log Severity
Warning
Parameters
pkt
Explanation
Packet destined for the firewall itself was not picked up by any local service.
Gateway Action
Drop
Action Description
None
Proposed Action
Verify the configuration of the corresponding service if the packet should be processed.

2.39.26. [ID: 471] No route to destination

Log Categories
RULE
Log Message
No route to destination.
Default Log Severity
Warning
Parameters
destip, iface, pkt
Explanation
Further processing of the received packet is not allowed because no route covers the destination address.
Gateway Action
Drop
Action Description
None
Proposed Action
Configure route support for the destination if it should be allowed.

2.39.27. [ID: 129] No route to source

Log Categories
RULE
Log Message
No route to source.
Default Log Severity
Warning
Parameters
srcip, iface, pkt
Explanation
Further processing of the received packet is not allowed because no route covers the source address.
Gateway Action
Drop
Action Description
None
Proposed Action
Configure route support for the source if it should be allowed.

2.39.28. [ID: 1737] Denied by the ruleset

Log Categories
RULE
Log Message
Denied by the ruleset.
Default Log Severity
Notice
Parameters
matchkey, geoip, rule
Explanation
A rule lookup, other than one to set up a new flow for a packet, matched a deny rule. An example of such a rule lookup is the reevaluation of existing flows after rule changes.
Gateway Action
Deny
Action Description
None
Proposed Action
Modify the ruleset accordingly, if the traffic should be allowed.

2.39.29. [ID: 514] Packet dropped by the ruleset

Log Categories
RULE
Log Message
Packet dropped by the ruleset.
Default Log Severity
Warning
Parameters
pkt, geoip, rule
Explanation
Further processing of the received packet is not allowed because it matched a drop rule in the ruleset.
Gateway Action
Drop
Action Description
None
Proposed Action
Modify the ruleset accordingly, if the traffic should be allowed.

2.39.30. [ID: 384] Non-NATable IP protocol

Log Categories
RULE,SYSTEM,PORTMGR
Log Message
Non-NATable IP protocol.
Default Log Severity
Warning
Parameters
proto, localip, destip, rule
Explanation
Network Address Translation (NAT) is only fully supported for TCP, UDP and ICMP flows. Address translation will still be applied to flows with IP protocol number proto, but it is only possible to have one such flow open between the source and destination IP pair localip-destip.
Gateway Action
Ignore
Action Description
None
Proposed Action
Modify the rule rule to only include NATable protocols.

2.39.31. [ID: 520] Could not allocate NAT port

Log Categories
RULE,SYSTEM,PORTMGR
Log Message
Could not allocate NAT port.
Default Log Severity
Error
Parameters
localip, destip, rule
Explanation
A NAT flow could not be opened since dynamic port allocation failed for the source and destination IP pair localip-destip.
Gateway Action
Drop
Action Description
None
Proposed Action
The system might be low on RAM or all ports for the specified source and destination IP pair might be allocated.

2.39.32. [ID: 987] Could not allocate NAT IP from NATPool

Log Categories
RULE,SYSTEM,NATPOOL
Log Message
Could not allocate NAT IP from NATPool.
Default Log Severity
Critical
Parameters
pool, srcip, rule
Explanation
The system failed to set up a new flow since allocation of a dynamic NAT IP from a NAT Pool failed.
Gateway Action
Drop
Action Description
None
Proposed Action
Review NAT Pool related log messages for an indication why this event occurred.

2.39.33. [ID: 1158] Whitelist prevents blacklist action from[...]

Log Categories
RULE,THRESHOLD,FLOW,BLACKLIST
Log Message
Whitelist prevents blacklist action from being executed.
Default Log Severity
Warning
Parameters
conflictrule, thresholdset, matchkey, rule
Explanation
A flow setup attempt triggered the given thresholdset in the threshold rule conflictrule. The flow setup attempt should have been blocked and blacklisted, but this was overruled by the whitelist rule rule. The flow setup attempt has therefore been allowed.
Gateway Action
Ignore
Action Description
A threshold blacklist action was prevented from being executed by a whitelist rule
Proposed Action
Investigate why the threshold rules are triggered by whitelisted traffic. Normally this should never happen; it may signify that network resources have been compromised.