Firewall log messages explained

This is an attempt to explain the firewall messages which pop up in the web event log or the log of the remote syslog machine if you have configured the syslog feature.

Blocking log messages

These are firewall log entries which tell you that something is being blocked.

• Not enough resources: The packet was blocked because of a lack of memory.
• Port filter defense: The firewall policy is causing the packet to be blocked.
• Default defense: No firewall policy has been defined for this type of packet and so it is blocked by default.
• Disallowed destination IP: The IP address cannot be received by this interface.
• Invalid IP packet size: The IP packet is smaller than stated in its header.
• Black list defense: The IP address of this host is on the router's blacklist.
• No existing session: A packet has been received, but there is no associated session.
• Invalid fragment: The fragment is not consistent with others in the session.

Session tracking log messages

These are firewall log messages which tell you whether sessions are valid or not.

• Permitted: The packet is passed and a session has been established.
• Normal: The session has terminated normally.
• Timeout: The session has terminated due to inactivity.
• Policy migration: An existing session was terminated because of a firewall policy change.

Protocol meanings ... (Prot=)

These are part of the firewall log messages and tell you which protocol was involved.

The format of the protocol descriptions is as follows:

Protocol_Number[/Protocol_Type][/Protocol_Code]

So, for example, Blocked Prot=6 means protocol number 6 (TCP) was blocked and Blocked Prot=1/3/3 means protocol number 1 (ICMP), type 3 (destination unreachable), code 3 (port unreachable) was blocked.

See: IANA for protocol numbers and ICMP parameters for the full details on decoding these protocols, type and codes.

Back to the Info Dump