Here is a presentation of many common log messages that can be found in the firewall log.
In many messages, information about IP addresses, usernames and other changing parameters will be displayed in the log messages. In the listing, such information will be presented contained in angle brackets. The listed log message "<Username> logged on" will mean that the real message in your log will look like "admin logged on" or "Charlie logged on", that is, the <Username> will be replaced by a username on your system.
These log messages can appear when the SIP errors box has been checked on the Display Log page.
Something went wrong when the firewall tried to send a SIP packet to another SIP device. Maybe there was no TLS connection (if TLS should be used), or the device is known not to reply, or the firewall has no network connection at all on the interface facing the other device. The event number is an internal parameter to keep track of different SIP events.
The SIP device on <IP address> has been blacklisted by the firewall. This happens when the other SIP device has sent an ICMP type 3 packet in response to a SIP packet, or when the other SIP device has not responded at all to previous SIP signaling. For the latter event, you can avoid the blacklisting by setting the SIP blacklist interval on the Sessions and Media page to 0.
Something on the referred line in the SIP message does not comply with the SIP standard or is something else that the firewall does not recognize as valid SIP syntax.
The firewall sent a SIP packet to the IP address, but it hasn't responded before the message timed out. If this was a message to a SIP domain, the firewall will try next server handling this domain.
Something in the received SIP response was unexpected. It could be a very late response to a SIP request, or a message where the topmost Via header does not indicate the firewall, or something else that does not make it an invalid SIP packet in itself, but it doesn't match what has happened in the firewall.
This message will be shown when the SIP module is started. This can happen when you apply settings where the SIP module just has been activated, or when you boot the firewall or after you have pressed the Restart the SIP module button on the Restart page. It means that the firewall is now ready to receive SIP signaling over TCP.
This message will be shown when the SIP module is started. This can happen when you apply settings where the SIP module just has been activated, or when you boot the firewall or after you have pressed the Restart the SIP module button on the Restart page. It means that the firewall is now ready to receive SIP signaling over UDP.
This message will be shown when the SIP module is stopped. This can happen when you apply settings where the SIP module just has been deactivated, or when you boot the firewall or after you have pressed the Restart the SIP module button on the Restart page. It means that the firewall can no longer receive SIP signaling over TCP.
This message will be shown when the SIP module is stopped. This can happen when you apply settings where the SIP module just has been deactivated, or when you boot the firewall or after you have pressed the Restart the SIP module button on the Restart page. It means that the firewall can no longer receive SIP signaling over UDP.
These log messages can appear when the IPsec key negotiations box has been checked on the Display Log page.
The IPsec peer <peer name> sent a message during negotiation which the firewall ignores, because it can't use it. The payload type (like IPSEC_RESPONDER_LIFETIME) will give you a hint about what is the matter. The event number is a counter for how many negotiation attempts has been performed for this peer.
The firewall has no Certification Revocation List for the CA of the peer's certificate. This is not an error, but is perfectly normal. You only need a Certification Revocation List when you want to make some certificates invalid.
These log messages can appear when the Configuration server logins box has been checked on the Display Log page.
The user <Username> logged on to the web user interface. You can also see the IP address the user came from and which privileges this user has in the web interface.
The user <Username> has not saved any configuration, changed page in the web interface or done any other changes for the last ten minutes. Next time this user tries to do anything in the web interface, he will be prompted for his password again.