Appendix D – FortiClient Log Messages
Client Feature | ID | Level | Format | Description |
AntiVirus | 0x00017913 | Warning | Found malware by [AntiVirus scan|AntiVirus realtime protection] in [filesystem|email] | This message is logged when a malware is found. |
AntiVirus | 0x00017914 | Warning | Found suspicious by [AntiVirus scan|AntiVirus realtime protection] in [filesystem|disk|email] | This message is logged when a suspicious is found. |
AntiVirus | 0x00017915 | Info | User enabled Realtime AntiVirus protection | Logged when someone enables Realtime AntiVirus. |
AntiVirus | 0x00017916 | Warning | User disabled Realtime AntiVirus protection | Logged when someone disables Realtime AntiVirus. |
AntiVirus | 0x00017917 | Info | Communication error | |
AntiVirus | 0x00017918 | Warning | AntiVirus realtime protection killed malware process : [process name] | A malware process killed a malware process. |
AntiVirus | 0x0001791d | Info | av_task scan is started | This message is logged if AV scanning is started. |
AntiVirus | 0x0001791e | Info | av_task scan is stopped | This message is logged if AV scanning is stopped. |
AntiVirus | 0x00017919 | Info | av_task scan thread is suspended | This message is logged if AV scanning is paused. |
AntiVirus | 0x0001791a | Info | av_task scan thread is resumed | This message is logged if AV scanning is resumed. |
AntiVirus | 0x0001791b | Warning | av_task killed suspicious process : <filename or process name> | <filename or process name> is a suspicious process and has been terminated. |
AntiVirus | 0x0001791c | Info | Cannot start scan task | |
AntiVirus | 0x0001791f | Error | Scheduled scan failed: Path to file/folder no longer exists. | Path not found. |
AntiVirus | 0x00017920 | Warning | AntiVirus scan was stopped by a user before it finished. | The specified user stopped an AntiVirus scan. |
AntiVirus | 0x00017921 | Warning | Failed to connect to FortiSandbox server. | The sandbox server is unavailable. |
Webfilter | 0x000178f4 | Info | User enabled Webfilter | Logged when someone enables webfiltering. |
Webfilter | 0x000178f5 | Warning | User disabled Webfilter | Logged when someone disables webfiltering. |
Webfilter | 0x000178f6 | Warning | user’s access to the url [action and reason] | the action to the user’s access |
Webfilter | 0x000178f7 | Info | user’s access to the url [action and reason] | the action to the user’s access |
Webfilter | 0x000178f8 | Warning | The Webfilter Violation report was cleared [user name] | Logged when someone clears the webfilter violation report. |
Webfilter | 0x000178f9 | Warning | Unable to create proxy/webfilter communication socket. | FortiClient will not be able to determine the FortiGuard rating of URLs. |
Webfilter | 0x000178fa | Warning | Unable to retrieve the webfilter UDP port number. | FortiClient will not be able to determine the FortiGuard rating of URLs. |
Webfilter | 0x000178fb | Warning | status=warn [logged on user] temporarily disabled blocking of category [category id] ([category name]) to access [url] | The user [logged on user] proceeded to the url [url] after acknowledging a warning message. |
Application FireWall | 0x00017980 | Warning | Firewall action | |
Application FireWall | 0x00017981 | Info | Firewall action | |
Application FireWall | 0x00017982 | Info | User enabled Firewall | User enabled Firewall |
Application FireWall | 0x00017983 | Warning | User disabled Firewall | User disabled Firewall |
Application FireWall | 0x00017984 | Warning | The Application Firewall report was cleared | Logged when someone clears the application firewall report. |
Application FireWall | 0x00017985 | Warning | The application firewall has been disabled because it’s driver could not be loaded | Logged when application firewall driver could not be loaded with error 127 (The specified procedure could not be found). |
IKE VPN | 0x00017930 | Info | VPN tunnel status | VPN tunnel status |
IKE VPN | 0x00017940 | Info | IKE phase1 authentication fail as peer’s certificate is not verified. | IKE phase1 authentication fail as peer’s certificate is not verified. |
IKE VPN | 0x00017941 | Info | IKE phase1 authentication fail as the preshare key mismatch. | IKE phase1 authentication fail as the preshare key mismatch. |
IKE VPN | 0x00017931 | Warning | No response from the peer | |
IKE VPN | 0x00017932 | Warning | No response from the peer | |
IKE VPN | 0x00017933 | Warning | Received delete payload from peer check xauth password. | Received delete payload from peer check xauth password. |
IKE VPN | 0x00017934 | Error | Failed to acquire an IP address. | Failed to acquire an IP address for the virtual adapter. |
IKE VPN | 0x00017935 | Error | ike error | |
IKE VPN | 0x00017936 | Info | negotiation information | |
IKE VPN | 0x00017937 | Error | negotiation error | |
IKE VPN | 0x00017938 | Error | replayed packet detected (packet dropped) | |
IKE VPN | 0x00017939 | Info | VPN user accept the banner and continue with the tunnel setup | The VPN user accepted the banner warning. |
IKE VPN | 0x0001793a | Info | VPN user choose disconnect the tunnel or no response | The VPN user rejected the banner warning and disconnected the tunnel. |
IKE VPN | 0x0001793b | Info | locip=<ip address> locport=<port number> remip=<ip address> remport=<port number> outif=<interface> vpntunnel=<tunnel name> action=install_sa | |
IKE VPN | 0x0001793c | Info | VPN before logon was enabled | Logged when someone enables VPN before logon. |
IKE VPN | 0x0001793d | Info | VPN before logon was disabled | Logged when someone disables VPN before logon. |
IKE VPN | 0x0001793e | Error | VPN cannot connect because an authorization rule failed. | Logged when a VPN authorization rule failed. |
IKE VPN | 0x0001793f | Warning | A required application is not running. | VPN cannot connect because the specified application is not running. |
SSL VPN | 0x00017958 | Info | SSLVPN tunnel status | SSLVPN tunnel status |
Wan Acceleration | 0x00017a71 | Info | User enabled WAN Acceleration | User enabled WAN Acceleration |
Wan Acceleration | 0x00017a70 | Info | User disabled WAN Acceleration | User disabled WAN Acceleration |
Wan Acceleration | 0x0000b000 | Error | Network registry keys are missing | When enumerating the network interface subkeys |
Wan Acceleration | 0x0000b001 | Error | Network adapter is missing a description | When enumerating the network interfaces |
Wan Acceleration | 0x0000b002 | Error | Error opening redirector device | Wan acceleration will not function. |
Wan Acceleration | 0x0000b003 | Info | WAN Acceleration was enabled by [user name] | Logged when someone enables WAN Acceleration. |
Wan Acceleration | 0x0000b004 | Info | WAN Acceleration was disabled by [user name] | Logged when someone disables WAN Acceleration. |
Vulnerability Scan | 0x00017908 | Info | The vulnerability scan status has changed | A vulnerability scan status change |
Vulnerability Scan | 0x00017909 | Info | A vulnerability scan result has been logged | A Vulnerability scan result log |
Vulnerability Scan | 0x0001790a | Info | Remediating vulnerability | The details of the vulnerability being remediated are described by the log fields. |
EndPoint Control | 0x00017ab6 | Info | upload logs | |
EndPoint Control | 0x00017ab7 | Info | Endpoint control policy synchronization was enabled | Logged when someone enables Endpoint control policy synchronization. |
EndPoint Control | 0x00017ab8 | Warning | Endpoint control policy synchronization was disabled | Logged when someone disables Endpoint control policy synchronization. |
EndPoint Control | 0x00017ab9 | Info | Endpoint Control Status changed to [status] | Endpoint Control Status Changed |
EndPoint Control | 0x00017aba | Warning | OffNet configuration version [version] doesn’t match FortiGate configuration version [version] | OffNet configuration version doesn’t match FortiGate configuration version |
EndPoint Control | 0x00017abb | Info | Endpoint Control Registration Status changed to [status] with FGT [serial] | |
EndPoint Control | 0x00017abc | Info | Endpoint Quarantine Status changed to [status] | Endpoint Quarantine Status Changed |
Update | 0x00017a2a | Info | Customer initiated a software update request. | Logged when a user presses the gui’s update button. |
Update | 0x00017a37 | Info | Checking for updates. | Checking for updates. |
Update | 0x00017a2c | Info | Update allowed only if you have a valid license | Update allowed only if you have a valid license |
Update | 0x00017a38 | Info | Software update started. | Software update started. |
Update | 0x00017a2d | Info | Software updates are disabled. | Software updates from FortiGuard have been disabled. |
Update | 0x00017a2e | Info | Software updates from FortiGuard have been disabled because this client is managed. | Software updates from FortiGuard have been disabled. |
Update | 0x00017a2f | Info | Software updates require administrative privileges. | The user does not have sufficient privileges to perform software updates. |
Update | 0x00017a30 | Info | Software update successful. | Software update successful. |
Update | 0x00017a31 | Info | Software update failed. | Software update failed. |
Update | 0x00017a32 | Info | Unable to perform software update. Registry does not contain image id to download. | The image id that is expected to be in the registry is missing. |
Update | 0x00017a33 | Info | Update <module description> successful | |
Update | 0x0001798a | Info | Update success | Update was successful. |
Update | 0x00017a34 | Error | Unable to load AV engine | Failed to load the av engine |
Update | 0x00017a35 | Error | Error patching AV signature. | Error patching AV signature. |
Update | 0x00017a36 | Error | Unable to load FASLE engine | Unable to load FASLE engine |
Update | 0x00017a39 | Info | Update successful | |
Scheduler | 0x00017a20 | Info | Forcefully kill a child process after grace period expires | A scheduler owned child process failed to stop when instructed to do so |
Scheduler | 0x00017a21 | Error | The scheduler cannot start the scheduled task because the task’s license is expired. | The scheduler cannot start the scheduled task because the task’s license is expired. |
Scheduler | 0x00017a68 | Info | FortiClient is starting up | FortiClient is starting up |
Scheduler | 0x00017a69 | Info | %s is shutting down | FortiClient is shutting down |
FortiProxy | 0x00017a49 | Info | Fortiproxy is enabled | Fortiproxy is enabled |
FortiProxy | 0x00017a48 | Warning | Fortiproxy is disabled | Fortiproxy is disabled |
FortiShield | 0x00017a53 | Info | FortiShield is enabled | FortiShield is enabled |
FortiShield | 0x00017a52 | Warning | FortiShield is disabled | FortiShield is disabled |
FortiShield | 0x00017a54 | Info | The console was locked | The console password was locked. |
FortiShield | 0x00017a55 | Warning | The console was unlocked | The console password was unlocked. |
FortiShield | 0x00017a56 | Warning | The console password was removed | The console password was removed. |
FortiShield | 0x00017a57 | Warning | FortiShield blocked application: [application path] from modifying: [file or registry path] | FortiShield has prevented an application from modifying a file or registry setting protected by FortiClient. |
Application Database | 0x0000d001 | Error | <context> <file reference> db error – creating new database. | A critical error occurred. The application database will not work. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated. |
Application Database | 0x0000d003 | Error | <context> <file reference> db error – BIND command. | A critical error occurred. The application database will not work. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated. |
Application Database | 0x0000d004 | Error | <context> <file reference> db error – opening database. | A critical error occurred. The application database is not present. An attempt to automatically regenerate it will occur. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated. |
Application Database | 0x0000d005 | Error | <context> <file reference> db error – preparing sql statement. | The sql statement used is invalid. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated. |
Application Database | 0x0000d006 | Error | <context> <file reference> db error – unable to find fingerprint. | The fingerprint does not exist in the database. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated. |
Application Database | 0x0000d007 | Error | <context> <file reference> db error – invalid md5. | The parameter supplied is not an MD5. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated. |
Application Database | 0x0000d008 | Error | <context> <file reference> db error – row not found. | The requested row does not exist. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated. |
Application Database | 0x0000d00a | Error | <context> <file reference> Can’t open file. | The file cannot be opened. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated. |
Application Database | 0x0000d00b | Error | <context> <file reference> Unable to extract vendor id. | The file is not digitally signed |
Application Database | 0x0000d00e | Error | <context> <file reference> Can’t access file because of sharing violation. | Can’t access file because of sharing violation. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated. |
Application Database | 0x0000d00f | Error | <context> <file reference> Can’t open driver. | Can’t open the apd driver. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated. |
Application Database | 0x0000d010 | Error | <context> <file reference> Can’t start driver. | Can’t start the apd driver. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated. |
Application Database | 0x0000d011 | Error | <context> <file reference> Driver io error. | APD driver io error. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated. |
Application Database | 0x0000d016 | Error | <context> <file reference> Server-side pipe error. | A communication error occurred. It is probably temporary. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated. |
Application Database | 0x0000d017 | Error | <context> <file reference> Pipe server initialization error. | A communication initialization error occurred. It is probably temporary. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated. |
Application Database | 0x0000d018 | Error | <context> <file reference> Pipe server creation error. | A communication initialization error occurred. It is probably temporary. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated. |
Application Database | 0x0000d019 | Error | <context> <file reference> Unable to bypass fortishield. | Failed to bypass self-protection. The daemon might not function normally after this. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated. |
Application Database | 0x0000d01a | Error | <context> <file reference> Invalid arguments. | Invalid command line options supplied. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated. |
Application Database | 0x0000d01c | Error | <context> <file reference> Unable to allocate memory for vendor id cache. | Low memory. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated. |
Application Database | 0x0000d01d | Error | <context> <file reference> Vendor id cache not initialized. | This is probably temporary. An attempt will be made later to read/write to the cache. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated. |
Application Database | 0x0000d01e | Error | <context> <file reference> Unable to open vendor id cache shared memory. | Application detection will not be functioning normally. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated. |
Application Database | 0x0000d01f | Error | <context> <file reference> Unable to open mutex to access vendor id shared memory. | Application detection will not be functioning normally. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated. |
Config Import/Export | 0x00017a5c | Info | A configuration file is exported to [location] | Logged when someone exports a config file. |
Config Import/Export | 0x00017a5d | Info | A configuration file is imported from [location] | Logged when someone imports a config file. |
Config Import/Export | 0x00017a72 | Info | Policy ‘[name]’ was received and applied | Logged when push configuration is received. |
Single SignOn Mobility Agent | 0x00017ad4 | Info | Single Sign-On event | Single Sign-On event. |
Single SignOn Mobility Agent | 0x00017ad5 | Info | Single Sign-On Mobility Agent was enabled | Logged when someone enables Single Sign-On Mobility Agent. |
Single SignOn Mobility Agent | 0x00017ad6 | Warning | Single Sign-On Mobility Agent was disabled | Logged when someone disables Single Sign-On Mobility Agent. |
Single SignOn Mobility Agent | 0x00017ad7 | Info | Single Sign-On Mobility Agent is starting… | |
Single SignOn Mobility Agent | 0x00017ad8 | Info | Single Sign-On Mobility Agent is stopping… | |
UI | 0x00017a66 | Warning | Logs were cleared | Logged when logs are cleared. |
UI | 0x00017a67 | Info | Alerts were cleared | Logged when alerts are cleared by a user. |