
15 June 2016

Gaia Syslog Messages

R80

Technical Reference Guide


Classification: [Protected]
© 2016 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and
distributed under licensing restricting their use, copying, distribution, and decompilation. No part
of this product or related documentation may be reproduced in any form or by any means without
prior written authorization of Check Point. While every precaution has been taken in the
preparation of this book, Check Point assumes no responsibility for errors or omissions. This
publication and features described herein are subject to change without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in
subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS
252.227-7013 and FAR 52.227-19.
TRADEMARKS:
Refer to the Copyright page http://www.checkpoint.com/copyright.html for a list of our
trademarks.
Refer to the Third Party copyright notices http://www.checkpoint.com/3rd_party_copyright.html
for a list of relevant copyrights and third-party licenses.
Important Information
Latest Software
We recommend that you install the most recent software release to stay up-to-date
with the latest functional improvements, stability fixes, security enhancements and
protection against new and evolving attacks.

Latest Version of this Document


Download the latest version of this document
http://supportcontent.checkpoint.com/documentation_download?ID=50131.
To learn more, visit the Check Point Support Center
http://supportcenter.checkpoint.com.

Revision History
| Date | Description |
|---|---|
| 15 June 2016 | First release of this document |
Contents
Important Information
Important Gaia Syslog Messages
    Syslog Overview
    Message Format
    General Messages
        Login and Logout Messages
        Configuration Change Messages
        Interface Messages
        DHCP Server Messages
        DHCP Client Messages
        Device Maintenance Messages
        Upgrade and Downgrade Messages
        User Management Messages
    Protocol Messages
        IGMP
        Multicast Forwarding Cache (MFC)
        OSPF
        PIM
        VRRP
Important Gaia Syslog Messages


This document lists important syslog messages logged by Check Point Gaia appliances, version
R80.

Syslog Overview
The syslog protocol lets a machine send system notification messages to a remote syslog server
or to a local /var/log/messages file. These messages are used to monitor the status of an
appliance and to troubleshoot issues.

Message Format
Format of a syslog message:
<Date> <Time> <Daemon/Process><Process ID>: <Syslog message>

Where:

| Field | Description |
|---|---|
| Date Time | Timestamp of the logged syslog message |
| Daemon/Process | Source of the syslog message |
| Process ID | PID of the daemon/process that generates syslog messages; optional |
| Syslog message | Logged information |

Message Level Parameter


The system uses the Level parameter to classify the notification messages. These are the values
for this parameter:

| Possible Values | Description |
|---|---|
| LOG_EMERG | A panic condition |
| LOG_ALERT | An alert notification like corruption in database |
| LOG_CRIT | Critical conditions like hard disk errors |
| LOG_ERR | Errors |
| LOG_NOTICE | Notifications |
| LOG_INFO | Informational messages |
| LOG_DEBUG | Debugging messages |


General Messages
These are key syslog messages logged by Check Point R80 appliances. Descriptions are not given
for intuitive messages.
A string in angle brackets (< >) represents variable text. For example, given the syslog
message
"HTTP login denied from <IP address> for <username>",
the actual message on the appliance would be: "HTTP login denied from 192.168.1.1 for bob"

Login and Logout Messages


| Syslog Message | Description |
|---|---|
| httpd2: Session had expired for user: <username> | WebUI session expired for <username> |
| HTTP login denied from <ip address> for <username> | WebUI access denied from <IP address> for <username> |
| User entry created for "<username>" in the password database | Password change for <username> succeeded |
| HTTP login from <IP address> as <username> | WebUI access to the appliance |
| HTTP logout from <IP address> as <username> | WebUI logout from the appliance |
| Telnet from <IP address> | Telnet connection from <IP address> to the appliance was successful |
| User <username> logged in with <read/write> permission | User <username> logged into Check Point CLI shell |
| User <username> logged out from CLI shell | |
| User <username> logged out due to an error from CLI shell | |
| authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<ip> user=<user> | |
| Failed password for admin from <ip> port <port_num> ssh2 | |
| FAILED LOGIN <num> FROM <ip> FOR <user>, Authentication failure | Number of login failures from <ip> for <user> (excluding ssh connection) |
| PAM_unix: (<program name>) session opened for user admin by (uid=0) | Session opened for SSH (or other program) |
| PAM_unix: (<program name>) session closed for user <username> | Session closed for SSH (or other program) |
| PAM_unix: check pass; user unknown | Invalid user |
| sshd-x: Accepted password for <username> from <IP address> port <SSH client port> ssh2 | |
| sshd-x: Failed password for <username> from <IP address> port <SSH client port> ssh2 | |
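
The following Python example is added here and is not Check Point code. It splits a line according to the header layout in Message Format and counts the failed-login messages from the table above per source address. The timestamp layout, the daemon names on the HTTP and FAILED LOGIN lines, and every sample line are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Header layout from the guide: <Date> <Time> <Daemon/Process><Process ID>: <message>
# Assumption: classic syslog timestamp ("Jun 15 10:00:01"); the [PID] part is optional.
HEADER = re.compile(
    r"^(?P<date>[A-Z][a-z]{2}\s+\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<daemon>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Failure templates copied from the Login and Logout Messages table.
# "invalid user" is the prefix OpenSSH adds for unknown accounts.
FAILURES = [
    re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) "
               r"from (?P<ip>\S+) port \d+ ssh2$"),
    re.compile(r"^HTTP login denied from (?P<ip>\S+) for (?P<user>\S+)$"),
    re.compile(r"^FAILED LOGIN \d+ FROM (?P<ip>\S+) FOR (?P<user>[^,]+), "
               r"Authentication failure$"),
]

def parse_line(line):
    """Split one syslog line into its header fields, or return None."""
    m = HEADER.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def failed_logins(lines, threshold=3):
    """Return {source IP: failure count} for sources at or above threshold."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not in the documented header format
        for pattern in FAILURES:
            hit = pattern.match(rec["msg"].strip())
            if hit:
                counts[hit.group("ip")] += 1
                break
    return {ip: n for ip, n in counts.items() if n >= threshold}

# Constructed sample lines (documentation address ranges, made-up PIDs).
SAMPLE = [
    "Jun 15 10:00:01 sshd-x[4120]: Failed password for admin from 192.0.2.10 port 50122 ssh2",
    "Jun 15 10:00:03 sshd-x[4120]: Failed password for admin from 192.0.2.10 port 50123 ssh2",
    "Jun 15 10:00:05 httpd2: HTTP login denied from 192.0.2.10 for bob",
    "Jun 15 10:00:09 sshd-x[4131]: Accepted password for admin from 198.51.100.7 port 40100 ssh2",
    "Jun 15 10:01:00 login[4200]: FAILED LOGIN 2 FROM 203.0.113.5 FOR admin, Authentication failure",
    "Jun 15 10:02:00 xpand[2301]: Interface eth1 set to down",
]

if __name__ == "__main__":
    for ip, n in failed_logins(SAMPLE).items():
        print(f"{ip}: {n} failed logins")
```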

Configuration Change Messages


Configuration change messages are logged in a configuration database binding format.

| Syslog Message | Description |
|---|---|
| <username> <from IP address> t +interface:<ifname> <value> | The t flag indicates transient changes. Configuration is in the memory database only. (For example, when Apply is clicked in the WebUI.) The plus ( + ) flag indicates that a setting was added to the database. |
| <username> <from IP address> t -interface:<ifname> | The minus ( - ) flag indicates that a setting was deleted from the database. |
| <username> <from IP address> p +interface:<ifname> <value> | The p flag indicates permanent changes. Configuration is in the memory database and in /config file. (For example, when Save is clicked in the WebUI.) |
| <username> <from IP address> p -interface:<ifname> | |


Examples of configuration change messages:


admin localhost t +interface:eth-s1p1c0:ipaddr:1.1.1.1:mask 24
admin localhost t +ifphys:<ifname>:speed 100M
admin localhost t +snmp:interface:<ifname>:trapstate off
admin localhost t +ip:arp:keep_time 60
admin localhost t -resolv:domain:1
admin localhost t -resolv:resolver:2
admin localhost t -resolv:resolver:3
admin localhost p -hosts:test.checkpoint.com
admin localhost p +snap:show:fcd:desc t
admin localhost p +snap:show:fcd:desc:sfsa t
admin localhost p +webuiparams:logincount:admin 3
nobody localhost t +timezone Asia/Jerusalem
nobody localhost p +process:dhcpd t
nobody localhost p +cron:admin:job:new_bash_session:minutes
nobody localhost p +cron:admin:job:new_bash_session:months all
nobody localhost p -dhcp:dhcpd:dynamic:192.168.192.0:maxlease 86400
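
The following Python example is added here and is not Check Point code. It parses the message body of a configuration change into user, source, t/p flag, +/- flag, binding path and value, then selects permanent changes under chosen top-level keys. The `WATCH` set and all function names are hypothetical; the input lines are taken from the examples above.

```python
import re
from typing import NamedTuple, Optional

# Body layout from the table above:
#   <username> <from IP address> <t|p> <+|-><binding> [<value>]
CHANGE = re.compile(
    r"^(?P<user>\S+) (?P<source>\S+) (?P<scope>[tp]) "
    r"(?P<op>[+-])(?P<binding>\S+)(?: (?P<value>.*))?$"
)

class ConfigChange(NamedTuple):
    user: str
    source: str
    permanent: bool        # p: memory database and /config file; t: memory only
    added: bool            # +: setting added; -: setting deleted
    path: tuple            # binding split on ':'
    value: Optional[str]   # None when the message carries no value

def parse_change(body):
    """Parse the message body of a configuration change, or return None."""
    m = CHANGE.match(body.strip())
    if m is None:
        return None
    return ConfigChange(
        user=m["user"], source=m["source"],
        permanent=m["scope"] == "p", added=m["op"] == "+",
        path=tuple(m["binding"].split(":")), value=m["value"],
    )

def permanent_changes(bodies, watch):
    """Return permanent changes whose top-level binding key is in watch."""
    parsed = (parse_change(b) for b in bodies)
    return [c for c in parsed if c and c.permanent and c.path[0] in watch]

# Message bodies taken from the examples listed above.
EXAMPLES = [
    "admin localhost t +interface:eth-s1p1c0:ipaddr:1.1.1.1:mask 24",
    "admin localhost t -resolv:domain:1",
    "admin localhost p -hosts:test.checkpoint.com",
    "nobody localhost p +process:dhcpd t",
    "nobody localhost p +cron:admin:job:new_bash_session:months all",
    "nobody localhost p -dhcp:dhcpd:dynamic:192.168.192.0:maxlease 86400",
]

# Hypothetical watchlist: keys a reviewer might want to see on every save.
WATCH = {"cron", "process"}

if __name__ == "__main__":
    for c in permanent_changes(EXAMPLES, WATCH):
        sign = "+" if c.added else "-"
        print(c.user, c.source, sign + ":".join(c.path), c.value)
```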

Interface Messages
| Syslog Message | Description |
|---|---|
| xpand[<PID>]: Interface <IF_NAME> set to up | Interface’s state was changed to up |
| xpand[<PID>]: Interface <IF_NAME> set to down | Interface’s state was changed to down |


DHCP Server Messages


| Syslog Message | Description |
|---|---|
| Packet from unknown subnet: <Ip address> | |
| DHCPDISCOVER from <MAC address> via <server interface name>: network <subnet>: no free leases | All IP addresses in the appliance's server address pool are exhausted |
| DHCPDISCOVER from <MAC address> via <server interface name> | |
| DHCPOFFER on <IP address offered> to <client MAC address> via <interface name> | |
| DHCPREQUEST for <requested IP address> (<server IP address>) from <client's MAC address> via <server interface name> | |
| DHCPACK on <requested IP address> to <client MAC address> via <server interface name> | |
| DHCPREQUEST for <requested IP address> from <client MAC address> via <server interface name>: lease <requested IP address> unavailable | |
| DHCPNAK on <requested IP address> to <client MAC address> via <server interface name> | |
| DHCPREQUEST for <requested IP address> from <client MAC address> via <server interface name>: ignored (not authoritative) | DHCP server does not have an address pool configured for the requested IP address |
| DHCPRELEASE of <IP address> from <client MAC address> via <server interface name> (not found) | DHCP server does not have an address pool configured for the requested IP address |
| Abandoning IP address <IP address>: pinged before offer | IP address is already in use: abandon the lease |
| DHCPREQUEST for <requested IP address> from <client MAC address> via <server interface name>: unknown lease <IP address> | |


DHCP Client Messages


| Syslog Message | Description |
|---|---|
| DHCPACK from <IP address> | |
| DHCPNAK from <IP address> | |
| No DHCPOFFERS received | |
| bound to <IP address> -- renewal in <number> seconds | |
| BOOTREPLY from <IP address> rejected | |
| <DHCP type> from <IP address> rejected | DHCP message type: DHCP OFFER, DHCP NACK, DHCP ACK |
| DHCPDISCOVER on <client interface name> to <IP broadcast address> port 67 interval <number> | |
| DHCPOFFER from <server IP address> | |
| DHCPREQUEST on <client interface name> to <IP broadcast address> port 67 | |
| DHCPDECLINE on <client interface name> to <server IP address> port 67 | |
| DHCPRELEASE on <client interface name> to <server IP address> port 67 | |
| DHCPACK from <server IP address> | |


Device Maintenance Messages


| Syslog Message | Description |
|---|---|
| shutting down for system reboot | Appliance was rebooted by user <username> |
| Configuration changed from <IP address> by user <username> | |
| Boot image will be <Image name> | |
| reboot with image <image name> | |
| Time shift detected !!! | |
| sshd-x: Server listening on <IP address> port 22. | |
| clish :Processing : set time <time> | |
| BACKUP operation started. | Starting backup operation |
| Xpand: BACKUP operation has finished successfully. Errors: none | |
| backup_set_proc: will delete: state->s_file_name:<file full path>.tgz, val:<file name>.tgz | Deleting backup file |

Upgrade and Downgrade Messages


| Syslog Message | Description |
|---|---|
| Start verification [Q]You are about to start upgrade to R80 Gaia. Are you sure you want to continue (yes/no)? LAST TS: 7" | |
| xpand: Gaia DB Upgrade successful | |
| Xpand: admin localhost p +upgrade:package:<new version> t | |


User Management Messages


| Syslog Message | Description |
|---|---|
| clish[<PID>]: cmd by <USER_NAME>: Processing : add user <USER_NAME> uid <UID> homedir <HOME_DIR> | |
| xpand[<PID>]: Deleting User entry for "<USER_NAME>" from the password database | On WebUI and clish |
| xpand[<PID>]: User entry created for <USER_NAME> in the password database | On WebUI and clish |
| clish[<PID>]: cmd by <USER_NAME>: Processing : delete group <GROUP_NAME> member <USER_NAME> | |
| clish[<PID>]: cmd by <USER_NAME>: Processing : add group <GROUP_NAME> member <USER_NAME> | |
| clish[<PID>]: cmd by <USER_NAME>: Processing : add group <GROUP_NAME> gid <GROUP_ID> | |
| clish[<PID>]: cmd by <USER_NAME>: Processing : delete group <GROUP_NAME> | |
| clish[<PID>]: cmd by <USER_NAME>: Processing : add user <USER_NAME> uid <UID> homedir <HOME_DIR> | |

Protocol Messages
IGMP
| Syslog Message | Description |
|---|---|
| igmp_recv_leave_group: ignoringleave group from <IP address>, group <multicast address> is not in active group database | |
| igmp_recv: packet from non-local neighbor <IP address> | |
| igmp_recv_leave_group: malformed leave group group address (<IP address>) | |


Multicast Forwarding Cache (MFC)


| Syslog Message | Description |
|---|---|
| mfc_resolve_sg: no multicast routing enabled on <logical interface name> for (<multicast group address>, <source IP address>) | |
| mfc_resolve_sg: duplicate xresolve for (<multicast group address>, <source IP address>)/<prefix length> | |

OSPF
| Syslog Message | Description |
|---|---|
| OSPF IO: <IP address>-><Multicast address> unknown area ID <IP address> in Hello packet | |
| OSPF IO: Hello interval mismatch on interface <IP address>(<interface name>) got <hello interval> expected <hello interval> | |
| OSPF IO: <IP address>-><multicast address>: authentication failed (10) in Hello packet | |

PIM
| Syslog Message | Description |
|---|---|
| PIM: No cluster IP found for interface <logical interface name> | |
| pim_dm_recv_state_refresh: ignoring state refresh message <IP address>,<multicast group address>/<prefix> received on <interface name> ttl:0 | |
| Local address <IP address> configured for interface <interface name> is not a valid non-virtual address | |
| pim_dm_rt_lookup: Route lookup for source <IP address> failed | |
| PIM: Begin of instance 0 termination | |
| pim_sm_instance_terminate: termination of instance 0 | |
| PIM: No valid non-virtual address found for interface ser-s3p1c0 | |


VRRP
| Syslog Message | Description |
|---|---|
| firewall state not okay: cannot continue as master | If we now monitor Firewall and before we did not, and if Firewall is installed, see if another master is already there. See if the Firewall sync interface is ready. |
| interface <interface name>,VRID <vrid>: state=INIT | VRRP router with Interface and VRRP vrid is in INIT state. |
| interface <interface name>,VRID <vrid>: state=BACKUP | VRRP router with Interface and VRRP vrid is in INIT state. |
| interface <interface name>,VRID <vrid>: firewall state not okay: cannot become master | VRRP router with Interface and VRRP vrid is in BACKUP state. |
| interface <interface name>,VRID <vrid>: state=MASTER | VRRP router with Interface and VRRP vrid is in MASTER state. |
| VRRP Router is shutting down due to: <reason> | Reason for VRRP router shutting down: 1. HDD failure 2. Cold Start delay |
| VRRP Router is shutting down due to: <reason> | Reason codes: 1 VRRP ID; 2 VRRP Priority; 3 Advertisement interval; 4 Routerdead interval; 5 No preempt; 6 VRRP IP address; 7 Authentication; 8 Monitor; 9 VMAC |
| vrrp_recv: packet received on interface (<interface name>) with no VRRP state, ignoring | |
| vrrp_recv: discarded truncated IP packet from <Source IP address> | |
| vrrp_recv: discarded packet from <Source IP address> bad VRRP checksum | |
| vrrp_recv: discarded packet from <Source IP address> due to packet header truncated | |
| vrrp_recv: discard VRRP version <version> packet from <Source IP address> | |
| vrrp_recv: discarded unknown VRID <vrrp id> packet from <Source IP address> | |
| vrrp_recv: discarded local loopback for VRID <vrrp id> from <Source IP address> | |
| vrrp_recv: discarded packet from <Source IP address> with TTL <ttl> | |
| vrrp_recv: discarded truncated VRRP packet from <Source IP address> (got <vrrp packet length>, expected <vrrp packet length>) | |
| vrrp_recv: discarded packet from <Source IP address> with NoAuthentication, expected <Auth type> | |
| vrrp_recv: discarded packet from <Source IP address> with SimpleTextPassword, expected <Auth type> | |
| vrrp_recv: discarded packet from <Source IP address> with incorrect SimpleTextPassword | |
| vrrp_recv: discarded packet from <Source IP address> with unknown authentication type(<Auth type in hex>) | |
| vrrp_recv: discarded packet from <Source IP address> attempting to take over interface <interface name>, VRID <vrrp id> while local router is master | The remote router tried to take over a virtual router while the local router is master. |
