Appendix D – FortiClient Log Messages

Client Feature ID Level Format Description
AntiVirus 0x00017913 Warning Found malware by [AntiVirus scan|AntiVirus realtime protection] in [filesystem|email] This message is logged when malware is found.
AntiVirus 0x00017914 Warning Found suspicious by [AntiVirus scan|AntiVirus realtime protection] in [filesystem|disk|email] This message is logged when a suspicious item is found.
AntiVirus 0x00017915 Info User enabled Realtime AntiVirus protection Logged when someone enables Realtime AntiVirus.
AntiVirus 0x00017916 Warning User disabled Realtime AntiVirus protection Logged when someone disables Realtime AntiVirus.
AntiVirus 0x00017917 Info Communication error  
AntiVirus 0x00017918 Warning AntiVirus realtime protection killed malware process : [process name] AntiVirus realtime protection killed a malware process.
AntiVirus 0x0001791d Info av_task scan is started This message is logged if AV scanning is started.
AntiVirus 0x0001791e Info av_task scan is stopped This message is logged if AV scanning is stopped.
AntiVirus 0x00017919 Info av_task scan thread is suspended This message is logged if AV scanning is paused.
AntiVirus 0x0001791a Info av_task scan thread is resumed This message is logged if AV scanning is resumed.
AntiVirus 0x0001791b Warning av_task killed suspicious process : <filename or process name> <filename or process name> is a suspicious process and has been terminated.
AntiVirus 0x0001791c Info Cannot start scan task  
AntiVirus 0x0001791f Error Scheduled scan failed: Path to file/folder no longer exists. Path not found.
AntiVirus 0x00017920 Warning AntiVirus scan was stopped by a user before it finished. The specified user stopped an AntiVirus scan.
AntiVirus 0x00017921 Warning Failed to connect to FortiSandbox server. The sandbox server is unavailable.
Webfilter 0x000178f4 Info User enabled Webfilter Logged when someone enables webfiltering.
Webfilter 0x000178f5 Warning User disabled Webfilter Logged when someone disables webfiltering.
Webfilter 0x000178f6 Warning user’s access to the url [action and reason] The action taken on the user’s access.
Webfilter 0x000178f7 Info user’s access to the url [action and reason] The action taken on the user’s access.
Webfilter 0x000178f8 Warning The Webfilter Violation report was cleared [user name] Logged when someone clears the webfilter violation report.
Webfilter 0x000178f9 Warning Unable to create proxy/webfilter communication socket. FortiClient will not be able to determine the FortiGuard rating of URLs.
Webfilter 0x000178fa Warning Unable to retrieve the webfilter UDP port number. FortiClient will not be able to determine the FortiGuard rating of URLs.
Webfilter 0x000178fb Warning status=warn [logged on user] temporarily disabled blocking of category [category id] ([category name]) to access [url] The user [logged on user] proceeded to the url [url] after acknowledging a warning message.
Application FireWall 0x00017980 Warning Firewall action  
Application FireWall 0x00017981 Info Firewall action
Application FireWall 0x00017982 Info User enabled Firewall User enabled Firewall
Application FireWall 0x00017983 Warning User disabled Firewall User disabled Firewall
Application FireWall 0x00017984 Warning The Application Firewall report was cleared Logged when someone clears the application firewall report.
Application FireWall 0x00017985 Warning The application firewall has been disabled because it’s driver could not be loaded Logged when application firewall driver could not be loaded with error 127 (The specified procedure could not be found).
IKE VPN 0x00017930 Info VPN tunnel status VPN tunnel status
IKE VPN 0x00017940 Info IKE phase1 authentication fail as peer’s certificate is not verified. IKE phase1 authentication fail as peer’s certificate is not verified.
IKE VPN 0x00017941 Info IKE phase1 authentication fail as the preshare key mismatch. IKE phase1 authentication fail as the preshare key mismatch.
IKE VPN 0x00017931 Warning No response from the peer  
IKE VPN 0x00017932 Warning No response from the peer
IKE VPN 0x00017933 Warning Received delete payload from peer check xauth password. Received delete payload from peer check xauth password.
IKE VPN 0x00017934 Error Failed to acquire an IP address. Failed to acquire an IP address for the virtual adapter.
IKE VPN 0x00017935 Error ike error  
IKE VPN 0x00017936 Info negotiation information
IKE VPN 0x00017937 Error negotiation error
IKE VPN 0x00017938 Error replayed packet detected (packet dropped)
IKE VPN 0x00017939 Info VPN user accept the banner and continue with the tunnel setup The VPN user accepted the banner warning.
IKE VPN 0x0001793a Info VPN user choose disconnect the tunnel or no response The VPN user rejected the banner warning and disconnected the tunnel.
IKE VPN 0x0001793b Info locip=<ip address> locport=<port number> remip=<ip address> remport=<port number> outif=<interface> vpntunnel=<tunnel name> action=install_sa  
IKE VPN 0x0001793c Info VPN before logon was enabled Logged when someone enables VPN before logon.
IKE VPN 0x0001793d Info VPN before logon was disabled Logged when someone disables VPN before logon.
IKE VPN 0x0001793e Error VPN cannot connect because an authorization rule failed. Logged when a VPN authorization rule failed.
IKE VPN 0x0001793f Warning A required application is not running. VPN cannot connect because the specified application is not running.
SSL VPN 0x00017958 Info SSLVPN tunnel status SSLVPN tunnel status
Wan Acceleration 0x00017a71 Info User enabled WAN Acceleration User enabled WAN Acceleration
Wan Acceleration 0x00017a70 Info User disabled WAN Acceleration User disabled WAN Acceleration
Wan Acceleration 0x0000b000 Error Network registry keys are missing When enumerating the network interface subkeys
Wan Acceleration 0x0000b001 Error Network adapter is missing a description When enumerating the network interfaces
Wan Acceleration 0x0000b002 Error Error opening redirector device Wan acceleration will not function.
Wan Acceleration 0x0000b003 Info WAN Acceleration was enabled by [user name] Logged when someone enables WAN Acceleration.
Wan Acceleration 0x0000b004 Info WAN Acceleration was disabled by [user name] Logged when someone disables WAN Acceleration.
Vulnerability Scan 0x00017908 Info The vulnerability scan status has changed A vulnerability scan status change
Vulnerability Scan 0x00017909 Info A vulnerability scan result has been logged A Vulnerability scan result log
Vulnerability Scan 0x0001790a Info Remediating vulnerability The details of the vulnerability being remediated are described by the log fields.
EndPoint Control 0x00017ab6 Info upload logs
EndPoint Control 0x00017ab7 Info Endpoint control policy synchronization was enabled Logged when someone enables Endpoint control policy synchronization.
EndPoint Control 0x00017ab8 Warning Endpoint control policy synchronization was disabled Logged when someone disables Endpoint control policy synchronization.
EndPoint Control 0x00017ab9 Info Endpoint Control Status changed to [status] Endpoint Control Status Changed
EndPoint Control 0x00017aba Warning OffNet configuration version [version] doesn’t match FortiGate configuration version [version] OffNet configuration version doesn’t match FortiGate configuration version
EndPoint Control 0x00017abb Info Endpoint Control Registration Status changed to [status] with FGT [serial]
EndPoint Control 0x00017abc Info Endpoint Quarantine Status changed to [status] Endpoint Quarantine Status Changed
Update 0x00017a2a Info Customer initiated a software update request. Logged when a user presses the GUI’s update button.
Update 0x00017a37 Info Checking for updates. Checking for updates.
Update 0x00017a2c Info Update allowed only if you have a valid license Update allowed only if you have a valid license
Update 0x00017a38 Info Software update started. Software update started.
Update 0x00017a2d Info Software updates are disabled. Software updates from FortiGuard have been disabled.
Update 0x00017a2e Info Software updates from FortiGuard have been disabled because this client is managed. Software updates from FortiGuard have been disabled.
Update 0x00017a2f Info Software updates require administrative privileges. The user does not have sufficient privileges to perform software updates.
Update 0x00017a30 Info Software update successful. Software update successful.
Update 0x00017a31 Info Software update failed. Software update failed.
Update 0x00017a32 Info Unable to perform software update. Registry does not contain image id to download. The image id that is expected to be in the registry is missing.
Update 0x00017a33 Info Update <module description> successful  
Update 0x0001798a Info Update success Update was successful.
Update 0x00017a34 Error Unable to load AV engine Failed to load the av engine
Update 0x00017a35 Error Error patching AV signature. Error patching AV signature.
Update 0x00017a36 Error Unable to load FASLE engine Unable to load FASLE engine
Update 0x00017a39 Info Update successful  
Scheduler 0x00017a20 Info Forcefully kill a child process after grace period expires A scheduler owned child process failed to stop when instructed to do so
Scheduler 0x00017a21 Error The scheduler cannot start the scheduled task because the task’s license is expired. The scheduler cannot start the scheduled task because the task’s license is expired.
Scheduler 0x00017a68 Info FortiClient is starting up FortiClient is starting up
Scheduler 0x00017a69 Info %s is shutting down FortiClient is shutting down
FortiProxy 0x00017a49 Info Fortiproxy is enabled Fortiproxy is enabled
FortiProxy 0x00017a48 Warning Fortiproxy is disabled Fortiproxy is disabled
FortiShield 0x00017a53 Info FortiShield is enabled FortiShield is enabled
FortiShield 0x00017a52 Warning FortiShield is disabled FortiShield is disabled
FortiShield 0x00017a54 Info The console was locked The console password was locked.
FortiShield 0x00017a55 Warning The console was unlocked The console password was unlocked.
FortiShield 0x00017a56 Warning The console password was removed The console password was removed.
FortiShield 0x00017a57 Warning FortiShield blocked application: [application path] from modifying: [file or registry path] FortiShield has prevented an application from modifying a file or registry setting protected by FortiClient.
Application Database 0x0000d001 Error <context> <file reference> db error – creating new database. A critical error occurred. The application database will not work. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated.
Application Database 0x0000d003 Error <context> <file reference> db error – BIND command. A critical error occurred. The application database will not work. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated.
Application Database 0x0000d004 Error <context> <file reference> db error – opening database. A critical error occurred. The application database is not present. An attempt to automatically regenerate it will occur. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated.
Application Database 0x0000d005 Error <context> <file reference> db error – preparing sql statement. The sql statement used is invalid. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated.
Application Database 0x0000d006 Error <context> <file reference> db error – unable to find fingerprint. The fingerprint does not exist in the database. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated.
Application Database 0x0000d007 Error <context> <file reference> db error – invalid md5. The parameter supplied is not an MD5. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated.
Application Database 0x0000d008 Error <context> <file reference> db error – row not found. The requested row does not exist. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated.
Application Database 0x0000d00a Error <context> <file reference> Can’t open file. The file cannot be opened. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated.
Application Database 0x0000d00b Error <context> <file reference> Unable to extract vendor id. The file is not digitally signed.
Application Database 0x0000d00e Error <context> <file reference> Can’t access file because of sharing violation. Can’t access file because of sharing violation. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated.
Application Database 0x0000d00f Error <context> <file reference> Can’t open driver. Can’t open the apd driver. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated.
Application Database 0x0000d010 Error <context> <file reference> Can’t start driver. Can’t start the apd driver. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated.
Application Database 0x0000d011 Error <context> <file reference> Driver io error. APD driver io error. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated.
Application Database 0x0000d016 Error <context> <file reference> Server-side pipe error. A communication error occurred. It is probably temporary. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated.
Application Database 0x0000d017 Error <context> <file reference> Pipe server initialization error. A communication initialization error occurred. It is probably temporary. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated.
Application Database 0x0000d018 Error <context> <file reference> Pipe server creation error. A communication initialization error occurred. It is probably temporary. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated.
Application Database 0x0000d019 Error <context> <file reference> Unable to bypass fortishield. Failed to bypass self-protection. The daemon might not function normally after this. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated.
Application Database 0x0000d01a Error <context> <file reference> Invalid arguments. Invalid command line options supplied. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated.
Application Database 0x0000d01c Error <context> <file reference> Unable to allocate memory for vendor id cache. Low memory. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated.
Application Database 0x0000d01d Error <context> <file reference> Vendor id cache not initialized. This is probably temporary. An attempt will be made later to read/write to the cache. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated.
Application Database 0x0000d01e Error <context> <file reference> Unable to open vendor id cache shared memory. Application detection will not function normally. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated.
Application Database 0x0000d01f Error <context> <file reference> Unable to open mutex to access vendor id shared memory. Application detection will not function normally. <context> is the service that generated the log. <file reference> is optional and describes the file that was being accessed when the log was generated.
Config Import/Export 0x00017a5c Info A configuration file is exported to [location] Logged when someone exports a config file.
Config Import/Export 0x00017a5d Info A configuration file is imported from [location] Logged when someone imports a config file.
Config Import/Export 0x00017a72 Info Policy ‘[name]’ was received and applied Logged when push configuration is received.
Single SignOn Mobility Agent 0x00017ad4 Info Single Sign-On event Single Sign-On event.
Single SignOn Mobility Agent 0x00017ad5 Info Single Sign-On Mobility Agent was enabled Logged when someone enables Single Sign-On Mobility Agent.
Single SignOn Mobility Agent 0x00017ad6 Warning Single Sign-On Mobility Agent was disabled Logged when someone disables Single Sign-On Mobility Agent.
Single SignOn Mobility Agent 0x00017ad7 Info Single Sign-On Mobility Agent is starting…
Single SignOn Mobility Agent 0x00017ad8 Info Single Sign-On Mobility Agent is stopping…
UI 0x00017a66 Warning Logs were cleared Logged when logs are cleared.
UI 0x00017a67 Info Alerts were cleared Logged when alerts are cleared by a user.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
