Microsoft TMG 2010 Log Analysis

Microsoft Forefront TMG 2010

Information about Forefront TMG 2010 Firewall and Web Proxy events can be logged to a text file, to a local SQL Server Express database, or to a remote SQL Server.

Forefront TMG 2010 log records are stored in two separate categories: Firewall and Proxy.

Logging settings for Firewall and Proxy can be configured under the Logs & Reports / Configure Logging menu.

The directory where the logs are stored, the log format, the maximum file size, and the fields recorded in the log can all be configured.

Microsoft Forefront TMG 2010 - Firewall Log Fields

| Bit number | Field name (log viewer) | Field name (W3C format) | Description |
| --- | --- | --- | --- |
| 0 | Server Name | computer | The name of the Forefront TMG computer assigned in the operating system settings. |
| 1 | Log Date | date | The date on which the logged event occurred. In the SQL Server and SQL Server Express formats, both the date and the local time are included in the single logTime field. |
| 2 | Log Time | time | The time when the logged event occurred. In the W3C extended file format this time is in Coordinated Universal Time (UTC). In all other formats, this is the local time. In the SQL Server and SQL Server Express formats both the date and the time are included in the single logTime field. |
| 3 | Transport | IP Protocol | The transport protocol used for the connection. Common values are TCP and UDP. |
| 4 | Client IP and Port | source | The IP address of the requesting client and the source port used. In SQL Server and SQL Server Express formats, there are separate SourceIP and SourcePort fields to allow individual querying. For ICMP packets, the port field indicates the ICMP type. |
| 5 | Destination IP and Port | destination | The network IP address and the port number on the target computer that provides service to the current connection. The port number is used by the client application initiating the request. In SQL Server and SQL Server Express formats, there are separate DestinationIP and DestinationPort fields to allow individual querying. For ICMP packets, the port field indicates the ICMP code. |
| 6 | Original Client IP | original client IP | The original IP address of the requesting client. |
| 7 | Source Network | source network | The network from which the request originated. |
| 8 | Destination Network | destination network | The network to which the request was sent. |
| 9 | Action | action | The action performed by the firewall for the current session or connection. The possible values are defined in the FpcAction enumerated type. |
| 10 | Result Code | status | A Windows error code or a Forefront TMG error code in HRESULT format. |
| 11 | Rule | rule | The rule that either allowed or denied access to the request, as follows: If an outgoing request was allowed, this field reflects the access rule that allowed the request. If the request was denied, this field reflects the access rule that blocked the request. If an incoming request was allowed, this field reflects the Web publishing server or publishing rule that allowed the request. If the request was denied, this field reflects the Web publishing server or publishing rule that denied the request. If the incoming or outgoing request was denied for a reason other than policy rules (for example, due to an intrusion attempt or exceeding a flood resiliency threshold), the field is empty and the Result Code field indicates the reason. |
| 12 | Protocol | application protocol | The name of the application protocol used for the connection as defined in the collection of protocol definitions. |
| 13 | Bidirectional | bidirectional | A value from the FpcBidirection enumerated type that indicates whether the connection was bidirectional. |
| 14 | Bytes Sent | bytes sent | The total number of bytes sent from the client to the destination host during the current connection. A hyphen (-) or a zero (0) in this field indicates that this information was not provided by the destination host or that no bytes were sent to the destination host. |
| 15 | Bytes Sent Delta | bytes sent intermediate | The number of bytes sent from the client to the destination host since the previous log entry for the current connection. A hyphen (-) or a zero (0) in this field indicates that this information was not provided by the destination host or that no bytes were sent to the destination host. |
| 16 | Bytes Received | bytes received | The total number of bytes sent from the remote computer and received by the client during the current connection. A hyphen (-) or a zero (0) in this field indicates that this information was not provided by the remote computer or that no bytes were received from the remote computer. |
| 17 | Bytes Received Delta | bytes received intermediate | The number of bytes sent from the remote computer and received by the client since the previous log entry for the current connection. A hyphen (-) or a zero (0) in this field indicates that this information was not provided by the remote computer or that no bytes were received from the remote computer. |
| 18 | Processing Time | connection time | The total time, in milliseconds, that was needed by Forefront TMG to process the current connection. It measures the time elapsed from the time when the Forefront TMG computer first received the request to the time when final processing occurred on the Forefront TMG computer, when results were returned to the client and the connection was closed. |
| 19 | Processing Time Delta | connection time intermediate | The time, in milliseconds, that has elapsed since the previous log entry for the current connection. |
| 20 | Destination Host Name | destination name | The domain name for the remote computer that provides service to the current connection. |
| 21 | Client Username | username | The account of the user making the request. A question mark (?) next to the user name indicates that the user name was sent but the user was not authenticated by Forefront TMG. If Forefront TMG access control is not being used, Forefront TMG uses Anonymous. |
| 22 | Client Agent | agent | For clients with Forefront TMG Client software installed, this is the name of the application that made the network request. This field is not applicable to SecureNAT client sessions. |
| 23 | Session ID | session ID | An identifier that identifies a session's connections. For Forefront TMG clients, each process that connects through the Microsoft Firewall service initiates a session. For SecureNAT clients, a single session is opened for all the connections that originate from the same IP address. |
| 24 | Connection ID | connection ID | An identifier that identifies entries belonging to the same connection. Outbound TCP usually has two entries for each connection: when the connection is established and when the connection is terminated. UDP usually has two entries for each remote address. |
| 25 | Network Interface | interface | The network adapter with which the connection was established on the Forefront TMG computer. |
| 26 | Raw IP Header | IP header | The IP header of the current packet. Information is supplied to this field only for packets that are denied passage and are dropped by Forefront TMG. |
| 27 | Raw Payload | protocol payload | The protocol header of the current packet. Information is supplied to this field only for packets that are denied passage and are dropped by Forefront TMG. |
| 28 | GMT Log Time | GMT Time | The GMT time that corresponds to the local time in the logTime field. |
| 29 | NIS Scan Result | NIS scan result | The result when NIS scans the traffic or connection (inspected/detected/blocked). |
| 30 | NIS Signature | NIS signature | The NIS signature detected or based on which the traffic was blocked. |
| 31 | NAT Address | NAT Address | Public IP address used as a source IP for outbound traffic. |
| 32 | Forefront TMG Client FQDN | fwc-client-fqdn | Gets the FQDN of the client computer for a Forefront TMG Client connection. |
| 33 | Forefront TMG Client Application Path | fwc-app-path | Gets the full path of the client application for a Forefront TMG Client connection. |
| 34 | Firewall Client Application SHA1 Hash | fwc-app-sha1-hash | Gets the SHA1 hash value that is calculated for the executable file of the client application and used by Forefront TMG Client to request a network connection. |
| 35 | Forefront TMG Client Application trust state | fwc-app-trust-state | Gets a value from the FpcFwcClientApplicationTrustState enumerated type that indicates whether the client application is trusted by the operating system running on the client computer. |
| 36 | Forefront TMG Client Application Internal Name | fwc-app-internal-name | Forefront TMG Client Application Internal Name. |
| 37 | Forefront TMG Client Application Product Name | fwc-app-product-name | Gets the product name of the client application. |
| 38 | Forefront TMG Client Application Product Version | fwc-app-product-version | Gets the product version of the client application. |
| 39 | Forefront TMG Client Application File Version | fwc-app-file-vrsion | Gets the file version of the client application. |
| 40 | Forefront TMG Client Application Original File Name | fwc-app-original-file-name | The original name of the client application. |
| 41 | Internal Service Info Log Fields | internal-service-info | Internal |
| 42 | NIS Application Protocol | NIS application protocol | The application protocol in which NIS detected the signature. |
| 43 | Forefront TMG Client Version | fwc-version | The version number of the Forefront TMG Client. |

 

Microsoft Forefront TMG 2010 – Web Proxy Log Fields

| Bit number | Field name (log viewer) | Field name (W3C) | Description |
| --- | --- | --- | --- |
| 0 | Client IP | c-ip | The IP address of the requesting client. |
| 1 | Client Username | cs-username | The user account making the request. A question mark (?) indicates that the user name was sent but the user was not authenticated by Forefront TMG. If Forefront TMG access control is not being used, Forefront TMG uses Anonymous. |
| 2 | Client Agent | c-agent | The name and version of the client application sent in the HTTP User-Agent header. When Forefront TMG is actively caching, this field is set to Forefront TMG. |
| 3 | Authenticated Client | sc-authenticated | Indicates whether the client has been authenticated with the Forefront TMG computer. Possible values are Y and N. |
| 4 | Log Date | date | The date on which the logged event occurred. In the SQL Server Express format, both the date and the local time are included in the single logTime field, and the bits for both the date and time fields must be set. |
| 5 | Log Time | time | The local time when the logged event occurred. In the W3C extended file format and in ODBC-compliant SQL Server databases, this time is in Coordinated Universal Time (UTC). In the SQL Server Express format, both the date and the local time are included in the single logTime field, and the bits for both the date and time fields must be set. |
| 6 | Service | s-svcname | The type of service that logged this record. This may be Proxy or Reverse Proxy. |
| 7 | Server Name | s-computername | The name of the Forefront TMG server. |
| 8 | Referring Server | cs-referred | Reserved for future use. |
| 9 | Destination Host Name | r-host | The domain name for the remote computer that provides service to the current request. A hyphen (-) in this field may indicate that an object was retrieved from the local cache and not from the destination. |
| 10 | Destination IP | r-ip | The network IP address of the remote computer that provides service to the current connection. A hyphen (-) in this field may indicate that an object was sourced from the local cache and not from the destination. One exception is negative caching. In that case, this field contains a destination IP address for which a negative cached object was returned. |
| 11 | Destination Port | r-port | The port number on the target computer that provides service to the current connection. |
| 12 | Processing Time | time-taken | The total time, in milliseconds, that Forefront TMG took to process the current request. It measures the time elapsed from the time when the server first receives the request to the time when final processing occurs on the server, when results are returned to the client. For cache requests that are processed through Web Proxy filter, the processing time measures the elapsed server time needed to fully process a client request and return an object to the client. |
| 13 | Bytes Received | cs-bytes | The number of bytes sent from the remote computer and received by the client during the current request. A hyphen (-) or a zero (0) in this field indicates that this information was not provided by the remote computer or that no bytes were received from the remote computer. |
| 14 | Bytes Sent | sc-bytes | The number of bytes sent from the client to the remote computer during the current connection. A hyphen (-), a zero (0), or a negative number in this field indicates that this information was not provided by the remote computer or that no bytes were sent to the remote computer. |
| 15 | Protocol | cs-protocol | The application protocol used for the connection. Common values are HTTP, HTTPS, and FTP. |
| 16 | Transport | cs-transport | The transport protocol used for the connection. This is always TCP for Web requests. |
| 17 | HTTP Method | s-operation | The HTTP method used. Common values are GET, PUT, POST, and HEAD. |
| 18 | URL | cs-uri | The URL requested. |
| 19 | MIME Type | cs-mime-type | The MIME type for the current object. This field may also contain a hyphen (-) to indicate that this field is not used or that a valid MIME type was not defined for the current object. |
| 20 | Object Source | s-object-source | The type of source that was used to retrieve the current object. A table of some possible values is provided in Web proxy object source log values. |
| 21 | HTTP Status Code | sc-status | A Windows (Win32®) error code (for values less than 100), an HTTP status code (for values between 100 and 1,000), a Winsock error code (for values between 10,004 and 11,031), or a Forefront TMG error code. A table of some possible values is provided in Result code log values. |
| 22 | Cache Information | s-cache-info | A number reflecting the cache status of the object, which indicates the reasons why the object was or was not cached. The number logged is the sum of the values for all the conditions that are met. A table of the possible values is provided in Web proxy cache log values. |
| 23 | Rule | rule | The rule that either allowed or denied access to the request, as follows: If an outgoing request was allowed, this field indicates the access rule that allowed the request. If an outgoing request was denied by a policy rule, this field indicates the access rule that blocked the request. If an incoming request was denied by a policy rule, this field indicates the Web publishing or server publishing rule that denied the request. If Forefront TMG denied the connection for any reason other than a policy rule (for example, due to an intrusion attempt or exceeding a flood resiliency threshold), this field contains a hyphen (-), and the Result Code field (bit 21) indicates the reason. |
| 24 | Filter Information | FilterInfo | Information supplied by a Web filter. For example, if HTTP Filter rejected a request, this field contains the reason for the rejection. |
| 25 | Source Network | cs-Network | The network from which the request originated. |
| 26 | Destination Network | sc-Network | The network for which the request was destined. |
| 27 | Error information | error-info | A 32-bit bitmask that provides additional information about the request that can help identify the source of the error if an error occurred. A table of the possible bit fields is provided in Web proxy error log values. |
| 28 | Action | action | The action performed by the Microsoft Firewall Service for the current session or connection. The possible values are defined in the FpcAction enumerated type. |
| 29 | GMT Log Time | GmtLogTime | The date and time in Coordinated Universal Time (UTC) when the log entry was made. |
| 30 | Authentication Server | AuthenticationServer | The name of the authentication server. |
| 31 | NIS Scan Result | NIS scan result | The result of NIS scanning of the traffic or the connection (inspected/detected/blocked). |
| 32 | NIS Signature | NIS signature | The NIS signature detected that resulted in the traffic being blocked. |
| 33 | Threat Name | ThreatName | The string describing the threat. |
| 34 | Malware Inspection Action | MalwareInspectionAction | Describes the action performed on the inspection content. Possible values are Allowed, Cleaned or Blocked. |
| 35 | Malware Inspection Result | MalwareInspectionActionResult | Describes the outcome of the malware inspection process. Possible values include: No Violation Detected; Low and Medium Level Threats Not Blocked; Infected File; Suspicious File; Encrypted File; Maximum Archive Nesting Exceeded; Maximum Size Exceeded; Maximum Unpacked File Size Exceeded; Unknown Encoding; Corrupted File; Time Out; Storage Space Limit Exceeded; Unknown; Malware Inspection Disabled; Malware Inspection Disabled for the Matching Policy Rule; Malware Inspection Disabled for the Matching Web Chaining Rule; Destination Included in Malware Inspection Exceptions List; Response Originated from Proxy Server; Request Served by Malware Inspection Web Filter; Request/Response Pair Identified as Exempted Protocol Message; Response Identified as a 200 Response to a CONNECT Request; Response Scanned Before Being Routed by CARP (this is not relevant for Forefront TMG in the Essential Business Server scenario). |
| 36 | URL Category | UrlCategory | Specifies the URL category that is assigned to the requested URL. |
| 37 | Content Delivery Method | MalwareInspectionContentDeliveryMethod | Specifies whether users were informed by trickling partial content or by progress notifications. |
| 38 | UAG Array Id | UAG Array ID | The array name of the message's array context. |
| 39 | UAG Version | Not in use. | |
| 40 | UAG Module Id | UAG module name | The name of the module that produced the message. |
| 41 | UAG Id | Not in use. | |
| 42 | UAG Severity | UAG message severity | The message severity (Error, Warning, Information, Notice). |
| 43 | UAG Type | Type of message | The type of the message (Security, Application, System, Session). |
| 44 | UAG Event Name | Not in use. | |
| 45 | UAG Session Id | UAG session ID | The ID of the session which is the context of the message. |
| 46 | UAG Trunk Name | UAG trunk name | The name of the trunk which is the context of the message. |
| 47 | UAG Service Name | UAG service name | The name of the UAG service that generated the message. |
| 48 | UAG Error Code | UAG message ID | Specifies the UAG message ID. |
| 49 | Malware Inspection Duration (msec) | MalwareInspectionDuration | Specifies the inspection duration in milliseconds. If content is not inspected, 0 is shown. Inspected content shows a minimum value of 1. |
| 50 | Threat Level | MalwareInspectionThreatLevel | Shows the threat level. Possible values include: Low; Medium; High; Severe. |
| 51 | Internal Service Info Log Fields | internal-service-info | Internal |
| 52 | NIS Application Protocol | NIS application protocol | The application protocol in which NIS detected the signature. |
| 53 | NAT Address | NAT Address | Public IP address used as a source IP for outbound traffic. |
| 54 | URL Categorization Reason | UrlCategorizationReason | The reason for the URL categorization. Possible values include, for successful categorizations: From overrides; From cache; From Web service. For unknown: Feature disabled; Not in database; Connection error; Web service down; License expired. |

 

 

 

Microsoft Forefront TMG 2010 – Web Proxy Error Information Description

| Value | Descriptive code | Description |
| --- | --- | --- |
| 0x00000001 | ERROR_INFO_IO_RECV_FROM_CLIENT | Error receiving packets from client. |
| 0x00000002 | ERROR_INFO_IO_SEND_TO_CLIENT | Error sending packets to client. |
| 0x00000004 | ERROR_INFO_IO_SEND_TO_SERVER | Error sending packets to server. |
| 0x00000008 | ERROR_INFO_IO_RECV_FROM_SERVER | Error receiving packets from server. |
| 0x00000010 | ERROR_INFO_DEST_IS_MEMBER | - |
| 0x00000020 | ERROR_INFO_CLIENT_IS_MEMBER | - |
| 0x00000040 | ERROR_INFO_DURING_CONNECT | Error while connecting. |
| 0x00000080 | ERROR_INFO_CLIENT_KA | Connection with client is keep-alive. |
| 0x00000100 | ERROR_INFO_SERVER_KA | Connection with upstream server is keep-alive. |
| 0x00000200 | ERROR_INFO_REQUEST_HAS_BODY | Client's request includes a body (of nonzero content length). |
| 0x00000400 | ERROR_INFO_RESPONSE_HAS_BODY | Server's response includes a body (of nonzero content length). |
| 0x00000800 | ERROR_INFO_IP_FROM_DNS_CACHE | Name resolution using the DNS cache. |
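
The Web Proxy field descriptions above are enough to triage records: the hyphen convention of the rule field, the sc-status ranges given for bit 21, and the error-info bitmask. The Python below is an added example, not part of the original page or of any Microsoft tool; it assumes the W3C text log is tab-separated with a "#Fields:" directive, that error-info is written in decimal or 0x-hex, and that the action column holds the names from the Firewall Action Log Values table. The log rows and rule names are constructed.

```python
# Added example: triage of Forefront TMG 2010 Web Proxy log records.
# Assumptions (not from the page): the W3C text log is tab-separated with a
# "#Fields:" directive, and error-info is written as decimal or 0x-hex.

# Bit values copied from the Web Proxy Error Information table.
ERROR_INFO_BITS = {
    0x001: "ERROR_INFO_IO_RECV_FROM_CLIENT",
    0x002: "ERROR_INFO_IO_SEND_TO_CLIENT",
    0x004: "ERROR_INFO_IO_SEND_TO_SERVER",
    0x008: "ERROR_INFO_IO_RECV_FROM_SERVER",
    0x010: "ERROR_INFO_DEST_IS_MEMBER",
    0x020: "ERROR_INFO_CLIENT_IS_MEMBER",
    0x040: "ERROR_INFO_DURING_CONNECT",
    0x080: "ERROR_INFO_CLIENT_KA",
    0x100: "ERROR_INFO_SERVER_KA",
    0x200: "ERROR_INFO_REQUEST_HAS_BODY",
    0x400: "ERROR_INFO_RESPONSE_HAS_BODY",
    0x800: "ERROR_INFO_IP_FROM_DNS_CACHE",
}
# Bits that report a failed send, receive or connect; the rest are properties.
FAILURE_MASK = 0x001 | 0x002 | 0x004 | 0x008 | 0x040

# Constructed sample: a subset of the logged fields, documentation addresses only.
FIELDS = ["c-ip", "cs-username", "r-host", "sc-status", "rule", "error-info", "action"]
ROWS = [
    ["192.0.2.10", "CORP\\alice", "www.example.com", "200", "Allow Web Access", "0x480", "Allowed"],
    ["192.0.2.11", "CORP\\bob (?)", "blocked.example.net", "12202", "Block Category", "0x0", "Denied"],
    ["192.0.2.12", "anonymous", "198.51.100.7", "12234", "-", "0x0", "Denied"],
    ["192.0.2.13", "CORP\\alice", "slow.example.org", "10060", "Allow Web Access", "0x848", "Failed"],
    ["192.0.2.14", "truncated"],  # malformed row, dropped by the parser
]
SAMPLE_LOG = "#Fields: " + "\t".join(FIELDS) + "\n" + "\n".join("\t".join(r) for r in ROWS)


def parse_w3c(text):
    """Return one dict per data row, keyed by the names in the #Fields directive."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split("\t")
        elif line.strip() and not line.startswith("#"):
            values = line.split("\t")
            if fields and len(values) == len(fields):  # skip truncated rows
                records.append(dict(zip(fields, values)))
    return records


def error_info_value(raw):
    """Parse the error-info field; a hyphen or empty value means no bits set."""
    raw = raw.strip()
    return 0 if raw in ("", "-") else int(raw, 0)


def decode_error_info(raw):
    """Names of the set bits, lowest bit first; unlisted bits stay visible."""
    value = error_info_value(raw)
    masks = [1 << bit for bit in range(32) if value & (1 << bit)]
    return [ERROR_INFO_BITS.get(m, "UNKNOWN_0x%08X" % m) for m in masks]


def classify_status(raw):
    """Apply the ranges given in the sc-status (bit 21) description."""
    if not raw.isdigit():
        return "unknown"
    code = int(raw)
    if code < 100:
        return "win32"
    if code <= 1000:
        return "http"
    if 10004 <= code <= 11031:
        return "winsock"
    return "tmg"  # anything else is treated here as a Forefront TMG code


def triage(records):
    """Return (client IP, status class, tags) for records that need a look."""
    findings = []
    for rec in records:
        tags = []
        if rec["action"] == "Denied":
            # Rule "-" means the denial did not come from a policy rule;
            # sc-status then carries the reason (for example an IPS block).
            tags.append("denied-non-policy" if rec["rule"] == "-" else "denied-by-rule")
        if error_info_value(rec["error-info"]) & FAILURE_MASK:
            tags.append("io-error")
        if "?" in rec["cs-username"]:
            tags.append("unauthenticated-user")  # name sent, not verified by TMG
        if tags:
            findings.append((rec["c-ip"], classify_status(rec["sc-status"]), tags))
    return findings


if __name__ == "__main__":
    for ip, kind, tags in triage(parse_w3c(SAMPLE_LOG)):
        print(ip, kind, ",".join(tags), sep="\t")
```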

 

Microsoft Forefront TMG 2010 – Firewall Action Log Values

| Value | Description |
| --- | --- |
| NotLogged | No action was logged. |
| Bind | The Firewall service associated a local address with a socket. |
| Listen | The Firewall service placed a socket in a state in which it listens for an incoming connection. |
| GHBN | Get host by name request. The Firewall service retrieved host information corresponding to a host name. |
| GHBA | Get host by address request. The Firewall service retrieved host information corresponding to a network address. |
| Redirect_Bind | The Firewall service enabled a connection using a local address associated with a socket. |
| Establish | The Firewall service established a session. |
| Terminate | The Firewall service terminated a session. |
| Denied | The action requested was denied. |
| Allowed | The action requested was allowed. |
| Failed | The action requested failed. |
| Intermediate | The action was intermediate. |
| Successful_Connection | The Firewall service was successful in establishing a connection to a socket. |
| Unsuccessful_Connection | The Firewall service was unsuccessful in establishing a connection to a socket. |
| Disconnection | The Firewall service closed a connection on a socket. |
| User_Cleared_Quarantine | The Firewall service cleared a quarantined virtual private network (VPN) client. |
| Quarantine_Timeout | The Firewall service disqualified a quarantined VPN client after the time-out period elapsed. |

 

Microsoft Forefront TMG 2010 – Web Proxy Result Code Values

| Source values | Description |
| --- | --- |
| 0 | The operation completed successfully. |
| 200 | OK. |
| 201 | Created. |
| 202 | Accepted. |
| 204 | No content. |
| 301 | Moved permanently. |
| 302 | Moved temporarily. |
| 304 | Not modified. |
| 400 | Bad request. |
| 401 | Unauthorized. |
| 403 | Forbidden. |
| 404 | Not found. |
| 500 | Server error. |
| 501 | Not implemented. |
| 502 | Bad gateway. |
| 503 | Out of resources. |
| 995 | Operation aborted. |
| 10060 | A connection timed out. |
| 10061 | A connection was refused by the destination host. |
| 10065 | No route to host. |
| 11001 | Host not found. |
| 12201 | A chained proxy server or array member requires proxy-to-proxy authentication. Please contact your server administrator. |
| 12301 | A chained server requires authentication. Contact the server administrator. |
| 12202 | The Forefront TMG denied the specified Uniform Resource Locator (URL). |
| 12302 | The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. |
| 12204/12304 | The specified Secure Sockets Layer (SSL) port is not allowed. Forefront TMG is not configured to allow SSL requests from this port. Most Web browsers use port 443 for SSL requests. |
| 12206 | The Forefront TMG detected a proxy chain loop. There is a problem with the configuration of the Forefront TMG routing policy. Please contact your server administrator. |
| 12306 | The server detected a chain loop. There is a problem with the configuration of the server routing policy. Contact the server administrator. |
| 12207 | Forefront TMG dial-out connection failed. The administrator should manually dial the specified phonebook entry to determine if the number can be reached. |
| 12307 | The dial-out connection failed. The dial-out connection failed with the specified phonebook entry. The administrator should manually dial the specified phonebook entry to confirm that the problem is not the Windows auto-dial facility. |
| 12208 | Forefront TMG is too busy to handle this request. Reenter the request or renew the connection to the server (now or at a later time). |
| 12308 | The server is too busy to handle this request. Reenter the request or try again later. |
| 12209 | The Forefront TMG requires authorization to fulfill the request. Access to the Web Proxy filter is denied. |
| 12309 | The server requires authorization to fulfill the request. Access to the Web server is denied. Contact the server administrator. |
| 12210/12310 | An Internet Server API (ISAPI) filter has finished handling the request. Contact your system administrator. |
| 12211 | Forefront TMG requires a secure channel connection to fulfill the request. Forefront TMG is configured to respond to outgoing secure (Secure Sockets Layer (SSL)) channel requests. |
| 12311 | The page must be viewed over a secure channel (Secure Sockets Layer (SSL)). Contact the server administrator. |
| 12213 | Forefront TMG requires a client certificate to fulfill the request. A Secure Sockets Layer (SSL) Web server, during the authentication process, requires a client certificate. |
| 12313 | The page requires a client certificate as part of the authentication process. If you are using a smart card, you will need to insert your smart card to select an appropriate certificate. Otherwise, contact your server administrator. |
| 12214/12314 | An Internet Server API (ISAPI) filter caused an error or terminated with an error. |
| 12215 | The size of the request header is too large. Contact your Forefront TMG administrator. |
| 12315 | The size of the request header is too large. Contact the server administrator. |
| 12216 | The size of the response header is too large. Contact your Forefront TMG administrator. |
| 12316 | The size of the response header is too large. Contact the server administrator. |
| 12217 | The request was rejected by the HTTP filter. Contact your Forefront TMG administrator. |
| 12317 | The request was rejected by the HTTP filter. Contact the server administrator. |
| 12218 | Forefront TMG cannot handle your request because the DNS quota was exceeded. Contact your Forefront TMG administrator. |
| 12318 | Forefront TMG cannot handle your request because the DNS quota was exceeded. Contact the server administrator. |
| 12219 | The number of HTTP requests per minute exceeded the configured limit. Contact your Forefront TMG administrator. |
| 12319 | The number of HTTP requests per minute exceeded the configured limit. Contact the server administrator. |
| 12320 | Forefront TMG is configured to block HTTP requests that require authentication. |
| 12221/12321 | The client certificate used to establish the SSL connection with the Forefront TMG computer is not trusted. |
| 12222/12322 | The client certificate used to establish the SSL connection with the Forefront TMG computer is not acceptable. The client certificate restrictions were not met. |
| 12323 | Authentication failed. The client certificate used to establish an SSL connection with the Forefront TMG computer does not match the user credentials that you entered. |
| 12224 | The SSL server certificate supplied by a destination server is not yet valid. |
| 12225 | The SSL server certificate supplied by a destination server expired. |
| 12226 | The certification authority that issued the SSL server certificate supplied by a destination server is not trusted by the local computer. |
| 12227 | The name on the SSL server certificate supplied by a destination server does not match the name of the host requested. |
| 12228 | The SSL certificate supplied by a destination server cannot be used to validate the server because it is not a server certificate. |
| 12229 | The Web site requires a client certificate, but a client certificate cannot be supplied when HTTPS inspection is applied to the request. |
| 12230 | The SSL server certificate supplied by a destination server has been revoked by the certification authority that issued it. |
| 12234/12334 | The traffic was blocked by IPS. |
| 12235 | Web traffic was blocked for a rule with URL filtering enabled because the URL filtering database is not available. |
| 12236/12336 | Download failed because a third-party Web content filter does not support downloads that exceed 4GB. |
| 12337 | Download failed because the Link Translation filter does not support downloads that exceed 4GB. |
| 12238/12338 | Download failed because the Compression filter does not support downloads that exceed 4GB. |
| 12239/12339 | Request failed because the size of the request body is too large. |

 

Microsoft Forefront TMG 2010 -  Firewall Result Code Values

| Symbolic name | Code | Message text |
| --- | --- | --- |
| FWX_E_TERMINATING | 0xC0040001 | The object is shutting down. |
| FWX_E_INVALID_ARG | 0xC0040002 | The argument is invalid. |
| FWX_E_ALREADY_IN_BLOCKING_OP | 0xC0040003 | The blocking operation is already started. |
| FWX_E_NOT_IN_BLOCKING_OP | 0xC0040004 | There is no blocking operation to be ended. |
| FWX_E_FILTER_NOT_REGISTERED | 0xC0040005 | The filter is not registered. |
| FWX_E_ALREADY_EXISTS | 0x800700B7 | The object cannot be created because an object with the same name already exists. |
| FWX_E_BUFFERFULL | 0xC0040007 | Not all the data was appended to the buffer object because the buffer was full. |
| FWX_E_ALREADY_EMULATED | 0xC0040009 | The connection is already emulated by another filter. |
| FWX_E_BAD_CONTEXT | 0xC004000A | The method was not called while handling any of the supported events. |
| FWX_E_NOT_SUPPORTED | 0xC004000B | Modifying this property is not allowed for this session. |
| FWX_E_NOT_AUTHENTICATED | 0xC004000C | The action cannot be performed because the session is not authenticated. |
| FWX_E_POLICY_RULES_DENIED | 0xC004000D | The policy rules do not allow the user request. |
| FWX_E_MIME_NEEDED | 0xC004000E | The MIME type is required. |
| FWX_E_MUST_USE_DS | 0xC004000F | - |
| FWX_E_NOT_EMULATED | 0xC0040010 | The connection is not emulated. |
| FWX_E_IS_BUSY | 0xC0040011 | A connection was dropped because there are too many pending connection requests. |
| FWX_E_NETWORK_RULES_DENIED | 0xC0040012 | The network rules do not allow the connection requested. |
| FWX_E_FRAGMENT_PACKET_DROPPED | 0xC0040013 | A packet was dropped because it contained an IP fragment that Forefront TMG is configured to block. |
| FWX_E_FWE_SPOOFING_PACKET_DROPPED | 0xC0040014 | A packet was dropped because Forefront TMG determined that the source IP address is spoofed. |
| FWX_E_TCPIPDROP_PACKET_DROPPED | 0xC0040015 | A packet was dropped by the TCP/IP stack. |
| FWX_E_NO_BACKLOG_PACKET_DROPPED | 0xC0040016 | A packet was dropped because the rate of requests for incoming connections was too high. |
| FWX_E_TCP_NOT_SYN_PACKET_DROPPED | 0xC0040017 | A non-SYN packet was dropped because it was sent by a source that does not have an established connection with the Forefront TMG computer. |
| FWX_E_BAD_LENGTH_PACKET_DROPPED | 0xC0040018 | A packet was dropped because its IP length field does not fall within the allowed range or is inconsistent with the actual length. |
| FWX_E_PING_OF_DEATH_PACKET_DROPPED | 0xC0040019 | A packet was dropped because Forefront TMG detected a ping-of-death attack. |
| FWX_E_OUT_OF_BAND_PACKET_DROPPED | 0xC004001A | A packet was dropped because Forefront TMG detected a Windows out-of-band (WinNuke) attack. |
| FWX_E_IP_HALF_SCAN_PACKET_DROPPED | 0xC004001B | A packet was dropped because Forefront TMG detected an IP half-scan attack. |
| FWX_E_LAND_ATTACK_DROPPED | 0xC004001C | A packet was dropped because Forefront TMG detected a land attack. |
| FWX_E_UDP_BOMB_DROPPED | 0xC004001D | A packet was dropped because Forefront TMG detected a UDP bomb attack. |
| FWX_E_FULLDENY_DROPPED | 0xC004001E | A packet was dropped because Forefront TMG is operating in lockdown mode. |
| FWX_E_IPOPTIONS_DROPPED | 0xC004001F | A packet was dropped because its header includes one or more IP options that Forefront TMG is configured to block. |
| FWX_E_UNCOMPLETED_CONNECTION_REQUEST | 0xC0040020 | An attempt to log on to the VPN server was rejected during the authentication phase because the authentication data was not received in a timely manner. The client session was disconnected. |
| FWX_E_CONNECTION_REQUEST_REJECTED | 0xC0040021 | An attempt to log on to the VPN server was rejected during the authentication phase. The client session was disconnected. |
| FWX_E_VALIDATE_QUARANTINE_FAILED | 0xC0040022 | The VPN quarantine settings could not be validated. The client session was disconnected. |
| FWX_E_VPN_CONNECTIONS_LIMIT_EXCEEDED | 0xC0040023 | The VPN client connection limit was exceeded. The client session was disconnected. |
| FWX_E_OUT_OF_RESOURCES | 0xC0040024 | A packet was dropped because there are insufficient resources. |
| FWX_E_BROADCAST_PACKET_DROPPED | 0xC0040025 | A broadcast packet was dropped by the Forefront TMG policy. |
| FWX_E_UNKNOWN_ADAPTER_DROPPED | 0xC0040026 | Reserved for future use. |
| FWX_E_ICMP_ERROR_PACKET_DROPPED | 0xC0040027 | Reserved for future use. |
| FWX_E_INVALID_PROTOCOL_PACKET_DROPPED | 0xC0040028 | A packet was dropped because its header specifies an invalid IP protocol (255) or address (0.0.0.0). |
| FWX_E_PORT_ZERO_PACKET_DROPPED | 0xC0040029 | A packet was dropped because its transport header specifies an invalid port (0). |
| FWX_E_SYN_ATTACK_START | 0xC004002A | Forefront TMG detected a SYN attack. |
| FWX_E_SYN_ATTACK_END | 0xC004002B | Forefront TMG is no longer experiencing a SYN attack. |
| FWX_E_INVALID_DHCP_OFFER | 0xC004002C | An invalid DHCP offer was blocked. |
| FWX_E_UNREACHABLE_ADDRESS | 0xC004002D | A packet was dropped because its destination IP address is unreachable. |
| FWX_E_ADDRESS_NOT_ALLOWED | 0xC004002E | An attempt to establish a connection by an application filter was rejected because the source address is not in a range that is allowed for the destination address. |
| FWX_E_IPSEC_NO_ROUTE_DROPPED | 0xC004002F | A packet arriving through an IPsec tunnel was rejected because its source address is not expected for the tunnel. |
| FWX_E_OUTBOUND_PATH_THROUGH_DROPPED | 0xC0040030 | A packet generated on the local host was rejected because its source IP address is assigned to one network adapter and its destination IP address is reachable through another network adapter. |
| FWX_E_BAD_TCP_CHECKSUM_DROPPED | 0xC0040031 | A packet was dropped because verification of its TCP checksum failed. |
| FWX_E_VPN_USER_MAPPING_FAILED | 0xC0040032 | An attempt to map a VPN client to a Windows user failed. The client session was disconnected. |

FWX_E_RULE_QUOTA_EXCEEDED_DROPPED

0xC0040033

A connection was rejected because the maximum number of connections that can be created for a rule during one second was exceeded.

FWX_E_SEQ_ACK_MISMATCH

0xC0040034

A TCP packet was rejected because it has an invalid sequence number or an invalid acknowledgement number.

WSA_RWS_GRACEFUL_SHUTDOWN or FWX_E_GRACEFUL_SHUTDOWN

0x80074E20

A connection was gracefully closed in an orderly shutdown process with a three-way FIN-initiated handshake.

WSA_RWS_ABORTIVE_SHUTDOWN or FWX_E_ABORTIVE_SHUTDOWN

0x80074E21

A connection was abortively closed after one of the peers sent a RST segment.

WSA_RWS_QUOTA or FWX_E_RULE_QUOTA_EXCEEDED_DROPPED

0x80074E23

A connection was refused because a quota set in a rule was exceeded.

WSA_RWS_CONNECTION_KILLED or FWX_E_CONNECTION_KILLED

0x80074E24

Forefront TMG killed a connection.

WSA_RWS_TIMEOUT or FWX_E_TIMEOUT

0x80074E25

A connection was terminated because it was idle for more than the time-out period, or the time-out on an incomplete action expired.

WSA_RWS_ADMIN_TERMINATE or FWX_E_ADMIN_TERMINATE

0x80074E26

A connection was terminated from Forefront TMG Management during shutdown, or when a VPN client was disconnected.

FWX_E_THREAD_QUOTA_EXCEEDED

0xC0040035

A blocking operation could not be performed because the thread limit for this operation was reached.

FWX_E_DNS_QUOTA_EXCEEDED

0xC0040036

A DNS query could not be performed because the query limit was reached.

FWX_E_TCP_RATE_QUOTA_EXCEEDED_DROPPED

0xC0040037

A connection was rejected because the maximum connections rate for a single client host was exceeded.

FWX_E_TCP_NO_SERVER_REPLY

0xC0040038

A connection was closed because no SYN/ACK reply was received from the server.

FWX_E_POLICY_CONNECTION_CLOSED

0xC0040039

An existing connection was closed because it is no longer allowed by the policy.

FWX_E_NAT_ADDRESS_NOT_AVAILABLE

0xC004003A

A network rule specifies a NAT address, but no local IP address is available for NAT on the server.

FWX_E_IPS_BLOCKED

0xC004003B

The connection was blocked by network inspection system (NIS).

FWX_E_IPS_DETECTED

0xC004003C

The network inspection system (NIS) detected traffic that matches a vulnerability signature.

FWX_E_CONNECTION_QUARANTINED

0xC004003D

The connection was closed because the client was quarantined.

FWX_E_FW_IPSEC_DROPPED

0xC004003E

A packet was dropped due to periodic inconsistency between the IPSec policy and Forefront TMG's snapshot of the IPSec policy.

FWX_E_TRANSITION_DROPPED

0xC004003F

A packet was dropped while adjusting the Forefront TMG behavior to a new IPSec policy.

FWX_E_BOTH_ADRESSES_BELONG_TO_SAME_NETWORK

0xC0040040

Both input addresses belong to the same network.

FWX_E_UNSUPPORTED_IPV6_DROPPED

0xC0040041

A packet was dropped because IPv6 protocol is not supported.

FWX_E_INVALID_ROUTER_ADV

0xC0040042

An invalid IPv6 router advertisement.

FWX_E_IPV6_ROUTING_HEADER

0xC0040043

An IPv6 routing header is present.

FWE_E_FAIL_TRANSACT_TO_TRANSITION_TO_IPSEC

0xC0040044

The FW engine failed to apply the IPSec configuration.

FWE_E_FAIL_TRANSACT_TO_IPSEC

0xC0040045

The FW engine entered an invalid state.

FWX_E_UNSUPPORTED_NATPT_DROPPED

0xC0040046

An unsupported NAT-PT packet was dropped.

FWX_E_NIS_LOAD_POLICY_FAILED

0xC0040047

The FW engine failed to process the network inspection system (NIS) signature set.
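
As an added example (not part of the original article or of Microsoft's documentation), the Python code below triages firewall log rows by the result codes listed above: it counts attack-detection drops per source IP and pairs FWX_E_SYN_ATTACK_START with FWX_E_SYN_ATTACK_END into attack windows. The sample log, its four-column layout, the `status` column name, the `ip:port` source format and the signed-decimal rendering of a code are assumptions made for the example.

```python
import csv
from collections import Counter

# Attack-related result codes copied from the table above (subset).
ATTACK_CODES = {
    0xC004001B: "FWX_E_IP_HALF_SCAN_PACKET_DROPPED",
    0xC004001D: "FWX_E_UDP_BOMB_DROPPED",
    0xC004003B: "FWX_E_IPS_BLOCKED",
    0xC004003C: "FWX_E_IPS_DETECTED",
}
SYN_START, SYN_END = 0xC004002A, 0xC004002B

# Constructed sample; the columns and the ip:port source format are assumptions.
SAMPLE_LOG = (
    "#Fields: date\ttime\tsource\tstatus\n"
    "2024-03-01\t10:00:01\t198.51.100.7:40112\t0xC004001B\n"
    "2024-03-01\t10:00:02\t198.51.100.7:40113\t0xc004001b\n"
    "2024-03-01\t10:00:05\t-\t0xC004002A\n"
    "2024-03-01\t10:00:09\t203.0.113.9:5353\t-1073479651\n"  # 0xC004001D as signed decimal
    "2024-03-01\t10:02:30\t-\t0xC004002B\n"
    "2024-03-01\t10:03:00\t192.0.2.15:51000\t0x80074E20\n"  # graceful close, ignored
)

def parse_code(text):
    """Accept hex or decimal text; fold signed 32-bit values to unsigned."""
    return int(text, 0) & 0xFFFFFFFF

def triage(log_text):
    """Return (attack hits per (source IP, code name), SYN attack windows)."""
    lines = log_text.splitlines()
    fields = next(l for l in lines if l.startswith("#Fields:"))[8:].strip().split("\t")
    data = (l for l in lines if l and not l.startswith("#"))
    hits, windows, opened = Counter(), [], None
    for row in csv.DictReader(data, fieldnames=fields, delimiter="\t"):
        try:
            code = parse_code(row["status"])
        except (TypeError, ValueError):
            continue  # missing or non-numeric status value
        stamp = f"{row['date']} {row['time']}"
        if code in ATTACK_CODES:
            hits[(row["source"].rsplit(":", 1)[0], ATTACK_CODES[code])] += 1
        elif code == SYN_START:
            opened = stamp
        elif code == SYN_END and opened:
            windows.append((opened, stamp))
            opened = None
    if opened:
        windows.append((opened, None))  # no END record before the log ended
    return hits, windows
```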

 

 
