Barracuda CloudGen Firewall

This Firmware Version Is End-Of-Support

Documentation for this product is no longer updated. Please see https://campus.barracuda.com/doc/71862301/ for further information on our EoS policy.

Security Events

This article provides an overview of all security events that are processed by the Barracuda NG Firewall.

| Event-ID | Description | Relevance | Severity | Notification | Persistent |
|---|---|---|---|---|---|
| 53 | Duplicate IP Detected | An IP address living on the system has additionally been detected in the network. | Warning | 2 | yes |
| 140 | Mail Size Limit Exceeded | The size of an e-mail has exceeded the configured limit (see: ). This event is only reported when parameter Limit Mail Data Size is set to yes. | Notice | 2 | no |
| 300 | User ID (UID) Invalid | See description. | Security | 3 | no |
| 304 | Reserved Login ID Used | See description. | Security | 3 | no |
| 2400 | Config Node Change Notice | A configuration file has been edited in the Barracuda NG Control Center configuration tree. "Config node change" events are only reported if event notification has been configured for configuration file changes (CC context menu entry Properties … ). The following events apply: Normal Event - Event-ID 2400; Notice Event - Event-ID 2401; Alert Event - Event-ID 2402. | Notice | 2 | no |
| 2401 | Config Node Change Warning | | Warning | 2 | no |
| 2402 | Config Node Change Alert | | Security | 3 | no |
| 2420 | NG Firewall Login Notice | An application has been granted administrative access to the system. Barracuda Networks applications generate "Barracuda Networks Subystem Login" notifications every time a user has successfully logged into an application that interacts with the graphical administration tool Barracuda NG Admin (for example control, event, statistics, config). The severity level for notifications regarding access to box services is configurable in CONFIGURATION > Configuration Tree > Box > Advanced Configuration > Access Notification; notifications for other services may be customized per service. | Notice | 2 | no |
| 2421 | NG Firewall Login Warning | | Warning | 2 | no |
| 2422 | NG Firewall Login Alert | | Security | 3 | no |
| 2510 | FW Global Connection Limit Exceeded | The number of total sessions allowed for a request has been exceeded (see: General Firewall Configuration). | Security | 3 | yes |
| 2600 | DHCP Lease Deleted | Not available. | Notice | 2 | no |
| 3011 | CRL Collection Failed | Collection of the Certificate Revocation List (CRL) has failed. Paths to CRLs are defined in the VPN Settings > Root Certificates tab > Certificate Revocation tab (see: ). Polling for CRL retrieval is defined through parameter CRL Poll Time. | Security | 3 | no |
| 3012 | VPN Client Version | Not available. | Warning | 2 | no |
| 3013 | Antivir Pattern Update Failed | Update to the recent Virus Scanner definitions has not succeeded. | Security | 3 | no |
| 4000 | FW Port Scan Detected | The number of blocked requests has exceeded the Port Scan Threshold within the configured Port Scan Detection Interval. Limit values can be customized in the Firewall Settings > Reporting tab. | Notice | 2 | no |
| 4002 | FW Flood Ping Protection Activated | The Min Delay time for pinging defined in a Firewall Service Object (see: ) has been under-run and the connection has thus been blocked by the FW. | Warning | 2 | no |
| 4004 | FW Activating Perimeter Defence (inbound mode) | The Inbound Mode Threshold (%) value specified in the Local Firewall settings (see: Host Firewall) has been exceeded. | Security | 3 | no |
| 4006 | FW Pending TCP Connection Limit Reached | The number of pending TCP sessions per source IP exceeds the allowed maximum. Requests initiating further pending sessions will be blocked. The threshold is configurable in the Firewall Forwarding Settings > Firewall tab (parameter Max. Pending Forward Accepts/Src). | Security | 3 | no |
| 4008 | FW UDP Connection per Source Limit Exceeded | The maximum number of UDP sessions per source IP has been exceeded. The thresholds can be configured in the Local Firewall Settings > Session Limits tab (parameter Max Local-In UDP/Src) and in the Firewall Forwarding Settings > Firewall tab (parameter Max. Forwarding UDP/Src). | Warning | 2 | no |
| 4009 | FW UDP Connection Limit Exceeded | The maximum number of UDP sessions has been exceeded. The threshold can be configured in the Local Firewall Settings > Session Limits tab (parameter Max UDP (%)). | Security | 3 | no |
| 4010 | FW Oversized SYN Packet Dumped | An oversized SYN packet has been dropped by the firewall. | Notice | 2 | no |
| 4012 | FW Large ICMP Packet Dumped | An ICMP-ECHO packet larger than the configured Max Ping Size (see: Service Objects) has been dropped by the firewall. | Notice | 2 | no |
| 4014 | FW IP Spoofing Attempt Detected | An IP spoofing attempt has been discovered. | Notice | 4 | no |
| 4015 | FW Potential IP Spoofing Attempt | A SYN flooding attack has been identified (see: Best Practice - Protect Against TCP SYN Flooding Attacks with TCP Accept Policies). | Notice | 4 | no |
| 4016 | FW Rule Connection Limit Exceeded | The maximum number of concurrent connections allowed per rule has been exceeded. The maximum value is defined by parameter Max. Number of Sessions (see: General Firewall Configuration). | Warning | 2 | no |
| 4018 | FW Rule Connection per Source Limit Exceeded | The maximum number of concurrent connections allowed per rule and source has been exceeded. The maximum value is defined by parameter Max. Number of Sessions per Source (see: General Firewall Configuration). | Warning | 2 | no |
| 4020 | FW Rule Notice | A firewall rule equipped with event generation has been processed. The severity level of the generated event is defined by the rule (see: How to Configure Event Notifications). | Notice | 2 | no |
| 4021 | FW Rule Warning | | Warning | 2 | no |
| 4022 | FW Rule Alert | | Security | 3 | no |
| 4024 | FW Global Connection per Source Limit Exceeded | The maximum number of concurrent connections allowed per source has been exceeded. The maximum value is defined by parameters Max Local-In Session/Src in the Local Firewall Settings and Max. Forwarding Session/Src in the Forwarding Firewall Settings. | Warning | 2 | no |
| 4026 | FW ICMP-ECHO Connection per Source Limit Exceeded | The maximum number of concurrent ICMP-ECHO connections allowed per source has been exceeded. The maximum value is defined by parameters Max Local-In Echo/Src in the Local Firewall Settings and Max. Forwarding Echo/Src in the Forwarding Firewall Settings. | Warning | 2 | no |
| 4027 | FW ICMP-ECHO Connection Limit Exceeded | The maximum number of ICMP-ECHO connections has been exceeded. The threshold can be configured in the Local Firewall Settings > Session Limits tab (parameter Max Echo (%)) (see: General Firewall Configuration). | Warning | 2 | no |
| 4028 | FW OTHER-IP Connection per Source Limit Exceeded | The maximum number of concurrent OTHER-IP connections (all IP protocols except TCP, UDP and ICMP) allowed per source has been exceeded. The maximum value is defined by parameters Max Local-In Other/Src in the Local Firewall Settings and Max. Forwarding Other/Src in the Forwarding Firewall Settings. | Warning | 2 | no |
| 4029 | FW OTHER-IP Session Limit Exceeded | The maximum number of OTHER-IP sessions (all IP protocols except TCP, UDP and ICMP) has been exceeded. The threshold can be configured in the Local Firewall Settings > Session Limits tab (parameter Max Other (%)). | Warning | 2 | no |
| 4050 | FW ARP MAC Address Changed | Not available. | Notice | 2 | no |
| 4051 | FW ARP Ambiguous Duplicate Reply | Not available. | Notice | 2 | no |
| 4052 | FW ARP Request Device Mismatch | Not available. | Notice | 2 | no |
| 4053 | FW ARP Reverse Routing Interface Mismatch | Not available. | Notice | 2 | no |
| 4060 | IPS Log Notice | IPS Signature. | Notice | 666 | no |
| 4061 | IPS Log Warning | IPS Signature. | Warning | 666 | no |
| 4062 | IPS Log Alert | IPS Signature. | Security | 666 | no |
| 4063 | IPS Drop Notice | IPS Signature. | Notice | 666 | no |
| 4064 | IPS Drop Warning | IPS Signature. | Warning | 666 | no |
| 4065 | IPS Drop Alert | IPS Signature. | Security | 666 | no |
| 4100 | User Unknown | A system login has been attempted with an unknown login ID (CONFIGURATION > Configuration Tree > Box > Advanced Configuration > Access Notification, see: How to Configure Access Notifications). | Warning | 2 | no |
| 4110 | Authentication Failure Notice | A login attempt with a valid login ID has failed (CONFIGURATION > Configuration Tree > Box > Advanced Configuration > Access Notification, see: How to Configure Access Notifications). | Notice | 2 | no |
| 4111 | Authentication Failure Warning | A login attempt with a valid login ID has failed the second time (CONFIGURATION > Configuration Tree > Box > Advanced Configuration > Access Notification, see: How to Configure Access Notifications). The ACL does not match (see: , - Allowed Phone Numbers). | Warning | 2 | no |
| 4112 | Authentication Failure Alert | A login attempt with a valid login ID has failed at least three times (CONFIGURATION > Configuration Tree > Box > Advanced Configuration > Access Notification, see: How to Configure Access Notifications). Password authentication failure and/or unsuccessful command match (see: , - Command Codes). | Security | 3 | no |
| 4120 | Session Opened Notice | See description. | Notice | 2 | no |
| 4121 | Session Opened Warning | A traced user has initiated an SSH connection (see: - Recorded Users). | Warning | 2 | no |
| 4122 | Session Opened Alert | See description. | Security | 3 | no |
| 4124 | Remote Command Execution Notice | Remote command execution has been triggered remotely by the Barracuda NG Control Center (in CC CONTROL > Remote Execution) or by an authorized user. Note that copying files with SCP also generates this event. Successful authentication and command is accepted (see: , - Command Codes). | Notice | 2 | no |
| 4125 | Remote Command Execution Warning | | Warning | 2 | no |
| 4126 | Remote Command Execution Alert | | Security | 3 | no |
| 4130 | System Login Notice | The quality of these event notifications is determined by the settings made in CONFIGURATION > Configuration Tree > Box > Advanced Configuration > Access Notification (see: How to Configure Access Notifications). The following notifications apply with default settings: Notice (not assigned); Warning (successful SSH and remote SSH login); Alert (successful console login). Login failure triggers events 4110, 4111, and 4112 (see above). | Notice | 2 | no |
| 4131 | System Login Warning | | Warning | 2 | no |
| 4132 | System Login Alert | | Security | 3 | no |
| 4160 | Log Data Deleted | See description. | Notice | 2 | no |
| 4162 | Statistics Data Deleted | See description. | Notice | 2 | no |
| 4163 | Statistics Collection Failed | See description. | Notice | 2 | no |
| 4200 | CTRL-ALT-DEL | See description. | Warning | 2 | no |
| 4202 | System Reboot | The system has been rebooted. Manual reboot will trigger this event just like the Watchdog repair binary (see: Watchdog). | Warning | 2 | no |
| 4204 | System Shutdown | The system has been shut down. | Warning | 2 | no |
| 4206 | Runlevel Changed | The runlevel of the operating system has changed. Runlevels change during system boot. | Notice | 2 | no |
| 4210 | Single User Mode | The system has been booted in Single User mode using the boot option "single". | Warning | 2 | no |
| 4212 | Problems During Bootup | See description. | Warning | 2 | no |
| 4214 | Incomplete Previous Boot | The previous system bootup could not be completed. | Warning | 2 | no |
| 4220 | System Boot | The system is starting the bootup process. | Notice | 2 | no |
| 4222 | Emergency System Boot | See description. | Warning | 2 | no |
| 4240 | Bootloader Configuration Change | See description. | Notice | 2 | no |
| 4242 | Two Phase Kernel Update | See description. | Notice | 2 | no |
| 4244 | Automatic Kernel Update | See description. | Notice | 2 | no |
| 4246 | Kernel Update Rejected | See description. | Warning | 2 | no |
| 4248 | Custom Bootloader or Kernel Update | See description. | Notice | 2 | no |
| 4250 | Bootloader Test Activation Failure | See description. | Notice | 2 | no |
| 4252 | Bootloader Activation Failed | See description. | Warning | 2 | no |
| 4254 | Bootloader Disaster Recovery | See description. | Warning | 2 | no |
| 4256 | Bootloader Reconfigured | See description. | Notice | 2 | no |
| 4258 | Kernel Update | See description. | Warning | 2 | no |
| 4260 | Pending Kernel Update | See description. | Warning | 2 | no |
| 4261 | Activate Pending Kernel Update | See description. | Warning | 2 | no |
| 4262 | Bootloader Reconfiguration Failed | See description. | Warning | 2 | no |
| 4264 | Kernel Update Failed | See description. | Warning | 2 | no |
| 4300 | Empty ACL Encountered | See description. | Security | 3 | no |
| 4302 | Overlong ACL Encountered | See description. | Security | 3 | no |
| 4304 | Password Update Failure | See description. | Security | 3 | no |
| 4306 | Password Updated | The password of the support user or the user "root" has changed. | Warning | 2 | no |
| 4307 | Key Updated | The root public RSA key has changed. | Warning | 2 | no |
| 4400 | Release Update Triggered | Software update has been triggered manually. | Notice | 2 | no |
| 4402 | Subsystem Release Update Succeeded | See description. | Notice | 2 | no |
| 4404 | Subsystem Release Update Cancelled | A software update has been cancelled. | Notice | 2 | no |
| 4406 | Subsystem Release Update Aborted | See description. | Warning | 2 | no |
| 4408 | Release Update Failed | See description. | Security | 3 | no |
| 4410 | Release Inconsistencies Detected | Incorrect RPM packages have been installed, for example hotfixes intended for another Barracuda NG Firewall release version, or Barracuda Networks files have been modified, for example by manually editing a Barracuda Networks script. | Warning | 2 | no |
| 4412 | Active Kernel not in RPM-DB | The Linux Kernel in use has not been added to the RPM database. | Notice | 2 | no |
| 4450 | New Barracuda Software Update | A new software update from Barracuda Networks is available. See DASHBOARD General Page | Notice | 2 | yes |
| 4460 | New Product Tip | A new Product Tip from Barracuda Networks is available. See DASHBOARD General Page | Notice | 2 | yes |
| 4500 | Mail Data Discarded | An e-mail has been discarded from the mail queue (see: - Mail Queue Tab, Discard Mail). This event is only reported when parameter Admin Reception Commands (see: ) is set to yes. | Notice | 2 | no |
| 4504 | Mail Operation Changed | An e-mail has been allowed or blocked manually (Processes Tab, Allow Mail Reception/Block Mail Reception). This event is only reported when parameter Admin Discard Mail Cmd is set to yes. | Notice | 2 | no |
| 4506 | Mail Delivery Refused | E-mail delivery to a banned recipient has been refused. This event is only reported when parameter Recipient Dropped is set to yes. | Notice | 2 | no |
| 4508 | Mail Relaying Denied | Relaying of an e-mail has been denied according to content filter configuration. This event is only reported when parameter Mail Denied (see: ) is set to yes. | Notice | 2 | no |
| 4512 | Mail Rule Notice | These are customized events with corresponding customized descriptions, which are triggered when Action type 'Event' is used. Event-ID 0 = Severity Notice; Event-ID 1 = Severity Warning; Event-ID 2 = Severity Security. Events will only be reported when parameter User Defined Rule Event is set to yes (default). | Notice | 2 | no |
| 4513 | Mail Rule Warning | | Warning | 2 | no |
| 4514 | Mail Rule Alert | | Security | 3 | no |
| 4600 | Attempted Illegal Assignment | See description. | Security | 3 | no |