Filter Branch Office VPN Log Messages
To troubleshoot issues with a branch office VPN tunnel for a period of time longer than the interval set in the VPN Diagnostic Report, it can be useful to look at the log messages to find information about the status of the VPN connection. You can use the gateway IP addresses that appear in the log message header to filter the log messages.
Branch office VPN log messages have a header that shows the IP addresses of the local and remote gateway. The format of the header is:
See Log Messages
From both Fireware Web UI and Firebox System Manager (FSM), you can see the log messages from your Firebox as they are generated. You can then filter the log messages to find the log messages related to a specific gateway endpoint.
To see log messages from your Firebox, from Fireware Web UI:
- Select Dashboard > Traffic Monitor.
- To filter your log messages on a specific gateway, in the filter text box, type the IP address of the local or remote VPN gateway.
For more information, see Traffic Monitor.
In Firebox System Manager, you can use the IP address of a gateway endpoint to specify which log messages appear in Traffic Monitor.
- Select the Traffic Monitor tab.
- To find all log messages related to a specific gateway, in the filter text box, type the IP address of the local or remote VPN gateway.
For more information about log messages in Firebox System Manager, see Device Log Messages (Traffic Monitor).
If you have installed a WatchGuard System Manager Log Server, you can also use the Search option in the WatchGuard WebCenter Log Manager pages to filter log messages by gateway IP address. For more information, see Search Device Log Messages.
Change the Diagnostic Log Level
If you want your Firebox to generate more detailed log messages, you can change the diagnostic log level that is specified for IKE traffic in the diagnostic log level settings for the VPN category. When you increase the IKE diagnostic log level, the log file includes diagnostic log messages for all branch office VPN gateways. If you have several VPN gateways, you can filter the log messages by the gateway IP address to see only the log messages for a specific gateway.
In Fireware v11.9 and higher, you can disable a BOVPN gateway or BOVPN virtual interface. If another VPN endpoint attempts to negotiate a tunnel with a disabled BOVPN gateway or virtual interface, tunnel negotiation fails. When this happens, an Information level log message indicates that the IKE policy for the gateway is not enabled. To see this log message, the diagnostic log level for VPN log messages must be set to Information or Debug.
For more information about how to set the diagnostic log level, see Set the Diagnostic Log Level.