No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


Log Reference

AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R007

This document supports all the logs of device, including the parameters, meaning, possible causes and solution.

Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).



IPS/4/CNC(l): A malware domain was detected. (SyslogId=[syslog-id], VSys=[vsys-name], Policy=[policy-name], SrcIp=[source-ip-address], DstIp=[destination-ip-address], SrcPort=[source-port], DstPort=[destination-port], SrcZone=[source-zone], DstZone=[destination-zone], User=[user-name], Protocol=[protocol], Application=[application-name],Profile=[profile-name],DomainName=[domain-name], EventNum=[event-number], Action=[action])


The device determined that the received packet was destined for a malicious domain name using the domain name-filtering function.


Parameter Name Parameter Meaning

Log ID


Name of the virtual system


Name of the security policy


Source IP address of packets


Destination IP address of packets


Source port of packets (the field is 0 for ICMP packets)


Destination port of packets (the field is 0 for ICMP packets)


Source security zone of packets


Destination security zone of packets


User name


Protocol of the packets matching the signature


Application of the packets matching the signature


Profile name


Malicious domain name


Match count


Action for the signature

  • Alert
  • Block

Possible Causes

The domain name in the DNS packet matched a malicious domain name in the signature database. The IPS processed the packet based on the configured action and generated a log message.


  1. This log message indicates a normal situation, and no action is required.
Updated: 2019-05-29

Document ID: EDOC1000097209

Views: 128092

Downloads: 189

Average rating:
This Document Applies to these Products

Related Version

Related Documents

Previous Next