jhouvenaghel_FTNT
Staff
December 20, 2018

Technical Tip: FortiGate sends additional traffic log entries to FortiAnalyzer


Description


This article describes the additional traffic statistics logs that FortiGate sends to FortiAnalyzer so that FortiAnalyzer FortiView shows consistent session statistics while a session is still open.

The additional logs are "interim" logs for long-lived sessions. They are generated every 2 minutes and are identified in the logs by logid=20 and action=accept.

These logs are sent every 2 minutes, with the interval driven by traffic rather than by a free-running clock: if no traffic is seen within 2 minutes, the next packet received triggers the log.

When a session is closed, this entry appears just before the expected log message whose firewall action is close.
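To show what these interim entries look like next to a session's close entry once they reach a log pipeline, here is an added Python example that is not part of the original article: it parses key=value traffic log lines, recognises the interim entries by logid 20 plus action accept, and either rolls them up per session or drops them the way the exclude filter below would. The sample lines, their field layout and the close entry's logid are constructed assumptions, not output from a real unit.

```python
import re

# Constructed sample FortiGate traffic log lines in the key=value layout; the
# fields and values are an assumption of this example, not taken from a real unit.
SAMPLE_LOGS = """\
date=2018-12-20 time=10:00:00 logid="0000000020" type="traffic" subtype="forward" sessionid=1001 srcip=10.0.0.5 dstip=203.0.113.10 dstport=443 action="accept" duration=120 sentbyte=4096 rcvdbyte=65536
date=2018-12-20 time=10:02:00 logid="0000000020" type="traffic" subtype="forward" sessionid=1001 srcip=10.0.0.5 dstip=203.0.113.10 dstport=443 action="accept" duration=240 sentbyte=8192 rcvdbyte=131072
date=2018-12-20 time=10:03:30 logid="0000000013" type="traffic" subtype="forward" sessionid=1001 srcip=10.0.0.5 dstip=203.0.113.10 dstport=443 action="close" duration=330 sentbyte=9000 rcvdbyte=140000
date=2018-12-20 time=10:01:00 logid="0000000013" type="traffic" subtype="forward" sessionid=1002 srcip=10.0.0.7 dstip=198.51.100.4 dstport=22 action="close" duration=5 sentbyte=700 rcvdbyte=1200
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line):
    """Split one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def is_interim(rec):
    """Interim statistics entry as described in the article: logid 20 with action accept.
    The logid is compared without leading zeros so 20, 00020 and 0000000020 all match."""
    return rec.get("logid", "").lstrip("0") == "20" and rec.get("action") == "accept"


def summarize(text):
    """Per-session view: count interim entries, keep the most recent
    duration/byte counters, and record whether the close entry has arrived."""
    sessions = {}
    for line in text.splitlines():
        rec = parse(line)
        if rec.get("type") != "traffic" or "sessionid" not in rec:
            continue
        s = sessions.setdefault(rec["sessionid"], {"interim": 0, "closed": False})
        if is_interim(rec):
            s["interim"] += 1
        elif rec.get("action") == "close":
            s["closed"] = True
        # Counters in a later entry for the same session supersede the earlier ones
        for field in ("duration", "sentbyte", "rcvdbyte"):
            if field in rec:
                s[field] = int(rec[field])
    return sessions


def drop_interim(text):
    """Collector-side equivalent of the logid(00020) exclude filter: keep every
    line except the interim statistics entries."""
    return [l for l in text.splitlines() if l and not is_interim(parse(l))]
```

Counting the interim entries per session is a quick way to check that open sessions keep reporting roughly every 2 minutes, while summing them blindly would inflate byte totals because each interim entry already carries cumulative counters.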


Solution


The following commands disable these statistics logs being sent to FortiAnalyzer:


   config log fortianalyzer filter
        set filter "logid(00020)"
        set filter-type exclude
    end


As of firmware version 7.0.x, the design has changed as follows:


   config log fortianalyzer filter
       config free-style
           edit 0
               set category traffic
               set filter "logid 00020"
               set filter-type exclude
           next
       end
   end


Note: In general, when 0 is given as the ID in the config, FortiGate assigns the next available ID to the entry.


Related document:
https://docs.fortinet.com/document/fortigate/7.0.1/cli-reference/479620/config-log-fortianalyzer-filter