Skip to main content
opetr_FTNT
Staff
opetr_FTNT
Staff
August 13, 2024

Technical Tip: Response Code 0 found in Traffic Log

  • August 13, 2024
  • 0 replies
  • 2178 views
Description

This article explains the mechanism of the FortiWeb traffic log, including the meaning of response code 0.
Scope FortiWeb.
Solution

Diagram:

Client ---- FortiWeb (WAF) ---- Real Server (RS).

 

The mechanism of the FortiWeb traffic log is as below:

  1. Client sent HTTP request to WAF, RS response data to WAF. WAF response data to the client, there is a tlog with the correct HTTP code. This is a standard situation.

 

  • Client:

 

% curl -sk -D - -o /dev/null 'vip1.internal.lab' | head -2
HTTP/1.1 200 OK
Server: nginx/1.6.2

 

  • Capture:

 

diag network sniffer port1 'port 80 and host 172.26.167.21' 4 0 a

filters=[port 80 and host 172.26.167.21]

interface=[port1]
2024-08-13 10:26:50.194644 172.26.167.21.56454 -> 10.109.30.9.80: syn 488743468

2024-08-13 10:26:50.194746 10.109.30.9.80 -> 172.26.167.21.56454: syn 2856766223 ack 488743469

2024-08-13 10:26:50.259251 172.26.167.21.56454 -> 10.109.30.9.80: ack 2856766224

2024-08-13 10:26:50.259253 172.26.167.21.56454 -> 10.109.30.9.80: psh 488743469 ack 2856766224

2024-08-13 10:26:50.259364 10.109.30.9.80 -> 172.26.167.21.56454: ack 488743549

2024-08-13 10:26:50.268430 10.109.30.9.80 -> 172.26.167.21.56454: psh 2856766224 ack 488743549

2024-08-13 10:26:50.332865 172.26.167.21.56454 -> 10.109.30.9.80: ack 2856766715

2024-08-13 10:26:50.333912 172.26.167.21.56454 -> 10.109.30.9.80: fin 488743549 ack 2856766715

2024-08-13 10:26:50.334723 10.109.30.9.80 -> 172.26.167.21.56454: fin 2856766715 ack 488743550

2024-08-13 10:26:50.399756 172.26.167.21.56454 -> 10.109.30.9.80: ack 2856766716

 

  • Tlog:

 

standard_situation.png

 

v015xxxxdate=2024-08-13 time=12:26:50 log_id=30000001 msg_id=000009810172 device_id=FVVM08TM22000169 eventtime=1723544810267911205 vd="root" timezone="(GMT+1:00)Belgrade,Bratislava,Budapest,Ljubljana,Prague" timezone_dayst="GMTb-2" type=traffic subtype="http" pri=notice proto=tcp service=http status=success reason=none policy="lab_spolicy" original_src=172.26.167.21 src=172.26.167.21 src_port=56454 dst=10.198.3.30 dst_port=80 http_request_time=5 http_response_time=1 http_request_bytes=80 http_response_bytes=347 http_method=get http_url="/" http_agent="curl/8.6.0" http_retcode=200 msg="HTTP get request from 172.26.167.21:56454 to 10.198.3.30:80" original_srccountry="Reserved" srccountry="Reserved" content_switch_name="none" server_pool_name="vl198_spool" http_host="vip1.internal.lab" user_name="Unknown" http_refer="none" http_version="1.x" dev_id=68D4D0E0374C6C418288956723B875B42E17 cipher_suite="none" x509_cert_subject="none"

 

  1. Client sent HTTP request to WAF, RS does not respond data to WAF. 
  • Connection is ended with WAF from the client side, WAF sends FIN to RS, and there is a tlog with HTTP code 0.
  • Client:

 

% curl -m 10 vip1.internal.lab

curl: (28) Operation timed out after 10006 milliseconds with 0 bytes received

 

  • Capture:

 

diag network sniffer port1 'port 80 and host 172.26.167.21' 4 0 a

filters=[port 80 and host 172.26.167.21]

interface=[port1]
2024-08-13 10:14:21.764667 172.26.167.21.56149 -> 10.109.30.9.80: syn 1029527710

2024-08-13 10:14:21.764758 10.109.30.9.80 -> 172.26.167.21.56149: syn 682109709 ack 1029527711

2024-08-13 10:14:21.826888 172.26.167.21.56149 -> 10.109.30.9.80: ack 682109710

2024-08-13 10:14:21.826890 172.26.167.21.56149 -> 10.109.30.9.80: psh 1029527711 ack 682109710

2024-08-13 10:14:21.826992 10.109.30.9.80 -> 172.26.167.21.56149: ack 1029527791

2024-08-13 10:14:31.762911 172.26.167.21.56149 -> 10.109.30.9.80: fin 1029527791 ack 682109710

2024-08-13 10:14:31.763832 10.109.30.9.80 -> 172.26.167.21.56149: fin 682109710 ack 1029527792

2024-08-13 10:14:31.824507 172.26.167.21.56149 -> 10.109.30.9.80: ack 682109711

 

  • Tlog:

 

client_fin.png

 

v015xxxxdate=2024-08-13 time=12:14:31 log_id=30000001msg_id=000009810083 device_id=FVVM08TM22000169 eventtime=1723544071763907702 vd="root" timezone="(GMT+1:00)Belgrade,Bratislava,Budapest,Ljubljana,Prague" timezone_dayst="GMTb-2" type=traffic subtype="http" pri=notice proto=tcp service=http status=success reason=none policy="lab_spolicy" original_src=172.26.167.21 src=172.26.167.21 src_port=56149 dst=10.198.3.30 dst_port=8099 http_request_time=1 http_response_time=0 http_request_bytes=80 http_response_bytes=0 http_method=get http_url="/" http_agent="curl/8.6.0" http_retcode=0 msg="HTTP get request from 172.26.167.21:56149 to 10.198.3.30:8099" original_srccountry="Reserved" srccountry="Reserved" content_switch_name="none" server_pool_name="vl198_dummy" http_host="vip1.internal.lab" user_name="Unknown" http_refer="none" http_version="1.x" dev_id=68D4D0E0374C6C418288956723B875B42E17 cipher_suite="none" x509_cert_subject="none"

 

  • Connection is ended with WAF from the server side, WAF sends FIN to RS, and there is a tlog with HTTP code 0.
  • Client:

 

% curl vip1.internal.lab/reset

curl: (52) Empty reply from server

 

  • Capture:

 

diag network sniffer port3 'port 80' 4 0 a
filters=[port 80]

interface=[port3]
2024-08-12 12:44:24.595011 10.198.3.13.11498 -> 10.198.3.30.80: syn 2544364718
2024-08-12 12:44:24.595438 10.198.3.30.80 -> 10.198.3.13.11498: syn 3382863383 ack 2544364719
2024-08-12 12:44:24.595475 10.198.3.13.11498 -> 10.198.3.30.80: ack 3382863384
2024-08-12 12:44:24.595539 10.198.3.13.11498 -> 10.198.3.30.80: psh 2544364719 ack 3382863384
2024-08-12 12:44:24.595751 10.198.3.30.80 -> 10.198.3.13.11498: ack 2544364966
2024-08-12 12:44:24.595964 10.198.3.30.80 -> 10.198.3.13.11498: fin 3382863384 ack 2544364966
2024-08-12 12:44:24.596152 10.198.3.13.11498 -> 10.198.3.30.80: ack 3382863385
2024-08-12 12:44:24.597151 10.198.3.13.11498 -> 10.198.3.30.80: fin 2544364966 ack 3382863385
2024-08-12 12:44:24.597390 10.198.3.30.80 -> 10.198.3.13.11498: ack 2544364967

 

  • Tlog:


server_fin.png

 

v015xxxxdate=2024-08-12 time=14:44:24 log_id=30000001 msg_id=000009801326 device_id=FVVM08TM22000169 eventtime=1723466664596821115 vd="root" timezone="(GMT+1:00)Belgrade,Bratislava,Budapest,Ljubljana,Prague" timezone_dayst="GMTb-2" type=traffic subtype="http" pri=notice proto=tcp service=http status=success reason=none policy="lab_spolicy" original_src=172.26.48.4 src=172.26.48.4 src_port=58724 dst=10.198.3.30 dst_port=80 http_request_time=1 http_response_time=0 http_request_bytes=85 http_response_bytes=0 http_method=get http_url="/reset" http_agent="curl/8.6.0" http_retcode=0 msg="HTTP get request from 172.26.48.4:58724 to 10.198.3.30:80" original_srccountry="Reserved" srccountry="Reserved" content_switch_name="none" server_pool_name="vl198_spool" http_host="vip1.internal.lab" user_name="Unknown" http_refer="none" http_version="1.x" dev_id=B46180B85F6C0371E745576918307A3C9C56 cipher_suite="none" x509_cert_subject="none"
Terms & ConditionsAccessibility statement