scheintod
New Member
January 18, 2019
Solved

action=close vs. action=accept - The Real Difference? 600C v5.6.6


Hello all, We're using Fortigate 600C and just upgraded FortiOS to v5.6.6 from v5.4. While using v5.4, action=accept in our traffic logs was only referring to non-TCP connections and we were looking for action=close for successfully ended TCP connections. After we upgraded, the action field in our traffic logs started to take action=accept values for TCP connections as well and we're now having difficulties in differentiating the successfully ended TCP connections. We've looked at the forums, found this and also went through FortiOS - Log Reference document for v5.6.6 but got no success in understanding the real difference. FortiOS - Log Reference document for v5.6.6 only states the example field values (i.e. close, server-rst, client-rst) without any explanation, very revealing documentation indeed. What is the real difference between action=accept and action=close in v5.6.6?


Any help would be very much appreciated! PS: Two sample segments from our traffic logs for the same dstport and dstip that got action=accept and action=close respectively are provided below. 

  • action=accept: date=2019-01-18 time=00:00:46 type="traffic" subtype="forward" level="notice" vd="root" eventtime=1547758846 dstport=443 dstintfrole="lan" poluuid="cb3dd1b8-bb38-51e5-7544-c313ed6a828c" sessionid=975790564 proto=6 action="accept" policyid=25 policytype="policy" service="HTTPS" trandisp="dnat" tranport=443 duration=600 sentbyte=104 rcvdbyte=84 sentpkt=2 rcvdpkt=2 vpntype="ipsec-static" appcat="unscanned"
  • action=close: date=2019-01-18 time=00:00:10 type="traffic" subtype="forward" level="notice" vd="root" eventtime=1547758810 dstport=443 dstintfrole="lan" poluuid="cb3dd1b8-bb38-51e5-7544-c313ed6a828c" sessionid=977138730 proto=6 action="close" policyid=25 policytype="policy" service="HTTPS" trandisp="dnat" tranport=443 duration=3 sentbyte=144 rcvdbyte=124 sentpkt=3 rcvdpkt=3 vpntype="ipsec-static" appcat="unscanned"

Best answer by jhouvenaghel_FTNT

    You mentioned: "For the same policy,

  • action=accept takes logid="0000000020"
  • action=close takes logid="0000000013"

    ---> This looks logical to me with 5.6.6, as there are new traffic log messages sent to FAZ (for example) with action=accept and logid=20. In the log reference guide you will see them as "LOG_ID_TRAFFIC_STAT" (Forward traffic statistics). These are used for "long sessions" (more than 2 minutes) to give some stats to the FAZ (for example) so that FortiView is accurate while the session is still alive.

    You may see this logid=20 just before the logid=13 as well. In fact, when there has been no traffic for some time before the TCP session is closed, the next packet (i.e. TCP FIN) will trigger the log stats entry (logid=20), and then you will see the expected logid=13 with action=close for the end of the TCP session.

    You indicate: "However, on some other policies, action=accept is taking logid="0000000013" as well"

    Is it for TCP traffic? If yes, more details would be needed.

    Hope it helps
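The two sample lines in the question and the logid explanation in the accepted answer together describe how to tell a session-end record from an interim statistics record. The following parser is an added example and is not code from the thread or from Fortinet: it splits a FortiOS key=value traffic log line into fields and labels each entry using the logid values named in the accepted answer (0000000013 = session end, 0000000020 = forward traffic statistics) and the TCP end actions the question lists from the Log Reference (close, server-rst, client-rst). The sample lines are constructed from the question's excerpts; the logid fields added to them, and the UDP and client-rst lines, are assumptions made for the example, since the originals in the question carry no logid.

```python
import re
from collections import Counter

# FortiOS traffic logs are space-separated key=value pairs; values that may
# contain spaces are double-quoted. This pattern accepts both forms.
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Log IDs named in the accepted answer: 13 is the forward-traffic session-end
# record, 20 is the periodic "forward traffic statistics" record emitted for
# sessions longer than 2 minutes while they are still open.
LOGID_SESSION_END = "0000000013"
LOGID_TRAFFIC_STAT = "0000000020"

# TCP session-end actions listed in the question (from the Log Reference).
TCP_END_ACTIONS = {"close", "server-rst", "client-rst"}

# Constructed sample lines modelled on the question's excerpts. The logid
# values are an assumption for this example (the originals have none); the
# DNS and client-rst lines are invented to exercise the other branches.
SAMPLE_LOGS = [
    'date=2019-01-18 time=00:00:46 logid="0000000020" type="traffic" subtype="forward" '
    'sessionid=975790564 proto=6 action="accept" policyid=25 service="HTTPS" '
    'duration=600 sentbyte=104 rcvdbyte=84',
    'date=2019-01-18 time=00:00:10 logid="0000000013" type="traffic" subtype="forward" '
    'sessionid=977138730 proto=6 action="close" policyid=25 service="HTTPS" '
    'duration=3 sentbyte=144 rcvdbyte=124',
    'date=2019-01-18 time=00:00:12 logid="0000000013" type="traffic" subtype="forward" '
    'sessionid=977138900 proto=17 action="accept" policyid=25 service="DNS" '
    'duration=10 sentbyte=60 rcvdbyte=120',
    'date=2019-01-18 time=00:00:20 logid="0000000013" type="traffic" subtype="forward" '
    'sessionid=977139001 proto=6 action="client-rst" policyid=25 service="HTTPS" '
    'duration=1 sentbyte=52 rcvdbyte=40',
]


def parse_traffic_log(line):
    """Turn one key=value log line into a dict, with surrounding quotes removed."""
    fields = {}
    for m in _KV_RE.finditer(line):
        key, quoted, bare = m.group(1), m.group(3), m.group(4)
        fields[key] = quoted if quoted is not None else bare
    return fields


def classify(entry):
    """Label a parsed entry so real session-end records can be separated from
    the interim statistics records that also carry action=accept."""
    logid = entry.get("logid")
    action = entry.get("action")
    if logid == LOGID_TRAFFIC_STAT:
        return "traffic-stat"            # session still open; not an end record
    if logid == LOGID_SESSION_END:
        if entry.get("proto") == "6" and action in TCP_END_ACTIONS:
            return "tcp-session-end"     # the "successfully ended TCP" case
        if action == "accept":
            return "session-end-accept"  # end record without a TCP end action
    return "other"


def ended_tcp_sessions(lines):
    """Session IDs of TCP sessions for which a session-end record was seen."""
    ids = []
    for line in lines:
        entry = parse_traffic_log(line)
        if classify(entry) == "tcp-session-end":
            ids.append(entry["sessionid"])
    return ids


def summarize(lines):
    """Count entries per label, useful for checking a policy's log mix."""
    return Counter(classify(parse_traffic_log(line)) for line in lines)


if __name__ == "__main__":
    print(summarize(SAMPLE_LOGS))
    print("ended TCP sessions:", ended_tcp_sessions(SAMPLE_LOGS))
```

Filtering on logid rather than on action alone is the point: a logid=20 record with action=accept for a TCP session says nothing about whether the session ended, and a logid=13 record is the one to count. The "session-end-accept" label is kept separate so the case the questioner reports (action=accept with logid=13 on some policies) can be reviewed on its own rather than silently merged into either bucket.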

    emnoc
    New Member
    January 18, 2019

    Sounds like you have session accounting with log-start. Close is what is logged at the "closing" of the session.

    http://socpuppet.blogspot.com/2018/04/fortios-set-logtraffic-start-enable.html

    Ken Felix

    scheintod (Author)
    New Member
    January 19, 2019

    Hi Ken, Thank you for your reply. I checked the policy and logtraffic-start is not enabled. Only the command below is there:

    set logtraffic all


    Plus, our traffic logs never take action=start values and this supports my finding above. Any other ideas? We see both action=accept and action=close for successfully ended TCP connections although logtraffic-start is not enabled and action=accept should be there only for non-TCP connections (UDP etc.) according to the documentation. What is the real difference between action=accept and action=close?

    emnoc wrote:

    Sounds like you have session accounting with log-start. Close is what is logged at the "closing" of the session.

    http://socpuppet.blogspot.com/2018/04/fortios-set-logtraffic-start-enable.html

    Ken Felix

    jhouvenaghel_FTNT
    Staff
    January 19, 2019

    Hello,

    For your TCP connections, could you let me know what the logid is when you see action=close and when you see action=accept?

    Thanks