Jirka1
Explorer II
November 9, 2018
Question

Fortigate incorrectly counts..??


Hi guys,

I have encountered a very strange problem. The management commissioned me to produce an employee report. We have FGT100D (5.6.6) in transparent mode and FAZ200D (6.0.3). This employee uses a Bitcoin wallet on his PC. The problem is that the report shows me that in about 1 week he transferred about 1,3TB of data and his network card on the PC shows about 90GB. Our backbone router shows the same result (about 90GB).

Standard policy cfg: App control (monitor all), Web filter (some cat forbidden) and cert. inspect. That's all.

Is Fortigate lying? If so, this is a very unpleasant finding - especially because reports are regularly used to check employees ...

 

Thanks Jirka

 

    1 reply

    Dave_Hall
    New Member
    November 9, 2018

    The duration in the graph in the pic looks to be for about 10 days (end looks count off though) while the duration listed in the Ethernet status indicates 8+ days connected.  Aside from that, I wouldn't trust the byte count on the Ethernet status activity.  Perform a netstat -s or netstat -e on the CMD line.

     

     

    Jirka1 (Author)
    Explorer II
    November 9, 2018

    Hi Dave, thank you for your reaction. I checked the transferred data using cmd:

     

    Yes, the differences from the network card are there, but even lower. I also checked the total internet traffic on our core box, and the whole network produced around 890GB of data for the whole week. While Fortigate shows only 1.3TB data for this single user...

     

    Jirka1 (Author)
    Explorer II
    November 9, 2018

    And another anomaly - from our core box we collect the flow data and send it to the collector. Do you really think that in 8 days our network produces 17.2TB of logs? The collector stores 134MB of data in 8 days..