Jirka1
New Member
November 9, 2018
Question

Fortigate incorrectly counts..??


Hi guys,

I have encountered a very strange problem. The management commissioned me to produce an employee report. We have FGT100D (5.6.6) in transparent mode and FAZ200D (6.0.3). This employee uses a Bitcoin wallet on his PC. The problem is that the report shows me that in about 1 week he transferred about 1,3TB of data, while his network card on the PC shows about 90GB. Our backbone router shows the same result (about 90GB).

Standard policy cfg: App control (monitor all), Web filter (some cat forbidden) and cert. inspect. That's all.

Is Fortigate lying? If so, this is a very unpleasant finding - especially because reports are regularly used to check employees ...

 

Thanks, Jirka

 


    Dave_Hall
    New Member
    November 9, 2018

    The duration in the graph in the pic looks to be for about 10 days (end looks count off though) while the duration listed in the Ethernet status indicates 8+ days connected. Aside from that, I wouldn't trust the byte count on the Ethernet status activity. Perform a netstat -s or netstat -e on the CMD line.

     

     

    Jirka1 (Author)
    New Member
    November 9, 2018

    Hi Dave, thank you for your reaction. I checked the transferred data using cmd:

     

    Yes, the differences from the network card are there, but even lower. I also checked the total internet traffic on our core box, and the whole network produced around 890GB of data for the whole week. While Fortigate shows only 1.3TB data for this single user....

     

    enotspe
    New Member
    March 29, 2020

    Even on logid=13, which is supposed to mean "traffic end", I get logs with the same sessionID, and most of them are exactly the same, apart from the date&time. How can a single session end multiple times??? I've got to say these "repeated" logs of the same sessionID are quite few. But still, something seems clearly wrong. I have found this behavior even running 6.2.3
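
One way to test whether repeated logs for the same sessionID inflate a per-user byte total, as an added example that is not from any poster in this thread or from Fortinet. It sums sentbyte + rcvdbyte per source IP twice: once over every log line, and once keeping only the highest total seen per (srcip, sessionid). The log lines are constructed, and treating the counters in repeated logs as cumulative for the session is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample lines in FortiGate key=value style (not taken from the thread).
SAMPLE_LOGS = '''\
date=2018-11-05 time=10:00:00 logid="0000000013" type="traffic" srcip=10.0.0.5 sessionid=1001 sentbyte=1000 rcvdbyte=5000
date=2018-11-05 time=10:02:00 logid="0000000013" type="traffic" srcip=10.0.0.5 sessionid=1001 sentbyte=1000 rcvdbyte=5000
date=2018-11-05 time=10:04:00 logid="0000000013" type="traffic" srcip=10.0.0.5 sessionid=1001 sentbyte=1500 rcvdbyte=9000
date=2018-11-05 time=10:05:00 logid="0000000013" type="traffic" srcip=10.0.0.5 sessionid=1002 sentbyte=200 rcvdbyte=800
date=2018-11-05 time=10:06:00 logid="0000000013" type="traffic" srcip=10.0.0.9 sessionid=2001 sentbyte=300 rcvdbyte=700
'''

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
REQUIRED = {"srcip", "sessionid", "sentbyte", "rcvdbyte"}


def parse_line(line):
    """Split one key=value log line into a dict, dropping quotes around values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def traffic_totals(text):
    """Return per-srcip byte totals: naive sum, per-session deduplicated sum, repeat count."""
    naive = defaultdict(int)
    repeats = defaultdict(int)
    per_session = {}  # (srcip, sessionid) -> highest sent+rcvd total seen
    for line in text.splitlines():
        rec = parse_line(line)
        if not REQUIRED <= rec.keys():
            continue  # not a traffic log line with byte counters
        total = int(rec["sentbyte"]) + int(rec["rcvdbyte"])
        key = (rec["srcip"], rec["sessionid"])
        naive[rec["srcip"]] += total
        if key in per_session:
            repeats[rec["srcip"]] += 1  # same session logged again
        # Assumption: counters are cumulative, so the largest value is the session total.
        per_session[key] = max(per_session.get(key, 0), total)
    deduped = defaultdict(int)
    for (srcip, _sessionid), total in per_session.items():
        deduped[srcip] += total
    return {ip: {"naive": naive[ip], "deduped": deduped[ip],
                 "repeated_logs": repeats[ip]} for ip in naive}


if __name__ == "__main__":
    for ip, stats in traffic_totals(SAMPLE_LOGS).items():
        print(ip, stats)
```

A large gap between the naive and deduplicated figures for one host points at repeated session logs rather than real traffic. Session IDs can be reused over a long window, so run this over a short time range.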