danielha
New Member
September 2, 2014
Question

FortiOS 5.2 logging : action=dns or action=ip-conn

  • September 2, 2014
  • 7 replies
  • 66146 views
Hi all,

The LogReference PDF file does not give complete information regarding the action in the logs. Can someone give me more information about the action?

action=deny : no problem. We hit a deny rule in the firewall policy.
action=start : the log is created at the very beginning of the TCP session. This is for debugging.
action=timeout : the session duration hits the firewall timeout. The firewall closes the session.
action=close : the log is created at the end of the session (when a TCP FIN packet is seen?).
action=ip-conn : what is the difference from action=close?
action=dns : I can't figure out the meaning...

Thanks for your help,
Daniel

    7 replies

    jorge9090
    New Member
    September 2, 2014
    Prior to FortiOS 5.2, there was an implicit action to allow DNS queries before every policy; that action=dns simply shows that a host or device made a DNS query to some URL or domain. Now in 5.2 Fortinet changed that, so the recommendation is to make a DNS policy before a permit/deny traffic policy. I guess they keep that log reference.
    danielha (Author)
    New Member
    September 3, 2014
    Hello Jorge,

    Thanks for your answer. Any idea about the ip-conn action?

    Best regards,
    Daniel
    jorge9090
    New Member
    September 3, 2014
    Honestly, I wouldn't know what ip-conn means. And you are right, besides the PDF log reference, there is not much info about it.
    danielha (Author)
    New Member
    September 4, 2014
    Jorge,

    I opened a ticket at Fortinet Support. I was given an answer similar to yours for the DNS part. I'm still waiting for the ip-conn... I'll let you know as soon as I get an answer.

    Regards,
    Daniel
    jorge9090
    New Member
    September 4, 2014
    Thank you Daniel, I am sure Fortinet will give us the answer.
    Jeff_FTNT
    Staff
    September 5, 2014
    If a PC behind the FGT sends packets through a matching policy and the FGT does not get the expected return packet, the FGT treats this "action" as "Failed Connection Attempts". It has a traffic log with "action=ip-conn":

    date=2014-09-05 time=11:04:32 logid=0000000011 type=traffic subtype=forward level=warning vd=vdom1 srcip=192.168.1.18 srcport=1112 srcintf="switch" dstip=192.168.30.2 dstport=53 dstintf="port9" sessionid=1572 action=ip-conn policyid=2 crscore=1375731722 craction=262144

    The FGT will collect logs, and if it finds that one PC has too many of this kind of log, this PC may be infected. This kind of log is for the "Threat Weight" feature on FOS 5.2.
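    Jeff's reply describes action=ip-conn as a "Failed Connection Attempt" that Threat Weight counts per host. As an added example, not from the thread or from Fortinet, here is a small parser for FortiOS key=value traffic log lines that counts ip-conn events per srcip and flags hosts at or above a threshold; apart from the line Jeff quoted, the sample logs and the threshold are constructed.

```python
import re
from collections import Counter

# FortiOS logs are space-separated key=value pairs; values may be double-quoted
# (e.g. srcintf="port9"). Group 3 captures the unquoted content of a quoted value.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_fortios_log(line):
    """Parse one FortiOS log line into a dict of field -> value (quotes stripped)."""
    return {
        m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
        for m in KV_RE.finditer(line)
    }


def failed_connection_hosts(lines, threshold):
    """Count traffic logs with action=ip-conn per srcip.

    Returns (counts, flagged): counts maps srcip -> number of ip-conn logs,
    flagged is the sorted list of srcips with at least `threshold` of them,
    i.e. the hosts Threat Weight style scoring would single out.
    """
    counts = Counter()
    for line in lines:
        rec = parse_fortios_log(line)
        if rec.get("type") == "traffic" and rec.get("action") == "ip-conn":
            counts[rec.get("srcip", "unknown")] += 1
    flagged = sorted(ip for ip, n in counts.items() if n >= threshold)
    return counts, flagged


# Constructed sample: the first line is the one quoted in the thread; the
# remaining lines are made up to show one noisy host and one quiet host.
THREAD_LINE = (
    'date=2014-09-05 time=11:04:32 logid=0000000011 type=traffic subtype=forward '
    'level=warning vd=vdom1 srcip=192.168.1.18 srcport=1112 srcintf="switch" '
    'dstip=192.168.30.2 dstport=53 dstintf="port9" sessionid=1572 action=ip-conn '
    'policyid=2 crscore=1375731722 craction=262144'
)
SAMPLE_LOGS = [
    THREAD_LINE,
    'date=2014-09-05 time=11:04:40 type=traffic subtype=forward srcip=192.168.1.18 dstip=10.0.0.5 dstport=445 action=ip-conn',
    'date=2014-09-05 time=11:04:41 type=traffic subtype=forward srcip=192.168.1.18 dstip=10.0.0.6 dstport=445 action=ip-conn',
    'date=2014-09-05 time=11:04:42 type=traffic subtype=forward srcip=192.168.1.18 dstip=10.0.0.7 dstport=22 action=deny',
    'date=2014-09-05 time=11:05:01 type=traffic subtype=forward srcip=192.168.1.20 dstip=192.168.30.2 dstport=53 action=ip-conn',
    'date=2014-09-05 time=11:05:02 type=traffic subtype=forward srcip=192.168.1.20 dstip=192.168.30.2 dstport=53 action=close',
]

if __name__ == "__main__":
    counts, flagged = failed_connection_hosts(SAMPLE_LOGS, threshold=3)
    print(dict(counts), flagged)
```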
    AtiT
    New Member
    May 17, 2016

    Hello Jeff

    I know it is an old thread, but perhaps you can clarify to me what you mean about the Failed Connection Attempts: the service is allowed in the policy (destination ALL, service ALL).

    Why once the DNS request is not OK and the others are fine? I do not understand.


    See the logs below:


    I cannot see any difference why it should be logged as ip-conn. It makes problems with generating reports, as the service is not listed as DNS and we need to do IF or CASE statements to catch this "anomaly".

    Jeff_FTNT
    Staff
    May 17, 2016

    Hi AtiT,

    Maybe some DNS response packet is lost?