amoureux
Explorer
January 2, 2025
Solved

Interpreting bytes telemetry in Log99 of fortiproxy

  • January 2, 2025
  • 1 reply
  • 2307 views

Hi guys,

I need some assistance in clarifying some of the information I'm seeing in log 99 from my fortiproxy, particularly the rcvdbytes and sentbytes.

Question 1: Does the received bytes refer to the amount of bytes received by the fortiproxy from user or vice versa?

Question 2: Does the sent bytes refer to the amount of bytes sent by user to the dest or vice versa?

Question 3: Does the HTTP method, or any other telemetry within the raw logs, affect the order in which we see the bytes?

This is crucial because it allows me to understand if there is potential malicious exfiltration happening in my environment.

Thanks!

Best answer by dingjerry_FTNT

Thank you, @amoureux .

 

1) rcvdbyte is the bytes received for the initiator.

2) sentbyte is the bytes sent by the initiator.

3) I don't think so.
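As an added example (not from this thread, and not Fortinet code), the script below applies the answer above to constructed FortiProxy-style key=value traffic log lines: it parses each line, sums sentbyte (bytes sent by the initiator, i.e. the client's upload direction) and rcvdbyte per source/destination pair, and flags pairs whose total upload volume and upload-to-download ratio both exceed thresholds. Only sentbyte and rcvdbyte come from the thread; the field names srcip, dstip and dstport, the sample lines, and the thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in key=value traffic-log style. Only the sentbyte and
# rcvdbyte field names come from the thread; srcip/dstip/dstport and all values
# are assumed for this example.
SAMPLE_LOGS = [
    'date=2025-01-02 time=10:00:01 type="traffic" srcip=10.1.1.5 dstip=203.0.113.10 '
    'dstport=443 sentbyte=1200 rcvdbyte=98000 msg="web browsing"',
    'date=2025-01-02 time=10:00:05 type="traffic" srcip=10.1.1.5 dstip=203.0.113.10 '
    'dstport=443 sentbyte=900 rcvdbyte=45000',
    'date=2025-01-02 time=10:01:10 type="traffic" srcip=10.1.1.7 dstip=198.51.100.20 '
    'dstport=443 sentbyte=52428800 rcvdbyte=1500',
    'date=2025-01-02 time=10:02:00 type="traffic" srcip=10.1.1.7 dstip=198.51.100.20 '
    'dstport=443 sentbyte=31457280 rcvdbyte=1200',
]

# key=value pairs; values are either a double-quoted string (may contain spaces)
# or a run of non-whitespace characters.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_kv_log(line: str) -> dict:
    """Parse one key=value log line into a dict, stripping quotes from values."""
    fields = {}
    for key, value in _KV_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def summarize_uploads(lines, upload_threshold=50 * 1024 * 1024, min_ratio=10.0):
    """Aggregate sentbyte/rcvdbyte per (srcip, dstip) and flag upload-heavy pairs.

    Per the thread's answer, sentbyte is what the initiator (client) sent, so a
    large sentbyte total with a tiny rcvdbyte total is the upload-heavy shape
    worth reviewing. The thresholds are assumed defaults, not vendor guidance.
    """
    totals = defaultdict(lambda: {"sent": 0, "rcvd": 0, "sessions": 0})
    for line in lines:
        rec = parse_kv_log(line)
        try:
            sent = int(rec.get("sentbyte", 0))
            rcvd = int(rec.get("rcvdbyte", 0))
        except ValueError:
            continue  # malformed counters: skip the record rather than miscount
        key = (rec.get("srcip", "?"), rec.get("dstip", "?"))
        t = totals[key]
        t["sent"] += sent
        t["rcvd"] += rcvd
        t["sessions"] += 1

    flagged = []
    for (src, dst), t in totals.items():
        ratio = t["sent"] / max(t["rcvd"], 1)  # avoid division by zero
        if t["sent"] >= upload_threshold and ratio >= min_ratio:
            flagged.append({
                "srcip": src, "dstip": dst,
                "sent": t["sent"], "rcvd": t["rcvd"],
                "sessions": t["sessions"], "ratio": round(ratio, 1),
            })
    flagged.sort(key=lambda f: f["sent"], reverse=True)
    return flagged


if __name__ == "__main__":
    for hit in summarize_uploads(SAMPLE_LOGS):
        print(f'{hit["srcip"]} -> {hit["dstip"]}: sent={hit["sent"]} '
              f'rcvd={hit["rcvd"]} sessions={hit["sessions"]} ratio={hit["ratio"]}')
```

Aggregating by source/destination pair rather than per session is what makes a transfer split across many connections visible; lowering upload_threshold or min_ratio trades more review work for earlier visibility, and the right values depend on what normal upload behaviour looks like in a given environment.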

1 reply

dingjerry_FTNT
Staff
January 2, 2025

Hi @amoureux ,

 

Can you explain, or attach a screenshot of what log 99 is?

amoureux (Author)
Explorer
January 2, 2025