Skip to main content
darranz
darranz
New Member
October 26, 2017
Solved

type="traffic" subtyoe="forward" level="notice" action="server-rst"

  • October 26, 2017
  • 2 replies
  • 120566 views

Hi all,

 

   I am having issues with a policy rule for ssh, the rule is to accept ssh traffic from internet to an internal sftp service, we have some ip allowed, and all ip's are running with that rule less one ip than when try to go to the sftp server, all i can see in the log is:

 

date=2017-10-26 time=12:38:23 devname= devid= logid="0000000013" type="traffic" subtype=" forward" level="notice" vd="root" logtime=1509014303 srcip=xxxxxx srcport=53440 srcintf="wan1" srcintfrole="wan" dstip=xxxxxxx dstport=22 dstintf="dmz" dstintfrole="dmz" poluuid="cf827494-ba2e-51e7-eb01-4fc04f2ee2c8" sessionid=30414454 proto=6 action="server-rst" policyid=19 policytype="policy" service="SSH" dstcountry="xxxx" srccountry="xxxxx" trandisp="dnat" tranip=xxxxx tranport=22 duration=5 sentbyte=92 rcvdbyte=92 sentpkt=2 rcvdpkt=2 appcat="unscanned"

 

what do "action=server-rst" mean??

 

Thanks in Advanced

      Best answer by hmtay_FTNT

      Hello darranz,

       

      Here's some explanation on most of the "action" in the log.

       

      It may include the following values: (depending on your FortiOS version - older OS may print just "close". Newer OS prints "Accept: session closed")

      deny accept start dns ip-conn web close timeout

      server-rst

      client-rst session status: start, close, timeout, client-rst, server-rst firewall action for the session: accept, deny other purpose: dns, ip-conn

       

      Most sessions that are accepted by a policy usually have either "Accept" - if UDP, "Accept: session closed" - if closed properly with FIN from both sides, "client-rst" - the client side of the session sends a RST packet or "server-rst" - the server side of the session sends a RST packet. "ip-conn" is used when an IP does not respond to a connection.

       

      There are a few possible reasons that you would get a "server-rst" action, e.g. the client did not send any info for a while for some reasons and the server decides to terminate the session, or if the client sends a FIN and the server may decide to send a RST instead of a FIN.

       

      Hope this helps!

       

      Homing

      2 replies

      hmtay_FTNT
      Staff
      hmtay_FTNTAnswer
      Staff
      October 26, 2017

      Hello darranz,

       

      Here's some explanation on most of the "action" in the log.

       

      It may include the following values: (depending on your FortiOS version - older OS may print just "close". Newer OS prints "Accept: session closed")

      deny accept start dns ip-conn web close timeout

      server-rst

      client-rst session status: start, close, timeout, client-rst, server-rst firewall action for the session: accept, deny other purpose: dns, ip-conn

       

      Most sessions that are accepted by a policy usually have either "Accept" - if UDP, "Accept: session closed" - if closed properly with FIN from both sides, "client-rst" - the client side of the session sends a RST packet or "server-rst" - the server side of the session sends a RST packet. "ip-conn" is used when an IP does not respond to a connection.

       

      There are a few possible reasons that you would get a "server-rst" action, e.g. the client did not send any info for a while for some reasons and the server decides to terminate the session, or if the client sends a FIN and the server may decide to send a RST instead of a FIN.

       

      Hope this helps!

       

      Homing

        darranz
        darranzAuthor
        New Member
        October 27, 2017

        Hi hmtay_FTNT,

         

          very helpfull, thanks for your information.

         

        Regards

        luismg
        luismg
        New Member
        November 15, 2017

        I guess is a reset packet, to send a close connection

        Terms & ConditionsAccessibility statement