fjulianom
Explorer II
March 1, 2018
Solved

When does FortiGate generate traffic logs?

  • March 1, 2018
  • 1 reply
  • 31569 views

Hi guys,

According to NSE4, FortiGate will generate traffic logs once a firewall policy closes an IP session. What does that mean? Does that mean when FortiGate sends a FIN packet to the server? Or does that mean when FortiGate sends an ACK packet after it has received a SYN-ACK from the server? I guess it is the second option. Could you confirm?

Regards,

Julián


    1 reply

    emnoc (Best answer)
    New Member
    March 2, 2018

    I would look at the set logtraffic-start enable option, but in normal operation the log category traffic is not written till after the session has closed. This is the only way to get duration and bytes sent/received.

    Ken

    fjulianom (Author)
    Explorer II
    March 2, 2018

    Hi Ken,

    I have found this post which confirms what you say:

    https://forum.fortinet.com/tm.aspx?m=124864

    But this part of the documentation doesn't mention that a log is generated once the session is closed, but rather whenever a packet matches a firewall policy:

    http://help.fortinet.com/fos50hlp/56/Content/FortiOS/fortigate-logging-reporting/logs.htm

    Traffic

    Traffic logs record the traffic that is flowing through your FortiGate unit. Since traffic needs firewall policies to properly flow through the unit, this type of logging is also referred to as firewall policy logging. Firewall policies control all traffic that attempts to pass through the FortiGate unit, between FortiGate interfaces, zones and VLAN sub-interfaces.

    Logging traffic works in the following way:

      • firewall policy has logging enabled on it (Log Allowed Traffic)
      • packet comes into an inbound interface
      • a possible log packet is sent regarding a match in the firewall policy, such as a URL filter
      • traffic log packet is sent, per firewall policy
      • packet passes and is sent out an interface

    Traffic log messages are stored in the traffic log file. Traffic logs can be stored on any log device, even system memory.

    Regards,

    Julián

    emnoc
    New Member
    March 2, 2018

    Review this article (search on traffic-start and the logging section):

    http://help.fortinet.com/cli/fos50hlp/54/Content/FortiOS/fortiOS-cli-ref-54/config/firewall/policy.htm
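As an added example (not part of this thread, and not Fortinet's own tooling), a small Python parser for FortiGate-style key=value traffic records that shows the point Ken makes: only the end-of-session record carries duration and byte counts, while a record written at session start (logtraffic-start) cannot. The sample lines are constructed; the field names (sessionid, duration, sentbyte, rcvdbyte) follow FortiGate traffic-log conventions and the action values are illustrative assumptions.

```python
import re
from typing import Dict, List

# Tokenizer for FortiGate-style key=value records: values are either bare
# (no spaces) or double-quoted (may contain spaces and escaped quotes).
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_record(line: str) -> Dict[str, str]:
    """Turn one key=value log line into a dict, unquoting quoted values."""
    fields: Dict[str, str] = {}
    for key, raw in _KV.findall(line):
        if raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields

# Accounting fields that only exist once the session has been closed.
ACCOUNTING_FIELDS = ("duration", "sentbyte", "rcvdbyte")

def is_session_end(rec: Dict[str, str]) -> bool:
    """True when the record carries end-of-session accounting."""
    return all(f in rec for f in ACCOUNTING_FIELDS)

def summarize(lines: List[str]) -> Dict[str, Dict[str, object]]:
    """Per-sessionid duration/byte totals, built only from end-of-session records."""
    totals: Dict[str, Dict[str, object]] = {}
    for line in lines:
        rec = parse_record(line)
        if rec.get("type") != "traffic" or not is_session_end(rec):
            continue  # a start record has nothing to account for yet
        totals[rec["sessionid"]] = {
            "duration": int(rec["duration"]),
            "bytes": int(rec["sentbyte"]) + int(rec["rcvdbyte"]),
            "action": rec.get("action", ""),
        }
    return totals

# Constructed sample lines (not real device output): the first is what a
# logtraffic-start record looks like, the second the matching close record.
SAMPLE_LINES = [
    'date=2018-03-02 time=10:00:01 type="traffic" subtype="forward" action="start" '
    'policyid=7 sessionid=1001 srcip=10.0.0.5 dstip=192.0.2.10 dstport=443 service="HTTPS"',
    'date=2018-03-02 time=10:00:31 type="traffic" subtype="forward" action="close" '
    'policyid=7 sessionid=1001 srcip=10.0.0.5 dstip=192.0.2.10 dstport=443 service="HTTPS" '
    'duration=30 sentbyte=1520 rcvdbyte=48210',
]
```

Running summarize(SAMPLE_LINES) yields a single entry for session 1001 taken from the close record; the start record is skipped because it has no duration or byte fields.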