This article explains how FortiAnalyzer handles the field change from Status to Action in FortiOS logs starting in FortiOS 5.2. It also summarizes the possible values of the status and action fields.
Solution
As outlined in the FortiOS Log Reference documentation for v5.0 and v5.2, the name of the status field changed in v5.2. FortiGate v4.3 and v5.0 use status, while FortiGate v5.2 and later use action.
FortiAnalyzer v5.2.x needs to handle both FortiGate v5.0 and v5.2 logs. When FortiAnalyzer collects logs, it does not distinguish log versions, so it creates a set of all log fields and values from both versions.
In more recent FortiAnalyzer versions (v5.2.x and higher), FortiAnalyzer only records action, placing the status value (if included) in the action field.
For FortiGate v5.0, the status field in the traffic log could have five possible values:
- accept: for the end of non-TCP traffic.
- close: for the end of a TCP session closed with a FIN/FIN-ACK/RST.
- deny: for traffic blocked by a firewall policy.
- start: for a TCP session start log (special option to enable logging at the start of a session). This means the session is allowed by a firewall policy.
- timeout: for the end of a TCP session which is closed because it was idle.
For FortiGate v5.2, action could have six possible values:
- close: for the end of a TCP session closed with a FIN/FIN-ACK/RST.
- deny: for traffic blocked by a firewall policy.
- dns: for a DNS lookup that failed for the session.
- ip-conn: for an IP connection that failed for the session (the host is not reachable).
- start: for a TCP session start log (special option to enable logging at the start of a session). This means the session is allowed by a firewall policy.
- timeout: for the end of a TCP session which is closed because it was idle.
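For anyone feeding these logs into their own SIEM or detection rules rather than FortiAnalyzer, the practical consequence is that a rule keyed only on action will silently miss deny events from v5.0 devices. The following is an added example (not Fortinet code) that mirrors the FortiAnalyzer v5.2.x behaviour described above: it parses key=value traffic logs, folds a legacy status value into action, tags which schema the record came from, and flags values outside the documented sets. The sample log lines are constructed for the example.

```python
import re
from collections import Counter
from typing import Dict, Iterable

# Value sets as listed in the FortiOS Log References cited by the article.
STATUS_VALUES_V50 = {"accept", "close", "deny", "start", "timeout"}
ACTION_VALUES_V52 = {"close", "deny", "dns", "ip-conn", "start", "timeout"}

# key=value pairs; values may be double-quoted and contain spaces.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Split a FortiGate syslog line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def normalize_action(fields: Dict[str, str]) -> dict:
    """Fold a legacy v5.0 'status' into the v5.2 'action' field (as the article
    says FortiAnalyzer v5.2.x does), record which schema the line used, and
    flag values that are not in either documented set."""
    out: dict = dict(fields)
    status = out.pop("status", None)
    if "action" in out:                 # v5.2+ device: action already present
        out["log_schema"] = "v5.2"
    elif status is not None:            # v4.3/v5.0 device: only status present
        out["action"] = status
        out["log_schema"] = "v5.0"
    else:
        out["log_schema"] = "unknown"
    out["action_known"] = out.get("action") in (STATUS_VALUES_V50 | ACTION_VALUES_V52)
    return out


def count_actions(lines: Iterable[str]) -> Dict[str, int]:
    """Tally traffic-log outcomes across mixed v5.0/v5.2 sources, i.e. what a
    detection keyed on 'action' sees once both schemas are normalized."""
    tally: Counter = Counter()
    for line in lines:
        rec = normalize_action(parse_fortigate_log(line))
        if rec.get("type") == "traffic" and "action" in rec:
            tally[rec["action"]] += 1
    return dict(tally)


# Constructed sample lines: two in v5.0 style (status=), two in v5.2 style (action=).
SAMPLE_LOGS = [
    'date=2015-01-10 time=10:00:01 devname=FG-A type=traffic subtype=forward status=deny srcip=10.0.0.5 dstip=203.0.113.7 dstport=445',
    'date=2015-01-10 time=10:00:02 devname=FG-A type=traffic subtype=forward status=close srcip=10.0.0.6 dstip=203.0.113.8 dstport=443',
    'date=2015-06-10 time=10:00:03 devname=FG-B type=traffic subtype=forward action=deny srcip=10.0.0.7 dstip=203.0.113.9 dstport=22',
    'date=2015-06-10 time=10:00:04 devname=FG-B type=traffic subtype=forward action=ip-conn srcip=10.0.0.8 dstip=203.0.113.10 dstport=80',
]

if __name__ == "__main__":
    print(count_actions(SAMPLE_LOGS))  # both deny events are counted, whichever field carried them
```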
The FortiGate Log Message Reference v5.0 and FortiOS Log Reference Guide v5.2 are both available in the Fortinet Document Library.