FortiGate
akushwaha (Staff)
Article Id 346387
Description This article explains why the bandwidth usage of a firewall policy appears higher on a syslog server than on the FortiGate itself.
Scope FortiGate.
Solution

In the below example, the total Bandwidth Usage in the firewall policy is 2.46 GB:

[Figure FP.png: the firewall policy's bandwidth usage column showing 2.46 GB]

On the syslog server, however, the same policy shows a higher value than FortiGate reports.

Reason:

A syslog server generally computes bandwidth by adding up the sentbyte and rcvdbyte fields of every traffic log it receives.

FortiGate, however, also sends interim traffic logs in the middle of a long-lived session, and each of these carries sentbyte and rcvdbyte counters as well. A plain sum over all logs therefore counts the same session more than once. FortiGate itself calculates usage per session ID and does not add the interim entries, which is why its figure is lower.

Solution:
To get the same value on both FortiGate and the syslog server, filter the logs on the logging server by session ID, keep only the last log received for each session, and add up the sentbyte and rcvdbyte values of those logs.

Alternatively, interim logs can be excluded from what is sent to the syslog server. With this approach only a single log is sent per session, so the syslog server may report less usage than FortiGate: a long-lived session that is still open has not yet sent that log and contributes nothing until it closes.


Interim logs are identified by logid=0000000020 and action=accept.
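As an added example that is not part of the Fortinet article, the Python script below performs the reconciliation described above on a constructed feed of FortiGate traffic logs: it parses the key=value lines, sums every log the way a syslog server does, then keeps only the last log received per session ID and sums those instead. Interim logs are recognised by logid 0000000020, as stated above. The sample lines, with their addresses, session IDs and byte counts, are made up for illustration; using logid 0000000013 for the session-close log and sentbyte/rcvdbyte as the counter field names reflects standard FortiOS forward-traffic logs but is this example's assumption, not something the article spells out.

```python
"""Reconcile FortiGate per-policy bandwidth with a syslog feed.

Added example, not code from the Fortinet article. It parses FortiGate
key=value traffic logs, computes the naive cumulative sum a syslog server
reports, and recomputes usage the way the article describes: one log per
session ID, the last one received. Interim logs are identified by
logid 0000000020 as the article states; the close logid 0000000013, the
field names sentbyte/rcvdbyte and all sample values are assumptions.
"""
import re
from collections import OrderedDict

# key=value pairs; values are bare tokens or double-quoted strings.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

INTERIM_LOGID = "0000000020"  # interim log of a long-lived session (per the article)

# Constructed sample feed (not real traffic). Policy 5 has two interim logs
# and a close for session 1001, a single close for 1002, and a session 1004
# that has so far only sent an interim log. Session 1003 is on another policy.
SAMPLE_LOGS = [
    'date=2024-09-10 time=10:00:30 devname="FGT-1" logid="0000000020" type="traffic" '
    'subtype="forward" level="notice" vd="root" srcip=10.0.1.20 dstip=203.0.113.10 '
    'sessionid=1001 action="accept" policyid=5 duration=30 sentbyte=1000 rcvdbyte=4000',
    'date=2024-09-10 time=10:00:45 devname="FGT-1" logid="0000000013" type="traffic" '
    'subtype="forward" level="notice" vd="root" srcip=10.0.1.21 dstip=203.0.113.11 '
    'sessionid=1002 action="accept" policyid=5 duration=12 sentbyte=500 rcvdbyte=1500',
    'date=2024-09-10 time=10:01:30 devname="FGT-1" logid="0000000020" type="traffic" '
    'subtype="forward" level="notice" vd="root" srcip=10.0.1.20 dstip=203.0.113.10 '
    'sessionid=1001 action="accept" policyid=5 duration=90 sentbyte=2000 rcvdbyte=9000',
    'date=2024-09-10 time=10:01:40 devname="FGT-1" logid="0000000013" type="traffic" '
    'subtype="forward" level="notice" vd="root" srcip=10.0.1.22 dstip=203.0.113.12 '
    'sessionid=1003 action="accept" policyid=7 duration=5 sentbyte=100 rcvdbyte=200',
    'date=2024-09-10 time=10:02:00 devname="FGT-1" logid="0000000020" type="traffic" '
    'subtype="forward" level="notice" vd="root" srcip=10.0.1.23 dstip=203.0.113.13 '
    'sessionid=1004 action="accept" policyid=5 duration=60 sentbyte=700 rcvdbyte=300',
    'date=2024-09-10 time=10:03:00 devname="FGT-1" logid="0000000013" type="traffic" '
    'subtype="forward" level="notice" vd="root" srcip=10.0.1.20 dstip=203.0.113.10 '
    'sessionid=1001 action="accept" policyid=5 duration=180 sentbyte=3000 rcvdbyte=12000',
]


def parse_fortigate_log(line):
    """Return the key=value fields of one FortiGate syslog line, quotes stripped."""
    fields = {}
    for key, value in _KV_RE.findall(line):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def session_bytes(rec):
    """sentbyte + rcvdbyte of one traffic log (0 when a field is absent)."""
    return int(rec.get("sentbyte", 0)) + int(rec.get("rcvdbyte", 0))


def policy_traffic(records, policyid):
    """Traffic logs of one policy, in the order they were received."""
    return [r for r in records
            if r.get("type") == "traffic" and r.get("policyid") == str(policyid)]


def naive_total(records, policyid):
    """What a syslog server typically reports: every log's counters added up."""
    return sum(session_bytes(r) for r in policy_traffic(records, policyid))


def last_log_per_session(records, policyid):
    """Keep only the last log received for each session ID."""
    last = OrderedDict()
    for r in policy_traffic(records, policyid):
        last[r["sessionid"]] = r  # a later log for the session replaces an earlier one
    return last


def per_session_total(records, policyid):
    """Usage computed the way FortiGate does it: one log per session ID."""
    return sum(session_bytes(r)
               for r in last_log_per_session(records, policyid).values())


def interim_count(records):
    """Number of interim logs in the feed."""
    return sum(1 for r in records if r.get("logid") == INTERIM_LOGID)


def open_sessions(records, policyid):
    """Sessions whose last log is still an interim one (no close log yet).
    If interim logs are suppressed, these send nothing to syslog until they close."""
    return {sid for sid, r in last_log_per_session(records, policyid).items()
            if r.get("logid") == INTERIM_LOGID}


RECORDS = [parse_fortigate_log(line) for line in SAMPLE_LOGS]

if __name__ == "__main__":
    print("naive syslog sum:       ", naive_total(RECORDS, 5))
    print("per-session (FortiGate):", per_session_total(RECORDS, 5))
    print("interim logs in feed:   ", interim_count(RECORDS))
    print("still-open sessions:    ", sorted(open_sessions(RECORDS, 5)))
```

Run as-is it prints the naive sum, the per-session sum, the number of interim logs, and the sessions that have only sent interim logs so far. That last set is exactly what drops out of the syslog figure when interim logs are suppressed, which is why that option can under-report.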

 

To stop sending interim logs to the syslog server, run the commands below. The free-style filter excludes traffic logs whose logid is 0000000020 from the syslogd feed:

config log syslogd filter
    config free-style
        edit 1
            set category traffic
            set filter "((logid 0000000020))"
            set filter-type exclude
        next
    end
end