Created on 04-01-2025 12:44 AM | Edited on 08-08-2025 02:58 AM | By Jean-Philippe_P
| Description | This article describes why, and under which conditions, the application control profile on FortiGate may leave server reset and client reset traffic uncategorized, or categorize it as 'unknown' app-cat, in logs and reports. |
| Scope | FortiOS. |
| Solution |
Server reset and client reset messages appear in the logs as 'server-rst' and 'client-rst' and correspond to TCP reset (RST) packets. In some circumstances, the application control profile tags client or server reset sessions with the application control category 'unknown' (appcat="unknown" in the log).
Sample log:
date=2024-08-13 time=17:19:44 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="FGClient" eventtime=1597357184697786098 tz="-0500" srcip=192.168.0.1 srcport=43270 srcintf="port5" srcintfrole="undefined" dstip=192.168.180.102 dstport=443 dstintf="port3" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=9077 proto=6 action="server-rst" policyid=1 policytype="policy" poluuid="7e166248-93d2-51ea-0ec2-3a377e3937ff" policyname="InternetAccess" service="HTTPS" trandisp="snat" transip=200.56.34.129 transport=43270 appcat="unknown" applist="AppCtrl-Monitor" duration=5 sentbyte=25716 rcvdbyte=1124 sentpkt=21 rcvdpkt=24 wanin=0 wanout=24616 lanin=24616 lanout=24616 utmaction="block" countapp=1 utmref=0-2516
date=2023-04-06 time=11:20:35 eventtime=1680747636059599977 tz="+0900" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.101.5 srcport=51281 srcintf="internal3" srcintfrole="undefined" dstip=210.158.111.97 dstport=443 dstintf="internal5" dstintfrole="undefined" srccountry="Reserved" dstcountry="Japan" sessionid=1153888 proto=6 action="server-rst" policyid=3 policytype="policy" poluuid="bc5b313e-f8e1-51ec-0ff7-0f0044aebd90" policyname="internalToExternal" service="HTTPS" trandisp="snat" transip=10.16.10.6 transport=51281 appcat="unknown" applist="Guard" duration=0 sentbyte=0 rcvdbyte=40 sentpkt=0 rcvdpkt=1
In FortiGate firewalls, server reset (server-rst) and client reset (client-rst) messages are not classified by the Application Control profile because they are transport-layer (Layer 4) events rather than application-layer (Layer 7) activity, and Layer 7 is where Application Control inspects and categorizes traffic based on application signatures and behaviors. A TCP reset can happen for many reasons, and in these cases the application control profile may not assign a category to the traffic. Common causes include:
Since FortiGate cannot always determine why the reset occurred in an application, it logs the event as a reset rather than categorizing it under Application Control. Likewise, if the TCP reset arrives before application inspection has completed, the 'unknown' category may appear in the logs. To verify where the RESET actually originates, compare the TTL values of the SYN and RST packets in a Wireshark capture; this gives more insight into which host is sending the RESET. If the TTL value in the IP header of the RST is 64 or 128 (the usual default initial TTLs), the packet has not been decremented by any router, which means it was not routed in from beyond the gateway device.
Troubleshooting Tip: 'action=client-rst' in the traffic log description |
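As an added illustration that is not part of the Fortinet article, the following Python script parses the FortiOS key=value traffic-log lines shown above, triages reset sessions that carry appcat="unknown", and applies the SYN/RST TTL check; the packet threshold MIN_PKTS_FOR_L7 and the outcome labels are assumptions made for the example.

```python
import re
from collections import Counter
# Constructed sample input: the two traffic-log lines from this article, shortened.
SAMPLE_LOGS = [
    'date=2024-08-13 time=17:19:44 type="traffic" srcip=192.168.0.1 dstip=192.168.180.102 '
    'dstport=443 proto=6 action="server-rst" service="HTTPS" appcat="unknown" '
    'applist="AppCtrl-Monitor" duration=5 sentpkt=21 rcvdpkt=24 utmaction="block"',
    'date=2023-04-06 time=11:20:35 type="traffic" srcip=192.168.101.5 dstip=210.158.111.97 '
    'dstport=443 proto=6 action="server-rst" service="HTTPS" appcat="unknown" '
    'applist="Guard" duration=0 sentpkt=0 rcvdpkt=1',
]
# key=value pairs; values are double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Assumed threshold: a session torn down within this many packets never reached
# Layer 7 inspection, so no application signature could have matched.
MIN_PKTS_FOR_L7 = 3

def parse_fortigate_log(line):
    """Parse one FortiOS key=value log line into a dict, quotes stripped."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}

def triage_reset(rec):
    """Classify why a reset session might carry appcat=unknown."""
    if rec.get("action") not in ("server-rst", "client-rst"):
        return "not-a-reset"
    if rec.get("appcat", "unknown") != "unknown":
        return "reset-after-identification"  # app identified before the RST
    pkts = int(rec.get("sentpkt", 0)) + int(rec.get("rcvdpkt", 0))
    if pkts < MIN_PKTS_FOR_L7:
        return "reset-before-inspection"     # RST arrived before L7 saw any data
    return "reset-unclassified"              # enough data, but no signature matched

def summarize_resets(lines):
    """Count triage outcomes over a batch of log lines."""
    return Counter(triage_reset(parse_fortigate_log(l)) for l in lines)

def rst_origin_hint(syn_ttl, rst_ttl):
    """TTL check from the article, for a SYN and a RST captured in the same direction:
    a RST still at a default initial TTL (64/128) was never decremented by a router,
    so it did not come from beyond the gateway; a TTL unlike the SYN's means another hop sent it."""
    if rst_ttl in (64, 128):
        return "not-routed"
    return "same-sender-as-syn" if rst_ttl == syn_ttl else "injected-by-other-hop"

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        rec = parse_fortigate_log(line)
        print(rec["srcip"], "->", rec["dstip"], rec["action"], triage_reset(rec))
```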