FortiGate has predefined services matching the protocol port numbers and types.

When user traffic passes through the FortiGate allowed by the defined ipv4 policy, a log is created for the session with all the information.

For Example:

LAN PC is Doing SSH access of the External FortiGate (acting as a server) and traffic is passing through Internal FortiGate.

When SSH access is initiated in the PC and allowed by FortiGate, it will create a Forward traffic log in Internal FortiGate with service as SSH.

date=2024-12-27 time=04:20:39 eventtime=1735302038535839376 tz="-0800" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=172.30.18.94 srcname="ERBIUM-KVM134" srcport=52132 srcintf="port4" srcintfrole="undefined" dstip=10.5.144.165 dstname="10.5.144.165" dstport=22 dstintf="port1" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=10761106 proto=6 action="close" policyid=2 policytype="policy" poluuid="f1a56c7a-b57b-51ef-77b2-44d9c62a17a5" policyname="Internet policy" service="SSH" trandisp="snat" transip=10.5.144.159 transport=52132 appcat="unscanned" duration=106 sentbyte=2688 rcvdbyte=2460 sentpkt=16 rcvdpkt=15 vwlid=0 devtype="Unknown" osname="Windows" srcswversion="10 / 2016" mastersrcmac="00:65:72:62:86:01" srcmac="00:65:72:62:86:01" srcserver=0

The same logs are generated in FortiGate irrespective of the client application used to initiate SSH access (TCP port 22).

Even when doing telnet to External FortiGate on TCP port 22 as well.

SSH or Telnet can be used to establish a TCP connection to the server listening port as 22. These two protocols will not share any protocol information in TCP handshake.

When FortiGate checks the incoming communication, for FortiGate, the destination port is TCP 22 which is a default port for SSH.

Now FortiGate matches this traffic with service SSH and allows the traffic.
If the communication is happening on TCP port 23, it will be understood that it’s a Telnet communication.

When telnet to server IP with any service port number such as 22, 80, 443 is generated, this will be match the respective protocol defined for these ports.

Here is a capture for example:

This is a sample communication from client to server using putty and connection type as SSH.

3133 1451.725577 172.30.18.94 10.5.144.165 TCP 66 52879 → 22 [SYN, ECE, CWR] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM
3134 1451.728284 10.5.144.165 172.30.18.94 TCP 66 22 → 52879 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM WS=16384
3135 1451.728334 172.30.18.94 10.5.144.165 TCP 54 52879 → 22 [ACK] Seq=1 Ack=1 Win=262656 Len=0
3136 1451.730299 10.5.144.165 172.30.18.94 SSHv2 76 Server: Protocol (SSH-2.0-ZiFqlIDFo8Qx)
3137 1451.734302 172.30.18.94 10.5.144.165 SSHv2 82 Client: Protocol (SSH-2.0-PuTTY_Release_0.78)
3138 1451.735269 10.5.144.165 172.30.18.94 TCP 60 22 → 52879 [ACK] Seq=23 Ack=29 Win=32768 Len=0
3139 1451.735455 10.5.144.165 172.30.18.94 SSHv2 662 Server: Key Exchange Init
3140 1451.738527 172.30.18.94 10.5.144.165 SSHv2 1550 Client: Key Exchange Init
3141 1451.738943 10.5.144.165 172.30.18.94 TCP 60 22 → 52879 [ACK] Seq=631 Ack=1525 Win=32768 Len=0
3142 1451.741509 172.30.18.94 10.5.144.165 SSHv2 102 Client: Elliptic Curve Diffie-Hellman Key Exchange Init
3143 1451.746071 10.5.144.165 172.30.18.94 SSHv2 358 Server: Elliptic Curve Diffie-Hellman Key Exchange Reply, New Keys
3144 1451.802264 172.30.18.94 10.5.144.165 TCP 54 52879 → 22 [ACK] Seq=1573 Ack=935 Win=261632 Len=0
3145 1453.884082 172.30.18.94 10.5.144.165 SSHv2 134 Client: New Keys
3146 1453.884877 10.5.144.165 172.30.18.94 SSHv2 118 Server:
3147 1453.942904 172.30.18.94 10.5.144.165 TCP 54 52879 → 22 [ACK] Seq=1653 Ack=999 Win=261632 Len=0

FortiGate logs show this communication as SSH:

date=2024-12-12 time=05:49:58 eventtime=1734011397762639476 tz="-0800" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=172.30.18.94 srcname="172.30.18.94" srcport=52879 srcintf="port4" srcintfrole="undefined" dstip=10.5.144.165 dstname="10.5.144.165" dstport=22 dstintf="port1" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=95130 proto=6 action="close" policyid=2 policytype="policy" poluuid="f1a56c7a-b57b-51ef-77b2-44d9c62a17a5" policyname="ff" service="SSH" trandisp="snat" transip=10.5.144.159 transport=52879 appid=16060 app="SSH" appcat="Network.Service" apprisk="elevated" applist="default" duration=121 sentbyte=2104 rcvdbyte=1370 sentpkt=11 rcvdpkt=9 vwlid=0 utmaction="allow" countapp=1 sentdelta=80 rcvddelta=80 durationdelta=1 sentpktdelta=2 rcvdpktdelta=2 utmref=65522-6840

This is a sample communication from client to server using putty and connection types such as Telnet and port 22.

2997 1204.255690 172.30.18.94 10.5.144.165 TCP 66 52861 → 22 [SYN, ECE, CWR] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM
2998 1204.258657 10.5.144.165 172.30.18.94 TCP 66 22 → 52861 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM WS=16384
2999 1204.258696 172.30.18.94 10.5.144.165 TCP 54 52861 → 22 [ACK] Seq=1 Ack=1 Win=262656 Len=0
3000 1204.260725 10.5.144.165 172.30.18.94 SSH 76 Server: Protocol (SSH-2.0-ZiFqlIDFo8Qx)
3001 1204.263778 172.30.18.94 10.5.144.165 SSH 75 Client: Encrypted packet (len=21)
3002 1204.264246 10.5.144.165 172.30.18.94 TCP 60 22 → 52861 [ACK] Seq=23 Ack=22 Win=32768 Len=0
3058 1287.110313 172.30.18.94 10.5.144.165 TCP 54 52861 → 22 [FIN, ACK] Seq=22 Ack=23 Win=262656 Len=0
3059 1287.112673 10.5.144.165 172.30.18.94 TCP 60 22 → 52861 [FIN, ACK] Seq=23 Ack=23 Win=32768 Len=0
3060 1287.112708 172.30.18.94 10.5.144.165 TCP 54 52861 → 22 [ACK] Seq=23 Ack=24 Win=262656 Len=0

Both the Traffic is matches the service SSH and get allowed.
Further logs will be created for this session with the app as 'SSH'.