FortiGate
tino_p
Staff
Article Id 274015
Description: This article describes how to determine the starting time of a traffic session on a FortiGate.
Scope: FortiGate.
Solution

By default, policy matching happens when a session starts, but the traffic log is only written when the session ends. The session's starting time therefore has to be derived from the end-of-session log with the following calculation:

[session's starting time] = [session's end time] - [session's duration]

For example, in the session logged below, the end time is [11:14:49] and the duration is [135] seconds, so the starting time is [11:14:49] - [135] (seconds) = [11:12:34]:

date=2023-09-16 time=11:14:49 eventtime=1694834089182722753 tz="+0800" logid="0000000020" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.55.100 srcport=54262 srcintf="port5" srcintfrole="lan" dstip=172.217.26.67 dstport=443 dstintf="port1" dstintfrole="undefined" srccountry="Reserved" dstcountry="Singapore" sessionid=11418530 proto=6 action="accept" policyid=1 policytype="policy" poluuid="d489b652-543b-51ee-d6b9-26c215f9f0a6" policyname="www" service="HTTPS" trandisp="snat" transip=10.47.4.6 transport=54262 duration=135 sentbyte=1622 rcvdbyte=6791 sentpkt=13 rcvdpkt=16 appcat="unscanned" sentdelta=1622 rcvddelta=6791 mastersrcmac="00:57:69:72:2b:01" srcmac="00:57:69:72:2b:01" srcserver=0


However, this default behavior can be changed by enabling the option 'logtraffic-start' in the firewall policy.

Once it is enabled, a traffic log is written both when the session starts and when it ends, so there are two logs for each session ID.

For example:

date=2023-09-16 time=11:38:04 eventtime=1694835483940960507 tz="+0800" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.55.100 srcport=54644 srcintf="port5" srcintfrole="lan" dstip=131.226.92.57 dstport=8013 dstintf="port1" dstintfrole="undefined" srccountry="Reserved" dstcountry="Philippines" sessionid=11433724 proto=6 action="client-rst" policyid=1 policytype="policy" poluuid="d489b652-543b-51ee-d6b9-26c215f9f0a6" policyname="www" service="tcp/8013" trandisp="snat" transip=10.47.4.6 transport=54644 duration=5 sentbyte=576 rcvdbyte=3182 sentpkt=6 rcvdpkt=5 appcat="unscanned" mastersrcmac="00:57:69:72:2b:01" srcmac="00:57:69:72:2b:01" srcserver=0


date=2023-09-16 time=11:37:59 eventtime=1694835478734794565 tz="+0800" logid="0000000015" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.55.100 srcport=54644 srcintf="port5" srcintfrole="lan" dstip=131.226.92.57 dstport=8013 dstintf="port1" dstintfrole="undefined" srccountry="Reserved" dstcountry="Philippines" sessionid=11433724 proto=6 action="start" policyid=1 policytype="policy" poluuid="d489b652-543b-51ee-d6b9-26c215f9f0a6" policyname="www" service="tcp/8013" trandisp="snat" transip=10.47.4.6 transport=54644 duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned"


In this session, the log with action="start" records the starting time [11:37:59]; the second log records the end time [11:38:04] with a duration of [5] seconds, which is consistent with the calculation above.
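The following script is an added example (not part of the Fortinet article) that applies both cases above to FortiGate key=value traffic logs: it computes the start time as end time minus duration for sessions logged only at the end, and, when 'logtraffic-start' has produced an action="start" record for the same session ID, takes the start time from that record instead. The sample input is the article's three log lines, trimmed to the fields the script needs; all timestamps are in the device's local time (tz="+0800"), so naive datetimes are sufficient.

```python
import re
from datetime import datetime, timedelta

# Sample input: the traffic logs from the article above, trimmed to the fields
# this script reads (date, time, sessionid, action, duration).
LOGS = [
    'date=2023-09-16 time=11:14:49 type="traffic" sessionid=11418530 action="accept" duration=135',
    'date=2023-09-16 time=11:38:04 type="traffic" sessionid=11433724 action="client-rst" duration=5',
    'date=2023-09-16 time=11:37:59 type="traffic" sessionid=11433724 action="start" duration=0',
]

# key=value pairs; values are either double-quoted or a bare token.
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log(line):
    """Turn a FortiGate key=value log line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}


def session_times(logs):
    """Return {sessionid: (start, end)} as datetimes.

    The end time comes from the closing log (any action other than "start").
    The start time is end - duration, as in the article; if a
    logtraffic-start record (action="start") exists for the same session ID,
    its own timestamp is used as the start time instead."""
    sessions = {}
    for rec in map(parse_log, logs):
        sid = rec["sessionid"]
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        entry = sessions.setdefault(sid, {"start_log": None, "end": None, "duration": 0})
        if rec["action"] == "start":
            entry["start_log"] = ts
        else:
            entry["end"] = ts
            entry["duration"] = int(rec["duration"])

    result = {}
    for sid, e in sessions.items():
        if e["end"] is None:
            continue  # only a start log so far: the session is still open
        computed_start = e["end"] - timedelta(seconds=e["duration"])
        start = e["start_log"] if e["start_log"] is not None else computed_start
        result[sid] = (start, e["end"])
    return result


if __name__ == "__main__":
    for sid, (start, end) in session_times(LOGS).items():
        print(f"session {sid}: start {start:%H:%M:%S}, end {end:%H:%M:%S}")
```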
