Technical Tip: Meaning of SSL-VPN event log alert 'close notify'

This article describes that, In the VPN event logs, the below example of log can be received:

date=aaaa-bb-cc time=14:57:03 id=7043999867294711827 itime="aaaa-bb-cc 14:57:03" euid=2 epid=2 dsteuid=2 dstepid=2 logver=604071911 logid=0101039944 type="event" subtype="vpn" level="information" action="ssl-alert" msg="SSL alerts" logdesc="SSL VPN alert" user="N/A" remip=x.x.x.x group="N/A" tunnelid=0 tunneltype="ssl" dst_host="N/A" reason="warning" desc="close notify" eventtime=1640059023563861162 tz="+1100" devid="FGTSERIALNO" vd="root" csf="FABRIC-NAME" dtime="aaaa-bb-cc 14:57:03" itime_t=1640059023 devname="FGT-NAME"

Note that some details of the above log have been altered for privacy reasons.

This is an alert for closing the SSL-VPN connection, right before the FIN packet.

When either the client or the server is ready to end the connection, both issue the SSL_shutdown() function to indicate that the SSL connection is ending normally.

This causes an SSL record whose type is alert to flow.

For this, the type of alert is close notify, which means the SSL session is ending.

To stop receiving this log message, it can be excluded using the log id and the below steps from FortiGate CLI:

# config log disk filter
    set filter-type exclude
    set filter [logid]

end