This article describes logging changes for traffic logs (introduced in FortiGate 5.6.2, 6.0.2) in particular the introduction of logging for ongoing sessions.
FortiGate log message references for various firmware versions can be found at https://docs.fortinet.com/product/fortigate
Prior to firmware versions 5.6.6 and 6.0.2, FortiGate only generated a traffic log message after a session was removed from the session table, containing all session details (duration, source/destination, related UTM, authentication etc).
This log has logid 0000000013 and looks as follows:
date=2019-08-20 time=16:57:50 idseq=124297053156147507 bid=10815853 dvid=1031 itime=1566300470 euid=0 epid=62427 dsteuid=1071 dstepid=62529 logflag=1 type="traffic" subtype="forward" level="notice" action="close" policyid=1 sessionid=1259494050 srcip=10.0.0.4 dstip=10.5.1.5 srcport=60329 dstport=443 trandisp="noop" duration=2 proto=6 sentbyte=327 rcvdbyte=132 sentpkt=6 rcvdpkt=3 logid="0000000013" dstunauthuser="test_user" service="HTTPS" app="HTTPS" appcat="unscanned" srcintfrole="lan" dstintfrole="lan" dstserver=1 policytype="policy" eventtime=1566300470 poluuid="f6b28a28-a1e9-51e9-b350-76ee9ac39102" dstmac="00:00:00:00:00:00" masterdstmac="00:00:00:00:00:00" dstdevtype="Windows PC" dstdevcategory="Windows Device" dstosname="Windows 10 / 2016" srccountry="Reserved" dstcountry="Reserved" srcintf="port11" dstintf="port3" dstunauthusersource="kerberos" devid=" FortiGate S/N " vd="root" devname="hostname"
Starting in firmware version 5.6.6 and 6.0.2, FortiGate generates a new traffic log type, 'Forward traffic statistics'
This log has logid 0000000020 and looks as follows:
date=2019-08-20 time=16:57:45 idseq=124297053156147572 bid=10815850 dvid=1031 itime=1566300465 euid=0 epid=62427 dsteuid=0 dstepid=101 logflag=32 type="traffic" subtype="forward" level="notice" action="accept" policyid=1 sessionid=1259478831 srcip=10.0.0.1 dstip=188.8.131.52 transip=184.108.40.206 srcport=59971 dstport=443 transport=59971 trandisp="snat" duration=125 proto=6 sentbyte=92 rcvdbyte=1552 sentdelta=0 rcvddelta=0 sentpkt=2 rcvdpkt=2 logid="0000000020" service="HTTPS" app="HTTPS" appcat="unscanned" srcintfrole="lan" dstintfrole="wan" policytype="policy" eventtime=1566300466 poluuid="3e343a16-7b04-51e9-db92-e9f802c1a6c6" srccountry="Reserved" dstcountry="United States" srcintf="port11" dstintf="port16" dstowner="microsoft.com" devid="FortiGate S/N" vd="root" devname="hostname"
The statistic log contains two new fields: sentdelta and rcvddelta
These fields contain the number of bytes since the previous statistic log for the same session.
Each ongoing session generates a statistic log every two minutes, starting two minutes after the session was established. This means a session can generate multiple logs over its lifetime.
After the session is closed, a final log with overall stats will be generated, with logid 0000000013. All logs belonging to the same session can be found by filtering for the unique session ID.
This logging behavior means that traffic is visible in the logs when one of the following conditions is met:
- The session is at least two minutes old
- The session has been removed from the session table (due to timeout, FIN/ACK, RST or similar)
As an example, a PING sent through the FortiGate will only typically be visible in the logs a minute later as:
- The PING only generates a few packets
- The PING does not contain a process to remove the session from the session table, so it has to time out
- The PING timeout is usually 60 seconds
- The log will be visible 60 seconds after the last PING packet
- An endless PING is sent; then the PING will be visible in logs two minutes after the start
- There is also a statistic log for sniffer traffic, logid 0000000021, but no statistic logs are generated for local traffic.
- The 2 minutes interval for the log generation is packet driven, meaning that every time there's a packet flow through the session, the log will be generated. If there's no traffic for a longer period of time, the statistic log will NOT be generated.