After a device/PC is disconnected from the network, multiple 'traffic' logs with that device's source IP may still appear in FortiAnalyzer or on the Syslog server some minutes later (more than 30 minutes in some cases). For testing purposes, the FortiGate was configured to send only traffic logs from source IP 10.0.0.11 to the Syslog server:
config log syslogd setting
    set status enable
    set server "10.101.0.103"
end
FGT81E-2 # sho log syslogd filter
config log syslogd filter
    config free-style
        edit 1
            set category traffic
            set filter "srcip 10.0.0.11"
        next
    end
end
If a packet capture is taken on the FortiGate with a filter on the device IP, no more packets sourced from the device are seen a few seconds after the disconnect. What remains is the server (96.45.36.31) retransmitting the same TCP segment toward the device (identical seq/ack numbers at growing intervals) and ARP requests for the device IP sent by the FortiGate from 10.0.0.1 on port2, which go unanswered (PC 10.0.0.11 was disconnected at 10:58:33):
FGT81E-2 # diag sniffer packet any "host 10.0.0.11" 6 0 l
interfaces=[any]
filters=[host 10.0.0.11]
2024-08-22 10:58:31.770350 port2 in 10.0.0.11.53055 -> 239.83.100.109.33355: udp 236
2024-08-22 10:58:34.957341 port2 out 96.45.36.31.443 -> 10.0.0.11.59922: psh 3283444850 ack 4008863970
2024-08-22 10:58:36.877354 port2 out 96.45.36.31.443 -> 10.0.0.11.59922: psh 3283444850 ack 4008863970
2024-08-22 10:58:40.727429 port2 out 96.45.36.31.443 -> 10.0.0.11.59922: psh 3283444850 ack 4008863970
2024-08-22 10:58:47.047205 port2 out arp who-has 10.0.0.11 tell 10.0.0.1
2024-08-22 10:58:48.047219 port2 out arp who-has 10.0.0.11 tell 10.0.0.1
However, some minutes later, traffic logs with source IP 10.0.0.11 are still registered on the Syslog server. A packet capture on the FortiGate with a filter on the FortiAnalyzer/Syslog server IP shows that these logs are being generated by the FortiGate itself:
The log details show the session's received counters (rcvdbyte, rcvdpkt) and duration still increasing, while the sent counters stay unchanged (sentbyte=2427, sentpkt=25, sentdelta=0, sentpktdelta=0): the logged 'source' host is no longer sending anything.
LOCAL7.NOTICE: date=2024-08-22 time=11:12:38 devname="FGT81E-2" devid="FGT81ETK18005001" eventtime=1724339558237565845 tz="-0400" logid="0000000020" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.0.0.11 srcname="PC-PCCM" srcport=59922 srcintf="port2" srcintfrole="lan" dstip=96.45.36.31 dstport=443 dstintf="wan1" dstintfrole="wan" srccountry="Reserved" dstcountry="United States" sessionid=4358461 proto=6 action="accept" policyid=1 policytype="policy" poluuid="a7540d06-419e-51ec-ec0d-b56604457fea" policyname="datacentertointernet" service="HTTPS" trandisp="snat" transip=192.168.180.4 transport=59922 appid=40568 app="HTTPS.BROWSER" appcat="Web.Client" apprisk="medium" applist="default" duration=911 sentbyte=2427 rcvdbyte=6158 sentpkt=25 rcvdpkt=26 sentdelta=0 rcvddelta=130 durationdelta=120 sentpktdelta=0 rcvdpktdelta=1 srchwvendor="Dell" devtype="Home & Office" srcfamily="Computer" osname="Windows" srcswversion="10" mastersrcmac="e4:54:e8:db:8c:35" srcmac="e4:54:e8:db:8c:35" srcserver=0
LOCAL7.NOTICE: date=2024-08-22 time=11:14:38 devname="FGT81E-2" devid="FGT81ETK18005001" eventtime=1724339678557579894 tz="-0400" logid="0000000020" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.0.0.11 srcname="PC-PCCM" srcport=59922 srcintf="port2" srcintfrole="lan" dstip=96.45.36.31 dstport=443 dstintf="wan1" dstintfrole="wan" srccountry="Reserved" dstcountry="United States" sessionid=4358461 proto=6 action="accept" policyid=1 policytype="policy" poluuid="a7540d06-419e-51ec-ec0d-b56604457fea" policyname="datacentertointernet" service="HTTPS" trandisp="snat" transip=192.168.180.4 transport=59922 appid=40568 app="HTTPS.BROWSER" appcat="Web.Client" apprisk="medium" applist="default" duration=1032 sentbyte=2427 rcvdbyte=6288 sentpkt=25 rcvdpkt=27 sentdelta=0 rcvddelta=130 durationdelta=121 sentpktdelta=0 rcvdpktdelta=1 srchwvendor="Dell" devtype="Home & Office" srcfamily="Computer" osname="Windows" srcswversion="10" mastersrcmac="e4:54:e8:db:8c:35" srcmac="e4:54:e8:db:8c:35" srcserver=0
Most of these logs carry log IDs 11, 13, 14 and 20 (the logid 20 entries above are the periodic statistics logs, recognizable by their *delta fields). A traffic analysis with debug flow shows that the logs are actually triggered by incoming packets from host 96.45.36.31, which still match the existing session in the reply direction and are DNATed back to 10.0.0.11:
2024-08-22 11:12:38 id=65308 trace_id=17698 func=print_pkt_detail line=5942 msg="vd-root:0 received a packet(proto=6, 96.45.36.31:443->192.168.180.4:59922) tun_id=0.0.0.0 from wan1. flag [.], seq 783294768, ack 593322742, win 135"
2024-08-22 11:12:38 id=65308 trace_id=17698 func=resolve_ip_tuple_fast line=6030 msg="Find an existing session, id-042813d, reply direction"
2024-08-22 11:12:38 id=65308 trace_id=17698 func=__ip_session_run_tuple line=3487 msg="DNAT 192.168.180.4:59922->10.0.0.11:59922"
2024-08-22 11:14:38 id=65308 trace_id=17730 func=print_pkt_detail line=5942 msg="vd-root:0 received a packet(proto=6, 96.45.36.31:443->192.168.180.4:59922) tun_id=0.0.0.0 from wan1. flag [.], seq 3386437580, ack 2707687964, win 256"
2024-08-22 11:14:38 id=65308 trace_id=17730 func=resolve_ip_tuple_fast line=6030 msg="Find an existing session, id-042813d, reply direction"
2024-08-22 11:14:38 id=65308 trace_id=17730 func=__ip_session_run_tuple line=3487 msg="DNAT 192.168.180.4:59922->10.0.0.11:59922"
Traffic in the original and in the reply direction is accounted against the same session: the hexadecimal id in the debug flow output, id-042813d, is 0x42813d = 4358461, the sessionid of the syslog entries above. Because the PC left the network without closing the TCP connection, the session stays in the FortiGate session table; the server's packets keep matching it in the reply direction, are DNATed to 10.0.0.11, and increase the session's received counters, so the periodic traffic logs keep being generated with srcip=10.0.0.11 even though that host is gone. This continues until the session is removed, either when its TCP session TTL expires (3600 seconds by default in 'config system session-ttl') or when it is cleared manually. The session can be inspected with 'diagnose sys session filter src 10.0.0.11' followed by 'diagnose sys session list', and removed with 'diagnose sys session clear'; make sure a filter is set before clearing, since without one all sessions are cleared.
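As an added example (not part of the original article and not Fortinet tooling), the following Python script shows how the two observations above can be checked on the collected logs instead of on the device: it parses FortiGate key=value traffic logs, flags sessions whose statistics reports show only reply-direction traffic (sentdelta=0 and sentpktdelta=0 while rcvdpktdelta > 0 in every report), and converts the hex session id printed by debug flow to the decimal sessionid used in the logs so both can be correlated. The sample log and debug flow lines are constructed, trimmed copies modelled on the entries above (a second, healthy session and a session-end log were added for contrast); the field names are the ones visible in the logs, while the flagging criterion is this example's own assumption of how to detect the case, not a Fortinet-defined check.

```python
"""Constructed example (not from the original article or from Fortinet):
parse FortiGate key=value traffic logs, find sessions whose interim
statistics reports show reply-direction-only traffic, and correlate the
hex session id printed by 'diagnose debug flow' with the decimal sessionid
used in the logs."""
import re
from collections import defaultdict

# Constructed log lines, trimmed to the fields used here. Session 4358461
# mirrors the article: the 'source' host sends nothing (sentdelta=0,
# sentpktdelta=0) while packets keep arriving from the server. Session
# 4358999 is a healthy session moving in both directions.
SAMPLE_LOGS = [
    'date=2024-08-22 time=11:12:38 logid="0000000020" type="traffic" subtype="forward" '
    'srcip=10.0.0.11 srcname="PC-PCCM" srcport=59922 dstip=96.45.36.31 dstport=443 '
    'sessionid=4358461 proto=6 action="accept" duration=911 sentbyte=2427 rcvdbyte=6158 '
    'sentpkt=25 rcvdpkt=26 sentdelta=0 rcvddelta=130 durationdelta=120 sentpktdelta=0 rcvdpktdelta=1',
    'date=2024-08-22 time=11:14:38 logid="0000000020" type="traffic" subtype="forward" '
    'srcip=10.0.0.11 srcname="PC-PCCM" srcport=59922 dstip=96.45.36.31 dstport=443 '
    'sessionid=4358461 proto=6 action="accept" duration=1032 sentbyte=2427 rcvdbyte=6288 '
    'sentpkt=25 rcvdpkt=27 sentdelta=0 rcvddelta=130 durationdelta=121 sentpktdelta=0 rcvdpktdelta=1',
    'date=2024-08-22 time=11:14:40 logid="0000000020" type="traffic" subtype="forward" '
    'srcip=10.0.0.12 srcport=50001 dstip=203.0.113.10 dstport=443 '
    'sessionid=4358999 proto=6 action="accept" duration=240 sentbyte=9000 rcvdbyte=40000 '
    'sentpkt=80 rcvdpkt=90 sentdelta=1200 rcvddelta=5000 durationdelta=120 sentpktdelta=10 rcvdpktdelta=8',
    # session-end log (logid 13) without delta fields; must be ignored by the stale check
    'date=2024-08-22 time=11:14:41 logid="0000000013" type="traffic" subtype="forward" '
    'srcip=10.0.0.13 srcport=50002 dstip=203.0.113.11 dstport=443 sessionid=4359000 '
    'proto=6 action="close" duration=12 sentbyte=500 rcvdbyte=700 sentpkt=6 rcvdpkt=6',
]

# Constructed debug flow lines, modelled on the article's output.
SAMPLE_FLOW = [
    '2024-08-22 11:12:38 id=65308 trace_id=17698 func=resolve_ip_tuple_fast line=6030 '
    'msg="Find an existing session, id-042813d, reply direction"',
    '2024-08-22 11:12:38 id=65308 trace_id=17698 func=__ip_session_run_tuple line=3487 '
    'msg="DNAT 192.168.180.4:59922->10.0.0.11:59922"',
]

# key=value pairs; values are either "quoted" (may contain spaces) or bare tokens.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
FLOW_SESSION_RE = re.compile(r'Find an existing session, id-([0-9a-fA-F]+), (\w+) direction')


def parse_fortigate_log(line):
    """Return a dict of field -> string for one FortiGate key=value log line."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def reply_only_sessions(lines, min_reports=2):
    """Group interim traffic statistics logs (the ones carrying *delta fields)
    by sessionid and return those where, in every report, the source host sent
    nothing (sentdelta and sentpktdelta are 0) while reply packets still arrived
    (rcvdpktdelta > 0): a session kept alive only by the far end."""
    by_session = defaultdict(list)
    for line in lines:
        rec = parse_fortigate_log(line)
        if rec.get("type") != "traffic" or "sentdelta" not in rec:
            continue  # not an interim statistics log
        by_session[rec["sessionid"]].append(rec)

    flagged = {}
    for sid, recs in by_session.items():
        if len(recs) < min_reports:
            continue
        if all(int(r["sentdelta"]) == 0 and int(r["sentpktdelta"]) == 0
               and int(r["rcvdpktdelta"]) > 0 for r in recs):
            last = recs[-1]
            flagged[sid] = {
                "srcip": last["srcip"], "dstip": last["dstip"], "dstport": last["dstport"],
                "reports": len(recs), "last_seen": f'{last["date"]} {last["time"]}',
            }
    return flagged


def debug_flow_session_ids(flow_lines):
    """Map the hex session id from 'diagnose debug flow' output to the decimal
    sessionid used in traffic logs, with the matched direction
    (id-042813d -> '4358461': 'reply')."""
    found = {}
    for line in flow_lines:
        m = FLOW_SESSION_RE.search(line)
        if m:
            found[str(int(m.group(1), 16))] = m.group(2)
    return found


def correlate(log_lines, flow_lines):
    """Attach the debug flow direction to each flagged session, showing that the
    log entries with srcip=<host> come from reply-direction packets."""
    flow = debug_flow_session_ids(flow_lines)
    result = reply_only_sessions(log_lines)
    for sid, info in result.items():
        info["flow_direction"] = flow.get(sid, "not seen in debug flow")
    return result


if __name__ == "__main__":
    for sid, info in correlate(SAMPLE_LOGS, SAMPLE_FLOW).items():
        print(f'session {sid}: srcip={info["srcip"]} -> {info["dstip"]}:{info["dstport"]}, '
              f'{info["reports"]} reply-only reports, last {info["last_seen"]}, '
              f'debug flow: {info["flow_direction"]} direction')
```

Run against a real syslog export, the script lists sessions that keep producing logs for a host that sends nothing, which is exactly the pattern to expect for a device that left the network without closing its connections; a session that is flagged but whose host is known to be online is worth a closer look instead.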
Related documents:
Technical Tip: FortiGate sends additional traffic log entries to FortiAnalyzer
13 - LOG_ID_TRAFFIC_END_FORWARD
11 - LOG_ID_TRAFFIC_FAIL_CONN
14 - LOG_ID_TRAFFIC_END_LOCAL