Help
FortiWeb
A FortiWeb can be configured to join a Security Fabric through the root or downstream FortiGate.
opetr_FTNT
Staff
Staff

Created on ‎08-13-2024 03:47 AM Edited on ‎05-28-2025 01:38 AM By Moderator

Article Id 331823

Technical Tip: Response Code 0 found in Traffic Log

Description

This article explains the mechanism of the FortiWeb traffic log, including the meaning of response code 0.
Scope FortiWeb.
Solution

Diagram:

Client ---- FortiWeb (WAF) ---- Real Server (RS).

 

The mechanism of the FortiWeb traffic log is as below:

  1. Client sent HTTP request to WAF, RS response data to WAF. WAF response data to the client, there is a tlog with the correct HTTP code. This is a standard situation.

 

  • Client:

 

% curl -sk -D - -o /dev/null 'vip1.internal.lab' | head -2
HTTP/1.1 200 OK
Server: nginx/1.6.2

 

  • Capture:

 

diag network sniffer port1 'port 80 and host 172.26.167.21' 4 0 a

filters=[port 80 and host 172.26.167.21]

interface=[port1]
2024-08-13 10:26:50.194644 172.26.167.21.56454 -> 10.109.30.9.80: syn 488743468

2024-08-13 10:26:50.194746 10.109.30.9.80 -> 172.26.167.21.56454: syn 2856766223 ack 488743469

2024-08-13 10:26:50.259251 172.26.167.21.56454 -> 10.109.30.9.80: ack 2856766224

2024-08-13 10:26:50.259253 172.26.167.21.56454 -> 10.109.30.9.80: psh 488743469 ack 2856766224

2024-08-13 10:26:50.259364 10.109.30.9.80 -> 172.26.167.21.56454: ack 488743549

2024-08-13 10:26:50.268430 10.109.30.9.80 -> 172.26.167.21.56454: psh 2856766224 ack 488743549

2024-08-13 10:26:50.332865 172.26.167.21.56454 -> 10.109.30.9.80: ack 2856766715

2024-08-13 10:26:50.333912 172.26.167.21.56454 -> 10.109.30.9.80: fin 488743549 ack 2856766715

2024-08-13 10:26:50.334723 10.109.30.9.80 -> 172.26.167.21.56454: fin 2856766715 ack 488743550

2024-08-13 10:26:50.399756 172.26.167.21.56454 -> 10.109.30.9.80: ack 2856766716

 

  • Tlog:

 

standard_situation.png

 

v015xxxxdate=2024-08-13 time=12:26:50 log_id=30000001 msg_id=000009810172 device_id=FVVM08TM22000169 eventtime=1723544810267911205 vd="root" timezone="(GMT+1:00)Belgrade,Bratislava,Budapest,Ljubljana,Prague" timezone_dayst="GMTb-2" type=traffic subtype="http" pri=notice proto=tcp service=http status=success reason=none policy="lab_spolicy" original_src=172.26.167.21 src=172.26.167.21 src_port=56454 dst=10.198.3.30 dst_port=80 http_request_time=5 http_response_time=1 http_request_bytes=80 http_response_bytes=347 http_method=get http_url="/" http_agent="curl/8.6.0" http_retcode=200 msg="HTTP get request from 172.26.167.21:56454 to 10.198.3.30:80" original_srccountry="Reserved" srccountry="Reserved" content_switch_name="none" server_pool_name="vl198_spool" http_host="vip1.internal.lab" user_name="Unknown" http_refer="none" http_version="1.x" dev_id=68D4D0E0374C6C418288956723B875B42E17 cipher_suite="none" x509_cert_subject="none"

 

  1. Client sent HTTP request to WAF, RS does not respond data to WAF. 
  • Connection is ended with WAF from the client side, WAF sends FIN to RS, and there is a tlog with HTTP code 0.
  • Client:

 

% curl -m 10 vip1.internal.lab

curl: (28) Operation timed out after 10006 milliseconds with 0 bytes received

 

  • Capture:

 

diag network sniffer port1 'port 80 and host 172.26.167.21' 4 0 a

filters=[port 80 and host 172.26.167.21]

interface=[port1]
2024-08-13 10:14:21.764667 172.26.167.21.56149 -> 10.109.30.9.80: syn 1029527710

2024-08-13 10:14:21.764758 10.109.30.9.80 -> 172.26.167.21.56149: syn 682109709 ack 1029527711

2024-08-13 10:14:21.826888 172.26.167.21.56149 -> 10.109.30.9.80: ack 682109710

2024-08-13 10:14:21.826890 172.26.167.21.56149 -> 10.109.30.9.80: psh 1029527711 ack 682109710

2024-08-13 10:14:21.826992 10.109.30.9.80 -> 172.26.167.21.56149: ack 1029527791

2024-08-13 10:14:31.762911 172.26.167.21.56149 -> 10.109.30.9.80: fin 1029527791 ack 682109710

2024-08-13 10:14:31.763832 10.109.30.9.80 -> 172.26.167.21.56149: fin 682109710 ack 1029527792

2024-08-13 10:14:31.824507 172.26.167.21.56149 -> 10.109.30.9.80: ack 682109711

 

  • Tlog:

 

client_fin.png

 

v015xxxxdate=2024-08-13 time=12:14:31 log_id=30000001msg_id=000009810083 device_id=FVVM08TM22000169 eventtime=1723544071763907702 vd="root" timezone="(GMT+1:00)Belgrade,Bratislava,Budapest,Ljubljana,Prague" timezone_dayst="GMTb-2" type=traffic subtype="http" pri=notice proto=tcp service=http status=success reason=none policy="lab_spolicy" original_src=172.26.167.21 src=172.26.167.21 src_port=56149 dst=10.198.3.30 dst_port=8099 http_request_time=1 http_response_time=0 http_request_bytes=80 http_response_bytes=0 http_method=get http_url="/" http_agent="curl/8.6.0" http_retcode=0 msg="HTTP get request from 172.26.167.21:56149 to 10.198.3.30:8099" original_srccountry="Reserved" srccountry="Reserved" content_switch_name="none" server_pool_name="vl198_dummy" http_host="vip1.internal.lab" user_name="Unknown" http_refer="none" http_version="1.x" dev_id=68D4D0E0374C6C418288956723B875B42E17 cipher_suite="none" x509_cert_subject="none"

 

  • Connection is ended with WAF from the server side, WAF sends FIN to RS, and there is a tlog with HTTP code 0.
  • Client:

 

% curl vip1.internal.lab/reset

curl: (52) Empty reply from server

 

  • Capture:

 

diag network sniffer port3 'port 80' 4 0 a
filters=[port 80]

interface=[port3]
2024-08-12 12:44:24.595011 10.198.3.13.11498 -> 10.198.3.30.80: syn 2544364718
2024-08-12 12:44:24.595438 10.198.3.30.80 -> 10.198.3.13.11498: syn 3382863383 ack 2544364719
2024-08-12 12:44:24.595475 10.198.3.13.11498 -> 10.198.3.30.80: ack 3382863384
2024-08-12 12:44:24.595539 10.198.3.13.11498 -> 10.198.3.30.80: psh 2544364719 ack 3382863384
2024-08-12 12:44:24.595751 10.198.3.30.80 -> 10.198.3.13.11498: ack 2544364966
2024-08-12 12:44:24.595964 10.198.3.30.80 -> 10.198.3.13.11498: fin 3382863384 ack 2544364966
2024-08-12 12:44:24.596152 10.198.3.13.11498 -> 10.198.3.30.80: ack 3382863385
2024-08-12 12:44:24.597151 10.198.3.13.11498 -> 10.198.3.30.80: fin 2544364966 ack 3382863385
2024-08-12 12:44:24.597390 10.198.3.30.80 -> 10.198.3.13.11498: ack 2544364967

 

  • Tlog:


server_fin.png

 

v015xxxxdate=2024-08-12 time=14:44:24 log_id=30000001 msg_id=000009801326 device_id=FVVM08TM22000169 eventtime=1723466664596821115 vd="root" timezone="(GMT+1:00)Belgrade,Bratislava,Budapest,Ljubljana,Prague" timezone_dayst="GMTb-2" type=traffic subtype="http" pri=notice proto=tcp service=http status=success reason=none policy="lab_spolicy" original_src=172.26.48.4 src=172.26.48.4 src_port=58724 dst=10.198.3.30 dst_port=80 http_request_time=1 http_response_time=0 http_request_bytes=85 http_response_bytes=0 http_method=get http_url="/reset" http_agent="curl/8.6.0" http_retcode=0 msg="HTTP get request from 172.26.48.4:58724 to 10.198.3.30:80" original_srccountry="Reserved" srccountry="Reserved" content_switch_name="none" server_pool_name="vl198_spool" http_host="vip1.internal.lab" user_name="Unknown" http_refer="none" http_version="1.x" dev_id=B46180B85F6C0371E745576918307A3C9C56 cipher_suite="none" x509_cert_subject="none"
993
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.