Help
Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
user2345312
New Contributor

Created on β€Ž12-15-2021 07:58 AM

I don't understand the actions for the type log: LOG_ID_TRAFFIC_END_FORWARD

According to documentation provide for Fortigate exist multiple actions as:

 

The status of the session: deny - Session was denied
accept - Allowed Forward session

start - Session starts (log message was created when the session was created)

dns - DNS query return error

ip-conn - Failed connection attempts
close - Local-traffic session allowed

timeout - Allowed session was timeout

client-rst - Session reset by client
server-rst - Session reset by server

 

I receive a lot of connections with the action "close" and I have a number of doubts:

 

If an incoming traffic has had the action "close", is it a successful connection or has nothing to do with it?

 

That same incoming connection must have a "Firewall Permit" event before or it is not necessary?

 

 

Labels:
173
0 Kudos
2 REPLIES 2
Jackstorm
New Contributor II

Created on β€Ž12-20-2021 06:07 AM Edited on β€Ž12-20-2021 06:08 AM

Action "Accept: session close" in traffic log means the firewall received the client fin ack and server ack.


Lucas
144
0 Kudos
btan
Staff
Staff

Created on β€Ž12-23-2021 05:35 PM

You may refer to below KB to know more about "session close":
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Log-action-messages-Accept-session-close-a...


It is usually just informative and you may ignore if there is no noticeable network impact.

Regards,
Bon
129
0 Kudos

Contact Us