According to documentation provide for Fortigate exist multiple actions as:
The status of the session: deny - Session was deniedaccept - Allowed Forward session
start - Session starts (log message was created when the session was created)
dns - DNS query return error
ip-conn - Failed connection attemptsclose - Local-traffic session allowed
timeout - Allowed session was timeout
client-rst - Session reset by clientserver-rst - Session reset by server
I receive a lot of connections with the action "close" and I have a number of doubts:
If an incoming traffic has had the action "close", is it a successful connection or has nothing to do with it?
That same incoming connection must have a "Firewall Permit" event before or it is not necessary?
Action "Accept: session close" in traffic log means the firewall received the client fin ack and server ack.
You may refer to below KB to know more about "session close":https://community.fortinet.com/t5/FortiGate/Technical-Tip-Log-action-messages-Accept-session-close-a...
It is usually just informative and you may ignore if there is no noticeable network impact.