Help
Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
user2345312
New Contributor

Created on ‎12-15-2021 07:58 AM

I don't understand the actions for the type log: LOG_ID_TRAFFIC_END_FORWARD

According to documentation provide for Fortigate exist multiple actions as:

 

The status of the session: deny - Session was denied
accept - Allowed Forward session

start - Session starts (log message was created when the session was created)

dns - DNS query return error

ip-conn - Failed connection attempts
close - Local-traffic session allowed

timeout - Allowed session was timeout

client-rst - Session reset by client
server-rst - Session reset by server

 

I receive a lot of connections with the action "close" and I have a number of doubts:

 

If an incoming traffic has had the action "close", is it a successful connection or has nothing to do with it?

 

That same incoming connection must have a "Firewall Permit" event before or it is not necessary?

 

 

Labels:
3269
0 Kudos
2 REPLIES 2
Jackstorm
New Contributor II

Created on ‎12-20-2021 06:07 AM Edited on ‎12-20-2021 06:08 AM

Action "Accept: session close" in traffic log means the firewall received the client fin ack and server ack.


Lucas
3218
0 Kudos
btan
Staff
Staff

Created on ‎12-23-2021 05:35 PM

You may refer to below KB to know more about "session close":
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Log-action-messages-Accept-session-close-a...


It is usually just informative and you may ignore if there is no noticeable network impact.

Regards,
Bon
3203
0 Kudos
Labels
Top Kudoed Authors
View all

Contact Us