Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
HS08
New Contributor

Created on ‎05-03-2023 10:25 PM

Application Not Working

Hello,

I troubleshoot for an application which this application cannot running, when i see on fortigate log i can see many record with result 'Accept(Start)' but not traffic counted.

Anyone know why this record not showing traffic counted?

 

Capture.JPG

Labels:
721
0 Kudos
3 REPLIES 3
rosatechnocrat
Contributor II

Created on ‎05-03-2023 10:59 PM Edited on ‎05-03-2023 11:01 PM

@HS08 Accept(Start) is recorded when initial syn or first packet is received.  But if there is no response back from the server or destination the action may not be changed. 

 

>> Try to add column received bytes in logs and see if there is response traffic from destination.
>> Issue could be because of routing or destination server not replying. 

>> Can also be confirmed by taking capture. 

diag sniffer packet any 'host 149.34.253.165 and host 10.100.50.141' 4 0 

 

For your reference only: 

 

- action start is for the start of session (icmp or udp or TCP)
- action accept is for the end of an icmp or udp (unicast) session
- action close is for the end of tcp session closed with a fin/fin-ack (and I suppose it is a same with a rst)
- action timeout is for the end of a tcp session which is closed because it was idle

Rosa Technocrat -- Also on YouTube---Please do Subscribe
Rosa Technocrat -- Also on YouTube---Please do Subscribe
710
0 Kudos
srajeswaran
Staff
Staff

Created on ‎05-03-2023 11:00 PM

I think you have enabled "Generate Logs when Session Starts" under the firewall policy. With this setting there will be a log as soon as the session is initiated and there won't be any traffic data. The traffic data sent/receive will be coming in upcoming logs (session close if the session is closed with in 2 minutes or the delata logs if the session is longer than 2 minutes).

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-enable-the-session-to-start-logging...

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

709
0 Kudos
vsahu
Staff
Staff

Created on ‎05-04-2023 12:39 AM

Hello HS08,

 

The session start is just the info regarding the session has started, if you open the same log you'll see a session Id, Filter the logs using that and you'll be able to see the same session two logs one as session start and one with the data count.

The status field has the following value:
▶ start: the traffic session started
▶ accept: the normal traffic is pass-through
▶ deny: the normal traffic is denied by firewall policy, (not utm proflie)
▶ close/timeout: the traffic session finished
However, there are some different meanings between close and timeout.
the close occurs when traffic sessions are finished normally.
Otherwise, the HTTPS/SSH requests went to the destination but did not receive - reply, thus timeout occurred.

When log traffic-start is disabled you will only see status=close/timeout for the TCP session (it will not show the start of the session)
The start logs will only generate when logtraffic-start is enabled and it's a per policy configuration.

configure firewall policy
edit <policy_id>
set logtraffic-start enable
next

Regards,
Vishal
693
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.