Support Forum
danielha
New Contributor

FortiOS 5.2 logging : action=dns or action=ip-conn

Hi all,

The LogReference PDF file does not give complete information regarding the action in the logs. Can someone give me more information about the action?

action=deny: no problem. We hit a deny rule in the firewall policy.
action=start: the log is created at the very beginning of the TCP session. This is for debugging.
action=timeout: the session duration hits the firewall timeout. The firewall closes the session.
action=close: the log is created at the end of the session (when a TCP FIN packet is seen?).
action=ip-conn: what is the difference from action=close?
action=dns: I can't figure out the meaning...

Thanks for your help,
Daniel
10 REPLIES
jorge9090
New Contributor

Prior to FortiOS 5.2, there was an implicit action to allow DNS queries before every policy; action=dns simply shows that a host or device made a DNS query to some URL or domain. Now in 5.2 Fortinet changed that, so the recommendation is to make a DNS policy before a permit/deny traffic policy. I guess they kept that log reference.
danielha
New Contributor

Hello Jorge,

Thanks for your answer. Any idea about the ip-conn action?

Best regards,
Daniel
jorge9090
New Contributor

Honestly I wouldn't know what ip-conn means. And you are right, besides the PDF log reference, there is not much info about it.
danielha
New Contributor

Jorge,

I opened a ticket at Fortinet Support. I was given an answer similar to yours for the DNS part. I'm still waiting for the ip-conn... I'll let you know as soon as I get an answer.

Regards,
Daniel
jorge9090
New Contributor

Thank you Daniel, I am sure Fortinet will give us the answer.
Jeff_FTNT
Staff

If a PC behind the FGT sends packets through a matching policy and the FGT does not get the expected return packet, the FGT treats this "action" as "Failed Connection Attempts". It has a traffic log with "action=ip-conn":

date=2014-09-05 time=11:04:32 logid=0000000011 type=traffic subtype=forward level=warning vd=vdom1 srcip=192.168.1.18 srcport=1112 srcintf="switch" dstip=192.168.30.2 dstport=53 dstintf="port9" sessionid=1572 action=ip-conn policyid=2 crscore=1375731722 craction=262144

The FGT will collect logs and, if it finds that one PC has too many of this kind of log, that PC may be infected. This kind of log is for the "Threat Weight" feature in FOS 5.2.
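The per-host counting Jeff describes (many action=ip-conn records from one PC) can be reproduced outside the FortiGate, for example when triaging exported logs. The following is an added example written for this thread; it is not FortiOS or FortiAnalyzer code. It parses the key=value traffic-log format of the line quoted above, counts ip-conn records per srcip, and flags hosts at or above a threshold. The threshold of 3, the sample log lines, and the proto=17 field used to label UDP/53 as DNS are constructed assumptions, not values taken from the thread.

```python
"""Count FortiOS action=ip-conn records per source host.

Added example for this thread; not FortiOS or FortiAnalyzer code.
It parses the key=value traffic-log format shown in the thread and
applies the per-host logic described there (many failed connection
attempts from one PC). The threshold, the sample lines and the
proto field used for the DNS label are constructed assumptions.
"""
import re
from collections import Counter

# One key=value pair; the value is either "quoted" (srcintf="switch") or bare.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample lines (a subset of the fields seen in the thread's log).
SAMPLE_LOGS = [
    'date=2014-09-05 time=11:04:32 type=traffic subtype=forward level=warning vd=vdom1 srcip=192.168.1.18 srcport=1112 srcintf="switch" dstip=192.168.30.2 dstport=53 dstintf="port9" proto=17 sessionid=1572 action=ip-conn policyid=2',
    'date=2014-09-05 time=11:04:33 type=traffic subtype=forward level=warning vd=vdom1 srcip=192.168.1.18 srcport=1113 srcintf="switch" dstip=192.168.30.2 dstport=53 dstintf="port9" proto=17 sessionid=1573 action=ip-conn policyid=2',
    'date=2014-09-05 time=11:04:35 type=traffic subtype=forward level=warning vd=vdom1 srcip=192.168.1.18 srcport=1114 srcintf="switch" dstip=192.168.30.2 dstport=53 dstintf="port9" proto=17 sessionid=1574 action=ip-conn policyid=2',
    'date=2014-09-05 time=11:05:01 type=traffic subtype=forward level=warning vd=vdom1 srcip=192.168.1.20 srcport=2001 srcintf="switch" dstip=192.168.30.2 dstport=53 dstintf="port9" proto=17 sessionid=1580 action=ip-conn policyid=2',
    'date=2014-09-05 time=11:05:02 type=traffic subtype=forward level=notice vd=vdom1 srcip=192.168.1.20 srcport=2002 srcintf="switch" dstip=203.0.113.10 dstport=443 dstintf="port9" proto=6 sessionid=1581 action=close policyid=2',
    'date=2014-09-05 time=11:05:03 type=traffic subtype=forward level=warning vd=vdom1 srcip=192.168.1.18 srcport=1115 srcintf="switch" dstip=203.0.113.10 dstport=445 dstintf="port9" proto=6 sessionid=1582 action=deny policyid=3',
]


def parse_fortios_log(line):
    """Split one FortiOS log line into a dict of its key=value fields."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV_RE.finditer(line)}


def infer_service(rec):
    """Derive a service label from proto/dstport, so ip-conn records (which
    carry no service name) can be grouped with DNS in a report.
    Assumed mapping: UDP/53 -> DNS, TCP/443 -> HTTPS, anything else -> other."""
    if rec.get("proto") == "17" and rec.get("dstport") == "53":
        return "DNS"
    if rec.get("proto") == "6" and rec.get("dstport") == "443":
        return "HTTPS"
    return "other"


def ip_conn_counts(lines):
    """Count action=ip-conn traffic records per source IP."""
    counts = Counter()
    for line in lines:
        rec = parse_fortios_log(line)
        if rec.get("type") == "traffic" and rec.get("action") == "ip-conn":
            counts[rec.get("srcip", "?")] += 1
    return counts


def flag_hosts(lines, threshold=3):
    """Return source IPs whose ip-conn count reaches the (assumed) threshold."""
    return sorted(ip for ip, n in ip_conn_counts(lines).items() if n >= threshold)


if __name__ == "__main__":
    for ip, n in ip_conn_counts(SAMPLE_LOGS).most_common():
        print(f"{ip}: {n} failed connection attempts")
    print("flagged:", flag_hosts(SAMPLE_LOGS))
```

On the constructed sample, 192.168.1.18 produces three ip-conn records and is flagged, while 192.168.1.20 with one is not; a real deployment would tune the threshold and window to its own baseline rather than use the value assumed here. The infer_service helper is the kind of IF/CASE mapping a report needs because an ip-conn record lists the port but no service name.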
AtiT
Valued Contributor

Hello Jeff

I know it is an old thread, but perhaps you can clarify to me what you mean by the Failed Connection Attempts: the service is allowed in the policy (destination ALL, service ALL).

Why once the DNS request is not OK and the others are fine? I do not understand.

See the logs below:

I cannot see any difference that explains why it should be logged as ip-conn. It causes problems when generating reports, as the service is not listed as DNS and we need to add IF or CASE statements to catch this "anomaly".

AtiT
Jeff_FTNT

Hi AtiT,

Maybe some DNS response packet is lost?

awasfi_FTNT

Hello,

I don't think there is a way to disable it separately; however, if you are running reports on FortiAnalyzer you can add a filter:

(Action Not Equal ip-conn)

under "Reports >> Advanced Settings >> Add Filter"

Regards,

AWASFI