Hi guys,
I have encountered a very strange problem. The management commissioned me to produce an employee report. We have FGT100D (5.6.6) in transparent mode and FAZ200D (6.0.3). This employee uses Bitcoin's wallet on his PC. The problem is that the report shows me that in about 1 week he transferred about 1,3TB of data and his network card on the PC shows about 90GB. The same result (about 90GB) shows our backbone router.
Standart Policy cfg: App control (monitor all), Web filter (some cat forbidden) and cert. inspect. Thats all.
Fortigate is lying? If so, this is a very unpleasant finding - especially because reports are regularly used to check employees ...
Thanks Jirka
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
he duration in the graph in the pic looks to be for about 10 days (end looks count off though) while the duration listed in the Ethernet status indicates 8+ days connected. Aside from that, I wouldn't trust the byte count on the Ethernet status activity. Perform a netstat -s or netstat -e on the CMD line.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Hi Dave, thank you for your reaction. I checked the transferred data using cmd:
Yes, the differences from the network card are there, but even lower. I also checked the total internet traffic on the our core box, and the whole network produced around 890GB of data for the whole week. While Fortigate shows only 1.3TB data for this single user....
Is your policy logging all sessions or UTM sessions only?
FYI: I created a TAC request and the answer is: The issue you are experiencing appears to be matching a recently reported bug 0523445. This problem seems to occur when traffic logs forwarded to FortiAnalyzer contain long-lived UDP and TCP sessions. To confirm if you are your issue is matching this bug ID, could you please drill down to the 5-minute report of for the affected source IP so that you can see all individual sessions.Then please compare some of the sessions that transmitted most data and compare their session-id. If you can see the same session-ID multiple times, you than you are experiencing the same issue as reported in the bug.
Jirka
This is exactly what I found with a report of mine; long-lived TCP sessions in my case, resulted in ever-incrementing, multiple log entries, causing ridiculous data results. See my thread here:
[link]https://forum.fortinet.com/tm.aspx?m=168332[/link]
Hi Jirka,
Have you received any further news? I am still waiting for confirmation from Fortinet Support that my bug report is officially the same as yours.
In the meantime, I see that v5.6.7 has been released, however Bug ID 0523445 was not listed among the items fixed.
Steve
Hey Frosty, yes, here is the TAC answer:
Hello Jirka,
I would like to inform you that FAZ 6.0.4, which should be released in the middle of December 2018, will contain a fix for this problem to prevent the duplication of the event logs. Additionally, the development team is planning to enhance the logging accuracy in FortiOS 5.6.8 by adding delta traffic counters into syslog messages. Since FortiOS 5.6.7 was released two days ago, you can expect the release of FortiOS 5.6.8 in around March 2019.
Jirka
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1710 | |
1093 | |
752 | |
447 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.