According to documentation provide for Fortigate exist multiple actions as:
The status of the session: deny - Session was deniedaccept - Allowed Forward session
start - Session starts (log message was created when the session was created)
dns - DNS query return error
ip-conn - Failed connection attemptsclose - Local-traffic session allowed
timeout - Allowed session was timeout
client-rst - Session reset by clientserver-rst - Session reset by server
I receive a lot of connections with the action "close" and I have a number of doubts:
If an incoming traffic has had the action "close", is it a successful connection or has nothing to do with it?
That same incoming connection must have a "Firewall Permit" event before or it is not necessary?
Action "Accept: session close" in traffic log means the firewall received the client fin ack and server ack.
You may refer to below KB to know more about "session close":https://community.fortinet.com/t5/FortiGate/Technical-Tip-Log-action-messages-Accept-session-close-a...
It is usually just informative and you may ignore if there is no noticeable network impact.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2023 Fortinet, Inc. All Rights Reserved.