Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
amoureux
New Contributor

Created on ‎01-02-2025 07:24 AM

Interpreting bytes telemetry in Log99 of fortiproxy

Hi guys,

I need some assistance in clarifying some of the information I'm seeing in log 99 from my fortiproxy, particularly the rcvdbytes and sentbytes.

Question 1: Does the received bytes refer to the amount of bytes received by the fortiproxy from user or vice versa?

Question 2: Does the sent bytes refer to the amount of bytes sent by user to the dest or vice versa?

Question 3: Does the HTTP method or any other telemetry within the rawlogs that may affect the order of how we see the bytes?

This is crucial because it allows me to understand if there are potential malicious exfiltration happening in my environment.

Thanks!

Labels:
163
0 Kudos
2 Solutions
dingjerry_FTNT
Staff
Staff
In response to amoureux

Created on ‎01-02-2025 08:31 AM

Keep it in mind: 

 

The log is for the initiator/responder, not for FortiProxy itself.

Regards,

Jerry

View solution in original post

141
dingjerry_FTNT
Staff
Staff
In response to amoureux

Created on ‎01-02-2025 08:35 AM

Unfortunately, there is no such a doc for it. You may open a technical ticket to ask for a tech doc for it.

Regards,

Jerry

View solution in original post

134
6 REPLIES 6
dingjerry_FTNT
Staff
Staff

Created on ‎01-02-2025 08:15 AM

Hi @amoureux ,

 

Can you explain, or attach a screenshot of what log 99 is?

Regards,

Jerry
150
0 Kudos
amoureux
New Contributor
In response to dingjerry_FTNT

Created on ‎01-02-2025 08:25 AM

Hi, 

Thanks for the reply.

I'm referring to this - 99 - LOG_ID_TRAFFIC_HTTP_TRANSACTION | FortiProxy 7.6.0 | Fortinet Document Library

146
0 Kudos
dingjerry_FTNT
Staff
Staff
In response to amoureux

Created on ‎01-02-2025 08:30 AM

Thank you, @amoureux .

 

1) rcvdbyte is the bytes received for the initiator.

2) sentbyte is the bytes sent by the initiator.

3) I don't think so.

Regards,

Jerry
142
0 Kudos
dingjerry_FTNT
Staff
Staff
In response to amoureux

Created on ‎01-02-2025 08:31 AM

Keep it in mind: 

 

The log is for the initiator/responder, not for FortiProxy itself.

Regards,

Jerry
142
amoureux
New Contributor
In response to dingjerry_FTNT

Created on ‎01-02-2025 08:33 AM

thanks a lot for the information. by any chance, is there a link/documentation to better clarify this? based on the ID99 documentation, i believe it only says received bytes without the relativity. i think the relativity from whether it is for fortiproxy itself or the initiator/responder is quite important esp for security monitoring purposes.  

136
0 Kudos
dingjerry_FTNT
Staff
Staff
In response to amoureux

Created on ‎01-02-2025 08:35 AM

Unfortunately, there is no such a doc for it. You may open a technical ticket to ask for a tech doc for it.

Regards,

Jerry
135
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.