Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
amoureux
New Contributor II

Created on ‎01-02-2025 07:24 AM

Interpreting bytes telemetry in Log99 of fortiproxy

Hi guys,

I need some assistance in clarifying some of the information I'm seeing in log 99 from my fortiproxy, particularly the rcvdbytes and sentbytes.

Question 1: Does the received bytes refer to the amount of bytes received by the fortiproxy from user or vice versa?

Question 2: Does the sent bytes refer to the amount of bytes sent by user to the dest or vice versa?

Question 3: Does the HTTP method or any other telemetry within the rawlogs that may affect the order of how we see the bytes?

This is crucial because it allows me to understand if there are potential malicious exfiltration happening in my environment.

Thanks!

Labels:
463
0 Kudos
3 Solutions
dingjerry_FTNT
Staff
Staff
In response to amoureux

Created on ‎01-02-2025 08:30 AM

Thank you, @amoureux .

 

1) rcvdbyte is the bytes received for the initiator.

2) sentbyte is the bytes sent by the initiator.

3) I don't think so.

Regards,

Jerry

View solution in original post

442
dingjerry_FTNT
Staff
Staff
In response to amoureux

Created on ‎01-02-2025 08:31 AM

Keep it in mind: 

 

The log is for the initiator/responder, not for FortiProxy itself.

Regards,

Jerry

View solution in original post

441
dingjerry_FTNT
Staff
Staff
In response to amoureux

Created on ‎01-02-2025 08:35 AM

Unfortunately, there is no such a doc for it. You may open a technical ticket to ask for a tech doc for it.

Regards,

Jerry

View solution in original post

434
8 REPLIES 8
dingjerry_FTNT
Staff
Staff

Created on ‎01-02-2025 08:15 AM

Hi @amoureux ,

 

Can you explain, or attach a screenshot of what log 99 is?

Regards,

Jerry
450
0 Kudos
amoureux
New Contributor II
In response to dingjerry_FTNT

Created on ‎01-02-2025 08:25 AM

Hi, 

Thanks for the reply.

I'm referring to this - 99 - LOG_ID_TRAFFIC_HTTP_TRANSACTION | FortiProxy 7.6.0 | Fortinet Document Library

446
0 Kudos
dingjerry_FTNT
Staff
Staff
In response to amoureux

Created on ‎01-02-2025 08:30 AM

Thank you, @amoureux .

 

1) rcvdbyte is the bytes received for the initiator.

2) sentbyte is the bytes sent by the initiator.

3) I don't think so.

Regards,

Jerry
443
dingjerry_FTNT
Staff
Staff
In response to amoureux

Created on ‎01-02-2025 08:31 AM

Keep it in mind: 

 

The log is for the initiator/responder, not for FortiProxy itself.

Regards,

Jerry
442
amoureux
New Contributor II
In response to dingjerry_FTNT

Created on ‎01-02-2025 08:33 AM

thanks a lot for the information. by any chance, is there a link/documentation to better clarify this? based on the ID99 documentation, i believe it only says received bytes without the relativity. i think the relativity from whether it is for fortiproxy itself or the initiator/responder is quite important esp for security monitoring purposes.  

436
0 Kudos
dingjerry_FTNT
Staff
Staff
In response to amoureux

Created on ‎01-02-2025 08:35 AM

Unfortunately, there is no such a doc for it. You may open a technical ticket to ask for a tech doc for it.

Regards,

Jerry
435
amoureux
New Contributor II
In response to dingjerry_FTNT

Created on ‎03-19-2025 08:03 PM

Can I ask how do I raise a technical ticket for this? Thanks in advance. 

40
0 Kudos
dingjerry_FTNT
Staff
Staff
In response to amoureux

Created on ‎03-19-2025 09:10 PM Edited on ‎03-19-2025 09:10 PM

Hi @amoureux ,

 

1) You need to register an account on https://support.fortinet.com/

2) You need to register this device in this account;

3) You need to apply a valid support contract to the device.

 

Then please follow the instructions in this doc to create a ticket:

 

https://community.fortinet.com/tpykb84852/attachments/tpykb84852/TKB36/26/90/3.01%20Ticket%20Creatio...

Regards,

Jerry
31
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.