Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
MetaleX
New Contributor

Created on ‎02-06-2007 06:08 AM

The " duration" value in log files

Hello, there is something I don' t understand with my log files. It is the " duration" value. As an example let' s consider this line: WTsyslog[2007-02-06 12:46:17 ip=Z.Z.Z.Z pri=5] id=firewall time=" 2007-02-06 12:46:18" fw=FGT400SomeSerial pri=5 SN=AnotherSerial duration=163 rule=83 policyid=83 proto=443/tcp service=443/tcp status=accept src=Y.Y.Y.Y srcname=Y.Y.Y.Y dst=X.X.X.X dstname=X.X.X.X src_int=port2 dst_int=port1 sent=1180 rcvd=1052 sent_pkt=21 rcvd_pkt=20 src_port=53092 dst_port=443 vpn=n/a tran_ip=W.W.W.W tran_port=443 dir_disp=org tran_disp=noop It has been extracted from a log file of a WebTrends syslog, and comes form a FG400 in WELF format. This connection was done on purpose over 5 seconds long, but the " duration" value is 163. As it is supposed to be the duration of the session in seconds, how can the log say it was more than two minutes long if I closed it after 5 seconds? Is this value specified in another time unit (cents of seconds)? The only stable value I saw in the log is for denied connections: duration=0. The rest is erratic but mostly over 130. Thanks in advance, Alex
4377
0 Kudos
2 REPLIES 2
jtatum1
New Contributor

Created on ‎02-25-2022 01:08 PM

I am having the same question, and not finding much information on what the unit of time is.  This has been open since 2007 and no response from Fortinet?

3108
0 Kudos
Debbie_FTNT
Staff
Staff

Created on ‎02-28-2022 01:50 AM

Hey jtatum1,

we're still catching up a lot; the Forums were changed to Community last November, and we have a team in place to keep a better eye on things.

As for the question in this thread:
- the 'duration' is in seconds

- FortiGate generates the log after a session is removed from its session table

-> in newer firmware versions it also generates interim traffic logs every two minutes for ongoing sessions

-> a session is closed (and the log written) if it times out, an RST packet or FIN/ACK exchange is observed, the session is cleared manually, and a few other reasons (such as a user authentication timing out)

Let me know if you have more questions on the 'duration' field :)

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
3094
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.​

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2023 Fortinet, Inc. All Rights Reserved.