VPN event duplicates in FortiGate firewall.
Hi FortiGate firewall team,
I have noticed two kinds of VPN transactions in my firewall.
I have received two logs with action="tunnel-up" and action="tunnel-down" from the same remote host IP at the same time.
Here, tunnel-type = "ssl-web" || "ssl-tunnel".
1st Log:
<190>date=2018-06-12 time=00:30:32 devname=FGT_FW devid=FGT_FW logid="0101039424" type="event" subtype="vpn" level="information" vd="root" logtime=1528126232 logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-web" tunnelid=1664155757 remip=182.x.x.x user="testUser" group="testGrp" dst_host="N/A" reason="login successfully" msg="SSL tunnel established"
2nd Log:
<190>date=2018-06-12 time=00:30:34 devname=FGT_FW devid=FGT_FW logid="0101039947" type="event" subtype="vpn" level="information" vd="root" logtime=1528126234 logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-tunnel" tunnelid=1664155757 remip=182.x.x.x tunnelip=10.x.x.x user="testUser" group="testGrp" dst_host="N/A" reason="tunnel established" msg="SSL tunnel established"
I have a doubt about the above logs.
The 1st log doesn't contain the tunnel IP address, but the 2nd log does. Why does this duplication occur?
Thanks,
Mari Muneeswaran Marimuthu.
I think it's because of the "reason". The first one is for user "login successful", then the second one is for "tunnel established" with the tunnel IP.
@Somashekara Hanumantha Reddy
Please kindly explain this scenario.
Hi Toshi Esumi,
I received a few VPN transactions in between these logs.
My VPN logs are in the structure below:
<Tunnel-Up> log with tunnel-type = ssl-web
<VPN Traffic by the user>
<Tunnel-Up> log with tunnel-type = ssl-tunnel
<VPN Traffic by the user>
<Tunnel-down> log with tunnel-type = ssl-tunnel
<Tunnel-down> log with tunnel-type = ssl-web
It's confusing. Please clarify my doubt.
Thanks,
Mari Muneeswaran Marimuthu.
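An added example, not part of the original thread: a way to correlate these events on the log-collector side so the ssl-web login and the ssl-tunnel setup are counted as one session, keyed on the `tunnelid` the two posted logs share. The first two sample lines are trimmed from the logs above; the two tunnel-down lines are constructed, and it is an assumption that they carry the same `tunnelid`.

```python
import re

# Matches key=value and key="quoted value" pairs as they appear in the posted logs.
PAIR = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse(line):
    """Return the key=value fields of one FortiGate log line as a dict."""
    return {k: (q if raw.startswith('"') else raw) for k, raw, q in PAIR.findall(line)}

def sessions(lines):
    """Group SSL VPN events by tunnelid: one entry per user session."""
    out = {}
    for f in map(parse, lines):
        if f.get("subtype") != "vpn" or "tunnelid" not in f:
            continue  # not an SSL VPN tunnel event
        s = out.setdefault(f["tunnelid"], {"user": f.get("user"),
                                           "remip": f.get("remip"),
                                           "tunnelip": None, "events": []})
        # Only the ssl-tunnel event carries tunnelip; keep it once seen.
        s["tunnelip"] = s["tunnelip"] or f.get("tunnelip")
        s["events"].append((f.get("time"), f.get("action"),
                            f.get("tunneltype"), f.get("reason")))
    return out

SAMPLE = [
    # Trimmed from the two logs in the first post.
    '<190>date=2018-06-12 time=00:30:32 subtype="vpn" action="tunnel-up" '
    'tunneltype="ssl-web" tunnelid=1664155757 remip=182.x.x.x '
    'user="testUser" reason="login successfully"',
    '<190>date=2018-06-12 time=00:30:34 subtype="vpn" action="tunnel-up" '
    'tunneltype="ssl-tunnel" tunnelid=1664155757 remip=182.x.x.x '
    'tunnelip=10.x.x.x user="testUser" reason="tunnel established"',
    # Constructed tunnel-down lines (assumed to reuse the same tunnelid).
    '<190>date=2018-06-12 time=01:10:05 subtype="vpn" action="tunnel-down" '
    'tunneltype="ssl-tunnel" tunnelid=1664155757 remip=182.x.x.x user="testUser"',
    '<190>date=2018-06-12 time=01:10:06 subtype="vpn" action="tunnel-down" '
    'tunneltype="ssl-web" tunnelid=1664155757 remip=182.x.x.x user="testUser"',
]

if __name__ == "__main__":
    for tid, s in sessions(SAMPLE).items():
        print(tid, s["user"], s["remip"], s["tunnelip"])
        for ev in s["events"]:
            print("   ", *ev)
```
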
Can you post the entire log? If you compare them with "diag debug app sslvpn -1" debug output, they might make sense to you.
