Hi guys,
According to NSE4, FortiGate will generate traffic logs once a firewall policy closes an IP session. What does that mean? Does that mean when FortiGate sends a FIN packet to the server? Or does that mean when FortiGate sends an ACK packet after it has received a SYN-ACK from the server? I guess is the second option. Could you confirm?
Regards,
Julián
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
I would look at the set logtraffic-start enable option, but in normal operation the log category traffic is not written till after the session has closed. This is the only way to get duration and bytes sent/received
Ken
PCNSE
NSE
StrongSwan
If you are not setting the cmd , than the log is written when the policy session is closed. How else would you expect it to log the session?
Since the traffic logs contains numerous values & it can only write those at the session completion time.
e.g
bytes sent/received
duration
etc....
Keep in mind devices like FAZ might have a small delay before the details are review and depends on upload variables ( realtime or delayed )
Ken
PCNSE
NSE
StrongSwan
with logtraffic start , YES!. If you open a new session like a SSH and keep it open.query the logs
e.g
create a new policy for some control traffic and set it top of the sequence
Now doe the following
;
execute log filter category 0
execute log filter device 0 (??? check the number for the MEM FAZ or DISK )
execute log filter field policyid <#>
execute log display
Now do you see any thing for that traffic ?
Now close the session and re-execute the "execute log display" and now you will have the record in the log.
ken
PCNSE
NSE
StrongSwan
Hi Ken,
1. But I did open just one RDP session, not more.
2. I thought the same, but I have googled out and found that sometimes RDP can use UDP 3389 instead of TCP 3389.
3. I will execute ASAP and let you know.
4. I know that and for that reason the logs which showed the transmited bytes are those that were generated after I closed the session (#26 and 27). The first log didn't show the bytes because in that time the session was open. The second log didn't show the bytes either, althought I closed the session at that time.
Regards,
Julián
I know RDP can us udp/3389 but the defined RDP services is tcp.
Do you have a service named udp/3389?
Ken
PCNSE
NSE
StrongSwan
Hi Ken,
I now get you about RDP can use UDP 3389 but the defined RDP services is TCP. But not, I don't have a service namee UDP/3389.
I have checked the sessions ID of the four logs in the log details and they are different, should they be the same?
And here you are the output of the command:
CRO_Principal (root) # show full firewall policy 5 | grep log
set logtraffic all
set logtraffic-start disable
CRO_Principal (root) #
Regards,
Julián
How about running the following
cli-cmd
show full firewall service custom | grep 3389
On the log start, if that's enabled you will get a log message for the start and a log entry for the final log details upon closure.
You can test this over a in/egress interface pair and with regular ipv4/6 firewall-policy
Ken
PCNSE
NSE
StrongSwan
Hi Ken,
The log start is not enabled.
CRO_Principal (root) # show full firewall service custom | grep 3389
set tcp-portrange 3389
CRO_Principal (root) #
Regards,
Julián
Hi Ken,
I have tested with opening a FTP session. Here is the result:
When I open the FTP session, these three logs appeared, all with the transmitted bytes. The first one (#3) have a different session ID, but the last two (#1 and 2) have the same session ID. The log start is not enabled either for this firewall policy. When I closed the FTP session, no more logs were generated. This is very strange, have you tested and verified that a log is only generated when the session is closed (assuming log start is not enabled)?
Regards,
Julián
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1641 | |
1069 | |
751 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.