So using fmg logs and faz, they both show me the same results. For some TCP sessions we can see the number of packets sent and received is 0, along with data transferred 0. This makes sense: the TCP handshake probably doesn't complete (or does complete then reject) and no further transactions happen, therefore we have a session with zero bytes transferred. All good.
But for UDP, the packet is just transmitted, now regardless of whether it makes it to the receiver or not, how can it possibly be 0 bytes sent and received and 0 packets sent and received? I see this on both fmg and faz for some traffic.
Hello flamer,
I found this document:
Could you please tell me if it helped?
If not, we will find another solution to reply to your answer.
Thanks,
Hello, no, that was not related at all, sorry.
Hello flamer,
We are still looking for an answer to your question.
We will come back to you ASAP.
Thanks,
Hello Flamer,
I have got an answer from one of our engineers.
He said that you need to check your network, mtu/mss or also in the settings of the fgt to have them send with reliable/not reliable connection.
It is better to open a ticket from our TAC team, it is very hard to give an answer to this type of question without deep troubleshooting.
Kindest regards,
Can you confirm if these are for traffic hitting the default deny policy (Policy ID 0), or whether the logs show action as accept and a valid non-zero policy?
For TCP as well, even the 3 way handshake packets are counted into the data exchanged using the session.
Can you share one of such logs?
Hello, yes, the traffic is being accepted by policy.
Screenshot taken -
When you enable "set logtraffic-start enable" under policy config, the system generates a log as soon as the session is created, and this log doesn't have any data/packet details. These logs show packets "0". There will be another log generated when the session is closed, or after 2 minutes if the session is active for more than 2 minutes, with the current packet details/counts.
In the image below, both entries are for the same session: the first one was generated at the beginning with "0" packets and the second one was generated after the session was closed, with the data/packet count.
Thank you, yes, that seems to explain it!
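As an added example (not part of the original thread and not Fortinet's code): a Python script that groups exported traffic logs by session and separates the zero-counter session-start entries described in the accepted answer from sessions that never receive a log with counters. The sample lines are constructed, and the key=value field names (sessionid, sentbyte, rcvdbyte, sentpkt, rcvdpkt) are assumptions about the export format.

```python
import re
from collections import defaultdict

# Constructed sample lines in key=value style (not taken from the thread).
# Field names are assumptions; adjust them to match your own log export.
SAMPLE_LOGS = """\
date=2024-01-10 time=10:00:00 sessionid=1001 proto=17 policyid=5 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0
date=2024-01-10 time=10:00:03 sessionid=1001 proto=17 policyid=5 sentbyte=76 rcvdbyte=120 sentpkt=1 rcvdpkt=1
date=2024-01-10 time=10:00:05 sessionid=1002 proto=17 policyid=5 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0
date=2024-01-10 time=10:00:07 sessionid=1003 proto=6 policyid=5 sentbyte=180 rcvdbyte=60 sentpkt=3 rcvdpkt=1
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
COUNTERS = ("sentbyte", "rcvdbyte", "sentpkt", "rcvdpkt")


def parse_line(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {key: value.strip('"') for key, value in KV.findall(line)}


def is_zero(record):
    """True when every byte/packet counter in the record is 0 (or absent)."""
    return all(int(record.get(name, 0)) == 0 for name in COUNTERS)


def classify_sessions(text):
    """Map each sessionid to 'paired', 'zero_only' or 'counted'.

    paired    - a zero-counter log plus a later log with counters: the
                session-start entry followed by the close/interim entry.
    zero_only - only zero-counter logs seen: the second log has not arrived
                in this export (session still open, or log missing).
    counted   - only logs with counters (no start log for this session).
    """
    by_session = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            record = parse_line(line)
            by_session[record["sessionid"]].append(record)

    result = {}
    for sid, records in by_session.items():
        has_zero = any(is_zero(r) for r in records)
        has_counts = any(not is_zero(r) for r in records)
        if has_zero and has_counts:
            result[sid] = "paired"
        else:
            result[sid] = "zero_only" if has_zero else "counted"
    return result


if __name__ == "__main__":
    for sid, label in classify_sessions(SAMPLE_LOGS).items():
        print(sid, label)
```

Sessions labelled zero_only are the ones worth a second look once the export window extends past the session close.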