Running version 6.7 and I need to find a definition of the actions I see in my logs. Example below:
action = pass vs action = accept.
I would like to see a definition that says something like "the close action means the connection was closed by the client". Something like that.
the action field in traffic log has the following possible values:
deny, accept, start, dns, ip-conn, close, timeout, client-rst, server-rst
For a regular firewall policy, WAD firewall policy or sniffer policy, if the traffic doesn't match the rules, then the action is immediately deny. Otherwise, it could have any of the rest of the values.
For an NGFW firewall policy, it just matches the policy action, which is either accept or deny.
The action is for policy only, utm action (if any utm/security profile is attached to the firewall policy) could be different from the policy action.
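To see how the distinction in the answer above plays out in the logs (the policy's action field versus a separate UTM verdict from an attached security profile), here is an added example; it is not code from the thread or from Fortinet. It parses key=value traffic log lines, tallies the action field into the two buckets the answer describes, and flags records where the policy accepted the session but the security profile reported something other than allow. The sample lines are constructed, and the key=value layout plus the field names `action`, `utmaction` and `policyid` are assumptions about the log format.

```python
"""Tally FortiGate-style traffic log actions and spot UTM/policy divergence.

Added example, not from the thread. The sample lines are constructed; the
key=value layout and the field names action, utmaction and policyid are
assumptions about the log format.
"""
import re
from collections import Counter

# Values of the traffic-log action field as listed in the answer above.
TRAFFIC_ACTIONS = {"deny", "accept", "start", "dns", "ip-conn", "close",
                   "timeout", "client-rst", "server-rst"}

# key=value pairs; values are either "quoted strings" or bare tokens.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample records (not real device output).
SAMPLE_LOG = [
    'date=2024-05-01 time=10:00:01 type="traffic" subtype="forward" srcip=10.1.1.5 dstip=93.184.216.34 dstport=443 action="accept" policyid=3',
    'date=2024-05-01 time=10:00:02 type="traffic" subtype="forward" srcip=10.1.1.5 dstip=93.184.216.34 dstport=443 action="close" policyid=3',
    'date=2024-05-01 time=10:00:03 type="traffic" subtype="forward" srcip=10.1.1.9 dstip=198.51.100.7 dstport=23 action="deny" policyid=0',
    'date=2024-05-01 time=10:00:04 type="traffic" subtype="forward" srcip=10.1.1.5 dstip=203.0.113.8 dstport=80 action="accept" policyid=3 utmaction="block"',
    'date=2024-05-01 time=10:00:05 type="traffic" subtype="forward" srcip=10.1.1.7 dstip=8.8.8.8 dstport=53 action="dns" policyid=3',
    'date=2024-05-01 time=10:00:06 type="traffic" subtype="forward" srcip=10.1.1.7 dstip=203.0.113.9 dstport=443 action="server-rst" policyid=3',
]


def parse_line(line: str) -> dict:
    """Split one key=value log line into a dict, stripping quotes."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def classify(entry: dict) -> str:
    """Map the action field to the policy decision described in the answer.

    'deny' means no policy matched (or the policy denied); every other listed
    value is only possible when the policy allowed the session.
    """
    action = entry.get("action")
    if action not in TRAFFIC_ACTIONS:
        return "unknown"
    return "policy-denied" if action == "deny" else "policy-allowed"


def summarize(lines):
    """Count records per policy decision and list those where the policy
    allowed the session but the UTM verdict (assumed field utmaction) did
    not say allow."""
    counts = Counter()
    diverged = []
    for line in lines:
        entry = parse_line(line)
        counts[classify(entry)] += 1
        utm = entry.get("utmaction")
        if classify(entry) == "policy-allowed" and utm not in (None, "allow"):
            diverged.append((entry.get("policyid"), entry["action"], utm))
    return counts, diverged


if __name__ == "__main__":
    totals, mismatches = summarize(SAMPLE_LOG)
    for label, n in sorted(totals.items()):
        print(f"{label}: {n}")
    for policyid, action, utm in mismatches:
        print(f"policy {policyid}: action={action} but utmaction={utm}")
```

The point of the `diverged` list is the one made in the answer: filtering on `action=accept` alone will show sessions the policy let through even when an attached security profile blocked them, so a UTM field has to be checked separately.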
I wrote this up a while back for the fields, it might come handy
http://socpuppet.blogspot.com/2016/08/using-execute-log-filters-to-monitor.html
I believe nothing new has been added, but use the "execute log filter field" command; Action for tlog is accept or deny.
Ken Felix
PCNSE
NSE
StrongSwan