|
To log the 'no session matched' event in the traffic log, the option 'log-invalid-packet' needs to be enabled.
config log setting
set log-invalid-packet enable
Then the 'no session matched' log can be recorded in the traffic log. The following is a sample log message of 'no session matched'.
date=2023-09-08 time=12:46:49 logid="0000000007" type="traffic" subtype="forward" level="warning" vd="root" eventtime=1694148409 srcip=10.98.98.101 srcport=61613 srcintf="port2" srcintfrole="undefined" dstip=10.40.30.90 dstport=22 dstintf=unknown-0 dstintfrole="undefined" proto=6 action="deny" policyid=0 policytype="policy" service="SSH" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 msg="no session matched"
Basically, it means that FortiGate has received a packet but there was no established session for it, e.g. the initial TCP 3-way handshake was not seen by FortiGate. One possibility is there was a change of routing path.
For example, initially, the TCP session was routed via an original path without going through FortiGate. Then there was a change of routing causing the TCP session to be routed to this FortiGate. However since FortiGate does not have a session established for this TCP session, the 'no session matched' log is recorded.
|
