So further to this issue, I still have a ticket open with Fortinet and we're investigating.
I found some very strange log data being produced.
When a client connects in to our network via Direct Access, it opens an IP-HTTPS tunnel to the Direct Access server and the traffic in/out of the network is transmitted through this connection.
Exactly every 2 mins, we see a new log entry, same SRCIP and DSTIP, but with a slowly incrementing Sent/Received value.
There are dozens, if not hundreds, of these log entries for each Direct Access client, but it is my belief that there is actually only one (1) connection and that the total amount of traffic over that connection would be accurately represented by only the latest log entry. E.g. if the log entries start at 0MB and every 2 mins went 1MB, 2MB, 3MB, 4MB, then the amount of data transmitted is 4MB ... not 10MB.
My reasons for believing this is that the amount of Sent/Received data ALWAYS and ONLY ever increases from log entry to log entry; it NEVER decreases (for that combination of SRCIP and DSTIP).
I checked the Session ID of these incrementing log entries and, for each combination of SRCIP and DSTIP, the Session ID is the same.
Yet to be proven though whether this is a bug, or correct operation; I need to do some more diagnostics and I need to check back to September when we were running v5.6.2 to see whether the log data has the same pattern or looks different.
post edited by Frosty - 2018/11/14 16:44:02
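
Added example, not part of the original post: a Python check of the hypothesis described above. It groups log entries by SRCIP, DSTIP and Session ID, verifies that the byte counters never decrease, and compares the naive sum against the latest entry. The sample lines are constructed, and the key=value field names (`srcip`, `dstip`, `sessionid`, `sentbyte`, `rcvdbyte`) and chronological line order are assumptions about the exported log.

```python
import re
from collections import defaultdict

# Constructed sample lines (not real logs); addresses are documentation ranges.
SAMPLE = """\
time=10:00:00 srcip=198.51.100.7 dstip=192.0.2.10 sessionid=4411 sentbyte=0 rcvdbyte=0
time=10:02:00 srcip=198.51.100.7 dstip=192.0.2.10 sessionid=4411 sentbyte=600000 rcvdbyte=400000
time=10:04:00 srcip=198.51.100.7 dstip=192.0.2.10 sessionid=4411 sentbyte=1200000 rcvdbyte=800000
time=10:06:00 srcip=198.51.100.7 dstip=192.0.2.10 sessionid=4411 sentbyte=1800000 rcvdbyte=1200000
time=10:08:00 srcip=198.51.100.7 dstip=192.0.2.10 sessionid=4411 sentbyte=2400000 rcvdbyte=1600000
time=10:01:00 srcip=198.51.100.8 dstip=192.0.2.10 sessionid=5120 sentbyte=100 rcvdbyte=50
time=10:03:00 srcip=198.51.100.8 dstip=192.0.2.10 sessionid=5120 sentbyte=300 rcvdbyte=150
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
REQUIRED = {"srcip", "dstip", "sessionid", "sentbyte", "rcvdbyte"}

def parse(line):
    """Split one key=value log line into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

def summarize(text):
    """Per (srcip, dstip, sessionid): entry count, naive sum, latest total."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        f = parse(line)
        if not REQUIRED <= f.keys():
            continue  # skip lines that are not traffic entries
        key = (f["srcip"], f["dstip"], f["sessionid"])
        sessions[key].append(int(f["sentbyte"]) + int(f["rcvdbyte"]))
    report = {}
    for key, totals in sessions.items():
        report[key] = {
            "entries": len(totals),
            "naive_sum": sum(totals),   # what summing every entry reports
            "latest": totals[-1],       # what a cumulative counter means
            # True only if the counter never drops; a drop would contradict
            # the "one session, cumulative counter" reading for this key.
            "monotonic": all(a <= b for a, b in zip(totals, totals[1:])),
        }
    return report

if __name__ == "__main__":
    for key, r in summarize(SAMPLE).items():
        print(key, r)
```

A key whose `monotonic` value is False needs a closer look before its entries are collapsed to the latest value.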