Jirka1
Contributor III

Fortigate incorrectly counts..??

Hi guys,

I have encountered a very strange problem. The management commissioned me to produce an employee report. We have FGT100D (5.6.6) in transparent mode and FAZ200D (6.0.3). This employee uses a Bitcoin wallet on his PC. The problem is that the report shows me that in about 1 week he transferred about 1.3TB of data, while his network card on the PC shows about 90GB. The same result (about 90GB) is shown by our backbone router.

Standard Policy cfg: App control (monitor all), Web filter (some cat forbidden) and cert. inspect. That's all.

Fortigate is lying? If so, this is a very unpleasant finding - especially because reports are regularly used to check employees ...

Thanks Jirka

Dave_Hall
Honored Contributor

The duration in the graph in the pic looks to be for about 10 days (the end looks cut off though), while the duration listed in the Ethernet status indicates 8+ days connected.  Aside from that, I wouldn't trust the byte count on the Ethernet status activity.  Perform a netstat -s or netstat -e on the CMD line.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

Jirka1

Hi Dave, thank you for your reaction. I checked the transferred data using cmd:

Yes, the differences from the network card are there, but even lower. I also checked the total internet traffic on our core box, and the whole network produced around 890GB of data for the whole week. While Fortigate shows only 1.3TB of data for this single user....

Jirka1
Contributor III

And another anomaly - from our core box we collect the flow data and send it to the collector. Do you really think that in 8 days our network produces 17.2TB of logs? The collector stores 134MB of data in 8 days..

neonbit
Valued Contributor

Is your policy logging all sessions or UTM sessions only?

Jirka1
Contributor III

always all sessions
Jirka1
Contributor III

FYI: I created a TAC request and the answer is: The issue you are experiencing appears to be matching a recently reported bug 0523445. This problem seems to occur when traffic logs forwarded to FortiAnalyzer contain long-lived UDP and TCP sessions. To confirm whether your issue matches this bug ID, could you please drill down to the 5-minute report for the affected source IP so that you can see all individual sessions. Then please take some of the sessions that transmitted the most data and compare their session IDs. If you can see the same session ID multiple times, then you are experiencing the same issue as reported in the bug.

Jirka
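
As an added illustration of the check TAC describes (this script is not from any poster in this thread and not Fortinet's code), the following parses constructed FortiGate-style traffic log lines, flags session IDs that appear more than once in the window, and shows how much the repeated entries inflate a per-user byte total. The key=value field names (sessionid, sentbyte, rcvdbyte, duration) and the assumption that repeated entries for one long-lived session carry cumulative, ever-incrementing counters are my own.

```python
import re
from collections import defaultdict

# Constructed sample lines in the key=value style of FortiGate traffic logs.
# Session 77001 is a long-lived session logged three times with cumulative
# counters; 77002 and 77003 are ordinary short sessions logged once.
# Field names are assumptions about the log format, not taken from the thread.
SAMPLE_LOGS = """\
date=2018-11-20 time=08:00:05 type=traffic subtype=forward srcip=10.1.1.50 dstip=203.0.113.7 sessionid=77001 duration=300 sentbyte=10485760 rcvdbyte=52428800
date=2018-11-20 time=08:05:05 type=traffic subtype=forward srcip=10.1.1.50 dstip=203.0.113.7 sessionid=77001 duration=600 sentbyte=20971520 rcvdbyte=104857600
date=2018-11-20 time=08:10:05 type=traffic subtype=forward srcip=10.1.1.50 dstip=203.0.113.7 sessionid=77001 duration=900 sentbyte=31457280 rcvdbyte=157286400
date=2018-11-20 time=08:03:12 type=traffic subtype=forward srcip=10.1.1.50 dstip=198.51.100.4 sessionid=77002 duration=12 sentbyte=2048 rcvdbyte=8192
date=2018-11-20 time=08:07:40 type=traffic subtype=forward srcip=10.1.1.50 dstip=198.51.100.9 sessionid=77003 duration=5 sentbyte=1024 rcvdbyte=4096
"""

# key=value pairs; quoted values may contain spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def analyse(log_text):
    """Return (naive_total, dedup_total, duplicated_session_ids).

    naive_total sums sentbyte+rcvdbyte over every line, which is what a
    report does when the same session is logged repeatedly.
    dedup_total keeps only the largest value per session ID, on the
    assumption that repeated entries carry cumulative counters.
    """
    per_session = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("type") != "traffic":
            continue
        per_session[rec["sessionid"]].append(int(rec["sentbyte"]) + int(rec["rcvdbyte"]))
    naive_total = sum(sum(v) for v in per_session.values())
    dedup_total = sum(max(v) for v in per_session.values())
    duplicated = sorted(sid for sid, v in per_session.items() if len(v) > 1)
    return naive_total, dedup_total, duplicated


if __name__ == "__main__":
    naive, dedup, dupes = analyse(SAMPLE_LOGS)
    print(f"summed over all lines: {naive} bytes")
    print(f"largest value per session: {dedup} bytes")
    print(f"session IDs logged more than once: {dupes}")
```

On the sample above the naive sum is roughly double the deduplicated figure, which is the kind of inflation the thread reports once sessions run for days and are logged many times.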

Frosty

This is exactly what I found with a report of mine; long-lived TCP sessions in my case, resulted in ever-incrementing, multiple log entries, causing ridiculous data results.  See my thread here:

https://forum.fortinet.com/tm.aspx?m=168332

Frosty

Hi Jirka,

Have you received any further news?  I am still waiting for confirmation from Fortinet Support that my bug report is officially the same as yours.

In the meantime, I see that v5.6.7 has been released, however Bug ID 0523445 was not listed among the items fixed.

Steve

Jirka1
Contributor III

Hey Frosty, yes, here is the TAC answer:

Hello Jirka,

I would like to inform you that FAZ 6.0.4, which should be released in the middle of December 2018, will contain a fix for this problem to prevent the duplication of the event logs. Additionally, the development team is planning to enhance the logging accuracy in FortiOS 5.6.8 by adding delta traffic counters into syslog messages. Since FortiOS 5.6.7 was released two days ago, you can expect the release of FortiOS 5.6.8 in around March 2019.

Jirka
