action=close vs. action=accept - The Real Difference? 600C v5.6.6

Author
scheintod
New Member
2019/01/18 06:44:36
0

Hello all,

We're using a FortiGate 600C and just upgraded FortiOS from v5.4 to v5.6.6.

While using v5.4, action=accept in our traffic logs was only referring to non-TCP connections and we were looking for action=close for successfully ended TCP connections. After we upgraded, the action field in our traffic logs started to take action=accept values for TCP connections as well and we're now having difficulties in differentiating the successfully ended TCP connections.

We've looked at the forums, found this, and also went through the FortiOS Log Reference document for v5.6.6, but had no success in understanding the real difference. The FortiOS Log Reference document for v5.6.6 only states the example field values (e.g. close, server-rst, client-rst) without any explanation, very revealing documentation indeed.

What is the real difference between action=accept and action=close in v5.6.6?
 
Any help would be very much appreciated!

PS: Two sample segments from our traffic logs for the same dstport and dstip that got action=accept and action=close respectively are provided below. 
  • action=accept:
    date=2019-01-18 time=00:00:46 type="traffic" subtype="forward" level="notice" vd="root" eventtime=1547758846 dstport=443 dstintfrole="lan" poluuid="cb3dd1b8-bb38-51e5-7544-c313ed6a828c" sessionid=975790564 proto=6 action="accept" policyid=25 policytype="policy" service="HTTPS" trandisp="dnat" tranport=443 duration=600 sentbyte=104 rcvdbyte=84 sentpkt=2 rcvdpkt=2 vpntype="ipsec-static" appcat="unscanned"
  • action=close:
    date=2019-01-18 time=00:00:10 type="traffic" subtype="forward" level="notice" vd="root" eventtime=1547758810 dstport=443 dstintfrole="lan" poluuid="cb3dd1b8-bb38-51e5-7544-c313ed6a828c" sessionid=977138730 proto=6 action="close" policyid=25 policytype="policy" service="HTTPS" trandisp="dnat" tranport=443 duration=3 sentbyte=144 rcvdbyte=124 sentpkt=3 rcvdpkt=3 vpntype="ipsec-static" appcat="unscanned"
post edited by scheintod - 2019/01/19 08:10:58
#1
emnoc
Expert Member
Re: action=close vs. action=accept - The Real Difference? 600C v5.6.6 2019/01/18 07:59:20
0
Sounds like you have session accounting with log-start. Close is what is logged at the "closing" of the session.
 
http://socpuppet.blogspot.com/2018/04/fortios-set-logtraffic-start-enable.html
 
Ken Felix

PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist
#2
scheintod
New Member
Re: action=close vs. action=accept - The Real Difference? 600C v5.6.6 2019/01/19 08:29:51
0
Hi Ken,

Thank you for your reply. I checked the policy and logtraffic-start is not enabled. Only the command below is there:

set logtraffic all
 
Plus, our traffic logs never take action=start values and this supports my finding above.

Any other ideas? We see both action=accept and action=close for successfully ended TCP connections although logtraffic-start is not enabled and action=accept should be there only for non-TCP connections (UDP etc.) according to the documentation. What is the real difference between action=accept and action=close?

#3
jhouvenaghel_FTNT
Bronze Member
Re: action=close vs. action=accept - The Real Difference? 600C v5.6.6 2019/01/19 08:34:50
0
Hello,
 
For your TCP connections, could you let me know what the logid is when you see action=close and when you see action=accept?
 
Thanks
#4
scheintod
New Member
Re: action=close vs. action=accept - The Real Difference? 600C v5.6.6 2019/01/19 08:52:54
0
Hi,

For the same policy,
  • action=accept takes logid="0000000020"
  • action=close takes logid="0000000013"
However, on some other policies, action=accept is taking logid="0000000013" as well. On the other hand, action=close never takes logid="0000000020".

Thanks

#5
jhouvenaghel_FTNT
Bronze Member
Re: action=close vs. action=accept - The Real Difference? 600C v5.6.6 2019/01/19 11:34:38 (Best Answer, marked by scheintod 2019/01/21 04:18:38)
0
You mentioned: "For the same policy,
  • action=accept takes logid="0000000020"
  • action=close takes logid="0000000013"
---> This looks logical to me with 5.6.6, as there have been new log traffic messages sent to FAZ (for example) with action=accept and logid=20. In the log ref guide, you will see them as "LOG_ID_TRAFFIC_STAT" (Forward traffic statistics). They are used for "long sessions" (more than 2 minutes) to give some stats to the FAZ (for example) so that FortiView is accurate while the session is still alive.
You may see this logid=20 as well just before the logid=13. In fact, when you have no traffic for some time before the TCP session is closed, the next packet (i.e. TCP FIN) will trigger the log stats entry (logid=20), and then you will see the expected logid=13 with action=close for the end of the TCP session.
 
You indicate: "However, on some other policies, action=accept is taking logid="0000000013" as well"
Is it for TCP traffic? If yes, more details would be needed.
 
Hope it helps
#6
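As an added example (not code from this thread, and not Fortinet code), here is a small Python log consumer that applies the rule given in the answer above: a logid 0000000020 record is an interim statistics record for a session that is still alive, so action=accept there is normal; the logid 0000000013 record is the one written when the session ends, and for TCP it carries action=close (or client-rst / server-rst). The sample records are constructed: the first two follow the lines posted in the question with a logid field added (the posted samples omit it), the rest are made up to show a long session closing after its interim record, a UDP session ending with action=accept, a TCP reset, and a session that has only an interim record so far. The category names and function names are this example's own, not FortiOS terms; proto=6 is the IANA protocol number for TCP.

```python
"""Classify FortiOS 5.6 traffic-log records by logid and action.

Added example for this thread, not Fortinet code.  Encodes the rule from the
answer above: logid 0000000020 is an interim statistics record
(LOG_ID_TRAFFIC_STAT: session still alive, so action=accept is normal there);
logid 0000000013 is the record written when the session ends, and for TCP that
record carries action=close (or client-rst / server-rst).
"""
import re
from collections import defaultdict

LOGID_TRAFFIC_END = "0000000013"   # end-of-session record
LOGID_TRAFFIC_STAT = "0000000020"  # interim statistics, session still open
TCP = "6"                          # IANA protocol number for TCP

# Constructed sample records (not captured from a real device).  The first two
# follow the records posted in the question with a logid field added; the rest
# are made up: a long session closing, a UDP session, a TCP reset, an open one.
SAMPLE_LOG = """\
date=2019-01-18 time=00:00:46 logid="0000000020" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1547758846 dstport=443 sessionid=975790564 proto=6 action="accept" policyid=25 service="HTTPS" duration=600 sentbyte=104 rcvdbyte=84 sentpkt=2 rcvdpkt=2
date=2019-01-18 time=00:00:10 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1547758810 dstport=443 sessionid=977138730 proto=6 action="close" policyid=25 service="HTTPS" duration=3 sentbyte=144 rcvdbyte=124 sentpkt=3 rcvdpkt=3
date=2019-01-18 time=00:01:02 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1547758862 dstport=443 sessionid=975790564 proto=6 action="close" policyid=25 service="HTTPS" duration=616 sentbyte=1048 rcvdbyte=2310 sentpkt=12 rcvdpkt=14
date=2019-01-18 time=00:00:30 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1547758830 dstport=53 sessionid=975790999 proto=17 action="accept" policyid=25 service="DNS" duration=180 sentbyte=70 rcvdbyte=140 sentpkt=1 rcvdpkt=1
date=2019-01-18 time=00:00:40 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1547758840 dstport=22 sessionid=975791234 proto=6 action="server-rst" policyid=25 service="SSH" duration=12 sentbyte=500 rcvdbyte=300 sentpkt=5 rcvdpkt=4
date=2019-01-18 time=00:02:00 logid="0000000020" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1547758920 dstport=443 sessionid=975791500 proto=6 action="accept" policyid=25 service="HTTPS" duration=120 sentbyte=2000 rcvdbyte=9000 sentpkt=20 rcvdpkt=18
"""

# key=value pairs; a value is either double-quoted or a bare token.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line):
    """Split one FortiOS key=value log line into a dict of strings."""
    rec = {}
    for key, quoted, bare in _KV.findall(line):
        rec[key] = bare if bare else quoted
    return rec


def classify(rec):
    """Label a record by what it says about the session's lifetime."""
    logid, action, proto = rec.get("logid"), rec.get("action"), rec.get("proto")
    if logid == LOGID_TRAFFIC_STAT:
        return "interim-stat"        # session still alive; accept is expected here
    if logid != LOGID_TRAFFIC_END:
        return "other"
    if proto == TCP:
        if action == "close":
            return "tcp-closed"      # orderly teardown: the record the question is after
        if action in ("client-rst", "server-rst"):
            return "tcp-reset"
        if action == "accept":
            return "tcp-end-accept"  # logid 13 + accept on TCP: left open in the thread, review it
        return "other"
    if action == "accept":
        return "non-tcp-ended"       # UDP, ICMP etc. end with action=accept
    return "other"


def summarize_sessions(log_text):
    """Fold records by sessionid: count interim records, keep the final verdict."""
    sessions = defaultdict(lambda: {"proto": None, "interim": 0, "final": None})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        kind = classify(rec)
        s = sessions[rec.get("sessionid", "?")]
        s["proto"] = rec.get("proto")
        if kind == "interim-stat":
            s["interim"] += 1
        else:
            s["final"] = kind
    return dict(sessions)


def closed_tcp_sessions(log_text):
    """Session IDs whose end-of-session record is an orderly TCP close."""
    return sorted(sid for sid, s in summarize_sessions(log_text).items()
                  if s["final"] == "tcp-closed")


def open_sessions(log_text):
    """Session IDs seen only through interim records: no end record yet."""
    return sorted(sid for sid, s in summarize_sessions(log_text).items()
                  if s["final"] is None)


if __name__ == "__main__":
    for sid, s in summarize_sessions(SAMPLE_LOG).items():
        print(sid, s)
    print("closed TCP:", closed_tcp_sessions(SAMPLE_LOG))
    print("still open:", open_sessions(SAMPLE_LOG))
```

The point of keying on logid rather than on action alone is that action=accept with logid 20 is a normal record for an open TCP session, so a consumer that treats every action=accept as "ended" overcounts. If the logid 20 records are filtered out at the device (as in the workaround later in this thread), a session is only ever seen through its logid 13 record and the interim counter above stays 0.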
scheintod
New Member
Re: action=close vs. action=accept - The Real Difference? 600C v5.6.6 2019/01/21 04:18:23
0
Hi,

Thank you for your detailed reply, it's very enlightening.

Is it somehow possible to disable only LOG_ID_TRAFFIC_STAT (i.e. logid="0000000020")?
 
Thanks

#7
jhouvenaghel_FTNT
Bronze Member
Re: action=close vs. action=accept - The Real Difference? 600C v5.6.6 2019/01/21 06:28:47
0
If you are not interested in these statistics logs sent to the FAZ, the following workaround can be used:
 
config log fortianalyzer filter
    set filter "logid(00020)"
    set filter-type exclude
end
#8
scheintod
New Member
Re: action=close vs. action=accept - The Real Difference? 600C v5.6.6 2019/01/23 05:21:43
0
Thanks a lot for all the information you've provided, you're very helpful. We'll try the workaround and update this thread as soon as possible.
#9