jhouvenaghel_FTNT
Article Id 193861

Description


This article describes the additional traffic statistics logs that FortiGate sends to FortiAnalyzer so that FortiAnalyzer FortiView shows consistent session statistics while a session is still open.

The additional logs are "interim" logs for long-lived sessions. They are generated every 2 minutes and are identified in the logs by logid=20 and action=accept.

These logs are sent every 2 minutes based on a traffic-triggered timer: if there is no traffic within 2 minutes, the next packet received triggers the log.

When a session is closed, the interim log entry appears just before the expected log message whose firewall action is close.
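As an added illustration (not part of the original article), the following Python parser separates these interim statistics entries from the final close entry over a constructed set of traffic log lines. The key=value line layout, the sessionid/sentbyte/rcvdbyte field names, the zero-padded logid form and the treatment of byte counters as cumulative per session are assumptions; the logid of the close entry is a constructed sample value.

```python
import re

# Constructed sample traffic log lines (not captured from a real device).
# logid "0000000020" with action "accept" is the 2-minute interim entry;
# the close entry's logid below is a constructed value for the sample.
SAMPLE_LOGS = [
    'date=2023-01-01 time=10:00:05 logid="0000000020" type="traffic" subtype="forward" '
    'sessionid=1001 srcip=10.0.0.5 dstip=198.51.100.7 action="accept" sentbyte=1200 rcvdbyte=8400 duration=120',
    'date=2023-01-01 time=10:02:05 logid="0000000020" type="traffic" subtype="forward" '
    'sessionid=1001 srcip=10.0.0.5 dstip=198.51.100.7 action="accept" sentbyte=2500 rcvdbyte=17000 duration=240',
    'date=2023-01-01 time=10:03:40 logid="0000000099" type="traffic" subtype="forward" '
    'sessionid=1001 srcip=10.0.0.5 dstip=198.51.100.7 action="close" sentbyte=3100 rcvdbyte=20500 duration=335',
    'date=2023-01-01 time=10:04:00 logid="0000000020" type="traffic" subtype="forward" '
    'sessionid=1002 srcip=10.0.0.9 dstip=203.0.113.2 action="accept" sentbyte=600 rcvdbyte=300 duration=120',
]

# key=value pairs; values may be double-quoted or bare.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Parse one key=value log line into a dict (quoted or bare values)."""
    return {key: (quoted or bare) for key, quoted, bare in FIELD_RE.findall(line)}


def is_interim(rec):
    """True for the interim statistics entries: logid 20 (zero-padded) and action accept."""
    return rec.get("logid", "").lstrip("0") == "20" and rec.get("action") == "accept"


def summarize_sessions(lines):
    """Collapse interim and close entries into one record per sessionid.

    Counts interim entries, flags whether the close entry has been seen and keeps
    the latest byte counters (assumed cumulative, so the most recent entry wins).
    """
    sessions = {}
    for line in lines:
        rec = parse_line(line)
        sid = rec.get("sessionid")
        if rec.get("type") != "traffic" or sid is None:
            continue
        s = sessions.setdefault(sid, {"interim": 0, "closed": False, "sentbyte": 0, "rcvdbyte": 0})
        if is_interim(rec):
            s["interim"] += 1
        elif rec.get("action") == "close":
            s["closed"] = True
        else:
            continue  # other traffic entries are not part of this summary
        s["sentbyte"] = int(rec.get("sentbyte", 0))
        s["rcvdbyte"] = int(rec.get("rcvdbyte", 0))
    return sessions
```

Session 1001 yields two interim entries followed by its close entry, while 1002 is still open with only an interim entry; this is the pattern FortiView relies on for open sessions.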


Solution


The following commands disable these statistics logs sent to FortiAnalyzer:

 

    config log fortianalyzer filter
        set filter "logid(00020)"
        set filter-type exclude
    end

 

As of firmware version 7.0.x, the design has been changed as follows:

 

    config log fortianalyzer filter
        config free-style
            edit 0
                set category traffic
                set filter "logid 00020"
                set filter-type exclude
            next
        end
    end

 

Note: In general, when 0 is given as the ID in a config entry, FortiGate assigns the next available ID for the setting.

 

Related document:
https://docs.fortinet.com/document/fortigate/7.0.1/cli-reference/479620/config-log-fortianalyzer-fil...