FortiAnalyzer
glebras_FTNT
Article Id 195773
Description

This article explains how FortiAnalyzer handles the field change from Status to Action in FortiOS logs starting in FortiOS 5.2.

It also summarizes what the possible values are for status and action fields.


Solution

As outlined in the FortiOS Log Reference documentation for v5.0 and v5.2, the name of the status field was changed in v5.2.

FortiGate v4.3 and v5.0 use status, while FortiGate v5.2 and later use action.

FortiAnalyzer v5.2.x needs to handle both FortiGate v5.0 and v5.2 logs. When FortiAnalyzer collects logs, it does not distinguish between log versions, so it builds a single set of all log fields and values from both.

In more recent FortiAnalyzer versions (v5.2.x and higher), the FortiAnalyzer only records action, placing the status value (if included) in the action field.

For FortiGate v5.0, the status field in the traffic log could have five possible values:

  • accept: for the end of non-TCP traffic.

  • close: for the end of a TCP session closed with a FIN/FIN-ACK/RST.

  • deny: for traffic blocked by a firewall policy.

  • start: for TCP session start log (special option to enable logging at the start of a session). This means it is allowed by a firewall policy.

  • timeout: for the end of a TCP session which is closed because it was idle.

For FortiGate v5.2, action could have six possible values:

  • close: for the end of TCP session closed with a FIN/FIN-ACK/RST.

  • deny: for traffic blocked by a firewall policy.

  • dns: for DNS that failed for the session.

  • ip-conn: for IP connection that failed for the session (host is not reachable).

  • start: for TCP session start log (special option to enable logging at the start of a session). This means it is allowed by a firewall policy.

  • timeout: for the end of a TCP session which is closed because it was idle.
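The following is an added example, not code from the article or from Fortinet: a small Python normalizer that mimics the FortiAnalyzer v5.2+ behaviour described above (record only action, moving a v5.0 status value into it) and flags values outside the documented sets for each log generation. The sample log lines are constructed, not real FortiGate output, and note that accept exists only in the v5.0 list, so a unified report over mixed logs has to account for it.

```python
import re
from collections import Counter

# Value sets documented in the article for each FortiOS release.
STATUS_VALUES_V50 = {"accept", "close", "deny", "start", "timeout"}
ACTION_VALUES_V52 = {"close", "deny", "dns", "ip-conn", "start", "timeout"}

# key=value pairs; values may be double-quoted and contain spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_fortios_log(line):
    """Split one FortiOS key=value log line into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def normalize_action(fields):
    """Mimic FortiAnalyzer v5.2+: keep only 'action', moving a v5.0 'status'
    value into it. Returns (fields, source, note); 'note' is set when the
    value is outside the documented set for that log generation."""
    out = dict(fields)
    if "action" in out:
        source = "action"
        out.pop("status", None)            # both present: trust the v5.2 field
        valid = ACTION_VALUES_V52
    elif "status" in out:
        source = "status"
        out["action"] = out.pop("status")  # v5.0 log: status becomes action
        valid = STATUS_VALUES_V50
    else:
        return out, None, "traffic log without status or action"
    note = None if out["action"] in valid else f"undocumented {source} value: {out['action']}"
    return out, source, note

def action_summary(lines):
    """Count traffic logs per normalized action, as a unified report would."""
    counts = Counter()
    for line in lines:
        fields, _, _ = normalize_action(parse_fortios_log(line))
        if fields.get("type") == "traffic":
            counts[fields.get("action", "<none>")] += 1
    return counts

# Constructed sample lines (not real FortiGate output): two v5.0-style, two v5.2-style.
SAMPLE_LOGS = [
    'date=2015-01-10 time=09:12:01 type=traffic subtype=forward srcip=10.0.0.5 dstip=203.0.113.7 proto=17 status=accept',
    'date=2015-01-10 time=09:12:05 type=traffic subtype=forward srcip=10.0.0.5 dstip=203.0.113.7 proto=6 status=close',
    'date=2015-06-02 time=11:30:44 type=traffic subtype=forward srcip=10.0.0.8 dstip=203.0.113.9 proto=6 action=ip-conn msg="host unreachable"',
    'date=2015-06-02 time=11:30:50 type=traffic subtype=forward srcip=10.0.0.8 dstip=203.0.113.9 proto=6 action=deny policyid=3',
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        fields, source, note = normalize_action(parse_fortios_log(line))
        print(source, fields["action"], note or "")
    print(dict(action_summary(SAMPLE_LOGS)))
```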

The FortiGate Log Message Reference v5.0 and FortiOS Log Reference Guide v5.2 are both available in the Fortinet Document Library.


