FortiView - Long-lived-session Handling
Because a session can last a long time and its traffic log is only sent when the session ends, narrowing a FortiView search to a time range often excludes these long-lived sessions entirely. To address this, FortiOS adds an option to generate "interim traffic logs", giving a clearer picture of the traffic within a given time range. FortiView can then show the trend of the session over its lifetime rather than one large volume at the end. However, these interim logs must be handled specially in Reports and Events to avoid counting the same session multiple times.
To view long-lived sessions:
- For a long-lived session with a duration greater than two minutes, interim traffic logs are generated with a Log ID of 20. Their sentdelta/rcvddelta fields contain the number of bytes sent/received since the start of the session or since the previous interim traffic log (see VNC sessions "186001" and "187053" in the example below).
- When a long-lived session ends, a traffic log with a Log ID of 13 is sent, indicating that the session is closed (see VNC session "186001").
- In FortiView, a long-lived session that has not yet ended is not counted in Sessions, but the sentdelta and rcvddelta values from its traffic logs are still added when calculating Sent/Received Bytes.
- For example, of the two VNC sessions, session 186001 has ended and is counted, while session 187053 has not ended and is not included in the Sessions count (in the example, the number of Sessions is one). The sentdelta and rcvddelta values from the traffic logs of both sessions are included in Sent/Received Bytes.
- You can drill down to see the details behind the calculated Sessions (unfinished sessions are not counted) and Sent/Received Bytes (to which both sessions contribute).
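The counting rules above, applied to a constructed set of traffic log lines for the two VNC sessions (added example, not FortiOS code or the screenshot from the original page; the key=value log layout and the presence of sentdelta/rcvddelta on the closing Log ID 13 record are assumptions):

```python
import re

# Constructed sample logs: logid 20 = interim traffic log, logid 13 = session closed.
# Session 186001 closes; session 187053 is still open at the end of the time range.
SAMPLE_LOGS = """\
logid="0000000020" sessionid=186001 service="VNC" sentdelta=1200 rcvddelta=3400 duration=120
logid="0000000020" sessionid=187053 service="VNC" sentdelta=800 rcvddelta=2500 duration=120
logid="0000000020" sessionid=186001 service="VNC" sentdelta=600 rcvddelta=1800 duration=240
logid="0000000013" sessionid=186001 service="VNC" sentdelta=150 rcvddelta=400 sentbyte=1950 rcvdbyte=5600 duration=300
logid="0000000020" sessionid=187053 service="VNC" sentdelta=900 rcvddelta=2700 duration=240
"""

INTERIM_LOGID = 20   # interim traffic log for a session still in progress
CLOSE_LOGID = 13     # final traffic log, session closed

FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_log(line):
    """Split one key=value log line into a dict, stripping quotes from quoted values."""
    rec = {}
    for m in FIELD_RE.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        rec[key] = quoted if quoted is not None else raw
    return rec


def fortiview_summary(lines):
    """Apply the FortiView rules: only closed sessions count toward Sessions, but the
    sentdelta/rcvddelta of every interim and closing log count toward Sent/Received Bytes.
    'log_records' shows how many rows a naive report would see if each log were a session."""
    seen, closed = set(), set()
    sent = rcvd = records = 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_log(line)
        if int(rec["logid"]) not in (INTERIM_LOGID, CLOSE_LOGID):
            continue  # other log types are outside the scope of this example
        records += 1
        sid = rec["sessionid"]
        seen.add(sid)
        if int(rec["logid"]) == CLOSE_LOGID:
            closed.add(sid)
        sent += int(rec.get("sentdelta", 0))
        rcvd += int(rec.get("rcvddelta", 0))
    return {"sessions": len(closed), "unfinished": len(seen - closed),
            "sent_bytes": sent, "rcvd_bytes": rcvd, "log_records": records}
```

The summary reports one Session (186001) and one unfinished session (187053), while the byte totals include the deltas of both; the five log records versus one counted session is exactly the multiple-counting that Reports and Events must avoid.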