Because traffic logs are only sent at the end of a session, long-lived sessions can be unintentionally excluded when narrowing searches in FortiView. To account for this, interim traffic logs can be enabled through FortiOS, allowing FortiView to show the trend of session history rather than one large volume once the session is closed.
For a long-lived session with a duration greater than two minutes, interim traffic logs are generated with the Log ID of 20.
- For interim traffic logs, the sentdelta and rcvddelta fields are filled in with an increment of bytes which are sent/received after the start of the session or previous interim traffic log.
- Interim traffic logs are not counted in Sessions, but the sentdelta and recvddelta in related traffic logs will be added when calculating the sent and received bytes.
When a long-lived session ends, a traffic log with a Log ID of 13 is sent which indicates the session is closed.
When enabled, interim logs must be handled specially for Reports and Events to avoid multiple counting.