This article explains the mechanism of the FortiWeb traffic log (tlog), including the meaning of HTTP response code 0 in the http_retcode field.
Scope
FortiWeb.
Topology
FortiWeb.
Solution
Diagram:
Client --- FortiWeb (WAF) --- Real Server (RS).
The mechanism of the FortiWeb traffic log is as follows:
Step 1: The client sends an HTTP request to the WAF, the RS responds with data to the WAF, and the WAF relays the response to the client. A tlog is written with the correct HTTP code. This is the standard situation.
Client:
% curl -sk -D - -o /dev/null 'vip1.internal.lab' | head -2
HTTP/1.1 200 OK
Server: nginx/1.6.2
Capture:
diag network sniffer port1 'port 80 and host 172.26.167.21' 4 0 a
filters=[port 80 and host 172.26.167.21]
interface=[port1]
2024-08-13 10:26:50.194644 172.26.167.21.56454 -> 10.109.30.9.80: syn 488743468
2024-08-13 10:26:50.194746 10.109.30.9.80 -> 172.26.167.21.56454: syn 2856766223 ack 488743469
2024-08-13 10:26:50.259251 172.26.167.21.56454 -> 10.109.30.9.80: ack 2856766224
2024-08-13 10:26:50.259253 172.26.167.21.56454 -> 10.109.30.9.80: psh 488743469 ack 2856766224
2024-08-13 10:26:50.259364 10.109.30.9.80 -> 172.26.167.21.56454: ack 488743549
2024-08-13 10:26:50.268430 10.109.30.9.80 -> 172.26.167.21.56454: psh 2856766224 ack 488743549
2024-08-13 10:26:50.332865 172.26.167.21.56454 -> 10.109.30.9.80: ack 2856766715
2024-08-13 10:26:50.333912 172.26.167.21.56454 -> 10.109.30.9.80: fin 488743549 ack 2856766715
2024-08-13 10:26:50.334723 10.109.30.9.80 -> 172.26.167.21.56454: fin 2856766715 ack 488743550
2024-08-13 10:26:50.399756 172.26.167.21.56454 -> 10.109.30.9.80: ack 2856766716
Tlog:
v015xxxxdate=2024-08-13 time=12:26:50 log_id=30000001 msg_id=000009810172 device_id=FVVM08TM22000169 eventtime=1723544810267911205 vd="root" timezone="(GMT+1:00)Belgrade,Bratislava,Budapest,Ljubljana,Prague" timezone_dayst="GMTb-2" type=traffic subtype="http" pri=notice proto=tcp service=http status=success reason=none policy="lab_spolicy" original_src=172.26.167.21 src=172.26.167.21 src_port=56454 dst=10.198.3.30 dst_port=80 http_request_time=5 http_response_time=1 http_request_bytes=80 http_response_bytes=347 http_method=get http_url="/" http_agent="curl/8.6.0" http_retcode=200 msg="HTTP get request from 172.26.167.21:56454 to 10.198.3.30:80" original_srccountry="Reserved" srccountry="Reserved" content_switch_name="none" server_pool_name="vl198_spool" http_host="vip1.internal.lab" user_name="Unknown" http_refer="none" http_version="1.x" dev_id=68D4D0E0374C6C418288956723B875B42E17 cipher_suite="none" x509_cert_subject="none"
Step 2: The client sends an HTTP request to the WAF, but the RS does not respond with data to the WAF.
The connection is ended with the WAF from the client side (the client times out), the WAF sends FIN to the RS, and there is a tlog with HTTP code 0.
Client:
% curl -m 10 vip1.internal.lab
curl: (28) Operation timed out after 10006 milliseconds with 0 bytes received
Capture:
diag network sniffer port1 'port 80 and host 172.26.167.21' 4 0 a
filters=[port 80 and host 172.26.167.21]
interface=[port1]
2024-08-13 10:14:21.764667 172.26.167.21.56149 -> 10.109.30.9.80: syn 1029527710
2024-08-13 10:14:21.764758 10.109.30.9.80 -> 172.26.167.21.56149: syn 682109709 ack 1029527711
2024-08-13 10:14:21.826888 172.26.167.21.56149 -> 10.109.30.9.80: ack 682109710
2024-08-13 10:14:21.826890 172.26.167.21.56149 -> 10.109.30.9.80: psh 1029527711 ack 682109710
2024-08-13 10:14:21.826992 10.109.30.9.80 -> 172.26.167.21.56149: ack 1029527791
2024-08-13 10:14:31.762911 172.26.167.21.56149 -> 10.109.30.9.80: fin 1029527791 ack 682109710
2024-08-13 10:14:31.763832 10.109.30.9.80 -> 172.26.167.21.56149: fin 682109710 ack 1029527792
2024-08-13 10:14:31.824507 172.26.167.21.56149 -> 10.109.30.9.80: ack 682109711
Tlog:
v015xxxxdate=2024-08-13 time=12:14:31 log_id=30000001 msg_id=000009810083 device_id=FVVM08TM22000169 eventtime=1723544071763907702 vd="root" timezone="(GMT+1:00)Belgrade,Bratislava,Budapest,Ljubljana,Prague" timezone_dayst="GMTb-2" type=traffic subtype="http" pri=notice proto=tcp service=http status=success reason=none policy="lab_spolicy" original_src=172.26.167.21 src=172.26.167.21 src_port=56149 dst=10.198.3.30 dst_port=8099 http_request_time=1 http_response_time=0 http_request_bytes=80 http_response_bytes=0 http_method=get http_url="/" http_agent="curl/8.6.0" http_retcode=0 msg="HTTP get request from 172.26.167.21:56149 to 10.198.3.30:8099" original_srccountry="Reserved" srccountry="Reserved" content_switch_name="none" server_pool_name="vl198_dummy" http_host="vip1.internal.lab" user_name="Unknown" http_refer="none" http_version="1.x" dev_id=68D4D0E0374C6C418288956723B875B42E17 cipher_suite="none" x509_cert_subject="none"
Step 3: The connection is ended with the WAF from the server side (the RS sends FIN without returning any response data), the WAF sends FIN to the RS, and there is a tlog with HTTP code 0.
Client:
% curl vip1.internal.lab/reset
curl: (52) Empty reply from server
Capture:
diag network sniffer port3 'port 80' 4 0 a
filters=[port 80]
interface=[port3]
2024-08-12 12:44:24.595011 10.198.3.13.11498 -> 10.198.3.30.80: syn 2544364718
2024-08-12 12:44:24.595438 10.198.3.30.80 -> 10.198.3.13.11498: syn 3382863383 ack 2544364719
2024-08-12 12:44:24.595475 10.198.3.13.11498 -> 10.198.3.30.80: ack 3382863384
2024-08-12 12:44:24.595539 10.198.3.13.11498 -> 10.198.3.30.80: psh 2544364719 ack 3382863384
2024-08-12 12:44:24.595751 10.198.3.30.80 -> 10.198.3.13.11498: ack 2544364966
2024-08-12 12:44:24.595964 10.198.3.30.80 -> 10.198.3.13.11498: fin 3382863384 ack 2544364966
2024-08-12 12:44:24.596152 10.198.3.13.11498 -> 10.198.3.30.80: ack 3382863385
2024-08-12 12:44:24.597151 10.198.3.13.11498 -> 10.198.3.30.80: fin 2544364966 ack 3382863385
2024-08-12 12:44:24.597390 10.198.3.30.80 -> 10.198.3.13.11498: ack 2544364967
Tlog:
v015xxxxdate=2024-08-12 time=14:44:24 log_id=30000001 msg_id=000009801326 device_id=FVVM08TM22000169 eventtime=1723466664596821115 vd="root" timezone="(GMT+1:00)Belgrade,Bratislava,Budapest,Ljubljana,Prague" timezone_dayst="GMTb-2" type=traffic subtype="http" pri=notice proto=tcp service=http status=success reason=none policy="lab_spolicy" original_src=172.26.48.4 src=172.26.48.4 src_port=58724 dst=10.198.3.30 dst_port=80 http_request_time=1 http_response_time=0 http_request_bytes=85 http_response_bytes=0 http_method=get http_url="/reset" http_agent="curl/8.6.0" http_retcode=0 msg="HTTP get request from 172.26.48.4:58724 to 10.198.3.30:80" original_srccountry="Reserved" srccountry="Reserved" content_switch_name="none" server_pool_name="vl198_spool" http_host="vip1.internal.lab" user_name="Unknown" http_refer="none" http_version="1.x" dev_id=B46180B85F6C0371E745576918307A3C9C56 cipher_suite="none" x509_cert_subject="none"
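As an added example (not part of the Fortinet article), a small Python triage script that parses tlog key=value lines and lists the entries with http_retcode=0, with the fields an analyst needs to match each one against a server-side capture as in Steps 2 and 3. It assumes the leading log-format prefix ("v015xxxx" in the article) has been stripped, and uses shortened copies of the article's three tlog lines as constructed sample input.

```python
import re
from collections import Counter
from typing import Dict, List

# One key=value token: the value is either a double-quoted string (may contain spaces)
# or a bare run of non-space characters.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_tlog(line: str) -> Dict[str, str]:
    """Parse one FortiWeb tlog line into a field -> value dict (quotes stripped).
    Assumes the leading log-format prefix (the 'v015xxxx' in the article) was removed."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in KV_RE.findall(line)}

def is_no_response(rec: Dict[str, str]) -> bool:
    """True when FortiWeb logged http_retcode=0: the connection was closed (client
    timeout or RS FIN) before a real status line was relayed to the client."""
    return rec.get("type") == "traffic" and rec.get("http_retcode") == "0"

def triage(lines: List[str]) -> Dict[str, object]:
    """Collect retcode-0 events with the fields needed to find them in a server-side
    capture, plus a count per server pool to spot a dead backend quickly."""
    events, per_pool = [], Counter()
    for line in lines:
        rec = parse_tlog(line)
        if not is_no_response(rec):
            continue
        per_pool[rec.get("server_pool_name", "?")] += 1
        events.append({
            "time": f'{rec.get("date")} {rec.get("time")}',
            "client": f'{rec.get("src")}:{rec.get("src_port")}',
            "backend": f'{rec.get("dst")}:{rec.get("dst_port")}',
            "pool": rec.get("server_pool_name"),
            "url": rec.get("http_url"),
            "resp_bytes": int(rec.get("http_response_bytes", "0")),
            "req_time": int(rec.get("http_request_time", "0")),
        })
    return {"events": events, "per_pool": dict(per_pool)}

# Constructed sample: the article's three tlog lines, trimmed to the fields used here.
SAMPLE = [
    'date=2024-08-13 time=12:26:50 type=traffic src=172.26.167.21 src_port=56454 dst=10.198.3.30 dst_port=80 http_request_time=5 http_response_bytes=347 http_url="/" http_retcode=200 server_pool_name="vl198_spool"',
    'date=2024-08-13 time=12:14:31 type=traffic src=172.26.167.21 src_port=56149 dst=10.198.3.30 dst_port=8099 http_request_time=1 http_response_bytes=0 http_url="/" http_retcode=0 server_pool_name="vl198_dummy"',
    'date=2024-08-12 time=14:44:24 type=traffic src=172.26.48.4 src_port=58724 dst=10.198.3.30 dst_port=80 http_request_time=1 http_response_bytes=0 http_url="/reset" http_retcode=0 server_pool_name="vl198_spool"',
]

if __name__ == "__main__":
    result = triage(SAMPLE)
    for ev in result["events"]:
        print(ev)
    print("retcode-0 events per server pool:", result["per_pool"])
```

The tlog alone does not say which side closed the connection; the per-event client/backend tuple is what you match against the diag sniffer output on the server-side port to tell Step 2 from Step 3.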