Fortinet black logo

Handbook

Using the traffic log

Using the traffic log

The Traffic Log table displays logs related to traffic served by the FortiADC deployment.

By default, the log is filtered to display Server Load Balancing - Layer 4 traffic logs, and the table lists the most recent records first.

You can use the following category filters to review logs of interest:

  • SLB Layer 4—Traffic served by Layer-4 virtual servers
  • SLB HTTP—Traffic served by virtual servers with HTTP profiles
  • SLB TCPS—Traffic served by virtual servers with TCPS profiles
  • SLB RADIUS—Traffic served by virtual servers with RADIUS profiles
  • GLB—Traffic served by global load balancing policies
  • SLB SIP—Traffic served by virtual servers with SIP profiles
  • SLB RDP—Traffic served by virtual servers with RDP profiles
  • SLB DNS —Traffic served by virtual servers with DNS profiles
  • SLB RTSP —Traffic served by virtual servers with RTSP profiles
  • SLB SMTP —Traffic served by virtual servers with SMTP profiles
  • SLB RTMP—Traffic served by virtual servers with RTMP profiles
  • SLB DIAMETER—Traffic served by Diameter profiles
  • SLB MySQL—Traffic served by MySQL profiles.
  • LLB — Traffic served by LLB profiles.

Within each category, you can use Filter Setting controls to filter the table based on the values of matching data:

  • Date
  • Time
  • Proto
  • Service
  • Src
  • Src_port
  • Dst
  • Dst_port
  • Policy
  • Action

The last column in each table includes a link to log details.

Before you begin:

  • You must have Read-Write permission for Log & Report settings.
To view and filter the log:
  1. Go to Log & Report > Log Access > Traffic Logs to display the traffic log.
  2. Click Filter Settings to display the filter tools.
  3. Use the tools to filter on key columns and values.
  4. Click Apply to apply the filter and redisplay the log.

SLB Layer 4 and SLB TCPS logs to GLB log list the log columns in the order in which they appear in the log.

SLB Layer 4 and SLB TCPS logs

Column Example Description
date date=2014-12-01 Log date.
time time=07:50:36 Log time.
log_id log_id=0102007810 Log ID.
type type=traffic Log type.
subtype subtype=slb_tcps Log subtype: slb_layer4, slb_tcps.
pri pri=information Log level.
vd vd=root Virtual domain.
msg_id msg_id=522030 Message ID.
duration duration=55 Session duration.
ibytes ibytes=138 Bytes in.
obytes obytes=303 Bytes out.
proto proto=6 Protocol.
service service=tcps Service.
src src=31.1.1.103 Source IP address in traffic received by FortiADC.
src_port src_port=5534 Source port.
dst dst=21.1.1.101 Destination IP address in traffic received by FortiADC (IP address of the virtual server).
dst_port dst_port=443 Destination port.
trans_src trans_src=31.1.1.103 Source IP address in packet sent from FortiADC. Address might have been translated.
trans_src_port trans_src_port=5534 Source port in packet sent from FortiADC.
trans_dst trans_dst=21.1.1.101 Destination IP address in packet sent from FortiADC (IP address of the real server).
trans_dst_port trans_dst_port=443 Destination port in packet sent from FortiADC.
policy policy=L7vs Virtual server name.
action action=none For most logs, action=none.
srccountry srccountry=Reserved Location of the source IP address.
dstcountry dstcountry=Reserved Location of the destination IP address.
real_server real_server=2_2_2_10 Real server configured name.

SLB HTTP logs

Column Example Description
date date=2014-12-01 Log date.
time time=07:50:36 Log time.
log_id log_id=0102007810 Log ID.
type type=traffic Log type.
subtype subtype=slb_http Log subtype: slb_http.
pri pri=information Log level.
vd vd=root Virtual domain.
msg_id msg_id=522030 Message ID.
duration duration=55 Session duration.
ibytes ibytes=138 Bytes in.
obytes obytes=303 Bytes out.
proto proto=6 Protocol.
service service=http Service.
src src=31.1.1.103 Source IP address in traffic received by FortiADC.
src_port src_port=5534 Source port.
dst dst=21.1.1.101 Destination IP address in traffic received by FortiADC (IP address of the virtual server).
dst_port dst_port=443 Destination port.
trans_src trans_src=31.1.1.103 Source IP address in packet sent from FortiADC. Address might have been translated.
trans_src_port trans_src_port=5534 Source port in packet sent from FortiADC.
trans_dst trans_dst=21.1.1.101 Destination IP address in packet sent from FortiADC (IP address of the real server).
trans_dst_port trans_dst_port=443 Destination port in packet sent from FortiADC.
policy policy=L7vs Virtual server name.
action action=none For most logs, action=none.
http_method http_method=get HTTP method.
http_host http_host=10.61.2.100 Host IP address.
http_agent http_agent=curl/7.29.0 HTTP agent.
http_url= http_url=/ip.php Base URL.
http_qry http_qry=unknown URL parameters after the base URL.
http_cookie http_cookie=unknown Cookie name.
http_retcode http_retcode=200 HTTP return code.
user user=user1 User name.
usergrp usergrp=companyABC User group.
auth_status auth_status=success Authentication success/failure.
srccountry srccountry=Reserved Location of the source IP address.
dstcountry dstcountry=Reserved Location of the destination IP address.
real_server real_server=2_2_2_10 Real server configured name.

SLB RADIUS log

Column Example Description
date date=2014-12-01 Log date.
time time=07:50:36 Log time.
log_id log_id=0102007810 Log ID.
type type=traffic Log type.
subtype subtype=slb_radius. Log subtype: slb_radius.
pri pri=information Log level.
vd vd=root Virtual domain.
msg_id msg_id=522030 Message ID.
duration duration=55 Session duration.
ibytes ibytes=138 Bytes in.
obytes obytes=303 Bytes out.
proto proto=6 Protocol.
service service=radius Service.
src src=31.1.1.103 Source IP address in traffic received by FortiADC.
src_port src_port=5534 Source port.
dst dst=21.1.1.101 Destination IP address in traffic received by FortiADC (IP address of the virtual server).
dst_port dst_port=443 Destination port.
trans_src trans_src=31.1.1.103 Source IP address in packet sent from FortiADC. Address might have been translated.
trans_src_port trans_src_port=5534 Source port in packet sent from FortiADC.
trans_dst trans_dst=21.1.1.101 Destination IP address in packet sent from FortiADC (IP address of the real server).
trans_dst_port trans_dst_port=443 Destination port in packet sent from FortiADC.
policy policy=L7vs Virtual server name.
action action=none For RADIUS, action=auth or acct.
user user=user1 RADIUS accounting username.
srccountry srccountry=Reserved Location of the source IP address.
dstcountry dstcountry=Reserved Location of the destination IP address.
real_server real_server=2_2_2_10 Real server configured name.

SLB RDP logs

Column Example Description
date date=2016-03-18 Log date.
time time=11:48:29 Log time.
log_id log_id=107005800 Log ID.
type type=traffic Log type.
subtype subtype=slb_rdp Log subtype: slb_rdp.
pri pri=information Log level.
vd vd=root Virtual domain.
msg_id msg_id=1321705 Message ID.
duration duration=2 Session duration.
ibytes ibytes=92 Bytes in.
obytes obytes=400 Bytes out.
proto proto=6 Protocol.
service service=http Service.
src src=192.168.1.1 Source IP address in traffic received by FortiADC.
src_port src_port=37869 Source port.
dst dst=192.168.1.142 Destination IP address in traffic received by FortiADC (IP address of the virtual server).
dst_port dst_port=8080 Destination port.
trans_src trans_src=2.2.2.2 Source IP address in packet sent from FortiADC. Address might have been translated.
trans_src_port trans_src_port=58661 Source port in packet sent from FortiADC.
trans_dst trans_dst=2.2.2.10 Destination IP address in packet sent from FortiADC (IP address of the real server).
trans_dst_port trans_dst_port=80 Destination port in packet sent from FortiADC.
policy policy=vs-l7 Virtual server name.
action action=none For most logs, action=none.
srccountry srccountry=Reserved Location of the source IP address.
dstcountry dstcountry=Reserved Location of the destination IP address.
real_server real_server=r_22210 Real server configured name.

SLB SIP logs

Column Example Description
date date=2016-01-29 Log date.
time time=18:06:48 Log time.
log_id log_id=0106001134 Log ID.
type type=traffic Log type.
subtype subtype=slb_sip Log subtype: slb_sip.
pri pri=information Log level.
vd vd=root Virtual domain.
msg_id msg_id=154799 Message ID.
duration duration=1 Session duration.
ibytes ibytes=44346 Bytes in.
obytes obytes=2.2.2.10 Bytes out.
proto proto=6 Protocol.
service service=http Service.
src src=N/A Source IP address in traffic received by FortiADC.
src_port src_port=43672 Source port.
dst dst=192.168.1.142 Destination IP address in traffic received by FortiADC (IP address of the virtual server).
dst_port dst_port=8080 Destination port.
trans_src trans_src=2.2.2.2 Source IP address in packet sent from FortiADC. Address might have been translated.
trans_src_port trans_src_port=80 Source port in packet sent from FortiADC.
trans_dst trans_dst=N/A Destination IP address in packet sent from FortiADC (IP address of the real server).
trans_dst_port trans_dst_port=none Destination port in packet sent from FortiADC.
policy policy=invite Virtual server name.
action action=sip: bob@1.1.1.1 v2.0 Invite sent to.
sip_method sip_method=from: alice@2.2.2.2 Invite sent from.
sip_uri sip_uri=to: server@3.3.3.3 SIP server IP address.
sip_from sip_from=callid:1111111 SIP call ID.
sip_to sip_to=200
sip_callid sip_callid=Reserved Reserved.
sip_retcode sip_retcode=Reserved Reserved.
srccountry srccountry=Reserved Location of the source IP address.
dstcountry dstcountry=Reserved Location of the destination IP address.
real_server real_server=2_2_2_10 Real server configured name.

GLB log

Column Example Description
date date=2014-12-01 Log date.
time time=07:50:36 Log time.
log_id log_id=0102007810 Log ID.
type type=traffic Log type.
subtype subtype=dns Log subtype: dns.
pri pri=information Log severity.
vd vd=root Virtual domain.
msg_id msg_id=522030 Message ID.
proto proto=6 Protocol.
src src=31.1.1.103 Source IP address.
src_port src_port=5534 Source port.
dst dst=21.1.1.101 Destination IP address.
dst_port dst_port=443 Destination port.
policy policy=policy Global load balancing policy name.
action action=none For most logs, action=none.
fqdn fqdn=pool.ntp.org FQDN from client request.
resip resip=4.53.160.75 DNS response IP address.
srccountry srccountry=Reserved Location of the source IP address.
dstcountry dstcountry=Reserved Location of the destination IP address.

LLB log

Column Example Description
date date=2014-12-01 Log date.
time time=07:50:36 Log time.
log_id log_id=0114000000 Log ID.
type type=traffic Log type.
subtype subtype=llb Log subtype: llb
pri pri=information Log severity.
vd vd=root Virtual domain.
msg_id msg_id=522030 Message ID.
duration duration=120 Session duration
ibytes ibytes=1131 Bytes in
obytes obytes=492 Bytes out
proto proto=6 Protocol.
src src=31.1.1.103 Source IP address.
src_port src_port=5534 Source port.
dst dst=21.1.1.101 Destination IP address.
dst_port dst_port=443 Destination port.
policy policy=Link_Policy Link Policy.
action action=vtunnel Group Type (Link Group or Virtual Tunnel) in Link Group
srrcountry srrcountry=Japan Location of the source IP address
dstcountry dstcountry=France location of the destination IP address
gateway gateway=none Gateway in Link Group

Using the traffic log

Using the traffic log

The Traffic Log table displays logs related to traffic served by the FortiADC deployment.

By default, the log is filtered to display Server Load Balancing - Layer 4 traffic logs, and the table lists the most recent records first.

You can use the following category filters to review logs of interest:

  • SLB Layer 4—Traffic served by Layer-4 virtual servers
  • SLB HTTP—Traffic served by virtual servers with HTTP profiles
  • SLB TCPS—Traffic served by virtual servers with TCPS profiles
  • SLB RADIUS—Traffic served by virtual servers with RADIUS profiles
  • GLB—Traffic served by global load balancing policies
  • SLB SIP—Traffic served by virtual servers with SIP profiles
  • SLB RDP—Traffic served by virtual servers with RDP profiles
  • SLB DNS —Traffic served by virtual servers with DNS profiles
  • SLB RTSP —Traffic served by virtual servers with RTSP profiles
  • SLB SMTP —Traffic served by virtual servers with SMTP profiles
  • SLB RTMP—Traffic served by virtual servers with RTMP profiles
  • SLB DIAMETER—Traffic served by Diameter profiles
  • SLB MySQL—Traffic served by MySQL profiles.
  • LLB — Traffic served by LLB profiles.

Within each category, you can use Filter Setting controls to filter the table based on the values of matching data:

  • Date
  • Time
  • Proto
  • Service
  • Src
  • Src_port
  • Dst
  • Dst_port
  • Policy
  • Action

The last column in each table includes a link to log details.

Before you begin:

  • You must have Read-Write permission for Log & Report settings.
To view and filter the log:
  1. Go to Log & Report > Log Access > Traffic Logs to display the traffic log.
  2. Click Filter Settings to display the filter tools.
  3. Use the tools to filter on key columns and values.
  4. Click Apply to apply the filter and redisplay the log.

SLB Layer 4 and SLB TCPS logs to GLB log list the log columns in the order in which they appear in the log.

SLB Layer 4 and SLB TCPS logs

Column Example Description
date date=2014-12-01 Log date.
time time=07:50:36 Log time.
log_id log_id=0102007810 Log ID.
type type=traffic Log type.
subtype subtype=slb_tcps Log subtype: slb_layer4, slb_tcps.
pri pri=information Log level.
vd vd=root Virtual domain.
msg_id msg_id=522030 Message ID.
duration duration=55 Session duration.
ibytes ibytes=138 Bytes in.
obytes obytes=303 Bytes out.
proto proto=6 Protocol.
service service=tcps Service.
src src=31.1.1.103 Source IP address in traffic received by FortiADC.
src_port src_port=5534 Source port.
dst dst=21.1.1.101 Destination IP address in traffic received by FortiADC (IP address of the virtual server).
dst_port dst_port=443 Destination port.
trans_src trans_src=31.1.1.103 Source IP address in packet sent from FortiADC. Address might have been translated.
trans_src_port trans_src_port=5534 Source port in packet sent from FortiADC.
trans_dst trans_dst=21.1.1.101 Destination IP address in packet sent from FortiADC (IP address of the real server).
trans_dst_port trans_dst_port=443 Destination port in packet sent from FortiADC.
policy policy=L7vs Virtual server name.
action action=none For most logs, action=none.
srccountry srccountry=Reserved Location of the source IP address.
dstcountry dstcountry=Reserved Location of the destination IP address.
real_server real_server=2_2_2_10 Real server configured name.

SLB HTTP logs

Column Example Description
date date=2014-12-01 Log date.
time time=07:50:36 Log time.
log_id log_id=0102007810 Log ID.
type type=traffic Log type.
subtype subtype=slb_http Log subtype: slb_http.
pri pri=information Log level.
vd vd=root Virtual domain.
msg_id msg_id=522030 Message ID.
duration duration=55 Session duration.
ibytes ibytes=138 Bytes in.
obytes obytes=303 Bytes out.
proto proto=6 Protocol.
service service=http Service.
src src=31.1.1.103 Source IP address in traffic received by FortiADC.
src_port src_port=5534 Source port.
dst dst=21.1.1.101 Destination IP address in traffic received by FortiADC (IP address of the virtual server).
dst_port dst_port=443 Destination port.
trans_src trans_src=31.1.1.103 Source IP address in packet sent from FortiADC. Address might have been translated.
trans_src_port trans_src_port=5534 Source port in packet sent from FortiADC.
trans_dst trans_dst=21.1.1.101 Destination IP address in packet sent from FortiADC (IP address of the real server).
trans_dst_port trans_dst_port=443 Destination port in packet sent from FortiADC.
policy policy=L7vs Virtual server name.
action action=none For most logs, action=none.
http_method http_method=get HTTP method.
http_host http_host=10.61.2.100 Host IP address.
http_agent http_agent=curl/7.29.0 HTTP agent.
http_url= http_url=/ip.php Base URL.
http_qry http_qry=unknown URL parameters after the base URL.
http_cookie http_cookie=unknown Cookie name.
http_retcode http_retcode=200 HTTP return code.
user user=user1 User name.
usergrp usergrp=companyABC User group.
auth_status auth_status=success Authentication success/failure.
srccountry srccountry=Reserved Location of the source IP address.
dstcountry dstcountry=Reserved Location of the destination IP address.
real_server real_server=2_2_2_10 Real server configured name.

SLB RADIUS log

Column Example Description
date date=2014-12-01 Log date.
time time=07:50:36 Log time.
log_id log_id=0102007810 Log ID.
type type=traffic Log type.
subtype subtype=slb_radius. Log subtype: slb_radius.
pri pri=information Log level.
vd vd=root Virtual domain.
msg_id msg_id=522030 Message ID.
duration duration=55 Session duration.
ibytes ibytes=138 Bytes in.
obytes obytes=303 Bytes out.
proto proto=6 Protocol.
service service=radius Service.
src src=31.1.1.103 Source IP address in traffic received by FortiADC.
src_port src_port=5534 Source port.
dst dst=21.1.1.101 Destination IP address in traffic received by FortiADC (IP address of the virtual server).
dst_port dst_port=443 Destination port.
trans_src trans_src=31.1.1.103 Source IP address in packet sent from FortiADC. Address might have been translated.
trans_src_port trans_src_port=5534 Source port in packet sent from FortiADC.
trans_dst trans_dst=21.1.1.101 Destination IP address in packet sent from FortiADC (IP address of the real server).
trans_dst_port trans_dst_port=443 Destination port in packet sent from FortiADC.
policy policy=L7vs Virtual server name.
action action=none For RADIUS, action=auth or acct.
user user=user1 RADIUS accounting username.
srccountry srccountry=Reserved Location of the source IP address.
dstcountry dstcountry=Reserved Location of the destination IP address.
real_server real_server=2_2_2_10 Real server configured name.

SLB RDP logs

Column Example Description
date date=2016-03-18 Log date.
time time=11:48:29 Log time.
log_id log_id=107005800 Log ID.
type type=traffic Log type.
subtype subtype=slb_rdp Log subtype: slb_rdp.
pri pri=information Log level.
vd vd=root Virtual domain.
msg_id msg_id=1321705 Message ID.
duration duration=2 Session duration.
ibytes ibytes=92 Bytes in.
obytes obytes=400 Bytes out.
proto proto=6 Protocol.
service service=http Service.
src src=192.168.1.1 Source IP address in traffic received by FortiADC.
src_port src_port=37869 Source port.
dst dst=192.168.1.142 Destination IP address in traffic received by FortiADC (IP address of the virtual server).
dst_port dst_port=8080 Destination port.
trans_src trans_src=2.2.2.2 Source IP address in packet sent from FortiADC. Address might have been translated.
trans_src_port trans_src_port=58661 Source port in packet sent from FortiADC.
trans_dst trans_dst=2.2.2.10 Destination IP address in packet sent from FortiADC (IP address of the real server).
trans_dst_port trans_dst_port=80 Destination port in packet sent from FortiADC.
policy policy=vs-l7 Virtual server name.
action action=none For most logs, action=none.
srccountry srccountry=Reserved Location of the source IP address.
dstcountry dstcountry=Reserved Location of the destination IP address.
real_server real_server=r_22210 Real server configured name.

SLB SIP logs

Column Example Description
date date=2016-01-29 Log date.
time time=18:06:48 Log time.
log_id log_id=0106001134 Log ID.
type type=traffic Log type.
subtype subtype=slb_sip Log subtype: slb_sip.
pri pri=information Log level.
vd vd=root Virtual domain.
msg_id msg_id=154799 Message ID.
duration duration=1 Session duration.
ibytes ibytes=44346 Bytes in.
obytes obytes=2.2.2.10 Bytes out.
proto proto=6 Protocol.
service service=http Service.
src src=N/A Source IP address in traffic received by FortiADC.
src_port src_port=43672 Source port.
dst dst=192.168.1.142 Destination IP address in traffic received by FortiADC (IP address of the virtual server).
dst_port dst_port=8080 Destination port.
trans_src trans_src=2.2.2.2 Source IP address in packet sent from FortiADC. Address might have been translated.
trans_src_port trans_src_port=80 Source port in packet sent from FortiADC.
trans_dst trans_dst=N/A Destination IP address in packet sent from FortiADC (IP address of the real server).
trans_dst_port trans_dst_port=none Destination port in packet sent from FortiADC.
policy policy=invite Virtual server name.
action action=sip: bob@1.1.1.1 v2.0 Invite sent to.
sip_method sip_method=from: alice@2.2.2.2 Invite sent from.
sip_uri sip_uri=to: server@3.3.3.3 SIP server IP address.
sip_from sip_from=callid:1111111 SIP call ID.
sip_to sip_to=200
sip_callid sip_callid=Reserved Reserved.
sip_retcode sip_retcode=Reserved Reserved.
srccountry srccountry=Reserved Location of the source IP address.
dstcountry dstcountry=Reserved Location of the destination IP address.
real_server real_server=2_2_2_10 Real server configured name.

GLB log

Column Example Description
date date=2014-12-01 Log date.
time time=07:50:36 Log time.
log_id log_id=0102007810 Log ID.
type type=traffic Log type.
subtype subtype=dns Log subtype: dns.
pri pri=information Log severity.
vd vd=root Virtual domain.
msg_id msg_id=522030 Message ID.
proto proto=6 Protocol.
src src=31.1.1.103 Source IP address.
src_port src_port=5534 Source port.
dst dst=21.1.1.101 Destination IP address.
dst_port dst_port=443 Destination port.
policy policy=policy Global load balancing policy name.
action action=none For most logs, action=none.
fqdn fqdn=pool.ntp.org FQDN from client request.
resip resip=4.53.160.75 DNS response IP address.
srccountry srccountry=Reserved Location of the source IP address.
dstcountry dstcountry=Reserved Location of the destination IP address.

LLB log

Column Example Description
date date=2014-12-01 Log date.
time time=07:50:36 Log time.
log_id log_id=0114000000 Log ID.
type type=traffic Log type.
subtype subtype=llb Log subtype: llb
pri pri=information Log severity.
vd vd=root Virtual domain.
msg_id msg_id=522030 Message ID.
duration duration=120 Session duration
ibytes ibytes=1131 Bytes in
obytes obytes=492 Bytes out
proto proto=6 Protocol.
src src=31.1.1.103 Source IP address.
src_port src_port=5534 Source port.
dst dst=21.1.1.101 Destination IP address.
dst_port dst_port=443 Destination port.
policy policy=Link_Policy Link Policy.
action action=vtunnel Group Type (Link Group or Virtual Tunnel) in Link Group
srrcountry srrcountry=Japan Location of the source IP address
dstcountry dstcountry=France location of the destination IP address
gateway gateway=none Gateway in Link Group