Ciao, we are evaluating a fresh install of ManageEngine Firewall Analyzer 8 on Ubuntu Linux 12.04 32-bit.
One of our most important goals is to check bandwidth usage by protocol.
At this time we use Firewall Analyzer only for reporting purposes and are not receiving any data automatically.
We manually imported into the analyzer many daily logs from our syslogd server, which receives the logs of our Fortigate 60D, Firmware Version v5.0,build0252 (GA Patch 5).
On the Fortigate all policies have "set logtraffic all", in "config log syslogd filter" all types are enabled, and in "config log eventfilter" everything is set to enable.
All reports for any selected day show an "inconsistent" value for Inbound/Outbound Traffic: less than 20Mb, and we know for certain we have much more traffic in a day.
Firewall Analyzer correctly calculates all data collected from the syslog import, so we took a deep look at the log data generated by the Fortigate.
We made a test: we used a computer at home to download (ftp get) a huge file (size 670.347.264 bytes) from our internal LAN ftp server. The file transfer took about 50 minutes.
Looking at the syslogd logs from the Fortigate, we found that during the 50-minute period there are only six log records related to the Internet source IP we used as the client for the FTP get;
moreover, the totals of the fields sentbyte (17165) and rcvdbyte (416948) are very different from the size of the file we transferred.
We opened a ticket with Fortinet Support asking why the Fortigate's logs don't record all data traffic. This is the reply:
______________________________________________________
Dear Customer,
On syslogd, transfer records are not stored; this is the reason why you see only the records related to when you logged in, when you made an inquiry to that server, when the session was over, etc.
The session is defined by when it was initiated and when it was over; it does not give you the information about what exactly you have been doing (uploading/downloading) and how big the file you transferred/downloaded was.
The bytes you noticed are normal: each byte is added when authenticated, when you browse (if a link is stored on a different server), when some scripts run in the background, etc.
There is nothing wrong with what you observed.
______________________________________________________
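As an added check (example code, not from the original post nor from Fortinet or ManageEngine): parse FortiGate-style key=value syslog lines, total sentbyte/rcvdbyte per source IP, and compare the result with a transfer of known size, which is the test described above. The sample lines are constructed so that the client's totals match the post's figures; apart from sentbyte and rcvdbyte, the field names (srcip, dstip, srcintf, sessionid, duration, action) are assumed FortiGate names.

```python
import re
from collections import defaultdict

# Constructed sample lines in the FortiOS key=value syslog style. Only sentbyte and
# rcvdbyte come from the post; srcip, dstip, srcintf, sessionid, duration and action
# are assumed FortiGate field names, and every value here is made up.
SAMPLE_LOGS = """\
date=2014-03-10 time=10:00:01 devname=FG60D type=traffic subtype=forward srcintf="wan1" dstintf="internal" srcip=203.0.113.25 dstip=192.0.2.10 sessionid=1001 duration=3 sentbyte=512 rcvdbyte=1200 action=close
date=2014-03-10 time=10:00:05 devname=FG60D type=traffic subtype=forward srcintf="wan1" dstintf="internal" srcip=203.0.113.25 dstip=192.0.2.10 sessionid=1002 duration=2 sentbyte=300 rcvdbyte=900 action=close
date=2014-03-10 time=10:48:30 devname=FG60D type=traffic subtype=forward srcintf="wan1" dstintf="internal" srcip=203.0.113.25 dstip=192.0.2.10 sessionid=1003 duration=2900 sentbyte=16353 rcvdbyte=414848 action=close
date=2014-03-10 time=10:20:00 devname=FG60D type=traffic subtype=forward srcintf="wan1" dstintf="internal" srcip=198.51.100.7 dstip=192.0.2.20 sessionid=1004 duration=10 sentbyte=4000 rcvdbyte=60000 action=close
"""

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split one key=value syslog line into a dict, stripping quotes from values."""
    return {key: value.strip('"') for key, value in _KV.findall(line)}


def bytes_by_srcip(log_text):
    """Count traffic records and sum sentbyte/rcvdbyte for each source IP."""
    totals = defaultdict(lambda: {"records": 0, "sentbyte": 0, "rcvdbyte": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("type") != "traffic" or "srcip" not in rec:
            continue  # event/UTM records carry no byte counters for this purpose
        entry = totals[rec["srcip"]]
        entry["records"] += 1
        entry["sentbyte"] += int(rec.get("sentbyte", 0))
        entry["rcvdbyte"] += int(rec.get("rcvdbyte", 0))
    return dict(totals)


def log_coverage(log_text, srcip, expected_bytes):
    """Compare the bytes the logs attribute to srcip with a transfer of known size.

    A coverage far below 1.0 means the session records do not carry the payload
    volume, so a report built from them will understate bandwidth usage.
    """
    entry = bytes_by_srcip(log_text).get(
        srcip, {"records": 0, "sentbyte": 0, "rcvdbyte": 0})
    logged = entry["sentbyte"] + entry["rcvdbyte"]
    return {"records": entry["records"], "logged_bytes": logged,
            "coverage": logged / expected_bytes}


if __name__ == "__main__":
    # The post's FTP download: 670.347.264 bytes, yet the logs total only 434113.
    print(log_coverage(SAMPLE_LOGS, "203.0.113.25", 670_347_264))
```

Running the same check against a day of real syslogd export, with the transfer size taken from the FTP server's own log, shows whether the firewall's session records can ever reproduce the volume a per-protocol bandwidth report needs.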