Chapter 1 What’s New for FortiOS 5.2.1 : Logging and Reporting : Traffic and UTM Logging Improvements
  
Traffic and UTM Logging Improvements
Traffic and UTM Logging has been simplified in FortiOS 5.2 by making the following changes:
Removing all overlapping fields between the UTM Logs and Traffic Logs, with the exception of the common fields sessionid, vd, user, and group, and application control critical info, which will be present in both the Traffic Log and Application log.
Fields have been renamed so that they are the same in all logs.
Some rarely used fields were removed; for example, profiletype.
The action field reflects the Firewall action (accept or deny). This will allow you to see from the traffic logs if the session was allowed or blocked and whether it was allowed or blocked by the firewall or by a security feature. If it was a security feature, you will need to look at the UTM logs to determine which feature blocked the traffic.
The field utmaction is set to the most severe action across all security features. The severity from highest to lowest is: Block, Reset, Traffic Shape, Allow.
You can now drill-down from a traffic log to its corresponding UTM logs.
extended-utm-log and log options for security profiles have been removed.
Log roll logic has been rewritten so that the traffic log file and its related UTM log files are rolled together. Uploadd will pack these files together to send to a FortiAnalyzer unit.
An anomaly log category has been added to separate anomaly logs from IPS logs.
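The sketch below shows how the action, utmaction and sessionid fields described above can be combined to triage sessions from exported logs. It is an added example, not Fortinet code. The log lines are constructed, and the key=value layout, the type and subtype fields, and the exact value spellings are assumptions.

```python
import re
from collections import defaultdict

# Severity order from the page, highest first; exact log strings are assumed.
SEVERITY = ["block", "reset", "traffic-shape", "allow"]
BLOCKING = ("block", "reset")  # assumption: both of these stop the session

# Constructed sample lines, not real device output.
SAMPLE = """\
type=traffic vd="root" sessionid=1001 user="alice" action=accept utmaction=block
type=utm subtype=webfilter vd="root" sessionid=1001 user="alice" action=block
type=utm subtype=app-ctrl vd="root" sessionid=1001 user="alice" action=allow
type=traffic vd="root" sessionid=1002 user="bob" action=deny
type=traffic vd="root" sessionid=1003 user="carol" action=accept utmaction=allow
type=utm subtype=app-ctrl vd="root" sessionid=1003 user="carol" action=allow
"""

def parse_kv(line):
    """Parse key=value pairs; values may be double-quoted."""
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', line)
    return {key: quoted or bare for key, quoted, bare in pairs}

def most_severe(actions):
    """Return the highest-severity known action, or None if there is none."""
    known = [a for a in actions if a in SEVERITY]
    return min(known, key=SEVERITY.index) if known else None

def explain_sessions(text):
    """Give each traffic log a verdict and list the UTM logs that explain it."""
    traffic, utm = [], defaultdict(list)
    for line in text.splitlines():
        rec = parse_kv(line)
        key = (rec.get("vd"), rec.get("sessionid"))  # fields common to both logs
        if rec.get("type") == "traffic":
            traffic.append((key, rec))
        elif rec.get("type") == "utm":
            utm[key].append(rec)
    report = {}
    for key, rec in traffic:
        related = utm.get(key, [])
        verdict = ("blocked by firewall policy" if rec.get("action") == "deny"
                   else "blocked by security feature"
                   if rec.get("utmaction") in BLOCKING else "allowed")
        report[key] = {
            "verdict": verdict,
            "blocking_features": [u.get("subtype") for u in related
                                  if u.get("action") in BLOCKING],
            "utmaction_consistent": rec.get("utmaction")
            == most_severe(u.get("action") for u in related),
        }
    return report
```

A false utmaction_consistent value means the UTM logs on hand do not account for the traffic log's utmaction, for example because the related UTM log file was not collected alongside the traffic log file.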