Technical Tip: Configuring a Firewall Policy with action = DENY to log unauthorized traffic, also called 'Violation Traffic'
Description
This article describes how to use a Firewall Policy with action = DENY to block specific traffic while allowing other traffic, and, more importantly, to log the traffic that is blocked.
Firewall policies control all traffic attempting to pass through the FortiGate unit, between FortiGate interfaces, zones, and VLAN sub-interfaces.
Firewall policies are the instructions the FortiGate unit uses to decide whether a connection is accepted and how its packets are processed. When the firewall receives the first packet of a connection, it examines the packet's source and destination interface, source address, destination address, and service (protocol and port number), and searches the policy list from top to bottom for the first policy that matches the packet.
If no Firewall Policy matches the traffic, the packets are dropped by the implicit deny. Therefore, a DENY Firewall Policy in the last position is not required merely to block unauthorized traffic; the implicit deny already does that.
A Firewall Policy with action = DENY is, however, needed when the denied traffic, also called 'violation traffic', has to be logged, because traffic dropped by the implicit deny is not logged.
Note:
Storing and viewing the log for denied traffic requires a FortiAnalyzer, a Syslog server, or a FortiGate unit with a local hard disk.
See related articles for more information about Firewall Policies.
Scope
FortiGate, NAT, or Transparent mode.
Solution
Configuring a DENY policy
In the example illustrated below from the GUI, Firewall Policies 1 and 2 allow DNS and HTTP traffic, whereas Firewall Policy 3 matches and denies ALL other traffic and logs it. Because policies are evaluated top-down and the first match wins, the DENY policy must be placed after the ACCEPT policies; if it were placed first, it would match the DNS and HTTP traffic as well.
CLI Configuration of policy 3:
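The CLI configuration itself is not reproduced on this page. The following block is an added reconstruction, not the article's original configuration, of a policy 3 that matches the sample log entry (interfaces port2 and port1 and policy ID 3 are taken from that log line; the policy name "deny-all-log" is an assumption). The option names follow current FortiOS CLI syntax; the comments mark the options that differ on the FortiOS 4.0 release the sample log was taken from (fwver=040000).

```fortios
# Added example: explicit DENY policy in last position that logs violation traffic.
# Interface names and policy ID are taken from the sample log entry on this page.
config firewall policy
    edit 3
        # 'set name' exists on FortiOS 5.6 and later; omit this line on older releases.
        set name "deny-all-log"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        # The predefined any-service object is "ALL" on FortiOS 5.0 and later; on 4.x it is "ANY".
        set service "ALL"
        # This is what turns the policy into a logging policy. On FortiOS 4.x the
        # syntax is 'set logtraffic enable'; on 5.0 and later it is 'set logtraffic all'.
        set logtraffic all
    next
end

# Check 1: confirm that a denied flow hits policy 3 and not the implicit deny (policy 0).
# The trace output for a dropped packet names the policy that denied it.
diagnose debug flow filter addr 10.160.1.10
diagnose debug flow trace start 10
diagnose debug enable
# ... generate the denied traffic, then stop tracing:
diagnose debug disable
diagnose debug flow trace stop

# Check 2: display the resulting traffic-log entries on a FortiGate with local log storage.
# Category 0 is the traffic log. The sample entry on this page uses the 4.x field
# name 'status=deny'; on 5.0 and later the field is 'action=deny'.
execute log filter category 0
execute log filter field action deny
execute log display
```

Policy 3 is intentionally the most general policy in the list (all addresses, all services), so its position at the end of the policy table is what keeps it from shadowing the ACCEPT policies above it. On FortiOS 5.x and later releases the implicit deny can also be logged without an explicit policy, with "set fwpolicy-implicit-log enable" under "config log setting"; the explicit DENY policy shown here remains useful when only part of the traffic (for example, a single interface pair) should be logged.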
Example log entry generated by policy 3, as forwarded to a Syslog server. The fields that identify it as violation traffic are type=traffic, subtype=violation and status=deny; policyid=3 and rule=3 show which policy denied the packet, and src_int/dst_int show the interface pair. Here the denied packet is an ICMP echo request (service=8/icmp, proto=1), which is why src_port and dst_port are 0:
Warning 10.160.0.110 date=2009-09-14 time=10:16:25 devname=FG300A3906550380 device_id=FG300A3906550380 log_id=0022000003 type=traffic subtype=violation pri=warning fwver=040000 status=deny vd="root" src=10.160.1.10 srcname=10.160.1.10 src_port=0 dst=4.2.2.1 dstname=10.2.2.1 dst_port=0 service=8/icmp proto=1 app_type=N/A duration=0 rule=3 policyid=3 sent=0 rcvd=0 vpn="N/A" src_int="port2" dst_int="port1" SN=12215 user="N/A" group="N/A" carrier_ep="N/A"
