March 23, 2009

Technical Tip: FortiGate log information: traffic log with firewall policy of 0 (zero) 'policyid=0'

Description This article describes in which situations the FortiGate will log a firewall policy of 0 (zero) in traffic logs.
Scope FortiGate.
Solution

When viewing the FortiGate logs, you may find an entry indicating policyid="0". For example:

 

2008-10-06 00:13:49 log_id=0022013001 type=traffic subtype=violation pri=warning vd=root SN=179089 duration=0 user=N/A group=N/A rule=0 policyid=0 proto=17 service=137/udp app_type=N/A status=deny src=10.181.77.73 srcname=10.181.77.73 dst=10.128.1.161 dstname=10.128.1.161 src_int=N/A dst_int="Internal" sent=0 rcvd=0 src_port=137 dst_port=137 vpn=N/A tran_ip=0.0.0.0 tran_port=0

 

Any firewall policy that the FortiGate unit adds automatically (as opposed to a policy configured by an administrator) is reported in the logs with a policy ID of 0. A policyid=0 entry is therefore not a misconfigured or missing policy; it points to one of the implicit rules listed below.

 

The following are the most common cases in which the FortiGate unit creates such an implicit policy:

  • The IPsec policy for FortiAnalyzer (and FortiManager v3.00) that is added automatically when an IPsec connection to the FortiAnalyzer (or FortiManager v3.00) unit is enabled has policy ID 0.
  • The automatically added policy that allows the FortiGate to reach the FortiGuard servers has policy ID 0.
  • When the loglocaldeny command is enabled (a global setting), connection attempts to the FortiGate's own IP addresses that are not permitted (including traffic to the network broadcast address, which FortiOS also listens on) are dropped as a violation and reported with policy ID 0 (see the sample log above).
  • When a zone is defined within a VDOM, intra-zone traffic handled by the zone's intra-zone Allow or Block setting is reported with policy ID 0, unless a regular firewall policy matched it first.
  • The implicit default deny rule at the end of the policy list, which is added automatically, has policy ID 0.

  • When IP/MAC binding is enabled on an interface, traffic from IP/MAC pairs that are not declared in the firewall IP/MAC binding table is rejected and reported with policy ID 0. Refer to the Related Articles section below for more information.

  • Traffic sourced locally by the FortiGate itself, for example server load-balancing health monitors sent toward the real servers behind the FortiGate. With the FortiGate IP 10.1.1.10 and the real server IP 172.16.33.33, the session entry looks like this:

 

state=00004204 tuple-num=2 policyid=0
dir=0 act=0 hook=3 10.1.1.10:22608->172.16.33.33:8080(0.0.0.0:0)
dir=1 act=0 hook=1 172.16.33.33:8080->10.1.1.10:22608(0.0.0.0:0)

 

Note: Starting in FortiOS 7.6, local-in traffic can be logged per local-in policy. When per-policy local-in logging is enabled, local traffic logs show the actual local-in policy ID (with policytype="local-in-policy" or policytype="local-in-policy6") instead of policyid=0, which improves attribution of accepts and denies related to administrative access and other local services.
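When triaging policyid=0 entries in bulk (for example in a SIEM), it helps to parse the key=value format and apply the cases above as a first-pass attribution. The following is an added example, not part of the original article or a Fortinet tool: it parses FortiGate key=value log lines (including quoted values such as dst_int="Internal") and labels each policyid=0 entry using the article's cases. The FortiGate interface IPs and the local subnet are assumptions passed in by the caller; the first sample line is the article's own log entry, the others are constructed here in newer key=value form (action= instead of status=) to exercise the remaining cases.

```python
"""Attribute FortiGate traffic-log entries that carry policyid=0.

Added example, not from the original article. The labels are a heuristic
derived from the cases the article lists; the FortiGate IPs and local
subnets are assumptions supplied by the caller, not read from the device.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Tuple

# key=value pairs; values may be double-quoted, e.g. dst_int="Internal"
_KV_RE = re.compile(r'(\w[\w-]*)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Parse one FortiGate key=value log line into a dict (quotes stripped)."""
    fields: Dict[str, str] = {}
    for key, value in _KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def _is_broadcast(addr: str, nets: Iterable[ipaddress.IPv4Network]) -> bool:
    """True if addr is the broadcast address of one of the given subnets."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # "N/A", empty, or a hostname
        return False
    return any(ip == n.broadcast_address for n in nets)


def classify_policy_zero(fields: Dict[str, str],
                         fortigate_ips: Iterable[str],
                         local_nets: Iterable[str]) -> str:
    """Return a short cause label for one parsed traffic log entry.

    Labels: regular-policy, local-in-policy, locally-sourced, local-in-deny,
    implicit-deny-or-other, auto-added-accept, no-policyid.
    """
    pid = fields.get("policyid")
    if pid is None:
        return "no-policyid"
    # FortiOS 7.6 per-policy local-in logging: policyid is the real local-in ID
    if fields.get("policytype", "").startswith("local-in-policy"):
        return "local-in-policy"
    if pid != "0":
        return "regular-policy"
    fg_ips = set(fortigate_ips)
    nets = [ipaddress.ip_network(n, strict=False) for n in local_nets]
    src, dst = fields.get("src", ""), fields.get("dst", "")
    # older logs carry status=, newer ones action=
    verdict = fields.get("action") or fields.get("status") or ""
    if src in fg_ips:
        return "locally-sourced"  # e.g. SLB health monitors from the unit itself
    if verdict == "deny" and (dst in fg_ips or _is_broadcast(dst, nets)):
        return "local-in-deny"  # loglocaldeny: traffic aimed at the unit
    if verdict == "deny":
        # implicit default deny, intra-zone block or IP/MAC binding:
        # the log line alone does not distinguish these three
        return "implicit-deny-or-other"
    return "auto-added-accept"  # e.g. FortiAnalyzer IPsec, FortiGuard


def attribute_lines(lines: Iterable[str], fortigate_ips: Iterable[str],
                    local_nets: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (flow, cause) pairs for each log line."""
    out = []
    for line in lines:
        f = parse_fortigate_log(line)
        flow = f"{f.get('src', '?')}->{f.get('dst', '?')}"
        out.append((flow, classify_policy_zero(f, fortigate_ips, local_nets)))
    return out


# Sample input. The first line is the article's own example; the rest are
# constructed for this example and are not real device output.
SAMPLE_LINES = [
    '2008-10-06 00:13:49 log_id=0022013001 type=traffic subtype=violation pri=warning vd=root SN=179089 duration=0 user=N/A group=N/A rule=0 policyid=0 proto=17 service=137/udp app_type=N/A status=deny src=10.181.77.73 srcname=10.181.77.73 dst=10.128.1.161 dstname=10.128.1.161 src_int=N/A dst_int="Internal" sent=0 rcvd=0 src_port=137 dst_port=137 vpn=N/A tran_ip=0.0.0.0 tran_port=0',
    'date=2024-01-15 time=10:00:00 type=traffic subtype=local policyid=0 src=10.1.1.10 dst=172.16.33.33 srcport=22608 dstport=8080 proto=6 action=accept',
    'date=2024-01-15 time=10:00:01 type=traffic subtype=local policyid=0 src=10.128.1.50 dst=10.128.1.255 proto=17 service="NETBIOS" action=deny',
    'date=2024-01-15 time=10:00:02 type=traffic subtype=forward policyid=0 src=10.128.1.50 dst=192.0.2.10 proto=6 action=deny',
    'date=2024-01-15 time=10:00:03 type=traffic subtype=local policyid=3 policytype="local-in-policy" src=198.51.100.7 dst=10.128.1.161 dstport=443 action=deny',
    'date=2024-01-15 time=10:00:04 type=traffic subtype=forward policyid=12 src=10.128.1.50 dst=192.0.2.10 proto=6 action=accept',
]
# Assumptions for the demo: the unit's own interface IPs and one local subnet.
ASSUMED_FORTIGATE_IPS = {"10.128.1.161", "10.1.1.10"}
ASSUMED_LOCAL_NETS = ["10.128.1.0/24"]

if __name__ == "__main__":
    for flow, cause in attribute_lines(SAMPLE_LINES, ASSUMED_FORTIGATE_IPS,
                                       ASSUMED_LOCAL_NETS):
        print(f"{flow:32} {cause}")
```

The "implicit-deny-or-other" label is deliberate: the implicit default deny, an intra-zone Block and an IP/MAC binding rejection all surface as policyid=0 with a deny verdict, so separating them requires the interface, zone and IP/MAC binding configuration rather than the log line alone.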

 

Related articles: