Technical Tip: How to configure the logging of denied traffic to a FortiGate interface
Description
This article describes how to configure the logging of denied traffic to a FortiGate interface.
Scope
For All FortiGate models.
Solution
Session or connection attempts made to a FortiGate interface are, by default, not logged when they are denied.
On older versions, the following could be configured so that this information was logged:
- Enable logging of the denied traffic.
FortiGate # config sys global
(global)# set loglocaldeny enable
(global)# end
It was then possible to check with 'get sys global' whether loglocaldeny was enabled.
- Create a deny policy from external to internal and check the logs.
Here is an example of such a log entry:
2004-10-20 14:06:47 log_id=0023013001 type=traffic subtype=violation pri=notice vd=root SN=651 duration=0 policyid=0 proto=6 service=19/tcp status=deny src=172.16.87.184 srcname=172.16.87.184 dst=172.16.87.183 dstname=172.16.87.183 src_int=n/a dst_int=external sent=0 rcvd=0 src_port=784 dst_port=19 vpn=n/a tran_ip=0.0.0.0 tran_port=0
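To make checking the logs less of a manual scan, here is an added Python example (not from the article or Fortinet) that parses the key=value traffic-log format shown above, keeps only the denied entries and tallies them per source, interface, protocol and port. The first sample line is the article's own entry; the other two are constructed for contrast, and treating policyid=0 as the implicit deny is an assumption made here.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample input: the first line is the entry quoted in the article, the
# other two are made up here (one accepted flow, one more denied attempt) for contrast.
SAMPLE_LOGS = [
    "2004-10-20 14:06:47 log_id=0023013001 type=traffic subtype=violation pri=notice "
    "vd=root SN=651 duration=0 policyid=0 proto=6 service=19/tcp status=deny "
    "src=172.16.87.184 srcname=172.16.87.184 dst=172.16.87.183 dstname=172.16.87.183 "
    "src_int=n/a dst_int=external sent=0 rcvd=0 src_port=784 dst_port=19 vpn=n/a tran_ip=0.0.0.0 tran_port=0",
    "2004-10-20 14:07:02 log_id=0021000002 type=traffic subtype=allowed pri=notice "
    "vd=root SN=652 duration=5 policyid=3 proto=6 service=443/tcp status=accept "
    "src=10.0.0.5 dst=203.0.113.9 src_int=internal dst_int=external sent=1200 rcvd=5400 "
    "src_port=50123 dst_port=443",
    "2004-10-20 14:07:10 log_id=0023013001 type=traffic subtype=violation pri=notice "
    "vd=root SN=653 duration=0 policyid=0 proto=17 service=161/udp status=deny "
    "src=172.16.87.184 dst=172.16.87.183 src_int=n/a dst_int=external sent=0 rcvd=0 "
    "src_port=1024 dst_port=161",
]

# key=value pairs; values may be quoted (newer FortiOS quotes some fields) or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_log(line: str) -> Dict[str, str]:
    """Turn one key=value log line into a dict; the leading 'YYYY-MM-DD HH:MM:SS' is kept as 'timestamp'."""
    fields = {m.group(1): m.group(2).strip('"') for m in KV_RE.finditer(line)}
    fields["timestamp"] = line[:19]
    return fields

def is_denied_to_interface(entry: Dict[str, str]) -> bool:
    """status=deny with policyid=0, the values the article's sample carries
    (policyid 0 is assumed here to be the implicit deny that fwpolicy-implicit-log covers)."""
    return entry.get("status") == "deny" and entry.get("policyid") == "0"

def denied_entries(lines: List[str]) -> List[Dict[str, str]]:
    """Parse every line and keep only the denied attempts against an interface."""
    return [e for e in map(parse_log, lines) if is_denied_to_interface(e)]

def tally(entries: List[Dict[str, str]]) -> Counter:
    """Count denied attempts per (src, dst_int, proto, dst_port); a high count for
    one key is the first thing to look at when reviewing these logs."""
    return Counter((e["src"], e.get("dst_int", "n/a"), e["proto"], e["dst_port"]) for e in entries)

if __name__ == "__main__":
    for key, n in tally(denied_entries(SAMPLE_LOGS)).most_common():
        print(n, *key)
```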
Additional Note:
The command mentioned above is no longer available on newer versions of FortiOS.
On later versions, including v7.2.x, v7.4.x and v7.6.x, the command to use is:
FortiGate # config log setting
(setting)# set fwpolicy-implicit-log enable
(setting)# end
Another way to do this is to create a deny policy and enable the option 'Log Violation Traffic', as seen in the screenshot below:

Related article:
