Technical Tip: How to configure the logging of Denied Traffic to a FortiGate interface
Description
Scope
Solution
1. Enable logging of the denied traffic.
(global)# set loglocaldeny enable
(global)# end
2. Create a deny policy from external to internal and check the logs.
FortiOS v4.x.
(global)# set fwpolicy-implicit-log enable
(global)# set loglocaldeny enable
(global)# end
FortiOS v5.x.
(global)# set fwpolicy-implicit-log enable
Optional: This is possible to create a deny policy and log traffic.
It is necessary to create a policy with Action DENY, the policy action blocks communication sessions, and it is possible to optionally log the denied traffic. If no security policy matches the traffic, the packets are dropped. A DENY security policy is needed when it is required to log the denied traffic, also called 'violation traffic'.
Other settings to consider:
local-in-deny-unicast: enable
local-in-deny-broadcast: enable
Additional Note:
The mentioned command in this article (set loglocaldeny enable) is no longer available on the newer versions of FortiOS.
On later versions, including v7.2.x and v7.4.x, the command to use would be:
Fortigate # config log setting
(setting)# set fwpolicy-implicit-log enable
(setting)# end
Another way to do this would be to create a Deny Policy and enable the option 'Log Violation Traffic', as seen on the screenshot below:
The GUI view for logging the local-in denied traffic will be as follows, to log the denied traffic:
And on CLI, it would be the same as the previous versions:
Fortigate # config log setting
(setting)# set local-in-deny-unicast enable
(setting)# set local-in-deny-broadcast enable
Related article:
Technical Tip: How to configure the logging of Denied Traffic to a FortiGate interface