tpatel
Staff
October 26, 2024

Technical Tip: How to enable local intra-zone traffic logs

Description

This article describes how to capture local intra-zone traffic logs when intra-zone traffic is set to allow.
Scope

FortiGate v7.6.4 and later.

Solution

Before FortiOS v7.6.4 (in the v7.2, v7.4, and earlier v7.6 releases), the only way to see logs for intra-zone traffic (traffic passing from one member of a zone to another member of the same zone) was to create firewall policies with logging enabled that use the same zone interface as both source and destination.

 

Those policies generated forward traffic logs, but intra-zone traffic implicitly allowed by 'set intrazone allow' without a matching firewall policy was not logged at all. In FortiOS v7.6.4 and later, intra-zone traffic that is allowed through the FortiGate without a firewall policy generates local traffic logs whenever local-in or local-out logging is enabled. See issue ID 1116108 in the FortiOS v7.6.4 Resolved Issues.

 

Configuration example:

In the following example, port2 and port4 are members of the same zone, 'zone', which has 'set intrazone allow' configured. This allows traffic to be forwarded between members of the zone without a matching firewall policy.

 

config system zone
    edit 'zone'
        set intrazone allow
        set interface 'port2' 'port4'
    next
end

 

(Screenshot: the zone configuration as shown in the GUI)

 

Because no firewall policy matches, no forward traffic logs are generated. Instead, once local logging is enabled, intra-zone local traffic logs appear under Log and Report -> Local Traffic.

 

First, enable Local Traffic Log in the Log Settings:

 

(Screenshot: Log Settings page with Local Traffic Log enabled)

 

CLI equivalent:

 

config log setting
    set local-in-allow enable
    set local-out enable
end

 

After enabling local logging, check for local intra-zone traffic in the Local Traffic logs:

 

(Screenshot: Log and Report -> Local Traffic showing intra-zone entries)
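As an added example that is not part of the original article or Fortinet's own code, the following Python script parses a FortiOS configuration backup (the config/edit/set/next/end text that 'show' or a backup produces) and reports, for each zone with 'set intrazone allow', whether its intra-zone traffic is logged by an explicit zone-to-zone policy with 'set logtraffic all' (the pre-7.6.4 approach), by local-in and local-out logging (v7.6.4 and later), or not at all. The sample configuration strings are constructed to mirror the article; the 'forward-logged' check is a heuristic that does not examine a policy's address or service scope, and the 'local-logged' verdict assumes the unit runs v7.6.4 or later.

```python
# Added example (not Fortinet's code): audit a FortiOS configuration backup for
# zones whose implicitly allowed intra-zone traffic would leave no log.
# Assumptions: standard config/edit/set/next/end syntax; 'local-logged' only
# holds on FortiOS 7.6.4+; 'forward-logged' ignores policy address/service scope.
import shlex


def parse_fortios(text):
    """Parse FortiOS CLI config into nested dicts: 'config a b' opens a table
    under key 'a b', 'edit NAME' opens an entry under NAME, 'set K V...' stores
    the value list under K, and 'next'/'end' close the current level."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank lines and backup header comments
        tokens = shlex.split(line)        # handles 'quoted' values
        cmd, args = tokens[0], tokens[1:]
        cur = stack[-1]
        if cmd == "config":
            stack.append(cur.setdefault(" ".join(args), {}))
        elif cmd == "edit":
            stack.append(cur.setdefault(args[0], {}))
        elif cmd == "set":
            cur[args[0]] = args[1:]
        elif cmd in ("next", "end") and len(stack) > 1:
            stack.pop()
        # 'unset' and anything else is irrelevant to this audit
    return root


def audit(cfg):
    """Return (zone_name, status) for every zone with 'set intrazone allow'.
    status: 'forward-logged' (zone-to-zone accept policy with logtraffic all),
            'local-logged'   (local-in-allow and local-out both enabled),
            'unlogged'       (traffic is allowed and nothing records it)."""
    log = cfg.get("log setting", {})
    local_in = log.get("local-in-allow", ["disable"]) == ["enable"]
    local_out = log.get("local-out", ["disable"]) == ["enable"]
    policies = cfg.get("firewall policy", {}).values()
    findings = []
    for name, zone in cfg.get("system zone", {}).items():
        if zone.get("intrazone", ["deny"]) != ["allow"]:   # default is deny
            continue
        covered = any(
            p.get("srcintf") == [name] and p.get("dstintf") == [name]
            and p.get("action", ["deny"]) == ["accept"]
            and p.get("logtraffic", ["utm"]) == ["all"]    # default is utm
            for p in policies
        )
        if covered:
            status = "forward-logged"
        elif local_in and local_out:
            status = "local-logged"
        else:
            status = "unlogged"
        findings.append((name, status))
    return findings


def audit_text(text):
    return audit(parse_fortios(text))


# Constructed sample fragments mirroring the article's configuration.
ZONE = """
config system zone
    edit 'zone'
        set intrazone allow
        set interface 'port2' 'port4'
    next
end
"""
LOG_ON = """
config log setting
    set local-in-allow enable
    set local-out enable
end
"""
POLICY = """
config firewall policy
    edit 1
        set srcintf 'zone'
        set dstintf 'zone'
        set srcaddr 'all'
        set dstaddr 'all'
        set action accept
        set schedule 'always'
        set service 'ALL'
        set logtraffic all
    next
end
"""

if __name__ == "__main__":
    for label, text in (("local logging on", ZONE + LOG_ON),
                        ("local logging off", ZONE),
                        ("policy workaround", ZONE + POLICY)):
        print(label, audit_text(text))
```

To run it against a real unit, save the output of 'show full-configuration' (which prints default values explicitly) or a configuration backup to a file and pass its contents to audit_text(); plain 'show' omits settings at their defaults, which is why the script falls back to the FortiOS defaults (intrazone deny, logtraffic utm, local logging disabled) when a key is absent.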

 

Related article:

Technical Tip: Block or allow intra-zone traffic