Technical Tip : How to prevent the log message "reverse path check fail, drop" from being logged
Description
Some network implementations generate a large number of IP packets whose source address fails the FortiOS reverse path check, that is, the source address is not routed via the interface the packet arrived on (in the example below, NetBIOS datagram traffic on 138/udp from 10.75.2.29 to the broadcast address 10.75.3.255, received on port1). FortiOS drops each such packet and logs the following message:
2012-10-30 10:13:42 log_id=0038000007 type=traffic subtype=other pri=warning status=deny vd="root" src=10.75.2.29 srcname=10.75.2.29 src_port=138 dst=10.75.3.255 dstname=10.75.3.255 dst_country="Reserved" src_country="Reserved" dst_port=138 service=138/udp proto=17 app_type=N/A duration=0 rule=0 policyid=0 identidx=0 sent=0 rcvd=0 shaper_drop_sent=0 shaper_drop_rcvd=0 perip_drop=0 shaper_sent_name="N/A" shaper_rcvd_name="N/A" perip_name="N/A" vpn="N/A" vpn_type=UNKNOWN(65535) vpn_tunnel="N/A" src_int="port1" dst_int="N/A" SN=55198 app="N/A" app_cat="N/A" user="N/A" group="N/A" msg="reverse path check fail, drop" carrier_ep="N/A" profilegroup="N/A" subapp="N/A" subappcat="N/A"
This message is further described in the related KB article "Details about FortiOS RPF (Reverse Path Forwarding), also called Anti-Spoofing".
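Before silencing the message it is usually worth finding out which hosts and ingress interfaces produce it. The following Python script is an added example, not part of the original KB article and not FortiOS code; it parses FortiOS key=value log lines (quoted values such as msg="..." may contain spaces and commas) and counts RPF drops per ingress interface, source and destination. The first sample line is the record shown above; the other four are constructed, abbreviated lines in the same format, not real captures.

```python
import re
from collections import Counter

# A FortiOS log line is a sequence of key=value pairs. Values that contain
# spaces or commas (vd, msg, shaper names, ...) are double-quoted.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

RPF_DROP_MSG = "reverse path check fail, drop"


def parse_fortios_log(line):
    """Return the key=value fields of one FortiOS log line as a dict (quotes stripped)."""
    fields = {}
    for m in _KV_RE.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def is_rpf_drop(fields):
    """True for a type=traffic subtype=other record carrying the RPF drop message."""
    return (fields.get("type") == "traffic"
            and fields.get("subtype") == "other"
            and fields.get("msg") == RPF_DROP_MSG)


def rpf_drop_summary(lines):
    """Count RPF drops per (ingress interface, source IP, destination IP)."""
    counts = Counter()
    for line in lines:
        fields = parse_fortios_log(line)
        if is_rpf_drop(fields):
            key = (fields.get("src_int", "?"), fields.get("src", "?"), fields.get("dst", "?"))
            counts[key] += 1
    return counts


# Sample input: the first line is the record shown in this article; the rest
# are constructed variants (not real captures) in the same key=value format,
# abbreviated to the fields the summary uses.
SAMPLE_LINES = [
    '2012-10-30 10:13:42 log_id=0038000007 type=traffic subtype=other pri=warning status=deny vd="root" src=10.75.2.29 srcname=10.75.2.29 src_port=138 dst=10.75.3.255 dstname=10.75.3.255 dst_country="Reserved" src_country="Reserved" dst_port=138 service=138/udp proto=17 app_type=N/A duration=0 rule=0 policyid=0 identidx=0 sent=0 rcvd=0 shaper_drop_sent=0 shaper_drop_rcvd=0 perip_drop=0 shaper_sent_name="N/A" shaper_rcvd_name="N/A" perip_name="N/A" vpn="N/A" vpn_type=UNKNOWN(65535) vpn_tunnel="N/A" src_int="port1" dst_int="N/A" SN=55198 app="N/A" app_cat="N/A" user="N/A" group="N/A" msg="reverse path check fail, drop" carrier_ep="N/A" profilegroup="N/A" subapp="N/A" subappcat="N/A"',
    '2012-10-30 10:13:47 log_id=0038000007 type=traffic subtype=other pri=warning status=deny vd="root" src=10.75.2.29 dst=10.75.3.255 service=138/udp proto=17 src_int="port1" dst_int="N/A" msg="reverse path check fail, drop"',
    '2012-10-30 10:14:02 log_id=0038000007 type=traffic subtype=other pri=warning status=deny vd="root" src=10.75.2.40 dst=10.75.3.255 service=138/udp proto=17 src_int="port1" dst_int="N/A" msg="reverse path check fail, drop"',
    '2012-10-30 10:14:09 log_id=0038000007 type=traffic subtype=other pri=warning status=deny vd="root" src=10.75.2.29 dst=10.75.3.255 service=138/udp proto=17 src_int="port2" dst_int="N/A" msg="reverse path check fail, drop"',
    '2012-10-30 10:14:11 type=traffic subtype=forward pri=notice status=accept vd="root" src=10.75.2.5 dst=10.75.3.10 service=HTTP proto=6 src_int="port1" dst_int="port3"',
]


if __name__ == "__main__":
    # Most frequent offenders first: these are the hosts whose addressing or
    # routing should be corrected instead of hiding the message.
    for (src_int, src, dst), n in rpf_drop_summary(SAMPLE_LINES).most_common():
        print(f"{n:4d}  {src_int:<8} {src:<16} -> {dst}")
```

Run it against a log export (one record per line) to see, per interface, which source addresses are being dropped; a single interface with many distinct sources usually points at a missing or wrong route rather than at the hosts.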
Solution
Like other log messages of type=traffic and subtype=other, this message can be stopped from being sent to the log destinations by disabling the extended traffic log on each destination (memory, FortiAnalyzer and disk). Note that this filter suppresses every type=traffic subtype=other message for that destination, not only the RPF drop: the packets are still dropped, they are simply no longer visible in the logs. Where possible, correct the source of the mis-routed packets rather than hiding the message.
config log memory filter
    set extended-traffic-log disable
end
config log fortianalyzer filter
    set extended-traffic-log disable
end
config log disk filter
    set extended-traffic-log disable
end
If VDOM is enabled, the FortiAnalyzer filter is set in global mode, while the memory filter is set per VDOM:
config global
    config log fortianalyzer filter
        set extended-traffic-log disable
    end
end
config vdom
    edit <vdom_name>
        config log memory filter
            set extended-traffic-log disable
        end
end
Note that prior to FortiOS 4.0MR3, the parameter "extended-traffic-log" was named "other-traffic".
Related Articles
Technical Note: Details about FortiOS RPF (Reverse Path Forwarding), also called Anti-Spoofing
