hixeN
New Member
June 7, 2022
Question

7.0.5 FGT : Logs FortiGuard services access

  • June 7, 2022
  • 3 replies
  • 2188 views

Hello,

 

With 7.0.5 we can see new entries in the forward logs about the implicit policy 0. This is my root source interface accessing the FortiGuard services on TCP 853 (DNS over TLS).

 

(Screenshot attached: Capture d’écran 2022-06-07 101612.jpg)

 

These entries match correctly (a good point, in fact), but why do they appear under the deny policy?
And is it possible to fix or hide it?

 

Regards,
hixeN

 

3 replies

Contributor
June 9, 2022

Hello @hixeN ,

 

Thank you for posting your query on the Fortinet Forums. Can you provide the information in the detail section on the top right?

Thanks,

nithincs
Staff & Editor
June 12, 2022

hi,

 

May I know whether you are using DNS filter on the FortiGate and have enabled sdns in the FortiGuard settings, or dns-over-tls in the DNS settings? Please share the raw log to get more information regarding the log.

hixeN (Author)
New Member
June 13, 2022

Hello,

 

@Anonymous
The details about the log :

(Screenshots attached: Capture d’écran 2022-06-13 085451_1.jpg, Capture d’écran 2022-06-13 085609_2.jpg)

 

@nithincs
I don't use the DNS filter in my ACL. This is my configuration in the Network/DNS section:

(Screenshot attached: Capture d’écran 2022-06-13 090809.jpg)

 

These logs appeared after the upgrade from 7.0.1 to 7.0.5.

 

Regards,

Hixen

Debbie_FTNT
Staff & Editor
June 13, 2022

Hey Hixen,

I think there may be a slight confusion here:

- policy ID 0 is implicit deny, correct

- policy ID 0 is also used in logs for local traffic (traffic that terminates or originates on the FortiGate)

-> such as the FortiGate sending DNS queries, or fetching updates, or an admin login

-> if you log local traffic, all of that will have policy ID 0 usually.

 

Is this local traffic? Or is this traffic passing through the FortiGate?

If this is traffic through the firewall - what policy should it be using?

I would also suggest checking the session list:
#dia sys session filter dport 853
#dia sys session list
-> this should dump DNS-over-TLS sessions

-> you can check for the 'policyid' bit in a specific session; that should usually be the logged policy ID

-> you can check the 'state' - that may include flags like 'local', meaning local traffic, 'log', meaning the session should be logged, or 'may_dirty' (session should be reevaluated if the policy it goes through changes for some reason)
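The session-list check suggested in the reply above, carried out in code. This is an added example, not something posted in the thread or shipped by Fortinet: it parses a constructed `diagnose sys session list` dump (the three sessions below are invented, with documentation addresses), mirrors the `dport 853` filter, and then separates the two meanings of policy ID 0 that the reply describes: a `local` flag in the `state=` line means FortiGate-originated or terminated traffic (for instance the DNS-over-TLS session to FortiGuard), while policy 0 without that flag is the implicit deny on passthrough traffic. The field layout assumed here (`policy_id=`, a `state=` line, `hook=... dir=org` lines) follows the usual key=value shape of the dump, but exact fields vary by release, so treat the regexes as assumptions to adjust against your own output.

```python
"""Added example: classify sessions from a FortiGate session dump.

Not code from the forum thread or from Fortinet. The dump text below is
constructed for this example; the key names it relies on (policy_id=,
state=, hook=... dir=org) are assumptions about the dump format.
"""
import re
from dataclasses import dataclass

# Constructed sample of `diagnose sys session list` output (not real data).
# Session 1: the FortiGate itself talking DNS-over-TLS to a FortiGuard
#            server -> policy 0 plus the 'local' state flag.
# Session 2: a LAN client doing DoT through the firewall -> policy 7.
# Session 3: passthrough traffic with policy 0 and no 'local' flag,
#            i.e. what a genuine implicit-deny hit would look like.
SAMPLE_SESSION_LIST = """\
session info: proto=6 proto_state=01 duration=12 expire=3588 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=local may_dirty log
statistic(bytes/packets/allow_err): org=1320/9/1 reply=4410/11/1 tuples=2
hook=out dir=org act=noop 192.0.2.10:41234->198.51.100.53:853(0.0.0.0:0)
hook=in dir=reply act=noop 198.51.100.53:853->192.0.2.10:41234(0.0.0.0:0)
misc=0 policy_id=0 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
session info: proto=6 proto_state=01 duration=3 expire=3597 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=may_dirty log
statistic(bytes/packets/allow_err): org=880/6/1 reply=2100/7/1 tuples=2
hook=post dir=org act=snat 10.0.0.5:50211->198.51.100.53:853(192.0.2.10:50211)
hook=pre dir=reply act=dnat 198.51.100.53:853->192.0.2.10:50211(10.0.0.5:50211)
misc=0 policy_id=7 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
session info: proto=6 proto_state=01 duration=1 expire=3599 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=may_dirty log
statistic(bytes/packets/allow_err): org=60/1/0 reply=0/0/0 tuples=2
hook=pre dir=org act=noop 10.0.0.9:40001->203.0.113.20:443(0.0.0.0:0)
hook=post dir=reply act=noop 203.0.113.20:443->10.0.0.9:40001(0.0.0.0:0)
misc=0 policy_id=0 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
total session 3
"""

# Assumed field patterns; adjust if your release prints them differently.
RE_PROTO = re.compile(r"\bproto=(\d+)")
RE_STATE = re.compile(r"^state=(.*)$", re.M)
RE_POLICY = re.compile(r"\bpolicy_?id=(\d+)")        # policy_id= or policyid=
RE_ORIG = re.compile(r"hook=\w+ dir=org act=\w+ ([\d.]+):(\d+)->([\d.]+):(\d+)")


@dataclass(frozen=True)
class Session:
    proto: int
    src: str
    sport: int
    dst: str
    dport: int
    policy_id: int
    state: frozenset  # flags from the state= line, e.g. {'local','log'}


def parse_sessions(dump: str) -> list:
    """Split the dump into 'session info:' blocks and pull out the fields."""
    sessions = []
    for block in re.split(r"^session info:", dump, flags=re.M)[1:]:
        orig = RE_ORIG.search(block)
        if not orig:           # no original-direction tuple: nothing to classify
            continue
        state_m = RE_STATE.search(block)
        policy_m = RE_POLICY.search(block)
        sessions.append(Session(
            proto=int(RE_PROTO.search(block).group(1)),
            src=orig.group(1), sport=int(orig.group(2)),
            dst=orig.group(3), dport=int(orig.group(4)),
            policy_id=int(policy_m.group(1)) if policy_m else -1,
            state=frozenset(state_m.group(1).split()) if state_m else frozenset(),
        ))
    return sessions


def filter_by_dport(sessions: list, dport: int) -> list:
    """Equivalent of `diagnose sys session filter dport <port>`."""
    return [s for s in sessions if s.dport == dport]


def classify(s: Session) -> str:
    """Tell the two meanings of policy ID 0 apart."""
    if s.policy_id > 0:
        return "PASSTHROUGH"        # matched a real firewall policy
    if "local" in s.state:
        return "LOCAL"              # FortiGate-originated/terminated; not a deny
    return "IMPLICIT_DENY"          # policy 0 and not local: nothing matched


if __name__ == "__main__":
    for s in filter_by_dport(parse_sessions(SAMPLE_SESSION_LIST), 853):
        print(f"{s.src}:{s.sport} -> {s.dst}:{s.dport} policy={s.policy_id} "
              f"state={' '.join(sorted(s.state))} => {classify(s)}")
```

Run against a real dump by replacing `SAMPLE_SESSION_LIST` with the CLI output; a DoT session that comes back as `LOCAL` is the FortiGate's own FortiGuard lookup and its policy-0 log line is not a denied flow, whereas an `IMPLICIT_DENY` result on port 853 points at client traffic that no policy matched.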