winterH
New Member
February 26, 2025
Question

Can't I see LAND attack blocking logs on Fortigate?

I am practicing LAND attack blocking in an offline network with a Fortigate 60D. If you "set block-land-attack enable" in "config system settings" and then LAND attack the device, won't it be logged? When I look at events or logs, I don't see a log saying it was blocked.
Where should I look?
Reference material:
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/533753/blocking-land-attacks-in-transparent-mode 


1 reply

pminarik
Staff
February 26, 2025

You will likely need to enable logging of "invalid packets" first:

config log setting
    set log-invalid-packet enable
end


After that, you should see this attempt logged in the relevant traffic log (likely Forward, unless the destination is an IP owned by the FGT), as an "implicit deny" log, with the message field saying something like "same src/dst address X.X.X.X, drop".


The same message can be seen in debug flow output, if you're catching the traffic with that.


Worth noting that if LAND attack blocking is disabled, there's a chance that the packet will be blocked just by the RPF check failing. (unless the attack target is in the source interface's subnet, or the attack comes from WAN, where a default route will likely permit "anything" wrt RPF check)
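As an added example (not from this thread or from Fortinet), the following Python script shows how you would find the drop described in the reply once log-invalid-packet is on: it parses FortiOS-style key=value log lines and flags implicit-deny records whose msg field carries the "same src/dst address ..., drop" text. The log lines are constructed, not captured from a device; the field names used (type, subtype, action, srcip, dstip, msg) are the usual FortiOS traffic-log keys, and the "reverse path check fail" line is a constructed stand-in for the RPF-drop case the reply mentions. A second, broader check catches any deny where srcip equals dstip regardless of the message, so the RPF case is not missed.

```python
import re
from typing import Dict, List

# Constructed sample lines in FortiOS key=value style (not real device output).
# Line 1: LAND drop in the forward traffic log.
# Line 2: ordinary accepted session.
# Line 3: LAND drop against an address owned by the FortiGate (local log).
# Line 4: unrelated deny with different src/dst.
# Line 5: src == dst dropped with a different (constructed) message, the
#         RPF-failure situation the reply describes when LAND blocking is off.
SAMPLE_LOG = """\
date=2025-02-26 time=10:01:02 devname="FGT60D-LAB" type="traffic" subtype="forward" level="notice" srcip=192.0.2.10 dstip=192.0.2.10 srcport=445 dstport=445 proto=6 action="deny" policyid=0 msg="same src/dst address 192.0.2.10, drop"
date=2025-02-26 time=10:01:03 devname="FGT60D-LAB" type="traffic" subtype="forward" level="notice" srcip=192.0.2.10 dstip=198.51.100.5 srcport=51000 dstport=443 proto=6 action="accept" policyid=1
date=2025-02-26 time=10:01:04 devname="FGT60D-LAB" type="traffic" subtype="local" level="notice" srcip=203.0.113.7 dstip=203.0.113.7 srcport=80 dstport=80 proto=6 action="deny" policyid=0 msg="same src/dst address 203.0.113.7, drop"
date=2025-02-26 time=10:01:05 devname="FGT60D-LAB" type="traffic" subtype="forward" level="notice" srcip=10.0.0.5 dstip=10.0.0.9 srcport=4000 dstport=22 proto=6 action="deny" policyid=0 msg="no session matched"
date=2025-02-26 time=10:01:06 devname="FGT60D-LAB" type="traffic" subtype="forward" level="notice" srcip=10.0.0.5 dstip=10.0.0.5 srcport=139 dstport=139 proto=6 action="deny" policyid=0 msg="reverse path check fail, drop"
"""

# key=value pairs; quoted values may contain spaces and commas.
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_fortios_line(line: str) -> Dict[str, str]:
    """Parse one FortiOS key=value log line into a dict (quotes stripped)."""
    return {
        m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
        for m in _KV.finditer(line)
    }


def is_land_drop(rec: Dict[str, str]) -> bool:
    """True for the implicit-deny record the reply describes."""
    return (
        rec.get("type") == "traffic"
        and rec.get("action") == "deny"
        and "same src/dst address" in rec.get("msg", "")
    )


def _records(log_text: str):
    for line in log_text.splitlines():
        if line.strip():
            yield parse_fortios_line(line)


def find_land_drops(log_text: str) -> List[Dict[str, str]]:
    """Records explicitly dropped as LAND packets, in log order."""
    hits = []
    for rec in _records(log_text):
        if is_land_drop(rec):
            # Sanity check: a LAND packet has identical source and destination.
            if rec.get("srcip") != rec.get("dstip"):
                rec["note"] = "msg claims same src/dst but fields differ; inspect"
            hits.append(rec)
    return hits


def find_same_src_dst_denies(log_text: str) -> List[Dict[str, str]]:
    """Broader check: any deny with srcip == dstip, whatever msg says.

    Catches the case where LAND blocking is disabled and the packet is
    dropped by the RPF check instead, so the msg text is different.
    """
    return [
        rec for rec in _records(log_text)
        if rec.get("action") == "deny"
        and rec.get("srcip")
        and rec.get("srcip") == rec.get("dstip")
    ]


if __name__ == "__main__":
    for rec in find_land_drops(SAMPLE_LOG):
        print(f'{rec["date"]} {rec["time"]} [{rec["subtype"]}] '
              f'{rec["srcip"]} -> {rec["dstip"]}: {rec["msg"]}')
    print(len(find_same_src_dst_denies(SAMPLE_LOG)), "denies with src == dst")
```

Feed it the lines exported from Log & Report or a syslog collector; the explicit LAND drops show up under the forward log for transit traffic and under the local log when the spoofed address belongs to the FortiGate, which matches the distinction the reply draws.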