Question
dst_int=root and service=65535
device_id=FGT800xxxxxxxxx log_id=3 subtype=violation type=traffic timestamp=1268952389 pri=warning itime=1268952410 cluster_id=FGT8003607501543_CID vd=root src=10.0.0.15 srcname=10.0.0.15 src_port=2857 dst=xxxxxxxxxx dstname=xxxxxxxxx dst_port=8402 service=8402/tcp proto=6 app_type=N/A duration=0 rule=0 policyid=0 sent=0 rcvd=0 src_int=dmz dst_int=root SN=1920684 carrier_ep=N/A vpn=N/A status=deny user=N/A group=N/A

device_id=FGT800xxxxxxxxxx log_id=7 subtype=other type=traffic timestamp=1268952389 pri=notice itime=1268952410 cluster_id=FGT8003607501543_CID vd=root src=10.0.0.15 srcname=10.0.0.15 src_port=2857 dst=xxxxxxxxxx dstname=xxxxxxxxx dst_port=8402 service=65535/tcp proto=6 app_type=N/A duration=0 rule=0 policyid=0 sent=0 rcvd=0 src_int=dmz dst_int=root SN=1920684 carrier_ep=N/A vpn=N/A status=deny user=N/A group=N/A

A couple of curiosities here I am hoping someone can clear up for me. Here are a couple of sample traffic log entries that are representative of ones that I see periodically on a variety of ports, both TCP and UDP.

dst_int=root

There is no interface on the box named root. Where does the FortiGate think it is routing this traffic? There is a default route that should catch anything. Destinations with specific static routes, and even source/destinations with a matching policy route, sometimes disappear with these destination interface = root entries. When this occurs, it does do the two related log entries as seen above. One has the dst_port the same as the service, the other has the proper dst_port but service=65535. Normal traffic always has service = dst_port plus TCP or UDP.
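The post describes two patterns worth hunting for across a whole traffic log rather than by eye: entries whose service port disagrees with dst_port (including the service=65535 variant), and entries whose dst_int names something that is not a configured interface, with the related entries sharing one SN. The script below is an added example, not code from the original post or from Fortinet: it parses FortiGate key=value traffic log lines, groups them by SN, and reports groups showing either pattern. The sample lines are constructed here, modeled on the entries above with placeholder addresses, and the set of configured interface names is an assumption the operator must supply from their own box. It only flags the condition; it does not explain where the FortiGate routes dst_int=root traffic.

```python
import re
from collections import defaultdict

# Constructed sample input modeled on the entries in the post above.
# Not real device output: device_id, dst and SN values are placeholders.
SAMPLE_LOGS = """\
device_id=FGT800xxxxxxxxx log_id=3 subtype=violation type=traffic timestamp=1268952389 pri=warning vd=root src=10.0.0.15 src_port=2857 dst=192.0.2.10 dst_port=8402 service=8402/tcp proto=6 policyid=0 src_int=dmz dst_int=root SN=1920684 status=deny
device_id=FGT800xxxxxxxxx log_id=7 subtype=other type=traffic timestamp=1268952389 pri=notice vd=root src=10.0.0.15 src_port=2857 dst=192.0.2.10 dst_port=8402 service=65535/tcp proto=6 policyid=0 src_int=dmz dst_int=root SN=1920684 status=deny
device_id=FGT800xxxxxxxxx log_id=13 subtype=allowed type=traffic timestamp=1268952400 pri=notice vd=root src=10.0.0.20 src_port=51000 dst=192.0.2.11 dst_port=443 service=443/tcp proto=6 policyid=4 src_int=dmz dst_int=wan1 SN=1920700 status=accept
"""

# key=value pairs; values may be double-quoted and contain spaces (e.g. msg="...").
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERVICE_RE = re.compile(r'^(\d+)/(tcp|udp)$')


def parse_line(line):
    """Turn one FortiGate log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def service_port(entry):
    """Numeric port from service=NNNN/tcp or NNNN/udp; None for anything else."""
    m = SERVICE_RE.match(entry.get("service", ""))
    return int(m.group(1)) if m else None


def find_anomalies(text, known_interfaces):
    """Group entries by SN and report groups with a service/dst_port mismatch,
    service=65535, or a dst_int that is not in known_interfaces.

    known_interfaces is an assumption: the operator fills it from the box's
    real interface list (e.g. {"dmz", "wan1", "internal"}).
    """
    by_sn = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            entry = parse_line(line)
            by_sn[entry.get("SN")].append(entry)

    findings = []
    for sn, group in by_sn.items():
        reasons = set()
        for e in group:
            sp = service_port(e)
            dp = int(e["dst_port"]) if e.get("dst_port", "").isdigit() else None
            if sp == 65535:
                reasons.add("service=65535")
            elif sp is not None and dp is not None and sp != dp:
                reasons.add(f"service port {sp} != dst_port {dp}")
            if e.get("dst_int") not in known_interfaces:
                reasons.add(f"dst_int={e.get('dst_int')} is not a configured interface")
        if reasons:
            findings.append({"SN": sn, "count": len(group), "reasons": sorted(reasons)})
    return findings


if __name__ == "__main__":
    # Interface set is a placeholder; replace with the names from your own unit.
    for f in find_anomalies(SAMPLE_LOGS, {"dmz", "wan1", "internal"}):
        print(f)
```

Run against a full export (for example the output of a syslog collector) and every SN that appears in the result is one of the paired deny entries the post describes; the `count` field shows how many lines share that SN, so the expected "two related log entries" show up as count 2.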