JJEvans
New Member
September 7, 2016
Question

Implicit Deny Log Is blank? How to show traffic?


Hello All,

On other firewalls I would see the blocking of outside activity all the time. How do I see the traffic that the Fortinet is blocking from the outside via the implicit deny?

My policy is simple: allow all outgoing and block all incoming via implicit deny.

One person on the forum says that traffic is only logged if the logging level is as low as 'Information'. Where do you set the information level?

Thank you in advance.


    JJEvans (Author)
    New Member
    September 7, 2016

    More attachments

    JJEvans (Author)
    New Member
    September 7, 2016

    Other attachment

    emnoc
    New Member
    September 7, 2016

    You have a few options.

    1: Craft a policy with action deny and log traffic all, re-order it to the bottom of the sequence, set the src/dst as ALL/ANY for address and interfaces, then set "set logtraffic all" with the action as deny.

    e.g.

      edit 4294967294
            set dstintf "any"
            set srcintf "wan1"
            set srcaddr "all"
            set dstaddr "all"
            set action deny
            set schedule "always"
            set service "ALL"
            set logtraffic all
            set comment " set this seq# as the lowest"
        next

    2: Use the log sys command to "LOG" all denies via the CLI.

    e.g.

    FGT100DSOCPUPPETCENTRO (root) # config log setting

    FGT100DSOCPUPPETCENTRO (setting) # show full-configuration | grep fwpo
        set fwpolicy-implicit-log disable
        set fwpolicy6-implicit-log disable

    NOTE: none of these should be required IMHO and in my experience, and they can create a lot of "white noise". Here's why: logging dropped traffic wastes 1> resources, 2> disk/log space, 3> if syslog is used, excessive network chatter.

     

     

     

    ede_pfau
    SuperUser
    September 7, 2016

    You set the logging level in the CLI (see the CLI Ref. Guide).

    IIRC there are settings for 'extended-log' which might be required. Either check the CLI Guide, or

    show full | grep extended-

    JJEvans (Author)
    New Member
    October 8, 2016

    Thank you Vjoshi for your assistance. Sorry, I have been busy lately. The issue still persists. So I don't get it. It logs and blocks Internal to WAN. But I cannot get the WAN to Internal to log any deny traffic, and since it's not logging I cannot confirm it's blocking anything. Man, this is so frustrating since it is so basic what I need it to do.

    Here is the output:

    2016-10-08 17:23:03 id=20085 trace_id=1 func=print_pkt_detail line=4742 msg="vd-root received a packet(proto=1, 192.168.10.2:1->4.2.2.1:2048) from internal. type=8, code=0, id=1, seq=24."
    2016-10-08 17:23:03 id=20085 trace_id=1 func=init_ip_session_common line=4893 msg="allocate a new session-006e004a"
    2016-10-08 17:23:03 id=20085 trace_id=1 func=vf_ip4_route_input line=1597 msg="find a route: flags=00000000 gw-50.171.242.1 via wan1"
    2016-10-08 17:23:03 id=20085 trace_id=1 func=fw_forward_handler line=557 msg="Denied by forward policy check (policy 1)"
    2016-10-08 17:23:08 id=20085 trace_id=2 func=print_pkt_detail line=4742 msg="vd-root received a packet(proto=1, 192.168.10.2:1->4.2.2.1:2048) from internal. type=8, code=0, id=1, seq=25."
    2016-10-08 17:23:08 id=20085 trace_id=2 func=init_ip_session_common line=4893 msg="allocate a new session-006e0078"
    2016-10-08 17:23:08 id=20085 trace_id=2 func=vf_ip4_route_input line=1597 msg="find a route: flags=00000000 gw-50.171.242.1 via wan1"
    2016-10-08 17:23:08 id=20085 trace_id=2 func=fw_forward_handler line=557 msg="Denied by forward policy check (policy 1)"
    2016-10-08 17:23:13 id=20085 trace_id=3 func=print_pkt_detail line=4742 msg="vd-root received a packet(proto=1, 192.168.10.2:1->4.2.2.1:2048) from internal. type=8, code=0, id=1, seq=26."
    2016-10-08 17:23:13 id=20085 trace_id=3 func=init_ip_session_common line=4893 msg="allocate a new session-006e00ba"
    2016-10-08 17:23:13 id=20085 trace_id=3 func=vf_ip4_route_input line=1597 msg="find a route: flags=00000000 gw-50.171.242.1 via wan1"
    2016-10-08 17:23:13 id=20085 trace_id=3 func=fw_forward_handler line=557 msg="Denied by forward policy check (policy 1)"
    2016-10-08 17:23:18 id=20085 trace_id=4 func=print_pkt_detail line=4742 msg="vd-root received a packet(proto=1, 192.168.10.2:1->4.2.2.1:2048) from internal. type=8, code=0, id=1, seq=27."
    2016-10-08 17:23:18 id=20085 trace_id=4 func=init_ip_session_common line=4893 msg="allocate a new session-006e00ee"
    2016-10-08 17:23:18 id=20085 trace_id=4 func=vf_ip4_route_input line=1597 msg="find a route: flags=00000000 gw-50.171.242.1 via wan1"
    2016-10-08 17:23:18 id=20085 trace_id=4 func=fw_forward_handler line=557 msg="Denied by forward policy check (policy 1)"
    diag debug disable
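
An added example (mine, not code from the thread or from Fortinet): a small Python parser for the `diag debug flow` output quoted above. It splits each record into key=value fields, groups them by trace_id, pulls the 5-tuple from print_pkt_detail and the verdict from fw_forward_handler, and lists the denied flows. The sample records are constructed; the policy-0 record stands in for the implicit deny, which FortiOS reports as policy 0.

```python
import re

# Constructed sample in the "diag debug flow" format quoted in the thread:
# trace 1 denied by policy 1, trace 2 allowed, trace 3 from wan1 hitting the
# implicit deny (reported by FortiOS as policy 0). Not real device output.
SAMPLE = """\
2016-10-08 17:23:03 id=20085 trace_id=1 func=print_pkt_detail line=4742 msg="vd-root received a packet(proto=1, 192.168.10.2:1->4.2.2.1:2048) from internal. type=8, code=0, id=1, seq=24."
2016-10-08 17:23:03 id=20085 trace_id=1 func=fw_forward_handler line=557 msg="Denied by forward policy check (policy 1)"
2016-10-08 17:23:08 id=20085 trace_id=2 func=print_pkt_detail line=4742 msg="vd-root received a packet(proto=6, 192.168.10.5:51000->93.184.216.34:443) from internal. flag [S], seq 0, ack 0, win 64240"
2016-10-08 17:23:08 id=20085 trace_id=2 func=fw_forward_handler line=765 msg="Allowed by Policy-2: SNAT"
2016-10-08 17:23:09 id=20085 trace_id=3 func=print_pkt_detail line=4742 msg="vd-root received a packet(proto=6, 203.0.113.7:40000->198.51.100.2:12334) from wan1. flag [S], seq 0, ack 0, win 64240"
2016-10-08 17:23:09 id=20085 trace_id=3 func=fw_forward_handler line=557 msg="Denied by forward policy check (policy 0)"
diag debug disable
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')           # key=value, value may be quoted
PKT_RE = re.compile(r'proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\) from (\w+)')
VERDICT_RE = re.compile(r'(Denied|Allowed) by .*?[Pp]olicy[- ](\d+)')

def parse_record(line):
    """Split one trace line into a dict; quoted msg values keep their spaces."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def summarize_flows(text):
    """Group records by trace_id: 5-tuple from print_pkt_detail, verdict from fw_forward_handler."""
    flows = {}
    for line in text.splitlines():
        rec = parse_record(line)
        if 'trace_id' not in rec:
            continue  # not a debug-flow record (e.g. the trailing CLI command)
        flow = flows.setdefault(rec['trace_id'], {'verdict': None, 'policy': None})
        if rec.get('func') == 'print_pkt_detail':
            m = PKT_RE.search(rec.get('msg', ''))
            if m:
                flow.update(proto=int(m[1]), src=f'{m[2]}:{m[3]}', dst=f'{m[4]}:{m[5]}', srcintf=m[6])
        elif rec.get('func') == 'fw_forward_handler':
            m = VERDICT_RE.search(rec.get('msg', ''))
            if m:
                flow['verdict'], flow['policy'] = m[1].lower(), int(m[2])
    return flows

def denied_flows(text):
    """Only the denied flows; policy 0 marks the implicit deny."""
    return {t: f for t, f in summarize_flows(text).items() if f['verdict'] == 'denied'}

if __name__ == '__main__':
    for tid, f in denied_flows(SAMPLE).items():
        rule = 'implicit deny' if f['policy'] == 0 else f"policy {f['policy']}"
        print(f"trace {tid}: {f.get('src')} -> {f.get('dst')} proto={f.get('proto')} from {f.get('srcintf')}: {rule}")
```

Run it over a captured `diag debug flow` session instead of SAMPLE to see which policy, if any, is actually dropping a given test packet.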

     

    JJEvans (Author)
    New Member
    October 20, 2016

    Does anyone from Fortinet have any insight? I have to assume I am not the only person that wants to see what was blocked by the default or custom Implicit deny rule. TIA

    ali40
    New Member
    November 15, 2017

    Dear,

    I am experiencing the same issue. How did you manage to solve this, if it is already solved?

    Best regards

    /Ali

    sheng99999
    New Member
    August 21, 2018

    FGT40C3912021928 # config log setting
    FGT40C3912021928 (setting) # set log-invalid-packet enable

    Rystan
    New Member
    September 21, 2018

    I have a similar problem. I have a 60E with 5.6.5. I see the traffic dropped by implicit deny when it traverses the firewall. But I'd also like to see traffic hitting the firewall's WAN1 IP and being dropped.

    I think I enabled all the options in the CLI and GUI:

    config log setting
        set fwpolicy-implicit-log enable
        set log-invalid-packet enable
        set local-in-allow enable
        set local-in-deny-unicast enable
        set local-in-deny-broadcast enable
    end

    config log memory setting
        set status enable
        set diskfull overwrite
    end

    Is there anything else I can check?

    I'm testing it by sending packets from some host on the internet to TCP port 12334 on WAN1's IP. I see these packets in diag sniffer packet. But I don't see these packets anywhere in the logs?

    tanr
    New Member
    September 21, 2018

    I assume you're sending your logs from the 60E to a remote device, since it doesn't have local storage for logging? Could they be getting filtered out by that device?

     

    Rystan
    New Member
    September 25, 2018

    I found it. In my case, it was the filter setting:

    config log memory filter
        set severity information
        set local-traffic enable
    end

    By default, there is

    set local-traffic disable

    and it is not displayed by

    show log memory filter

    So this, and the previous snippet, allowed me to see the local traffic. None of these settings were available in the GUI. :(
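
An added example (mine, not from the thread or from Fortinet): a Python parser for FortiOS `config ... set ... end` blocks like the ones quoted in this thread, plus an audit of the three settings the thread converged on (fwpolicy-implicit-log, the log filter severity, and local-traffic, which `show` omits while it sits at its default). The dumps are constructed; the severity order and the 'information' default are assumed from FortiOS behaviour.

```python
import shlex

# Least to most verbose; traffic logs need 'information' or 'debug' (assumed FortiOS default: information).
SEVERITIES = ['emergency', 'alert', 'critical', 'error', 'warning',
              'notification', 'information', 'debug']

# Constructed dumps (not real device output): BEFORE is the thread's starting state,
# AFTER applies the settings Rystan ended up with.
BEFORE = """
config log setting
    set fwpolicy-implicit-log disable
end
config log memory filter
    set severity warning
end
"""
AFTER = BEFORE.replace('implicit-log disable', 'implicit-log enable').replace('severity warning', 'severity information\n    set local-traffic enable')

def parse_fortios(text):
    """Turn 'config ... / edit ... / set k v / next / end' lines into nested dicts."""
    stack = [{}]                      # stack[-1] is the block currently being filled
    for raw in text.splitlines():
        words = shlex.split(raw)      # handles quoted values such as "all"
        if not words:
            continue
        kw, args = words[0], words[1:]
        if kw in ('config', 'edit'):
            stack.append(stack[-1].setdefault(' '.join(args), {}))
        elif kw in ('end', 'next'):
            stack.pop()
        elif kw == 'set':
            stack[-1][args[0]] = ' '.join(args[1:])
    return stack[0]

def audit_deny_logging(cfg, target='memory'):
    """Reasons denied or local-in traffic would not show up in the given log target."""
    findings = []
    if cfg.get('log setting', {}).get('fwpolicy-implicit-log') != 'enable':
        findings.append('log setting: fwpolicy-implicit-log is not enable')
    filt = cfg.get(f'log {target} filter', {})
    sev = filt.get('severity', 'information')
    if sev in SEVERITIES and SEVERITIES.index(sev) < SEVERITIES.index('information'):
        findings.append(f'log {target} filter: severity {sev} suppresses traffic logs')
    if filt.get('local-traffic', 'disable') != 'enable':   # 'show' hides this default
        findings.append(f'log {target} filter: local-traffic is disable')
    return findings
```

Feed it the output of `show full-configuration` (which prints defaults) for an exact picture, or plain `show` output to see how a hidden default like local-traffic is treated.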

    jbeesley
    New Member
    September 25, 2018

    You won't see any logs for the implicit rule because there is no traffic hitting the implicit deny.

    The any/any allow literally allows anything, so the internet traffic is allowed in. I think what you want to do is have your source interface as your LAN port and your destination as WAN; that will allow traffic out, but any traffic coming in is dropped (implicit deny). You can have the destination as 'all' if you want; that will just allow traffic to go to the firewall and back to the LAN if needed.

    By default the logging level is informational (level 6), so it should be ok, but if you want to read more about it, you can here: http://docs-legacy.fortinet.com/frec/admin_hlp/1-1-0/index.html#page/FortiRecorder_Help/about_log_severity_levels.html#ww1096475

    Changing the logging information level can be done in the CLI, under 'config log setting'.