Local Traffic logs

From the hints at the bottom: Policy ID = 0. That means that the traffic defaulted past all the known policies and hit the implicit policy: fail all. Check to see that you do have your policies configured as you think you do. Also I now see that the destination interface is ' root' . Is your policy destination WAN or ANY? This traffic that is being blocked is broadcast traffic.

I believe you may also need to enable broadcast-forward on the Lan set broadcast-forward enable

IMHO this is simply a display artifact - in some younger firmware versions the so called ' extended log' level is enabled by default. Traffic to the broadcast address in your LAN is not forwarded by the (routing) firewall so it' s dropped. And logged if ' extended logging' is enabled. Simply disable it (see CLI Reference v5). No need to worry.

I never understood that either but on our old box, which was configured by fortinet and copied over manually to this new box, I believe the reason was that the default gateway is the Fortigate, not the core switch in this setup. I can only guess on that one - it didnt make sense to me either. The older forticate (4.0MR3) didnt have the same level of logging this new one does (5.0.6) and we' re getting a lot of replication errors between site-site tunnels even though they can ping and name resolution works fine, etc..basically trying to find a needle in a haystack here since it only started happening after implementing the new fortigate.

*Active Directory replication errors

Just for clarification for future readers, you can have LAN to LAN rules (hair-pin) if the LAN port has multiple IP subnets bound to it, and you want to allow traffic from one subnet to the other. Obviously, in this case (especially with the firewall rule explicitly listing ALL and ALL as the source and destination subnets, it doesn' t apply, and this rule should probably be removed entirely. So you are still seeing actual manifestations of this error then (the Active Directory)? I don' t think broadcast forwarding is the issue here, as that is supposed to allow broadcast traffic to step over to another interface or subnet.

Just to update: called support and they agreed this traffic is normal and is nothing to be concerned about. Turns out, the Active Directory endpoint replication issues were because the remote office was having power problems and the switch that housed the domain controllers was crashing on and off due to a faulty battery-backup. Talk about bad timing/coincidence..thinking the newly implemented firewall was the problem had nothing to do with the replication problems. It was the branch office not reporting problems back down here so we had no idea what was going on. Thanks for all the help guys!