vstrabello
Explorer
July 30, 2015
Solved

Lot of "policyid=0" logs in a few minutes


Hello, we have a bunch of Fortigate devices which are logging several times (about 100k logs in 15 minutes, each device) on our logging platform (we use ELK), and this is overwhelming the disk space. How can we disable the logging on the "default deny policy" in order to stop these logs? Below is the log message that is filling our disk space:

<189>date=2015-07-30 time=10:24:41 devname=fw01-xpto devid=FGT60XXXXXXXXXXX logid=0001000014 type=traffic subtype=local level=notice vd=root srcip=XXX.XXX.XXX.XXX srcport=137 srcintf="internal1" dstip=YYY.YYY.YYY.YYY dstport=137 dstintf="root" sessionid=2253947840 action=deny policyid=0 dstcountry="Reserved" srccountry="Reserved" trandisp=noop service="137/udp" proto=17 app="netbios forward" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0

Thanks!!

    Best answer by Sylvia

    It depends a little bit on the traffic type.

    Here are some possibilities to stop different kinds of logs:

    config log setting
        set local-in-deny-broadcast {enable | disable}
        set local-in-deny-unicast {enable | disable}
    end

    or

    config log <log-destination> filter
        set local-traffic {enable | disable}
    end

    Because it's port 137 I assume that you "set local-in-deny-broadcast disable".

    The CLI guide is your friend :)
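The answer hinges on whether the policyid=0 local-in denies are going to a broadcast or a unicast address, since that decides which of the two `config log setting` options applies. As an added example (not code from the thread or from Fortinet), the script below parses syslog lines in the key=value format quoted in the question, keeps only the implicit local-in denies, splits them by destination type per device and names the matching option; the sample lines, the 192.0.2.0/24 subnet behind internal1 and the devid are constructed.

```python
import ipaddress
import re
from collections import Counter

# key=value pairs, quoted or bare, as emitted in FortiOS traffic logs.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample logs in the question's format (RFC 5737 addresses, placeholder devid).
# Lines 1-3 mimic NetBIOS/DHCP chatter to broadcast addresses hitting the implicit deny.
SAMPLE_LOGS = [
    '<189>date=2015-07-30 time=10:24:41 devname=fw01-xpto devid=FGT60XXXXXXXXXXX logid=0001000014 type=traffic subtype=local level=notice vd=root srcip=192.0.2.15 srcport=137 srcintf="internal1" dstip=192.0.2.255 dstport=137 dstintf="root" action=deny policyid=0 service="137/udp" proto=17 app="netbios forward"',
    '<189>date=2015-07-30 time=10:24:42 devname=fw01-xpto devid=FGT60XXXXXXXXXXX logid=0001000014 type=traffic subtype=local level=notice vd=root srcip=192.0.2.16 srcport=137 srcintf="internal1" dstip=192.0.2.255 dstport=137 dstintf="root" action=deny policyid=0 service="137/udp" proto=17 app="netbios forward"',
    '<189>date=2015-07-30 time=10:24:42 devname=fw01-xpto devid=FGT60XXXXXXXXXXX logid=0001000014 type=traffic subtype=local level=notice vd=root srcip=192.0.2.17 srcport=68 srcintf="internal1" dstip=255.255.255.255 dstport=67 dstintf="root" action=deny policyid=0 service="DHCP" proto=17',
    '<189>date=2015-07-30 time=10:24:43 devname=fw01-xpto devid=FGT60XXXXXXXXXXX logid=0001000014 type=traffic subtype=local level=notice vd=root srcip=192.0.2.99 srcport=51022 srcintf="internal1" dstip=192.0.2.1 dstport=23 dstintf="root" action=deny policyid=0 service="TELNET" proto=6',
    '<189>date=2015-07-30 time=10:24:43 devname=fw01-xpto devid=FGT60XXXXXXXXXXX logid=0000000013 type=traffic subtype=forward level=notice vd=root srcip=192.0.2.20 srcport=40000 srcintf="internal1" dstip=198.51.100.7 dstport=443 dstintf="wan1" action=accept policyid=5 service="HTTPS" proto=6',
]

# Which 'config log setting' option silences each class of implicit local-in deny.
SETTING_FOR_KIND = {'broadcast': 'local-in-deny-broadcast', 'unicast': 'local-in-deny-unicast'}


def parse_fortigate_log(line):
    """Return the fields of one FortiOS syslog line as a dict, minus the <PRI> prefix and quotes."""
    body = re.sub(r'^<\d+>', '', line)
    return {k: v.strip('"') for k, v in KV_RE.findall(body)}


def is_broadcast(dstip, local_nets):
    """True for the limited broadcast or the directed broadcast of any listed local subnet."""
    ip = ipaddress.ip_address(dstip)
    return ip == ipaddress.ip_address('255.255.255.255') or any(
        ip == net.broadcast_address for net in local_nets)


def classify_implicit_denies(lines, local_cidrs):
    """Count policyid=0 local-in denies per device, split into broadcast and unicast destinations."""
    nets = [ipaddress.ip_network(cidr) for cidr in local_cidrs]  # assumed subnets behind the LAN ports
    counts = Counter()
    for line in lines:
        rec = parse_fortigate_log(line)
        if (rec.get('policyid'), rec.get('action'), rec.get('subtype')) != ('0', 'deny', 'local'):
            continue  # forwarded or accepted traffic is not what floods the disk here
        kind = 'broadcast' if is_broadcast(rec['dstip'], nets) else 'unicast'
        counts[(rec['devname'], kind)] += 1
    return counts


def suggest_settings(counts, min_count=2):
    """Map each device to the log-setting options worth disabling, given the volume seen."""
    suggestions = {}
    for (dev, kind), n in counts.items():
        if n >= min_count:
            suggestions.setdefault(dev, []).append(SETTING_FOR_KIND[kind])
    return {dev: sorted(opts) for dev, opts in suggestions.items()}
```

Feed it the raw lines from the ELK index for one device and a 15-minute window; if almost everything lands in the broadcast bucket, `set local-in-deny-broadcast disable` is the right knob, while a large unicast bucket points at the other option or at the sending hosts.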

    5 replies


    vstrabello
    Explorer
    July 30, 2015

    Thanks! I will try these commands and I will post the results :)

    emnoc
    New Member
    July 30, 2015

    FWIW, and an idea:

    Could you just create a policy and place it at the end of the sequence with a big deny and no logging? This should match all traffic that doesn't match any "accept" firewall policies above it and drop the traffic with no logging.

    Sylvia
    Explorer
    July 30, 2015

    Are you sure this will match local traffic as well?

    emnoc
    New Member
    July 30, 2015

    Are all the denies from local traffic? Local means "from the firewall". If you have denies from the firewall, you should stop the source that's sending, imho.

    vstrabello
    Explorer
    July 30, 2015

    Sylvia, that worked! I set this:

    set local-in-deny-broadcast disable

    And then the logs stopped flooding. I believe there are some stations sending the 137 to the broadcast address, matching the implicit rule and then generating the huge amount of logs. After we set this line the logs stopped flooding.

    Emnoc, we will try this in a future test, too. As soon as we get the results, I will post here.

    Thanks!

    Wayne11
    Explorer
    September 27, 2018

    Hi,

    Does anyone know if this is not supported anymore in 6.0.2?

    We still get all the local traffic on the FortiAnalyzer with disabled local-traffic.

    All NetBIOS broadcast port 137 deny packets are still logged.

    config log fortianalyzer filter
        set local-traffic disable

    Wayne11
    Explorer
    September 27, 2018

    Got it solved: after disabling logging of the implicit 'policy 0' traffic it became quiet.

    Sorry for digging out this old thread.