New Member

Question

Not seeing Local Traffic logs for WAN interfaces?

Forum|Forum|4 years ago
April 12, 2022
2 replies
13260 views

Hi,

I have only a limited experience with Fortinet products so far.

I ran into a similiar problem on one of my first projects of setting up a Fortigate environment. This environment originally had Fortigate firewalls which did not have separate disks and configuring the log filters for memory did the trick then.

Now I have set up FortiWifi-61F at home and I seem to have problems seeing any logs on my WAN interfaces which should naturally have constant scanning traffic being blocked on them and visible on the Local Traffic logs?

My WAN1 interface is acting as a DHCP Client and connected to a 5G device that is in bridged mode

My WAN2 interface is acting as a DHCP Client and connected to a 4G device that is in bridged mode

I have made a third separate WAN interface as VLAN interface which is connected through a Fortilink to a Fortiswitch and in one of its access ports it has an ADSL router in bridged mode.

5G is currently active as it has the best route.

I was originally running a 6.4 software but upgraded to 7.2. last night

So far I have done the following things (some of the things are on by default i guess)

config log disk setting
set status enable
end

config log disk filter
set severity information
set forward-traffic enable
set local-traffic enable
set multicast-traffic enable
set sniffer-traffic enable
set ztna-traffic enable
set anomaly enable
set voip enable
set dlp-archive enable
end

config log setting
set fwpolicy-implicit-log enable
set local-in-deny-unicast enable
set local-in-deny-broadcast enable
set local-out disable
end

But even after this I am not seeing really any Local Traffic logs related to the WAN interfaces.

One problem also seems to be that in my FIrewall Policy section, the Implicit Deny rule has only logged 314B worth of traffic. I guess it must only handle traffic going through the firewall and now since there is no Static NAT type configurations at the moment its not logging any denied traffic?

I would really like to see and log even the scanning traffic coming from the Internet and I am wondering what I need to do to get it visible

FortiGate

xsilver_FTNT

Staff

Hi I'm not sure about what you want to achieve, but consider this ..
- firewall policies are for traffic passing through FortiGate unit and if logged than records will be in Forward Traffic log.

- Local Traffic log contains logs of traffic originate from FrotiGate, generated locally so to speak. Any restrictions to this kind of traffic are not handled by normal firewall policies, but by local-in policies for ingress into FortiGate (where traffic do not pass but terminates on FortiGate, like DHCP requests wheer FortiGate is that DHCP server) and by service configurations for egress from FortiGate. So have a look to 'config firewall local-in-policy'.

JokkeAuthor

New Member

Hi,

What I am after is getting the Fortigate to log all the traffic that is destined to any of its interface (but mostly the external interfaces) and blocked/denied/dropped.

At the moment I am receiving such logs from pretty much all the interfaces but the WAN interfaces which seems very odd as basicly as soon as you connect a device to Internet you would see scanning traffic.

I first run into this problem when I was deploying my first Fortigate 600E HA pair. as the device did not have an internal HD/SSD I had to modify the log configurations through CLI to see these and it was no problem after that. However my Fortiwifi 61F does not seem to show the WAN interface blocked connections at all even though I have modified the configurations as shown above in my original post. I just wondering what I am missing configuration wise?

I have 4G, 5G and ADSL connections at home and each of them has a public IP address. (4G and ADSL have a static public IP address, 5G will have a bit later) So each of these Internet facing interfaces should have constant scanning traffic reaching them and being blocked. I would like to get logs of these traffic also.

I assume I do not have to modify any rules as I did not in the case of the 600E devices. But if there is some settings under the actual local-in-policy configurations that affect the logging then I will have a look at them and report back to this post.

JokkeAuthor

New Member

Seems the command "show full-configuration firewall local-in-policy" is completely blank.

It does not show anything.

The GUI side shows a list of different allowed connections which are probably mostly generated by configuring the firewall interfaces and allowing or enabling different services on them

fw # show full-configuration firewall local-in-policy
config firewall local-in-policy
end

pminarik

Staff

Assuming:

you enabled `local-in-deny unicast` in log settings
you aren't accidentally hitting a port that is actually open and expected to process traffic
the packet actually makes it across and reaches your FortiGate (you mentioned you have the FortiGate at home. There's always a chance that a residential ISP is filtering inbound traffic)

... you should be able to see the denied traffic, inbound to your WAN interface, in both the debug flow, and in the local traffic logs.

For verification, pick a random port and run debug flow for it:

diag debug reset diag debug flow filter clear diag debug flow filter port 8721 # try to pick a port not used by anything, to minimize "noise" in the debug diag debug enable diag debug flow trace start 3 # show only the first three packets matching the filter

Once this is done, run a telnet command, or any other tool of your choice, to probe the same port. You should see the packet processed, and denied, in the debug flow output. Example:

id=20085 trace_id=313 func=print_pkt_detail line=5727 msg="vd-root:0 received a packet(proto=6, <source-ip>:1109-><your-public-ip>:8721) from <WAN-interface>. flag [S], seq 2476414885, ack 0, win 64240" id=20085 trace_id=313 func=init_ip_session_common line=5898 msg="allocate a new session-00787e44" id=20085 trace_id=313 func=vf_ip_route_input_common line=2621 msg="find a route: flag=80000000 gw-<wan-ip> via root" id=20085 trace_id=313 func=fw_local_in_handler line=435 msg="iprope_in_check() check failed on policy 0, drop"

The local traffic log should also contain a matching entry, like so:

date=2022-04-14 time=16:47:55 eventtime=1649947675840558673 tz="+0200" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" srcip=<source-ip> srcport=1109 srcintf="<wan-interface>" srcintfrole="undefined" dstip=<wan-ip> dstport=8721 dstintf="root" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=7896644 proto=6 action="deny" policyid=0 policytype="local-in-policy" service="tcp/8721" trandisp="noop" app="tcp/8721" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned" crscore=5 craction=262144 crlevel="low"

If the debug flow shows anything else than "iprope_in_check() check failed on policy 0, drop", it's likely being processed for some other reason. (some feature/function, VIP, etc.)

JokkeAuthor

New Member

Hi,

The first command it set to enabled and what I am expecting to see is at least some scanning from the Internet using multiple different ports. There is going to be a lot of ports scanned that do not match any service the FW might be running.Have used both Cisco and Palo Alto firewalls and just replaced my home devices some Fortinet FW/AP/SW to practice but Cisco/PA handled this kind of logging a bit more clearly.

There should also be no limitations from the ISP as I work at the ISP that is providing me with the connections :)

I will use the commands you provided to debug the situation and generate traffic to the interfaces when I have time and get back to you. Thank you for the tips so far!

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded