therculano
Explorer III
August 28, 2025
Solved

Rule blocking an authorized address


Hello! 

Can you explain why a deny happened on this log? The address is released in the rule, but it was blocked anyway, just a single time.

date=2025-08-28 time=10:08:20 id=7543622580939259925 itime=2025-08-28 10:08:21 euid=3 epid=6003 dsteuid=3 dstepid=101 logflag=3 logver=704082795 sfsid=0 type=traffic subtype=forward level=notice action=deny policyid=52 sessionid=147382898 srcip=172.30.171.217 dstip=138.59.163.69 srcport=42401 dstport=443 trandisp=noop duration=44 proto=6 sentbyte=180 rcvdbyte=0 sentpkt=3 rcvdpkt=0 logid=0000000013 service=HTTPS app=HTTPS appcat=unscanned srcintfrole=lan dstintfrole=wan srcserver=0 policytype=policy eventtime=1756386501043559039 crscore=30 craction=131072 crlevel=high srcuuid=498de162-e8a6-51ef-6775-922ed917fc34 dstuuid=5d5a000e-f37d-51ef-1ff6-866a1aaf3cde poluuid=f050e110-e89d-51ef-5c4c-a43178bb4c78 srcmac=56:84:20:f4:60:02 mastersrcmac=56:84:20:f4:60:02 srccountry=Reserved dstcountry=Brazil srcintf=lan dstintf=wan2 policyname=Boleto_digital threatwgts=30 threatcnts=1 threatlvls=3 threats=blocked-connection threattyps=blocked-connection tz=-0300 vd=root csf=UNF_SEC_FABRIC dtime=2025-08-28 10:08:20 itime_t=1756386501 devname=FGT100F_ALF srcuuid_name=SAP Server dstuuid_name=Boleto Digital - Itau

Best answer by AEK

Try debugging the flow to see what is blocking the traffic.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Debug-flow-tool/ta-p/213238

2 replies

sokatvo2
New Member
August 28, 2025

It appears you have most things covered. One additional thing that might be a good idea is to create an app-filter for high risk score apps and app categories and use the filter for an app block rule. Using an app filter can be useful because it scales automatically as new app-ids are created: if they fall into the right criteria, they'll automatically get added to that app filter.

AEK
SuperUser
August 28, 2025

Are you using security profiles in the related rule? Did you check the related UTM logs?

AEK
therculano
Explorer III
August 28, 2025

Yes, I do, but my security profile is just monitoring it. I'm using web filter just to see the URLs that are being accessed and couldn't find the web filter log for this deny event, so probably it was blocked before the rating. 

AEK
SuperUser
Answer
September 1, 2025
AEK
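
A debug flow session of the kind the accepted answer suggests, filtered to the flow in the posted deny log. This is an added example, not part of any post in the thread: the addresses, protocol and port come from the log line in the question, the trace count of 100 is an assumed value, and lines starting with "#" are annotations rather than commands to type.

```fortios
# Start from a clean debug state so old filters do not hide the flow
diagnose debug reset
diagnose debug flow filter clear

# Match only the denied flow from the log:
# srcip=172.30.171.217 dstip=138.59.163.69 proto=6 dstport=443
diagnose debug flow filter saddr 172.30.171.217
diagnose debug flow filter daddr 138.59.163.69
diagnose debug flow filter proto 6
diagnose debug flow filter port 443

# Show which kernel function handled each packet and the policy lookup,
# so the line that reports the drop names the check that made the decision
diagnose debug flow show function-name enable
diagnose debug flow show iprope enable
diagnose debug console timestamp enable

# Trace up to 100 packets (assumed count), then turn debug output on
diagnose debug flow trace start 100
diagnose debug enable

# ... wait for the SAP server to open a new HTTPS session to the destination ...

# Stop tracing and clear all debug settings when done
diagnose debug flow trace stop
diagnose debug disable
diagnose debug reset
```

The trace only shows packets seen while it is running, so for a deny that occurred a single time it has to be active when the drop recurs.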