Simple explanation for enabling the LOGGING of blocked implicit traffic that actually works?
Hello,
I apologize in advance for the newbie inquiry; however, the answer to this question seems to lack any definitive/updated explanation. I have checked search engine sources, this forum, etc., and all the explanations don't actually answer the question in a way that produces a result, i.e., allowing one to simply log denied WAN traffic that is attempting to interact with the firewall.
I get that logging denied traffic via the implicit deny rule is disabled by default, and this makes sense, as if enabled it could generate massive logs that many would consider to be irrelevant. So all I want to do is enable it and see what is going on.
So I have set the Implicit Deny baseline policy and enabled "Log IPv4 Violation Traffic"; however, this wouldn't seem to be the answer I am looking for, because by default there should be no "violation traffic" coming through the firewall if it is all blocked by this rule. Whether Log IPv4 Violation Traffic is disabled or enabled, no traffic is shown as logged.
I attempted to use the CLI and input some command lines suggested in this forum, supposedly to solve this problem, under the forum heading "This article describes how to troubleshoot missing implicit deny logs."
^^ This completely fails as well
I have also attempted to create a separate rule that mirrors the implicit deny rule, put it at the bottom of the FW rule stack and enabled logging; but this also fails to log denied incoming WAN traffic.
Despite all of these steps, which I believe I have correctly followed, the implicit deny rule shows 0 bytes logged, and nowhere in the logs (that I can locate, at least) is there any incoming traffic that was rejected by the firewall.
So, is there actually a coherent answer to this simple question that actually works? On my two previous firewalls (not Forti-based) you could enable this by clicking a single option; then, when you checked the logs, you actually could see the immediate results. It doesn't really make sense that such a seemingly simple process should be so hard to instantiate; either I have completely missed something or this answer/information is being suppressed for some strange reason.
Thanks in advance for any assistance/advice
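
The post above touches three knobs on a FortiGate: the implicit-deny policy's log option, a trailing explicit deny policy, and CLI settings from a troubleshooting article. What follows is an added example, not the poster's configuration and not text from any Fortinet article, showing the FortiOS CLI settings that decide where denied traffic ends up, together with the distinction a practitioner would check first: the implicit-deny policy only sees forwarded traffic (sessions that would cross from one interface to another), while packets addressed to the firewall's own WAN interface IP are local-in traffic and are logged by a separate set of options. The interface names "wan1" and "internal", the single-VDOM layout, and memory as the log destination are assumptions; exact option names vary somewhat between FortiOS releases, so confirm each with `?` in the CLI before relying on it.

```fortios
# Added example, not the poster's config. Assumes a single-VDOM FortiGate,
# interfaces "wan1" and "internal", and memory logging as the destination.

# 1. Make sure a log destination is actually enabled (memory here; disk or
#    FortiAnalyzer are the alternatives). Without one, nothing is stored.
config log memory setting
    set status enable
end

# 2. Let that destination accept both forward traffic (through the box)
#    and local traffic (to or from the box itself).
config log memory filter
    set severity information
    set forward-traffic enable
    set local-traffic enable
end

# 3. Global switches: implicit-deny logging covers forward traffic that
#    matched no policy; local-in-deny-* covers traffic addressed to a
#    FortiGate interface IP, which the implicit-deny policy never sees.
config log setting
    set fwpolicy-implicit-log enable
    set fwpolicy6-implicit-log enable
    set local-in-deny-unicast enable
    set local-in-deny-broadcast enable
end

# 4. Optional explicit catch-all deny appended to the bottom of the policy
#    list. On a deny policy, "logtraffic all" is the setting that records
#    matches; "utm" only logs sessions that were allowed and inspected.
config firewall policy
    edit 0
        set name "log-wan-deny"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set action deny
        set logtraffic all
    next
end

# 5. Check from the CLI: traffic category only, denied entries only.
execute log filter category 0
execute log filter field action deny
execute log display
```

The point to verify is which bucket the traffic lands in. Probes against the WAN interface's own address (SSH, HTTPS, ping to the firewall) are local-in traffic: they never reach the policy table, so the implicit-deny counter stays at 0 bytes no matter how its log option is set, and the corresponding entries appear under Local Traffic, not Forward Traffic, once the local-in-deny options are on. The implicit-deny counter and the trailing deny policy only move for packets whose destination lies behind the firewall and that no earlier policy accepted. If the counter still stays at zero with the settings above, the remaining checks are that the log filter actually includes severity "information" (deny entries are logged at that level) and that an earlier policy is not silently matching the traffic first.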
