| Description |
This article describes how FortiAnalyzer logs show policy ID = 0 accepting traffic. |
| Scope | FortiGate/FortiAnalyzer. |
| Solution |
In reality, Policy ID = 0 (Implicit deny) is not allowing traffic but it shows in FortiAnalyzer logs because it is the last policy that gets checked.
As seen in the below screenshot, FortiAnalyzer logs show policy ID = 0 accepting traffic.
After expanding the FortiAnalyzer log, this traffic is marked as local. This traffic is either generated by FortiGate or terminating on FortiGate itself. In this case, an unknown source was trying to hit FortiGate's external IP on port 4500.
When running debug flow and diag sys session, the policy ID = 4294967295 was accepting traffic. This is the default local-in-policy ID number that this traffic was hitting and allowing it.
By design, when the local in traffic comes in, it will check multiple policy groups, including implicit and explicit policies. 'config firewall local-in-policy' is just the first group. If it passes, it will check several other implicit groups. It will use the last matched policy number.
Default local-in-policy allowing traffic for port 4500.
In this case, the traffic was hitting default local-in-policy which accepted the traffic and as designed checks other policies in line. That is the reason why FortiAnalyzer logs show an accepted log with policy ID = 0. |
Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Spring Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiGuest
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiSRA
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiScan
- FortiSandbox
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiWAN
- FortiToken
- FortiVoice
- FortiWeb
- FortiAppSec Cloud
- RMA Information and Announcements
- Lacework
- Wireless Controller
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
FortiAnalyzer
FortiAnalyzer can receive logs and Windows host events directly from endpoints connected to EMS, and you can use FortiAnalyzer to analyze the logs and run reports.
- Fortinet Community
- Knowledge Base
- FortiAnalyzer
- Technical Tip: FortiGate Policy ID = 0 (Implicit d...
Options
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.