FortiGate
nweckel
Staff
Article Id 377865
Description

This article describes how to prevent ESP error logs from being sent to FortiAnalyzer.

Scope

FortiGate v7.2.4 or later with FortiAnalyzer logging.
Solution

Starting with FortiOS v7.2.4, detection of unknown ESP packets is enabled by default in the ESP packet handling process.

To verify whether the feature is enabled, run the following CLI command:

show full system settings | grep esp
    set detect-unknown-esp enable

When FortiGate detects an invalid IPsec connection attempt, the IKE daemon drops the unknown ESP packet based on its SPI (the packet's Security Parameter Index does not match any established tunnel).

When an unknown ESP packet is dropped, an event log is generated.

Below is a sample log (type 'event', subtype 'vpn', logid '0101037131'):

date=2020-08-11 time=09:28:40 devname=toSite1 devid=FGT60Fxxxxxxxxxx logid="0101037131" type="event" subtype="vpn" level="error" vd="root" eventtime=1597163320747963100 tz="-0700" logdesc="IPsec ESP" msg="IPsec ESP" action="error" remip=131.62.25.102 locip=192.157.116.88 remport=40601 locport=500 outintf="wan1" cookies="N/A" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="N/A" status="esp_error" error_num="Received ESP packet with unknown SPI." spi="f6c9e2x1" seq="02000400"

In some cases, an administrator may not want these logs forwarded to FortiAnalyzer.

Using the logid '0101037131', configure a free-style filter to exclude these logs from being sent to FortiAnalyzer:

config log fortianalyzer filter
    config free-style
        edit 1
            set category event
            set filter "logid 0101037131"
            set filter-type exclude
        next
    end
end


Up to three FortiAnalyzers can be configured on a FortiGate.

The same filter can be applied under 'config log fortianalyzer2 filter' and 'config log fortianalyzer3 filter' so that the logs are excluded for every FortiAnalyzer destination.
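
To see what the exclude filter above keeps and drops before relying on it, here is an added Python example (not Fortinet code and not part of the original article) that parses FortiOS key=value log lines and models the free-style filter from the configuration: logs in the 'event' category with logid 0101037131 are excluded, everything else is forwarded. Only the first sample line is the article's own log; the other lines, the placeholder logids in them, and the assumption that a free-style filter is evaluated only against logs of its configured category are constructed or assumed for this example.

```python
import re
from collections import Counter

# Constructed sample input. The first line is the article's sample log; the
# remaining lines are constructed for this example (logids 0199999999 and
# 0099999999 are placeholders, not real FortiOS log ids).
SAMPLE_LOGS = [
    'date=2020-08-11 time=09:28:40 devname=toSite1 devid=FGT60Fxxxxxxxxxx logid="0101037131" type="event" subtype="vpn" level="error" vd="root" eventtime=1597163320747963100 tz="-0700" logdesc="IPsec ESP" msg="IPsec ESP" action="error" remip=131.62.25.102 locip=192.157.116.88 remport=40601 locport=500 outintf="wan1" cookies="N/A" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="N/A" status="esp_error" error_num="Received ESP packet with unknown SPI." spi="f6c9e2x1" seq="02000400"',
    # constructed: the same unknown-SPI event from a second remote address
    'date=2020-08-11 time=09:29:02 devname=toSite1 devid=FGT60Fxxxxxxxxxx logid="0101037131" type="event" subtype="vpn" level="error" vd="root" logdesc="IPsec ESP" msg="IPsec ESP" action="error" remip=198.51.100.7 locip=192.157.116.88 remport=4500 locport=500 outintf="wan1" status="esp_error" error_num="Received ESP packet with unknown SPI." spi="00000000" seq="00000001"',
    # constructed: a different event log (placeholder logid) that must still be forwarded
    'date=2020-08-11 time=09:30:00 devname=toSite1 devid=FGT60Fxxxxxxxxxx logid="0199999999" type="event" subtype="system" level="notice" vd="root" logdesc="Placeholder event" msg="constructed event log"',
    # constructed: a traffic log carrying the same id string in another category
    'date=2020-08-11 time=09:30:05 devname=toSite1 devid=FGT60Fxxxxxxxxxx logid="0101037131" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.0.0.5 dstip=10.0.1.9 action="accept"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortios_log(line):
    """Parse one FortiOS key=value log line into a dict, stripping quotes."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def is_excluded(fields, category="event", logid="0101037131"):
    """Model the article's free-style exclude filter.

    Assumption for this example: the filter string 'logid 0101037131' is
    evaluated only against logs of the configured category, so the same id
    string in another category is left alone.
    """
    return fields.get("type") == category and fields.get("logid") == logid


def apply_exclude_filter(lines, category="event", logid="0101037131"):
    """Split raw log lines into (forwarded, excluded) lists of parsed dicts."""
    forwarded, excluded = [], []
    for line in lines:
        fields = parse_fortios_log(line)
        if is_excluded(fields, category, logid):
            excluded.append(fields)
        else:
            forwarded.append(fields)
    return forwarded, excluded


def summarize_excluded(excluded):
    """Count suppressed unknown-SPI events per remote IP so the information
    that no longer reaches FortiAnalyzer can still be reviewed locally."""
    return Counter(f.get("remip", "unknown") for f in excluded)


if __name__ == "__main__":
    fwd, exc = apply_exclude_filter(SAMPLE_LOGS)
    print(f"forwarded: {len(fwd)}, excluded: {len(exc)}")
    for remip, count in summarize_excluded(exc).items():
        print(f"  {remip}: {count} unknown-SPI packet(s) dropped")
```

The filter above only changes what is sent to FortiAnalyzer; the summarize_excluded helper shows the kind of per-peer summary worth keeping somewhere else (for example from the logs still available on the FortiGate itself), since a remote peer that repeatedly sends ESP with an unknown SPI usually points at a stale or mismatched SA that is worth fixing rather than silently ignoring.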


Related document:

Blocking unwanted IKE negotiations and ESP packets with a local-in policy