Description
This article explains that, by default, a FortiGate does not log session or connection attempts that are made to one of its own interfaces and then denied. The settings below can be configured so that this denied traffic is logged.
Scope
FortiOS 2.80, 3.x, 4.x, 5.x.
Solution
FortiOS 2.8, 3.x.
1. Enable logging of the denied traffic.
Fortigate # config sys global
(global)# set loglocaldeny enable
(global)# end
Run get sys global afterwards to confirm that loglocaldeny is enabled.
2. Create a deny policy from external to internal and check the logs.
FortiOS 4.x.
Fortigate # config system global
(global)# set fwpolicy-implicit-log enable
(global)# set loglocaldeny enable
(global)# end
This will log denied traffic on implicit Deny policies.
Optional: it is also possible to create an explicit deny policy and log its traffic.
FortiOS 5.x.
Fortigate # config log setting
(setting)# set fwpolicy-implicit-log enable
(setting)# end
This will log denied traffic on implicit Deny policies.
Optional: it is also possible to create an explicit deny policy and log its traffic.
To log traffic that is denied by a firewall policy, create a policy with Action set to DENY. The DENY action blocks the matching communication sessions, and logging of the denied traffic can optionally be enabled on that policy. Traffic that matches no security policy is dropped. A DENY security policy is therefore needed when the denied traffic, also called 'violation traffic', must be logged.
Other settings to consider:
Fortigate # config log setting
(setting)# set local-in-deny-unicast enable
(setting)# set local-in-deny-broadcast enable
(setting)# end
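Once these settings are in place, the denied-traffic records can be checked programmatically rather than by eye. The following Python script is an added example; it is not part of the original article and not a Fortinet tool. It parses FortiGate key=value traffic log lines, classifies each denial by the setting that produces it (local-in deny for traffic addressed to the FortiGate itself, implicit deny with policyid 0, or an explicit DENY policy), and inspects the output of a get command for settings that are still disabled. The sample log lines and get output are constructed; the field names and the use of subtype local/forward and policyid 0 for the implicit deny are assumptions about the log format.

```python
import re
from collections import Counter

# FortiGate key=value log syntax: values are either double-quoted or bare tokens.
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample lines (values invented for illustration; field names follow
# the key=value syntax FortiGate uses for traffic logs).
SAMPLE_LOGS = [
    'date=2024-01-15 time=10:01:02 devname="FGT-LAB" type="traffic" subtype="local" '
    'level="notice" srcip=203.0.113.5 srcport=51234 dstip=198.51.100.1 dstport=22 '
    'proto=6 action="deny" policyid=0',
    'date=2024-01-15 time=10:01:03 devname="FGT-LAB" type="traffic" subtype="forward" '
    'level="notice" srcip=203.0.113.7 srcport=44000 dstip=192.0.2.10 dstport=445 '
    'proto=6 action="deny" policyid=0',
    'date=2024-01-15 time=10:01:04 devname="FGT-LAB" type="traffic" subtype="forward" '
    'level="notice" srcip=203.0.113.8 srcport=44001 dstip=192.0.2.10 dstport=443 '
    'proto=6 action="deny" policyid=7',
    'date=2024-01-15 time=10:01:05 devname="FGT-LAB" type="traffic" subtype="forward" '
    'level="notice" srcip=192.0.2.20 srcport=50000 dstip=203.0.113.9 dstport=80 '
    'proto=6 action="accept" policyid=3',
]

# Constructed excerpt of 'get sys global' style output (name : value per line).
SAMPLE_GET_OUTPUT = """\
loglocaldeny          : disable
fwpolicy-implicit-log : enable
"""


def parse_fortigate_log(line):
    """Split one key=value log line into a dict, stripping quotes from quoted values."""
    record = {}
    for key, value in _KV_RE.findall(line):
        record[key] = value[1:-1] if value.startswith('"') else value
    return record


def classify_denial(record):
    """Return which logging setting accounts for a denied record, or None if not a denial.

    'local-in'      : traffic to a FortiGate interface itself that was dropped
                      (logged when loglocaldeny / local-in-deny-* is enabled)
    'implicit-deny' : forwarded traffic that matched no policy (policyid 0)
                      (logged when fwpolicy-implicit-log is enabled)
    'explicit-deny' : forwarded traffic that matched a DENY policy with logging on
    """
    if record.get("type") != "traffic" or record.get("action") != "deny":
        return None
    subtype = record.get("subtype")
    if subtype == "local":
        return "local-in"
    if subtype == "forward":
        return "implicit-deny" if record.get("policyid") == "0" else "explicit-deny"
    return None


def summarize_denials(lines):
    """Count denied records per category and collect the destination ports seen in each."""
    counts = Counter()
    ports = {}
    for line in lines:
        record = parse_fortigate_log(line)
        category = classify_denial(record)
        if category is None:
            continue
        counts[category] += 1
        ports.setdefault(category, set()).add(int(record.get("dstport", 0)))
    return counts, ports


_GET_RE = re.compile(r"^\s*([\w-]+)\s*:\s*(\S+)")


def disabled_settings(get_output, required=("loglocaldeny", "fwpolicy-implicit-log")):
    """Parse 'name : value' lines from a get command and return the required settings
    that are missing or not set to 'enable'."""
    found = {}
    for line in get_output.splitlines():
        match = _GET_RE.match(line)
        if match:
            found[match.group(1)] = match.group(2)
    return [name for name in required if found.get(name) != "enable"]


if __name__ == "__main__":
    for name in disabled_settings(SAMPLE_GET_OUTPUT):
        print(f"warning: {name} is not enabled, denied traffic may be missing from logs")
    counts, ports = summarize_denials(SAMPLE_LOGS)
    for category, n in sorted(counts.items()):
        print(f"{category:14s} {n:3d} record(s), dst ports {sorted(ports[category])}")
```

The classification keys on the same fields the settings above control: a record with subtype local and action deny only appears once loglocaldeny (or local-in-deny-unicast/broadcast) is enabled, and a forward record with policyid 0 and action deny only appears once fwpolicy-implicit-log is enabled, so an empty category after a test connection is a quick sign that the corresponding setting is still off.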
Related Article:
How to configure the logging of Denied Traffic to a FortiGate interface