FortiGate
bthomaj
Staff
Article Id 197227

Description

This article describes how to log session or connection attempts to a FortiGate interface that are denied. By default, such denied attempts are not logged; the settings below enable logging of this information.


Scope

FortiOS v2.80, v3.x, v4.x, v5.x.


Solution

FortiOS v2.8, v3.x.

1. Enable logging of the denied traffic.

Fortigate # config sys global
(global)# set loglocaldeny enable
(global)# end

Run 'get sys global' afterwards to confirm that loglocaldeny shows as enabled.

2. Create a deny policy from external to internal and check the logs.

FortiOS v4.x.

Fortigate # config system global
(global)# set fwpolicy-implicit-log enable
(global)# set loglocaldeny enable
(global)# end

This will log denied traffic on implicit Deny policies.

FortiOS v5.x.

Fortigate # config log setting
(setting)# set fwpolicy-implicit-log enable
(setting)# end

This will log denied traffic on implicit Deny policies.

Optional: it is also possible to create a deny policy and log the traffic it blocks.

Create a policy with Action DENY. A DENY policy blocks the matching communication sessions, and logging of the denied traffic can optionally be enabled on it. If no security policy matches the traffic at all, the packets are dropped by the implicit deny. An explicit DENY security policy is needed when the denied traffic, also called 'violation traffic', must be logged.

Other settings to consider (logging of traffic denied by local-in policies, i.e. traffic destined to the FortiGate itself):

Fortigate # config log setting
(setting)# set local-in-deny-unicast enable
(setting)# set local-in-deny-broadcast enable
(setting)# end

GUI:

[Screenshot: Log Settings page (logs settings.PNG)]

 

Additional Note:

The command 'set loglocaldeny enable' mentioned in this article is no longer available on newer versions of FortiOS.

On later versions, including v7.2.x and v7.4.x, the command to use is:

Fortigate # config log setting
(setting)# set fwpolicy-implicit-log enable
(setting)# end

 

Another way to do this is to create a Deny Policy and enable the option 'Log Violation Traffic', as seen in the screenshot below:

[Screenshot: Deny Policy with 'Log Violation Traffic' enabled (Deny Policy.PNG)]

 

In the GUI, logging of local-in denied traffic is enabled as follows:

[Screenshot: Log Settings, local-in deny logging options (GUI view.PNG)]

 

On the CLI, the commands are the same as in previous versions:

Fortigate # config log setting
(setting)# set local-in-deny-unicast enable
(setting)# set local-in-deny-broadcast enable
(setting)# end

 
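Once these settings are active, the FortiGate emits traffic logs for the denied sessions, and the value of the exercise is being able to tell the three kinds apart: implicit denies (no policy matched, policyid 0), explicit DENY-policy hits ('violation traffic'), and local-in denies (traffic to the FortiGate's own interface). The parser below is an added example, not part of this article or of FortiOS; it assumes the FortiOS key=value log layout with the fields type, subtype, action and policyid, and the sample lines it runs on are constructed for the example rather than captured from a device.

```python
"""
Classify FortiGate traffic log records by the kind of deny that produced them.

Added example, not from the Fortinet article. Assumes FortiOS key=value
traffic logs carrying type, subtype, action, policyid, srcip, dstip, dstport.
"""
import re
from collections import Counter
from typing import Optional

# Matches key=value tokens; values may be double-quoted and contain spaces.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample log lines (illustrative values, not captured from a device).
SAMPLE_LOGS = [
    # forwarded traffic that matched no policy: implicit deny (policyid=0)
    'date=2024-01-15 time=10:00:01 devname="FGT-LAB" type="traffic" subtype="forward" '
    'level="notice" srcip=203.0.113.10 srcport=51000 dstip=192.0.2.20 dstport=445 proto=6 '
    'action="deny" policyid=0 policytype="policy" msg="constructed implicit deny"',
    # attempt to reach the FortiGate interface itself: local-in deny
    'date=2024-01-15 time=10:00:02 devname="FGT-LAB" type="traffic" subtype="local" '
    'level="notice" srcip=203.0.113.11 srcport=52000 dstip=198.51.100.1 dstport=22 proto=6 '
    'action="deny" policyid=0 msg="constructed local-in deny"',
    # explicit DENY policy (id 7) with Log Violation Traffic enabled
    'date=2024-01-15 time=10:00:03 devname="FGT-LAB" type="traffic" subtype="forward" '
    'level="notice" srcip=203.0.113.10 srcport=51001 dstip=192.0.2.20 dstport=3389 proto=6 '
    'action="deny" policyid=7 policytype="policy"',
    # accepted traffic, must be ignored by the classifier
    'date=2024-01-15 time=10:00:04 devname="FGT-LAB" type="traffic" subtype="forward" '
    'level="notice" srcip=192.0.2.5 srcport=40000 dstip=192.0.2.20 dstport=443 proto=6 '
    'action="accept" policyid=3',
    # an event log, not a traffic log, must also be ignored
    'date=2024-01-15 time=10:00:05 devname="FGT-LAB" type="event" subtype="system" '
    'level="information" action="login" msg="constructed admin login"',
]


def parse_record(line: str) -> dict:
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, value in _KV.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def classify_deny(rec: dict) -> Optional[str]:
    """
    Return the deny category of a traffic record, or None if the record was
    allowed or is not a traffic log.
      'local-in-deny' : subtype local, traffic to a FortiGate interface denied
      'implicit-deny' : forwarded traffic that matched no policy (policyid 0)
      'policy-deny'   : forwarded traffic denied by an explicit DENY policy
    """
    if rec.get("type") != "traffic" or rec.get("action") != "deny":
        return None
    if rec.get("subtype") == "local":
        return "local-in-deny"
    if rec.get("policyid", "0") == "0":
        return "implicit-deny"
    return "policy-deny"


def summarize(lines):
    """Count denied records per category and per (category, srcip, dstip, dstport)."""
    by_category = Counter()
    by_flow = Counter()
    for line in lines:
        rec = parse_record(line)
        category = classify_deny(rec)
        if category is None:
            continue
        by_category[category] += 1
        by_flow[(category, rec.get("srcip"), rec.get("dstip"), rec.get("dstport"))] += 1
    return by_category, by_flow


if __name__ == "__main__":
    cats, flows = summarize(SAMPLE_LOGS)
    for cat, n in sorted(cats.items()):
        print(f"{cat:15s} {n}")
    for (cat, src, dst, port), n in sorted(flows.items()):
        print(f"  {cat:15s} {src} -> {dst}:{port}  x{n}")
```

If the local-in category never appears after the change, the likely causes are that local-in-deny-unicast/broadcast were left disabled or that the FortiGate is not forwarding logs to the collector at all; an implicit-deny count of zero with fwpolicy-implicit-log enabled usually points at the same log-destination problem.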

Related article:

Technical Tip: How to configure the logging of Denied Traffic to a FortiGate interface