FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
mtse
Staff
Article Id 402816
Description

This article explains why a deny log with logid '0001000014' can be triggered by IPv6 traffic even though IPv6 is not enabled on the FortiGate.

 

For example:

 

(Screenshot: a 'Local Traffic' deny log entry with logid 0001000014 for IPv6 traffic.)
Scope

FortiGate.
Solution

This is the expected behavior if the 'implicit' deny log is enabled as described in the KB article below: Technical Tip: Implicit deny logs

 

In the example above, the FortiGate receives regular IPv6 multicast packets sent to the destination IPv6 address ff02::fb. If the implicit deny log is enabled (fwpolicy-implicit-log enable) and logging of denied broadcast/multicast traffic is enabled (local-in-deny-broadcast enable), such denied IPv6 multicast traffic is recorded in the 'Local Traffic' log.

 

config log setting

    set fwpolicy-implicit-log enable

    set local-in-allow enable

    set local-in-deny-unicast enable

    set local-in-deny-broadcast enable

end

 

If deny logs for IPv6 multicast traffic should not be recorded, there are two options.

  1. Disable logging of all denied broadcast/multicast traffic. Note that this not only stops the deny log for IPv6 broadcast/multicast traffic, it also stops the deny log for IPv4 broadcast/multicast traffic.

 

config log setting

    set local-in-deny-broadcast disable

end

 

  2. Configure the log filter to exclude such 'deny' logs from being sent to the syslog server or FortiAnalyzer. The deny log is still recorded locally on the FortiGate (if local logging to memory or disk is enabled), but the FortiGate does not send it to the syslog server or FortiAnalyzer.

 

For example:

Configure a 'free-style' log filter to exclude sending of logs whose field 'policytype' is 'local-in-policy6' (denied traffic matching the local-in IPv6 policy).

 

config log fortianalyzer filter

    config free-style

        edit 1

            set category traffic

            set filter "policytype local-in-policy6"

            set filter-type exclude

        next

    end

end

 

The deny log entry that this filter excludes looks like the following:

date=2025-07-18 time=10:41:58 eventtime=1752806518298563869 tz="+0800" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" srcip=fe80::5775:7bbb:1aaa:3a8f srcport=5353 srcintf="port10" srcintfrole="undefined" dstip=ff02::fb dstport=5353 dstintf="unknown-0" dstintfrole="undefined" replysrcintf="root" sessionid=2341 proto=17 action="deny" policyid=0 policytype="local-in-policy6" service="udp/5353" trandisp="noop" app="udp/5353" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 msg="Connection Failed"
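To check what the free-style filter above keeps and drops before changing it on a production unit, the following added Python example (not Fortinet code) parses FortiGate key=value log lines and applies a simplified model of a 'field value' free-style filter; the IPv6 line is the entry from this article and the IPv4 line is constructed for contrast, and the single-field, exact-match filter semantics are an assumption, not the full FortiOS filter grammar.

```python
import re

# Constructed sample log lines in FortiGate key=value format. The first is the
# IPv6 mDNS deny entry from this article (shortened), the second is a
# constructed IPv4 mDNS deny entry matched by the local-in IPv4 policy.
LOGS = [
    'date=2025-07-18 time=10:41:58 logid="0001000014" type="traffic" subtype="local" '
    'srcip=fe80::5775:7bbb:1aaa:3a8f srcport=5353 dstip=ff02::fb dstport=5353 proto=17 '
    'action="deny" policyid=0 policytype="local-in-policy6" service="udp/5353" msg="Connection Failed"',
    'date=2025-07-18 time=10:42:03 logid="0001000014" type="traffic" subtype="local" '
    'srcip=192.0.2.10 srcport=5353 dstip=224.0.0.251 dstport=5353 proto=17 '
    'action="deny" policyid=0 policytype="local-in-policy" service="udp/5353" msg="Connection Failed"',
]

# key=value pairs; values are either a double-quoted string (may contain spaces)
# or a run of non-whitespace characters (IPv6 addresses contain colons, so do
# not split on ':').
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line):
    """Parse one FortiGate log line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def free_style_matches(filter_expr, fields):
    """Simplified model (assumption): 'field value [field value ...]' matches
    when every named field is present with exactly that value."""
    tokens = filter_expr.split()
    return all(fields.get(k) == v for k, v in zip(tokens[::2], tokens[1::2]))


def forwarded_logs(lines, category, filter_expr, filter_type):
    """Return the parsed logs that would still be sent after the filter is applied."""
    kept = []
    for line in lines:
        f = parse_fortigate_log(line)
        matched = f.get("type") == category and free_style_matches(filter_expr, f)
        if (filter_type == "exclude" and matched) or (filter_type == "include" and not matched):
            continue  # dropped by the filter
        kept.append(f)
    return kept


if __name__ == "__main__":
    for entry in forwarded_logs(LOGS, "traffic", "policytype local-in-policy6", "exclude"):
        print("forwarded:", entry["policytype"], entry["srcip"], "->", entry["dstip"])
```

Running it shows only the IPv4 local-in-policy deny entry being forwarded, so the IPv6 deny log is suppressed without touching local-in-deny-broadcast.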

 

Related article:

Technical Tip: Configuring advanced syslog free-style filters