Description
This article describes how to generate deny logs. When testing firewall functionality, whether an implicit deny policy or an allowed policy, logging of denied traffic is needed to verify the behaviour.
However, FortiGate does not generate deny logs by default.
Solution
As noted in the description, when testing the firewall functionality of an implicit deny policy or an allowed policy, deny logs must be generated to confirm that traffic is hitting the intended policy and that the requirement is met; in other words, the logs confirm that FortiGate is blocking unwanted traffic.
By default, however, FortiGate does not log denied traffic, particularly traffic matching the 'Implicit deny' policy. This is done to conserve logging space.
In most network deployments a considerable share of traffic matches the implicit deny policy, and logging all of it would produce a very large volume of deny logs.
Sometimes, though, the denied traffic information is needed.
In that case, enable 'Log IPv4 Violation Traffic' under the 'Implicit deny' policy.
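As an added example, not part of the original article, the CLI equivalent of enabling 'Log IPv4 Violation Traffic' on the implicit deny policy, shown beside the default setting. It assumes a FortiOS release in which the implicit deny policy is addressed as policy ID 0 and that a log destination (disk, FortiAnalyzer or syslog) is already configured.

```text
# Implicit deny policy (ID 0): logging is disabled by default, so nothing is
# written for traffic that reaches it. Enable it for the duration of the test
# only; most unsolicited traffic ends here and the log volume grows quickly.
config firewall policy
    edit 0
        set logtraffic all      # default value: disable
    next
end

# Return to the default once testing is complete:
config firewall policy
    edit 0
        set logtraffic disable
    next
end
```

While the setting is active, denied sessions appear in the forward traffic log with action deny and policy ID 0, which confirms that the traffic under test did not match any allow policy above it.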
Copyright 2024 Fortinet, Inc. All Rights Reserved.