FortiGate
naveenk (Staff)
Article Id 194602

Description

This article describes how to generate logs for matches to the implicit deny policy, as well as a more specific alternative method to capture deny logs.

Scope

FortiGate.

Solution

While verifying the functionality of the implicit deny policy or a newly configured allow policy, it is sometimes necessary to view logs for traffic that was denied.

By default, FortiGate does not generate logs for traffic matched by the implicit deny policy, in order to conserve logging resources. In some environments, enabling logging on the implicit deny policy will generate a large volume of logs, because every session that matches no other policy is then logged.

To enable it from the GUI, go to Policy & Objects -> Firewall Policy, edit the 'Implicit Deny' policy at the bottom of the list and enable 'Log IPv4 Violation Traffic' (shown as 'Log Violation Traffic' on releases with a consolidated IPv4/IPv6 policy table).

To view the logs: right-click the Implicit Deny policy and select 'Show matching logs'. Implicit deny entries appear in the forward traffic log with action=deny and policyid=0.

Enabling logging for sessions dropped by the implicit deny policy can also be done from the CLI:

config log setting
    set fwpolicy-implicit-log enable
end

Alternative Method:
A 'Deny' policy placed directly below the intended 'Accept' policy, with logging enabled, captures the interesting denied traffic without logging all denied traffic. Because policies are evaluated top-down, the deny policy only sees sessions that the accept policy above it did not match; everything else still falls through to the (unlogged) implicit deny policy.

[Screenshot: an explicit Deny policy for the DC VLAN placed directly below the Accept policy]

By only logging denied traffic with a destination IP address in the DC VLAN, the volume of deny logs is reduced. Note that an explicit deny policy does not log by default either: 'Log Violation Traffic' must be enabled on it. Viewing the logs is done in the same way as for the implicit deny policy: right-click the deny policy under Firewall Policy and select 'Show matching logs'.

[Screenshot: matching deny logs shown for the explicit Deny policy]
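The alternative method expressed in the CLI, as an added example that is not part of the original article: it creates an address object for the DC VLAN, adds an explicit deny policy to that subnet with logging enabled, moves the policy directly after the accept policy so it only catches what the accept policy did not match, and then filters the traffic log on it. The subnet 10.10.20.0/24, the interface names 'any' and 'DC_VLAN', the policy name, and the policy IDs 5 (the existing accept policy) and 6 (the new deny policy, assumed unused) are assumptions; substitute the real values. Lines beginning with '#' are annotations, not CLI input.

```text
# Assumed: the DC VLAN is 10.10.20.0/24 (adjust to the real subnet).
config firewall address
    edit "DC_VLAN_NET"
        set subnet 10.10.20.0 255.255.255.0
    next
end

# Explicit deny policy towards the DC VLAN, logging every matched session.
# 'any' as source interface and 'DC_VLAN' as destination interface are assumed names.
# 'set logtraffic all' is the CLI equivalent of 'Log Violation Traffic' on a deny policy;
# without it the policy drops traffic silently, just like the implicit deny.
config firewall policy
    edit 6
        set name "Deny-to-DC-VLAN-logged"
        set srcintf "any"
        set dstintf "DC_VLAN"
        set srcaddr "all"
        set dstaddr "DC_VLAN_NET"
        set service "ALL"
        set schedule "always"
        set action deny
        set logtraffic all
    next
end

# Policy order matters: the deny policy must sit after the accept policy (assumed ID 5).
# If it were above, it would block the traffic the accept policy is meant to allow.
config firewall policy
    move 6 after 5
end

# Verify the policy and review denied sessions from the CLI:
# category 0 = traffic log, restricted to action deny and this policy ID.
# Hits on the implicit deny policy would show policyid=0 instead.
show firewall policy 6
execute log filter category 0
execute log filter field action deny
execute log filter field policyid 6
execute log display

# Clear the filter when finished so later 'execute log display' calls are not restricted.
execute log filter reset
```

After the policy is in place, a test connection from a source that is not covered by the accept policy towards a DC VLAN host should produce a traffic log entry with action=deny and policyid=6, while denied traffic to any other destination still matches the implicit deny policy and remains unlogged unless fwpolicy-implicit-log is also enabled.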