FortiGate
aahmadbasri
Staff
Article Id 423514
Description: The article explains the local traffic logs (local out) that show the policy ID Implicit Deny.
Scope: FortiGate.
Solution

The logs can be viewed in Log & Report -> Local Traffic, where the Policy ID shows as Implicit Deny:

[Image: KB_12_2-25.png]

These logs are for local-out traffic. Local-out traffic is traffic generated by the FortiGate itself, such as Syslog, TACACS+, NTP, and connections to FortiGuard. Local-out traffic is not to be confused with local-in traffic: local-out traffic is not controlled by the local-in policy configured under 'config firewall local-in-policy'.

The policy ID may show as Implicit Deny. This is expected behavior, as there is no local-out policy on FortiGate.

The traffic is not actually being denied; the action recorded for the traffic is accept, as in the following log entry:

date=2025-12-16 time=23:57:31 eventtime=1765958250312200246 tz="-0800" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" srcip=10.x.x.47 srcport=123 srcintf="root" srcintfrole="undefined" dstip=208.91.112.60 dstport=123 dstintf="mgmt" dstintfrole="lan" srccountry="Reserved" dstcountry="United States" sessionid=605462 proto=17 action="accept" policyid=0 service="NTP" trandisp="noop" app="NTP" duration=180 sentbyte=76 rcvdbyte=76 sentpkt=1 rcvdpkt=1

These local-out logs are only available if logging of local-out traffic is enabled:

config log setting
    set local-out enable
end

A log entry is generated when a session has carried no traffic for 180 seconds. For example, when the connection to the syslog server has been idle for 180 seconds, the log entry is generated.

In conclusion, local out traffic will not be processed through any firewall policy on the FortiGate and, by default, relies on routing table lookups to determine the egress interface that is used to initiate the connection.

Local-out traffic will always match the firewall policy ID 0 when it is configured to be logged, as there will be no firewall policy or any local in/out policy to process the traffic.

As long as logging for local-out traffic is enabled, the firewall policy name shown in the GUI will be Implicit Deny.

On the other hand, there is no Implicit Deny rule for local in/out traffic: a local-in policy has to be explicitly defined for any traffic that is required to be blocked. Hence, any Local Traffic logs that show the firewall policy name Implicit Deny together with action accept are indeed a false positive.
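To keep a SIEM or log-review rule from raising on these entries, the following added Python example (not part of the article or of FortiOS) parses FortiGate key=value log lines and separates an accepted local-out session logged with policyid=0 from a genuine implicit-deny drop. The local-out line is the one quoted above; the forward-traffic deny line is constructed for illustration.

```python
import re
from typing import Dict

# Local-out log line quoted in the article (source address masked as on the page).
LOCAL_OUT_LINE = (
    'date=2025-12-16 time=23:57:31 eventtime=1765958250312200246 tz="-0800" '
    'logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" '
    'srcip=10.x.x.47 srcport=123 srcintf="root" srcintfrole="undefined" '
    'dstip=208.91.112.60 dstport=123 dstintf="mgmt" dstintfrole="lan" '
    'srccountry="Reserved" dstcountry="United States" sessionid=605462 proto=17 '
    'action="accept" policyid=0 service="NTP" trandisp="noop" app="NTP" '
    'duration=180 sentbyte=76 rcvdbyte=76 sentpkt=1 rcvdpkt=1'
)

# Constructed forward-traffic line (not from the article): a real drop by the implicit deny policy.
FORWARD_DENY_LINE = (
    'date=2025-12-16 time=23:58:02 type="traffic" subtype="forward" '
    'srcip=192.0.2.10 dstip=198.51.100.5 dstport=445 proto=6 action="deny" '
    'policyid=0 service="SMB" dstcountry="United States"'
)

# key=value pairs; quoted values may contain spaces (e.g. dstcountry="United States").
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Parse one FortiGate log line into a dict, stripping surrounding quotes."""
    fields: Dict[str, str] = {}
    for key, value in _KV.findall(line):
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def classify(line: str) -> str:
    """Tell an accepted local-out session (GUI label 'Implicit Deny') from a genuine deny."""
    f = parse_fortigate_log(line)
    if f.get("type") != "traffic":
        return "not-traffic"
    policy, action, subtype = f.get("policyid"), f.get("action"), f.get("subtype")
    if subtype == "local" and policy == "0" and action == "accept":
        return "local-out-accepted"   # nothing was blocked; do not alert on this
    if policy == "0" and action == "deny":
        return "implicit-deny"        # traffic actually dropped by the implicit deny policy
    return "other"
```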

Related document:

Local-in policy