Created on 12-03-2020 09:08 AM Edited on 06-05-2024 06:16 AM By Stephen_G
Description
This article describes what local traffic logs look like, the associated policy ID, and related configuration settings.
Scope
FortiGate.
Solution
Forward traffic logs concern any incoming or outgoing traffic that passes through the FortiGate, such as users accessing resources in another network.
Local traffic is traffic that originates or terminates on the FortiGate itself: for example, when it initiates connections to DNS servers or contacts FortiGuard, or for administrative access, VPNs, communication with authentication servers and similar.
This traffic also generates log messages. Logging for it is configured in the CLI, and the settings are disabled by default:
config log setting
    set local-in-allow <enable/disable>
    set local-in-deny-unicast <enable/disable>
    set local-in-deny-broadcast <enable/disable>
    set local-out <enable/disable>
end
These settings are for incoming traffic (local-in) and outgoing traffic (local-out).
Local traffic does not fall under the same policies as traffic passing through the FortiGate.
Instead, local traffic is allowed or denied based on interface configuration (Administrative Access), VPN and VIP configuration, explicitly defined local traffic policies and similar configuration items.
This means local traffic does not have an associated policy ID unless user-defined local policies have been configured.
If there is no user-defined local policy applying to the logged traffic, logs will instead show policy ID 0.
In this case, policy ID 0 is NOT the same as implicit deny.
Example local traffic log (for incoming RIP message):
date=2020-12-01 time=01:00:01 devname="lab-FGT01" devid="FGT1KD0000000001" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" eventtime=1606780801000000000 tz="+0100" srcip=10.0.0.2 srcport=38793 srcintf="port1" srcintfrole="lan" dstip=10.0.0.1 dstport=520 dstintf="unknown0" dstintfrole="undefined" sessionid=1000000001 proto=17 action="accept" policyid=0 policytype="local-in-policy" service="udp/520" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" app="RIP" duration=180 sentbyte=52 rcvdbyte=0 sentpkt=1 rcvdpkt=0 appcat="unscanned"
Implicit-deny logs (which share policy ID 0) will be type="traffic" subtype="forward" instead.
Similarly, the logs for daemons such as VPN or the HTTPS admin interface will be visible if "local-in-allow" is enabled under the log settings.
An example log of admin access can be seen below:
The logs for SSL-VPN / IKE etc. will also go under the 'local traffic' section.
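When reviewing exported logs, policyid=0 has to be read together with the subtype field, as described above. The following Python sketch is an added example (not Fortinet code): it parses key=value log lines and separates local traffic without a user-defined local policy from forward-traffic implicit denies. The sample lines and the category labels are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines (abridged fields, illustrative values). The first
# is shortened from the RIP example above; the others are made up.
SAMPLE_LOGS = [
    'date=2020-12-01 time=01:00:01 type="traffic" subtype="local" srcip=10.0.0.2 dstip=10.0.0.1 dstport=520 proto=17 action="accept" policyid=0 policytype="local-in-policy" service="udp/520"',
    'date=2020-12-01 time=01:00:05 type="traffic" subtype="forward" srcip=10.0.0.7 dstip=192.0.2.10 dstport=23 proto=6 action="deny" policyid=0 policytype="policy" service="TELNET"',
    'date=2020-12-01 time=01:00:09 type="traffic" subtype="forward" srcip=10.0.0.7 dstip=192.0.2.20 dstport=443 proto=6 action="accept" policyid=12 policytype="policy" service="HTTPS"',
    'date=2020-12-01 time=01:00:11 type="traffic" subtype="local" srcip=10.0.0.9 dstip=10.0.0.1 dstport=443 proto=6 action="accept" policyid=3 policytype="local-in-policy" service="HTTPS"',
]

# key=value pairs; values are either "quoted" (may contain spaces) or bare.
_KV = re.compile(r'([\w-]+)=(?:"([^"]*)"|(\S*))')

def parse_log(line):
    """Split one FortiGate key=value log line into a dict of strings."""
    return {key: quoted or bare for key, quoted, bare in _KV.findall(line)}

def classify(fields):
    """Interpret policyid in light of the log subtype, per the article."""
    if fields.get("type") != "traffic":
        return "not-traffic"
    subtype, policyid = fields.get("subtype"), fields.get("policyid")
    if subtype == "local":
        # policyid=0 here only means no user-defined local policy matched.
        return "local-no-user-policy" if policyid == "0" else "local-user-policy"
    if subtype == "forward":
        # policyid=0 on forward traffic is the implicit deny.
        return "forward-implicit-deny" if policyid == "0" else "forward-policy"
    return "other-subtype"

def summarize(lines):
    """Count log lines per category."""
    return Counter(classify(parse_log(line)) for line in lines)

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        f = parse_log(line)
        print(f["subtype"], f["policyid"], f["action"], "->", classify(f))
```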