Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Debbie_FTNT
Staff
Staff

Created on ‎12-03-2020 09:08 AM Edited on ‎01-31-2022 11:55 PM By Community Manager

Technical Tip: Local traffic logs and policy ID 0

Description


This article describes what local traffic logs look like, the associated policy ID, and related configuration settings.

Solution


Forward traffic logs concern any incoming or outgoing traffic that passes through the FortiGate, like users accessing resources in another network.

Local traffic is traffic that originates or terminates on the FortiGate itself – when it initiates connections to DNS servers, contacts FortiGuard, administrative access, VPNs, communication with authentication servers and similar.
This traffic also generates log messages. Settings for this are available via CLI (disabled by default):

# config log setting
    set local-in-allow <enable/disable>
    set local-in-deny-unicast <enable/disable>
    set local-in-deny-broadcast <enable/disable>
    set local-out <enable/disable>
end

These settings are for incoming traffic (local-in) and outgoing traffic (local-out).
Local traffic does not fall under the same policies as traffic passing through the FortiGate.

Local traffic is allowed or denied instead based on interface configuration (Administrative Access), VPN and VIP configuration, explicitly defined local traffic policies and similar configuration items.
This means local traffic does not have an associated policy ID unless user-defined local policies have been configured.
If there is no user-defined local policy applying to the logged traffic, logs will instead show policy ID 0.

In this case, policy ID 0 is NOT the same as implicit deny.

Example local traffic log (for incoming RIP message):

date=2020-12-01 time=01:00:01 devname="lab-FGT01" devid="FGT1KD0000000001" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" eventtime=1606780801000000000 tz="+0100" srcip=10.0.0.2 srcport=38793 srcintf="port1" srcintfrole="lan" dstip=10.0.0.1 dstport=520 dstintf="unknown0" dstintfrole="undefined" sessionid=1000000001 proto=17 action="accept" policyid=0 policytype="local-in-policy" service="udp/520" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" app="RIP" duration=180 sentbyte=52 rcvdbyte=0 sentpkt=1 rcvdpkt=0 appcat="unscanned"
Implicit-deny logs (which share policy ID 0), will be type="traffic" subtype="forward" instead.
18363
0 Kudos
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.​

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2023 Fortinet, Inc. All Rights Reserved.