This article describes what local traffic logs look like, the associated policy ID, and related configuration settings.
Forward traffic logs concern any incoming or outgoing traffic that passes through the FortiGate, like users accessing resources in another network.
Local traffic is traffic that originates or terminates on the FortiGate itself – when it initiates connections to DNS servers, contacts FortiGuard, administrative access, VPNs, communication with authentication servers and similar.
This traffic also generates log messages. Settings for this are available via CLI (disabled by default):
# config log setting
set local-in-allow <enable/disable>
set local-in-deny-unicast <enable/disable>
set local-in-deny-broadcast <enable/disable>
set local-out <enable/disable>
These settings are for incoming traffic (local-in) and outgoing traffic (local-out).
Local traffic does not fall under the same policies as traffic passing through the FortiGate.
Local traffic is allowed or denied instead based on interface configuration (Administrative Access), VPN and VIP configuration, explicitly defined local traffic policies and similar configuration items.
This means local traffic does not have an associated policy ID unless user-defined local policies have been configured.
If there is no user-defined local policy applying to the logged traffic, logs will instead show policy ID 0.
In this case, policy ID 0 is NOT the same as implicit deny.
Example local traffic log (for incoming RIP message):
date=2020-12-01 time=01:00:01 devname="lab-FGT01" devid="FGT1KD0000000001" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" eventtime=1606780801000000000 tz="+0100" srcip=10.0.0.2 srcport=38793 srcintf="port1" srcintfrole="lan" dstip=10.0.0.1 dstport=520 dstintf="unknown0" dstintfrole="undefined" sessionid=1000000001 proto=17 action="accept" policyid=0 policytype="local-in-policy" service="udp/520" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" app="RIP" duration=180 sentbyte=52 rcvdbyte=0 sentpkt=1 rcvdpkt=0 appcat="unscanned"
Implicit-deny logs (which share policy ID 0), will be type="traffic" subtype="forward" instead.