Description: This article explains how to check the external IP addresses hitting the WAN IP address configured on the FortiGate without using live debugging and packet capture.
Scope: FortiGate.
Solution:
Scenario 1: WAN IP that is not part of a virtual IP address on the FortiGate.
One way to check external IPs arriving at the WAN is to enable local traffic logging. Local traffic is any traffic that starts from or ends at the FortiGate itself, such as connections to DNS servers, contact with FortiGuard, administrative access, VPN connections, and communication with authentication servers. With the settings below, local-in traffic that is allowed, denied unicast and denied broadcast traffic are all logged, so external sources hitting the WAN IP appear in the Local Traffic log with their source IP.
CLI Commands:
config log setting
    set local-in-allow enable
    set local-in-deny-unicast enable
    set local-in-deny-broadcast enable
end
From v7.6.0 onwards, local traffic logging can be configured for each local-in policy. This enables more precision when logging local-in traffic, as logs can be enabled on specific local-in policies and disabled for others that are less relevant.
CLI Commands:
config log setting
    set local-in-policy-log {enable | disable}
end

config firewall local-in-policy
    edit <id>
        set logtraffic {enable | disable}
    next
end

config firewall local-in-policy6
    edit <id>
        set logtraffic {enable | disable}
    next
end
Sample output:
Scenario 2: Monitoring the WAN IP used in VIP traffic. In this scenario, traffic matching a virtual IP is not captured in the local traffic logs, because the FortiGate forwards it rather than terminating it; it is logged under the Forward Traffic section instead. To ensure all sessions matching the VIP are logged, including short or low-volume sessions, enable logging of all sessions in the firewall policy that references the VIP.
GUI Configuration:
CLI Commands:
config firewall policy
    edit 1
        set logtraffic all
    next
end
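Once the logs from scenario 1 (subtype local) and scenario 2 (subtype forward) are exported, the external source IPs still have to be pulled out of them. The script below is an added example, not part of this article or of FortiOS; it parses FortiGate key=value traffic log lines and counts which external sources hit the WAN IP, per log subtype, destination port and action. The log lines, the WAN IP 198.51.100.10 and the interface name wan1 are constructed sample values.

```python
import re
from collections import Counter, defaultdict

# Constructed sample FortiGate traffic log lines (key=value syslog format).
# Lines 1-3 are local-in hits (scenario 1), line 4 is a VIP hit logged as
# forward traffic (scenario 2), line 5 is internal traffic that must be ignored.
SAMPLE_LOGS = """\
date=2025-01-10 time=10:00:01 type="traffic" subtype="local" srcip=203.0.113.5 srcport=51000 srcintf="wan1" dstip=198.51.100.10 dstport=443 action="accept" service="HTTPS"
date=2025-01-10 time=10:00:02 type="traffic" subtype="local" srcip=203.0.113.5 srcport=51001 srcintf="wan1" dstip=198.51.100.10 dstport=22 action="deny" service="SSH"
date=2025-01-10 time=10:00:03 type="traffic" subtype="local" srcip=192.0.2.77 srcport=40000 srcintf="wan1" dstip=198.51.100.10 dstport=500 action="accept" service="IKE"
date=2025-01-10 time=10:00:04 type="traffic" subtype="forward" srcip=198.18.0.9 srcport=33000 srcintf="wan1" dstip=198.51.100.10 dstport=80 action="accept" service="HTTP"
date=2025-01-10 time=10:00:05 type="traffic" subtype="local" srcip=10.0.0.5 srcport=5353 srcintf="internal" dstip=10.0.0.1 dstport=53 action="accept" service="DNS"
"""

# key=value pairs; values may be bare tokens or double-quoted strings.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log_line(line):
    """Turn one key=value log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def external_hits(log_text, wan_ip, wan_intf="wan1"):
    """Count source IPs per (subtype, dstport, action) that targeted wan_ip.

    Only records that arrived on the WAN interface and were addressed to the
    WAN IP are kept, so internal traffic to the FortiGate is excluded.
    """
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec.get("dstip") != wan_ip or rec.get("srcintf") != wan_intf:
            continue
        key = (rec.get("subtype"), rec.get("dstport"), rec.get("action"))
        hits[key][rec["srcip"]] += 1
    return hits


def top_sources(log_text, wan_ip, n=5):
    """Overall most frequent external source IPs hitting wan_ip, any subtype."""
    total = Counter()
    for counter in external_hits(log_text, wan_ip).values():
        total.update(counter)
    return total.most_common(n)


if __name__ == "__main__":
    for key, sources in external_hits(SAMPLE_LOGS, "198.51.100.10").items():
        print(key, dict(sources))
    print("top sources:", top_sources(SAMPLE_LOGS, "198.51.100.10"))
```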
Copyright 2025 Fortinet, Inc. All Rights Reserved.