FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
amrit
Staff
Article Id 333902
Description: This article describes how to make policy traffic logs visible when loopback and VIP objects are used in the firewall policy.
Scope: FortiGate.
Solution

In a scenario where a public IP is translated to a private IP for SSL VPN access through a VIP that points at a loopback interface, the traffic logs for the firewall policy are not displayed.

Example:

[Image: Deny2.jpg]

id=65308 trace_id=198 func=print_pkt_detail line=5857 msg="vd-root:0 received a packet(proto=6, 10.11.15.2:54413->10.11.15.1:10443) tun_id=0.0.0.0 from port2. flag [S], seq 911784195, ack 0, win 65535"
id=65308 trace_id=198 func=init_ip_session_common line=6043 msg="allocate a new session-53d73037, tun_id=0.0.0.0"
id=65308 trace_id=198 func=get_new_addr line=1239 msg="find DNAT: IP-10.12.17.1, port-10443"
id=65308 trace_id=198 func=fw_pre_route_handler line=184 msg="VIP-10.12.17.1:10443, outdev-port2"
id=65308 trace_id=198 func=__ip_session_run_tuple line=3445 msg="DNAT 10.11.15.1:10443->10.12.17.1:10443"
id=65308 trace_id=198 func=__vf_ip_route_input_rcu line=2001 msg="find a route: flag=80000000 gw-0.0.0.0 via root"
id=65308 trace_id=198 func=__iprope_tree_check line=524 msg="gnum-100004, use int hash, slot=51, len=4"
id=65308 trace_id=198 func=fw_local_in_handler line=615 msg="iprope_in_check() check failed on policy 15, drop"


This is expected behavior. Because the VIP maps to a loopback interface, FortiGate treats the connection as local-in unicast traffic rather than forwarded traffic, so it is not recorded in the policy traffic logs. Denied local-in traffic is written only to the local traffic logs, and only when local-in-deny-unicast is enabled in the log settings:


config log setting
    set local-in-deny-unicast enable
end
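As an added example (not part of the article and not Fortinet's code), the following Python script parses debug-flow lines in the format shown above and reports, per trace_id, whether the session was DNATed and whether the drop came from the local-in path (fw_local_in_handler), which is the case that needs local-in-deny-unicast enabled before it appears in the local traffic log. The sample input embeds the article's trace 198 plus a constructed forward-path trace (trace_id 201); the forward-path deny message and its line numbers are assumptions, not taken from the article.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# One "diagnose debug flow" line: id=... trace_id=... func=... line=... msg="..."
LINE_RE = re.compile(
    r'^id=(?P<id>\d+)\s+trace_id=(?P<trace_id>\d+)\s+func=(?P<func>\S+)\s+'
    r'line=(?P<line>\d+)\s+msg="(?P<msg>.*)"\s*$'
)
DNAT_RE = re.compile(r'DNAT (?P<mapping>\S+->\S+)')
LOCAL_IN_DROP_RE = re.compile(r'check failed on policy (?P<policy>\d+), drop')
# Assumed forward-path deny wording (not from the article).
FORWARD_DENY_RE = re.compile(r'Denied by forward policy check \(policy (?P<policy>\d+)\)')

LOCAL_IN_FUNC = "fw_local_in_handler"  # the local-in policy check seen in the trace


@dataclass
class FlowEvent:
    trace_id: int
    func: str
    msg: str


@dataclass
class Verdict:
    trace_id: int
    dnat: Optional[str]              # e.g. "10.11.15.1:10443->10.12.17.1:10443"
    dropped_by_policy: Optional[int]
    local_in_drop: bool              # True when the drop came from the local-in path


def parse_flow(text: str) -> List[FlowEvent]:
    """Turn raw debug-flow text into events; lines that do not match are ignored."""
    events: List[FlowEvent] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            events.append(FlowEvent(int(m["trace_id"]), m["func"], m["msg"]))
    return events


def analyse(events: List[FlowEvent]) -> List[Verdict]:
    """Group events per trace_id and summarise what happened to each session."""
    by_trace: Dict[int, List[FlowEvent]] = defaultdict(list)
    for ev in events:
        by_trace[ev.trace_id].append(ev)

    verdicts: List[Verdict] = []
    for trace_id, evs in sorted(by_trace.items()):
        dnat, policy, local_in = None, None, False
        for ev in evs:
            if (m := DNAT_RE.search(ev.msg)):
                dnat = m["mapping"]
            for pat in (LOCAL_IN_DROP_RE, FORWARD_DENY_RE):
                if (m := pat.search(ev.msg)):
                    policy = int(m["policy"])
                    local_in = ev.func == LOCAL_IN_FUNC
        verdicts.append(Verdict(trace_id, dnat, policy, local_in))
    return verdicts


def explain(v: Verdict) -> str:
    """Human-readable hint, naming the log setting the article recommends."""
    if v.dropped_by_policy is None:
        return f"trace {v.trace_id}: no drop recorded"
    where = "local-in path" if v.local_in_drop else "forward path"
    hint = f"trace {v.trace_id}: dropped by policy {v.dropped_by_policy} in the {where}"
    if v.dnat:
        hint += f" after DNAT {v.dnat}"
    if v.local_in_drop:
        hint += ("; it only appears in the local traffic log with "
                 "'config log setting / set local-in-deny-unicast enable'")
    return hint


# Sample input: trace 198 is copied from the article; trace 201 is constructed
# to show a forward-path deny for comparison (its wording is an assumption).
SAMPLE_TRACE = """\
id=65308 trace_id=198 func=print_pkt_detail line=5857 msg="vd-root:0 received a packet(proto=6, 10.11.15.2:54413->10.11.15.1:10443) tun_id=0.0.0.0 from port2. flag [S], seq 911784195, ack 0, win 65535"
id=65308 trace_id=198 func=init_ip_session_common line=6043 msg="allocate a new session-53d73037, tun_id=0.0.0.0"
id=65308 trace_id=198 func=get_new_addr line=1239 msg="find DNAT: IP-10.12.17.1, port-10443"
id=65308 trace_id=198 func=fw_pre_route_handler line=184 msg="VIP-10.12.17.1:10443, outdev-port2"
id=65308 trace_id=198 func=__ip_session_run_tuple line=3445 msg="DNAT 10.11.15.1:10443->10.12.17.1:10443"
id=65308 trace_id=198 func=__vf_ip_route_input_rcu line=2001 msg="find a route: flag=80000000 gw-0.0.0.0 via root"
id=65308 trace_id=198 func=__iprope_tree_check line=524 msg="gnum-100004, use int hash, slot=51, len=4"
id=65308 trace_id=198 func=fw_local_in_handler line=615 msg="iprope_in_check() check failed on policy 15, drop"
id=65308 trace_id=201 func=print_pkt_detail line=5857 msg="vd-root:0 received a packet(proto=6, 10.11.15.2:54420->10.20.0.5:443) tun_id=0.0.0.0 from port2. flag [S], seq 1, ack 0, win 65535"
id=65308 trace_id=201 func=fw_forward_handler line=990 msg="Denied by forward policy check (policy 0)"
"""

if __name__ == "__main__":
    for verdict in analyse(parse_flow(SAMPLE_TRACE)):
        print(explain(verdict))
```

Feed it the output of `diagnose debug flow` captured to a file and it will separate drops that are simply missing from the policy log (local-in path) from drops that a normal forward policy should already have logged.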

[Image: Deny4.JPG]