FortiGate
Dongkwan
Staff
Article Id 268950
Description

This article describes why the hit count and byte counters of the implicit deny rule do not increase on the proxy policy.

A deny log is generated for each packet that matches the implicit deny rule of the proxy policy, but the rule's hit count and byte counters stay at zero.

 

Collection of hit-count and byte statistics for the implicit deny rule of the proxy policy was added in FortiOS 7.4.0; earlier releases only write the deny log.

 

Configuration used to reproduce the behaviour. Firewall policy 1 redirects HTTP traffic to the proxy (http-policy-redirect enable) and the only proxy policy is disabled (set status disable), so all proxied traffic falls through to the implicit deny rule of the proxy policy:

 

config system interface
    edit "port1"
        set vdom "root"
        set ip 10.200.1.1 255.255.255.0
        set allowaccess ping
        set fail-detect enable
        set type physical
        set explicit-web-proxy enable
        set alias "External"
        set monitor-bandwidth enable
        set role wan
        set snmp-index 1
    next
    edit "port3"
        set vdom "root"
        set ip 10.0.1.254 255.255.255.0
        set allowaccess ping https ssh snmp
        set type physical
        set alias "Internal"
        set snmp-index 3
    next
end

config system settings
    set gui-explicit-proxy enable
end

config firewall policy
    edit 1
        set name "allow-all"
        set uuid b194844a-9c8c-51ed-eda0-9ec8ad8dc5ef
        set srcintf "port3"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set inspection-mode proxy
        set http-policy-redirect enable
        set ssl-ssh-profile "deep-inspection"
        set logtraffic all
        set nat enable
    next
end

config firewall proxy-policy
    edit 1
        set uuid 2bad4510-9c8c-51ed-0021-b3cee3d6de50
        set name "test"
        set proxy transparent-web
        set srcintf "port3"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "webproxy"
        set status disable
        set schedule "always"
        set logtraffic all
    next
end

Scope

FortiGate v7.0, v7.2.

Solution

FortiOS 7.4.0 implemented the collection (and clearing) of statistics for the implicit deny rule of the proxy policy. From 7.4.0 onward the hit count and byte counters increase when a packet matches the implicit deny rule of the proxy policy. On the releases listed in the scope (7.0 and 7.2) the behaviour is expected: the deny log is written, but the counters are not updated.
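On the affected releases the only record of implicit-deny hits in the proxy policy is the deny log, so the missing counters can be rebuilt from the traffic logs. The following is an added example, not code from this article or from FortiOS: it parses FortiOS key=value traffic-log lines and aggregates hit count and bytes per (policytype, policyid), then reports the proxy-policy implicit deny. The sample log lines are constructed; the assumption that the implicit deny of the proxy policy is logged with policyid=0 and policytype="proxy-policy" is mine, and field names should be checked against the device's own log output.

```python
import re
from collections import defaultdict

# Constructed sample FortiOS traffic-log lines (not taken from the article). The assumption
# that the proxy-policy implicit deny is logged as policyid=0 / policytype="proxy-policy"
# is made here for illustration.
SAMPLE_LOG = '''\
date=2023-09-01 time=10:00:01 devname="FGT-1" logid="0000000013" type="traffic" subtype="forward" level="notice" srcip=10.0.1.10 srcport=51000 srcintf="port3" dstip=93.184.216.34 dstport=443 dstintf="port1" policyid=0 policytype="proxy-policy" action="deny" service="HTTPS" sentbyte=517 rcvdbyte=0
date=2023-09-01 time=10:00:02 devname="FGT-1" logid="0000000013" type="traffic" subtype="forward" level="notice" srcip=10.0.1.11 srcport=51002 srcintf="port3" dstip=93.184.216.34 dstport=443 dstintf="port1" policyid=1 policytype="policy" action="accept" service="HTTPS" sentbyte=1200 rcvdbyte=5400
date=2023-09-01 time=10:00:03 devname="FGT-1" logid="0000000013" type="traffic" subtype="forward" level="notice" srcip=10.0.1.12 srcport=51004 srcintf="port3" dstip=93.184.216.34 dstport=80 dstintf="port1" policyid=0 policytype="proxy-policy" action="deny" service="HTTP" sentbyte=602 rcvdbyte=0
date=2023-09-01 time=10:00:04 devname="FGT-1" logid="0000000013" type="traffic" subtype="forward" level="notice" srcip=10.0.1.13 srcport=51006 srcintf="port3" dstip=198.51.100.7 dstport=22 dstintf="port1" policyid=0 policytype="policy" action="deny" service="SSH" sentbyte=60 rcvdbyte=0
date=2023-09-01 time=10:00:05 devname="FGT-1" logid="0100000000" type="event" subtype="system" level="notice" logdesc="Configuration changed" msg="Configuration changed by admin"
'''

# key=value pairs; values are either a double-quoted string or a run of non-space characters.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_log_line(line: str) -> dict:
    """Parse one FortiOS key=value log line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def _int_field(fields: dict, key: str) -> int:
    """Read an integer field, treating missing or malformed values as 0."""
    try:
        return int(fields.get(key, 0))
    except ValueError:
        return 0


def policy_counters(log_text: str) -> dict:
    """Aggregate hits and bytes per (policytype, policyid) over traffic-log lines.

    Returns {(policytype, policyid): {"hits", "sentbyte", "rcvdbyte", "bytes"}}.
    Non-traffic records (events, etc.) and lines without a policyid are ignored.
    """
    counters = defaultdict(lambda: {"hits": 0, "sentbyte": 0, "rcvdbyte": 0, "bytes": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_log_line(line)
        if f.get("type") != "traffic" or "policyid" not in f:
            continue
        # Firewall-policy logs carry policytype="policy"; default to that if the field is absent.
        key = (f.get("policytype", "policy"), f["policyid"])
        c = counters[key]
        c["hits"] += 1
        c["sentbyte"] += _int_field(f, "sentbyte")
        c["rcvdbyte"] += _int_field(f, "rcvdbyte")
        c["bytes"] = c["sentbyte"] + c["rcvdbyte"]
    return dict(counters)


def proxy_implicit_deny_stats(log_text: str) -> dict:
    """Counters for the implicit deny rule of the proxy policy (assumed policyid 0, policytype proxy-policy)."""
    empty = {"hits": 0, "sentbyte": 0, "rcvdbyte": 0, "bytes": 0}
    return policy_counters(log_text).get(("proxy-policy", "0"), empty)


if __name__ == "__main__":
    for (ptype, pid), c in sorted(policy_counters(SAMPLE_LOG).items()):
        print(f"{ptype:13s} policyid={pid:>3s} hits={c['hits']} bytes={c['bytes']}")
    print("proxy-policy implicit deny:", proxy_implicit_deny_stats(SAMPLE_LOG))
```

The aggregation keys on both policytype and policyid because policyid 0 also denotes the implicit deny of the regular firewall policy; counting on policyid alone would merge the two. Feed the device's exported traffic log (or a FortiAnalyzer export of the same format) into policy_counters to get the figures the GUI does not show on 7.0 and 7.2.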
