Description
This article describes why Threat ID 131072 is seen in traffic logs for denied traffic.
Scope
FortiAnalyzer, FortiGate.
Solution
When no UTM is enabled, Threat ID 131072 is seen in traffic logs for denied traffic on both FortiAnalyzer and FortiGate with:
- Action: Policy Violation.
- Firewall Action: Deny.
Threat ID 131072 with Threat Level High and Threat Score 30 shows in logs when traffic is being denied by a policy.
This is not a problem to fix, nor a bug or code error. It is only an indicator that traffic is blocked (when no UTM is present).
If desired traffic is blocked - adjust the policy settings or create new policy to allow it.
If the logs are showing undesired or unknown traffic, the policy is correctly configured. Follow the guide below to remove the messages/logs.
Under config log threat-weight setting, threat level is enabled as 'high' by default for a blocked connection, as shown below.
config log threat-weight
set blocked-connection high
end
Threat id 131072 convert to binary 100000000000000000.
1 means traffic matches blocked-connection under threat weight.
This threat 131072 is different from the threat ID seen in UTM logs for policies where UTM is enabled.
Below is an example screenshot showing threat 131072 and Action: Deny:policy violation for the security policy when UTM is not enabled.
