FortiGate
Anthony_E
Community Manager
Article Id 192533

Description

This article describes why Threat ID 131072 is seen in traffic logs for denied traffic.


Scope

FortiAnalyzer, FortiGate.

Solution

When no UTM is enabled, Threat ID 131072 is seen in traffic logs for denied traffic on both FortiAnalyzer and FortiGate with:

  • Action: Policy Violation. 
  • Firewall Action: Deny.

Threat ID 131072 with Threat Level High and Threat Score 30 appears in logs whenever traffic is denied by a policy.
This is not a problem to fix, nor a bug or code error. It is only an indicator that the traffic was blocked (when no UTM profile is applied).


If desired traffic is being blocked, adjust the policy settings or create a new policy to allow it.

If the logs show undesired or unknown traffic, the policy is correctly configured. Follow the guide below to remove the messages/logs.


Under the 'config log threat-weight' setting, the threat level for a blocked connection is set to 'high' by default, as shown below:


config log threat-weight
    set blocked-connection high
end


Threat ID 131072 converted to binary is 100000000000000000 (only bit 17 is set).
That set bit means the traffic matched the blocked-connection category under the threat-weight setting.
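As an added example (not part of this article), a small Python helper that parses key=value traffic log lines and decodes the Threat ID bitmask the way the article describes: bit 17 (value 131072) set means blocked-connection under threat weight. The sample log lines are constructed, and the field names craction/crscore/crlevel are an assumption about where the Threat ID, score and level are recorded in the raw log.

```python
import re

# Constructed FortiGate-style traffic log lines (key=value format); not taken from the article.
# Assumption: craction/crscore/crlevel carry the Threat ID, Threat Score and Threat Level.
SAMPLE_LOGS = [
    'date=2023-07-24 time=10:00:01 type="traffic" subtype="forward" srcip=10.0.0.5 '
    'dstip=203.0.113.7 dstport=445 action="deny" policyid=0 '
    'crscore=30 craction=131072 crlevel="high"',
    'date=2023-07-24 time=10:00:02 type="traffic" subtype="forward" srcip=10.0.0.8 '
    'dstip=198.51.100.3 dstport=443 action="accept" policyid=12',
]

BLOCKED_CONNECTION_BIT = 131072  # 2**17: the blocked-connection threat-weight category

# key=value or key="quoted value"
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_log(line):
    """Parse one key=value log line into a dict of string values."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def decode_threat_id(threat_id):
    """Name each set bit of the Threat ID; only bit 17 is known from the article,
    any other set bit is reported by position."""
    names = {17: "blocked-connection"}
    return [names.get(bit, f"bit-{bit}")
            for bit in range(threat_id.bit_length()) if (threat_id >> bit) & 1]


def classify(fields):
    """Separate the informational policy-deny indicator from other threat entries."""
    threat_id = int(fields.get("craction", 0))
    if fields.get("action") == "deny" and threat_id == BLOCKED_CONNECTION_BIT:
        # Threat ID 131072 alone: traffic denied by policy, no UTM detection involved
        return "policy-violation-deny"
    if threat_id:
        return "other-threat"
    return "no-threat"


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        f = parse_log(line)
        print(classify(f), decode_threat_id(int(f.get("craction", 0))))
```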


Threat ID 131072 is different from the threat IDs seen in UTM logs for policies where UTM is enabled.
Below is an example screenshot showing Threat ID 131072 and Action: Deny: policy violation for a security policy where UTM is not enabled.