FortiGate
rmetzger
Staff
Article Id 190198
Description
This article describes how to use Firewall Policy to block specific traffic while allowing other traffic.
Firewall policies control all traffic attempting to pass through the FortiGate unit, between FortiGate interfaces, zones, and VLAN sub-interfaces.

Firewall policies are instructions the FortiGate unit uses to decide connection acceptance and packet processing for traffic attempting to pass through. When the firewall receives a connection packet, it analyzes the packet’s source address, destination address, and service (by port number), and attempts to locate a firewall policy matching the packet.

If no Firewall Policy matches the traffic, the packets are dropped. A DENY Firewall Policy in the last position is therefore not required to block unauthorized traffic.
A Firewall Policy with action = DENY is, however, needed when the denied traffic, also called 'violation traffic', must be logged.

Note:
Storing and viewing the log for denied traffic requires a FortiAnalyzer, a Syslog server, or a FortiGate unit with a local hard disk.

See related articles for more information about Firewall Policies.

Scope

FortiGate, NAT, or Transparent mode.

Solution

Configuring a DENY policy

In the GUI example below, Firewall Policies 1 and 2 allow DNS and HTTP traffic, whereas Firewall Policy 3 matches all other traffic, denies it, and logs it.

[Screenshot: firewall policy list in the GUI, showing policies 1, 2 and 3]


CLI configuration of policy 3:

config firewall policy
    edit 3
        set name "Deny"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end


Below is an example of a Syslog message reporting some violation (ICMP) traffic:

Warning    10.160.0.110    date=2009-09-14 time=10:16:25 devname=FG300A3906550380 device_id=FG300A3906550380 log_id=0022000003 type=traffic subtype=violation pri=warning fwver=040000 status=deny vd="root" src=10.160.1.10 srcname=10.160.1.10 src_port=0 dst=4.2.2.1 dstname=10.2.2.1 dst_port=0 service=8/icmp proto=1 app_type=N/A duration=0 rule=3 policyid=3 sent=0 rcvd=0 vpn="N/A" src_int="port2" dst_int="port1" SN=12215 user="N/A" group="N/A" carrier_ep="N/A"
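As an added example (not part of the original article), the following Python parses the key=value format of the traffic log shown above and keeps only the entries produced by a deny policy. The sample lines are constructed: the violation log from this article (without the severity and host columns that the syslog viewer prepends) plus one invented accepted connection for contrast.

```python
import re
from typing import Dict, List

# Constructed sample input: the violation log quoted in this article (syslog viewer
# columns removed) plus one invented accepted connection for contrast.
SAMPLE_LOGS = [
    'date=2009-09-14 time=10:16:25 devname=FG300A3906550380 device_id=FG300A3906550380 '
    'log_id=0022000003 type=traffic subtype=violation pri=warning fwver=040000 status=deny '
    'vd="root" src=10.160.1.10 srcname=10.160.1.10 src_port=0 dst=4.2.2.1 dstname=10.2.2.1 '
    'dst_port=0 service=8/icmp proto=1 app_type=N/A duration=0 rule=3 policyid=3 sent=0 '
    'rcvd=0 vpn="N/A" src_int="port2" dst_int="port1" SN=12215 user="N/A" group="N/A" '
    'carrier_ep="N/A"',
    'date=2009-09-14 time=10:17:02 devname=FG300A3906550380 type=traffic subtype=allowed '
    'status=accept vd="root" src=10.160.1.10 src_port=51234 dst=10.2.2.1 dst_port=80 '
    'service=HTTP proto=6 policyid=2 src_int="port2" dst_int="port1"',
]

# One key=value pair: the value is either double-quoted (may contain spaces) or bare.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Fields a responder usually wants first when reviewing a denied connection.
DENY_FIELDS = ("date", "time", "src", "dst", "service", "proto", "policyid", "src_int", "dst_int")

def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Parse one FortiGate key=value log line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, value in _KV.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields

def denied_connections(lines: List[str]) -> List[Dict[str, str]]:
    """Keep only traffic logs with status=deny and reduce each to DENY_FIELDS."""
    summary = []
    for line in lines:
        ev = parse_fortigate_log(line)
        if ev.get("type") == "traffic" and ev.get("status") == "deny":
            summary.append({k: ev.get(k, "") for k in DENY_FIELDS})
    return summary

if __name__ == "__main__":
    for ev in denied_connections(SAMPLE_LOGS):
        print(ev)
```

The policyid field ties each denied connection back to the DENY policy that matched it (policy 3 in this article), which is what makes the violation log useful when reviewing the rule set.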
Note: Starting with newer versions of FortiOS, an Implicit Deny Policy is enabled by default, which automatically blocks all traffic that is not explicitly allowed by the configured firewall policies.

This built-in feature ensures a secure posture by denying any traffic that does not meet the criteria of an existing allow rule, eliminating the need to manually configure a separate deny policy for default traffic blocking.

For more information about implicit deny behavior and how to monitor its logs, refer to this article: Technical Tip: Implicit deny logs.

Note:
A regular deny policy does not block VIP traffic because of how the FortiGate processes packets. See Troubleshooting Tip: VIP traffic not matching the firewall policy with an 'all' destination for guidance on how to block and log VIP traffic.

Related article: