FortiGate
Anthony_E
Community Manager
Article Id 192533

Description

This article describes why Threat ID 131072 is seen in traffic logs for denied traffic.

Scope

FortiAnalyzer, FortiGate.

Solution

When no UTM is enabled, Threat ID 131072 is seen in traffic logs for denied traffic on both FortiAnalyzer and FortiGate with:

  • Action: Policy Violation. 
  • Firewall Action: Deny.

When Threat ID 131072 with Threat Level High and Threat Score 30 appears in the logs, it means the traffic is being denied by a policy. It is only an indicator that traffic is blocked (when no UTM is present). The Threat Score and Threat Level are values assigned based on the action taken by the firewall policy for that specific traffic.

An example is packets arriving from the client or server after the session has already been closed: those packets are dropped because there is no matching session. Essentially, the firewall just generates a log for those packets with a Threat Score of 30, since 30 is the default value for a high-level threat score and any blocked connection is treated as high-level.

If desired traffic is blocked, adjust the policy settings or create a new policy to allow it. If the logs show undesired or unknown traffic, the policy is correctly configured. Follow the guide below to remove the messages/logs.

Under 'config log threat-weight', the threat level for a blocked connection is set to 'high' by default, as shown below.

config log threat-weight
    set blocked-connection high
end

Threat ID 131072 converted to binary is 100000000000000000 (2^17, a single set bit).
That 1 means the traffic matched blocked-connection under threat-weight.
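As an added example (not part of the original article or Fortinet's own tooling), the following Python script parses constructed FortiGate-style key=value traffic log lines and applies the bit interpretation above: a denied flow whose threat ID is exactly 131072 (bit 17) is just the firewall recording its own policy deny, while a threat ID with other bits set deserves a look at the UTM logs. The field names crscore, craction and crlevel are assumed from FortiGate's log format and are not taken from the article; every log line, address and value is constructed.

```python
import re

# 131072 = 2**17: the single bit FortiGate sets in the threat ID when a denied
# connection matches "blocked-connection" under "config log threat-weight".
BLOCKED_CONNECTION_BIT = 131072

# Default threat score for the "high" threat-weight level (as the article states).
HIGH_THREAT_SCORE_DEFAULT = 30

# Constructed sample log lines in FortiGate key=value style. The field names
# crscore / craction / crlevel are assumed, not taken from the article; all
# addresses, times and values are made up for illustration.
SAMPLE_LOGS = [
    # Denied by policy, no UTM: threat ID is exactly the blocked-connection bit.
    'date=2023-07-24 time=14:21:07 type="traffic" subtype="forward" level="notice" '
    'srcip=10.0.0.25 dstip=203.0.113.10 dstport=443 proto=6 action="deny" '
    'policyid=0 crscore=30 craction=131072 crlevel="high"',
    # Allowed traffic: no threat fields at all.
    'date=2023-07-24 time=14:21:09 type="traffic" subtype="forward" level="notice" '
    'srcip=10.0.0.31 dstip=198.51.100.7 dstport=80 proto=6 action="accept" policyid=12',
    # Denied with an extra (constructed) bit set and a non-default score:
    # not just the plain policy-deny marker, so it merits review.
    'date=2023-07-24 time=14:21:12 type="traffic" subtype="forward" level="notice" '
    'srcip=10.0.0.40 dstip=192.0.2.55 dstport=8080 proto=6 action="deny" '
    'policyid=7 crscore=50 craction=131076 crlevel="high"',
]

# key=value pairs; values are either double-quoted or a bare non-space token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortigate_log(line):
    """Parse one key=value log line into a dict, stripping quotes from values."""
    fields = {}
    for match in KV_RE.finditer(line):
        key, quoted, bare = match.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def threat_id_bits(threat_id):
    """Positions of the set bits in a numeric threat ID; 131072 -> [17]."""
    return [i for i in range(threat_id.bit_length()) if (threat_id >> i) & 1]


def triage(fields):
    """Classify a parsed traffic log entry for log review.

    'allowed'                  action is not deny
    'deny-no-threat-fields'    denied, but no threat ID recorded
    'policy-violation-marker'  denied and the threat ID is exactly 131072: the
                               "threat" is only the firewall recording its own deny
    'review-other-threat-bits' denied with bits other than 131072 set
    """
    if fields.get("action") != "deny":
        return "allowed"
    if "craction" not in fields:
        return "deny-no-threat-fields"
    craction = int(fields["craction"])
    if craction == BLOCKED_CONNECTION_BIT:
        return "policy-violation-marker"
    return "review-other-threat-bits"


def uses_default_high_score(fields):
    """True when crlevel is 'high' and crscore is the default 30, i.e. the
    threat-weight setting for this level has not been customised."""
    return (fields.get("crlevel") == "high"
            and fields.get("crscore") == str(HIGH_THREAT_SCORE_DEFAULT))


def summarize(lines):
    """Count triage classes over a batch of raw log lines."""
    counts = {}
    for line in lines:
        verdict = triage(parse_fortigate_log(line))
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        f = parse_fortigate_log(line)
        print(f.get("srcip"), "->", f.get("dstip"), triage(f),
              "bits:", threat_id_bits(int(f.get("craction", 0))))
    print(summarize(SAMPLE_LOGS))
```

Run over an exported log file one line at a time, the summary separates the policy-deny noise (131072 alone) from entries whose threat ID carries anything else, which is where the UTM logs should be consulted.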


Threat ID 131072 is different from the threat IDs seen in UTM logs for policies where UTM is enabled. Below is an example screenshot showing Threat ID 131072 and Action: Deny: policy violation for a security policy where UTM is not enabled.