FortiProxy
FortiProxy provides enterprise-class protection against internet-borne threats and Advanced Web Content Caching
duenlim (Staff)
Article Id 409489
Description This article describes how to enable implicit deny log when traffic matches the default implicit deny policy.
Scope FortiProxy v7.4 and v7.6.
Solution

The WAD debug log shows the traffic matching policy ID '0', which is the implicit deny policy, but no deny log is generated. Use the following debug commands to display the traffic for the Explicit Proxy Service:

diagnose wad filter src 10.47.5.104
diagnose wad debug enable category policy
diagnose wad debug enable level verbose
diagnose debug enable


To stop the debug, run the commands:


diagnose debug disable
diagnose debug reset

The WAD debug output shows that client 10.47.5.104 sends an HTTP request to https://activation.webex.com, matches policy ID '0' and is denied (POLICY DENIED):

[V][p:1109][s:4] wad_nontp_cache_make :2171 Matched webproxy object web-proxy
[I][p:1109][s:4][r:7] wad_http_conn_req_classify :6403 no security profile HTTPS/HTTP, tport=443
[V][p:1109][s:4][r:7] wad_http_req_check_policy :14119 start match policy vd=0(ses_ctx:x|Phx|M|Hh|C|A7|O) (10.47.5.104:49597@3->200.200.200.201:443@3) absUrl=1
[I][p:1109][s:4][r:7] wad_fast_match_is_enable :4034 fast matching is enabled
[V][p:1109][s:4][r:7] wad_fast_match_get_addr :3741 Get key src:10.47.5.104
[V][p:1109][s:4][r:7] wad_fast_match_get_dst_intf :3771 Get key dst intf:1
[V][p:1109][s:4][r:7] wad_fast_match_pol_array :3808 Try to maching pol:0, 0/1(pos/sz)
[I][p:1109][s:4][r:7] wad_fast_match_pol_array :3839 fw_pol_id=2(pol_ctx:xhcf|Ad|7?|=p) pol_id=0(pflag:Hf|W|U|A) asyn_info=1
[W][p:1109][s:4][r:7] wad_fast_match_pol_array :3871 No policy matched
[I][p:1109][s:4][r:7] wad_fw_policy_async_match :7709 pol_ctx:xhcf|Ad|7?|=d
[I][p:1109][s:4][r:7] wad_http_req_policy_set :11839 match policy-id=0(pol_ctx:xhcf|Ad|7?|=d) vd=0(ses_ctx:x|Phx|Mde|Hh|C|A7|O) (10.47.5.104:49597@3 -> 200.200.200.201:443@3)
[E][p:1109][s:4][r:7] wad_http_req_proc_policy :11340 POLICY DENIED
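
As an added example (not part of the article and not Fortinet code), a small Python parser over WAD debug lines of the format shown above: it groups lines by request (pid/sid/rid), picks up the matched policy ID and client/destination from wad_http_req_policy_set, and reports requests that hit policy 0 and were then POLICY DENIED, which is exactly the traffic that leaves no log while fwpolicy-implicit-log is disabled. The sample input reuses lines from this article's debug output; the line format and regexes are assumptions derived from those lines.

```python
import re
from dataclasses import dataclass

# One WAD debug line: [level][p:pid][s:sid][r:rid] function :lineno message
# ([r:rid] is absent on session-level lines such as wad_nontp_cache_make).
LINE_RE = re.compile(
    r"^\[(?P<level>[VIWE])\]\[p:(?P<pid>\d+)\]\[s:(?P<sid>\d+)\](?:\[r:(?P<rid>\d+)\])?"
    r"\s+(?P<func>\w+)\s+:(?P<lineno>\d+)\s+(?P<msg>.*)$"
)
# Policy decision message: "match policy-id=N(...) vd=0(...) (src:port@i -> dst:port@i)"
POLICY_RE = re.compile(
    r"match policy-id=(?P<pol>\d+).*?\((?P<src>[\d.]+):\d+@\d+\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)@\d+\)"
)

@dataclass
class ImplicitDeny:
    request: str      # "pid/sid/rid" of the WAD request
    src: str          # client IP
    dst: str          # "ip:port" of the destination

def find_implicit_denies(debug_lines):
    """Return one record per request that matched policy-id 0 and was then POLICY DENIED."""
    requests = {}
    for raw in debug_lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # not a WAD debug line (blank, prompt, etc.)
        key = (m["pid"], m["sid"], m["rid"] or "-")
        st = requests.setdefault(key, {"pol": None, "src": None, "dst": None, "denied": False})
        if m["func"] == "wad_http_req_policy_set":
            pm = POLICY_RE.search(m["msg"])
            if pm:
                st.update(pol=int(pm["pol"]), src=pm["src"], dst=f"{pm['dst']}:{pm['dport']}")
        elif m["func"] == "wad_http_req_proc_policy" and "POLICY DENIED" in m["msg"]:
            st["denied"] = True
    return [ImplicitDeny("/".join(k), st["src"], st["dst"])
            for k, st in requests.items() if st["denied"] and st["pol"] == 0]

# Sample input: lines taken from the WAD debug output shown in this article.
SAMPLE = """
[V][p:1109][s:4] wad_nontp_cache_make :2171 Matched webproxy object web-proxy
[W][p:1109][s:4][r:7] wad_fast_match_pol_array :3871 No policy matched
[I][p:1109][s:4][r:7] wad_http_req_policy_set :11839 match policy-id=0(pol_ctx:xhcf|Ad|7?|=d) vd=0(ses_ctx:x|Phx|Mde|Hh|C|A7|O) (10.47.5.104:49597@3 -> 200.200.200.201:443@3)
[E][p:1109][s:4][r:7] wad_http_req_proc_policy :11340 POLICY DENIED
""".strip().splitlines()

if __name__ == "__main__":
    for d in find_implicit_denies(SAMPLE):
        print(f"request {d.request}: {d.src} -> {d.dst} hit implicit deny (policy 0); "
              "no log unless fwpolicy-implicit-log is enabled")
```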

By default, implicit deny logging is disabled in the Explicit Proxy Service. To enable logging for implicit deny (policy deny), use the following CLI commands:


config log setting
    set fwpolicy-implicit-log enable <----- Default is disabled.
end

Note: Enabling implicit deny logging will generate a huge volume of logs.

Once enabled, a log entry is generated for the denied traffic, as shown in the screenshot DenyLog.png.