
7.0.5 FGT : Logs FortiGuard services access



With 7.0.5 we can see new entries in the forward logs about the implicit policy 0. This is my root source interface, which accesses the FortiGuard services on TCP 853 (DNS over TLS).


[screenshot attached]


These entries match correctly (a good point in fact), but why do they appear under the deny policy?
And is it possible to fix or hide it?





Hello @hixeN ,


Thank you for posting your query on the Fortinet Forums. Can you provide the information in the detail section on the top right?





May I know whether you are using the DNS filter on the FortiGate and have enabled SDNS in the FortiGuard settings or DNS-over-TLS in the DNS settings? Please share the raw log to get more information regarding the log entry.




The details about the log :

[two screenshots attached]


I don't use the DNS filter for my ACL. This is my configuration of the Network/DNS section:

[screenshot attached]


These logs appeared after the upgrade from 7.0.1 to 7.0.5.





Hey Hixen,

I think there may be a slight confusion here:

- policy ID 0 is implicit deny, correct

- policy ID 0 is also used in logs for local traffic (traffic that terminates or originates on the FortiGate)

-> such as the FortiGate sending DNS queries, or fetching updates, or an admin login

-> if you log local traffic, all of that will have policy ID 0 usually.


Is this local traffic? Or is this traffic passing through the FortiGate?

If this is traffic through the firewall - what policy should it be using?

I would also suggest checking the session list:
#dia sys session filter dport 853
#dia sys session list
-> this should dump DNS-over-TLS sessions

-> you can check for the 'policyid' bit in a specific session; that should usually be the logged policy ID

-> you can check the 'state' - that may include flags like 'local', meaning local traffic, 'log', meaning the session should be logged, or 'may_dirty' (session should be reevaluated if the policy it goes through changes for some reason)

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
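The check described in the reply above, worked through in code as an added example (not part of the thread and not Fortinet's own tooling): it takes the text of a `diagnose sys session list` dump, pulls out the `policy_id` and `state` flags per session, and separates FortiGate-local sessions (state contains `local`, policy ID 0 expected) from through-traffic sessions (policy ID is the policy that allowed them; 0 would mean nothing matched). The sample dump is constructed and its field layout is an approximation of a real dump, which carries more lines; field names such as `policy_id=` and the `state=` flag line are assumed to match what the CLI prints on the poster's build, and the addresses are documentation ranges.

```python
import re
from dataclasses import dataclass, field

# Constructed sample shaped like `diagnose sys session list` output after
# `diagnose sys session filter dport 853`. The layout is an approximation
# (real dumps carry more lines); addresses are RFC 5737 documentation ranges.
# Session 1: FortiGate itself talking DNS-over-TLS (state has 'local', policy_id=0).
# Session 2: a LAN host doing the same through firewall policy 7.
SAMPLE_DUMP = """\
session info: proto=6 proto_state=01 duration=12 expire=3588 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log local may_dirty
statistic(bytes/packets/allow_err): org=1200/10/1 reply=3400/12/1 tuples=2
orgin->sink: org pre->in, post->out dev=0->3/3->0 gwy=0.0.0.0/0.0.0.0
hook=out dir=org act=noop 192.0.2.1:51234->198.51.100.53:853(0.0.0.0:0)
hook=in dir=reply act=noop 198.51.100.53:853->192.0.2.1:51234(0.0.0.0:0)
misc=0 policy_id=0 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
serial=0001a2b3 tos=ff/ff app_list=0 app=0 url_cat=0

session info: proto=6 proto_state=01 duration=3 expire=3597 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty
statistic(bytes/packets/allow_err): org=800/6/1 reply=2100/7/1 tuples=2
orgin->sink: org pre->in, post->out dev=5->3/3->5 gwy=203.0.113.1/192.0.2.20
hook=post dir=org act=snat 192.0.2.20:40001->198.51.100.53:853(203.0.113.2:40001)
hook=pre dir=reply act=dnat 198.51.100.53:853->203.0.113.2:40001(192.0.2.20:40001)
misc=0 policy_id=7 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
serial=0001a2b4 tos=ff/ff app_list=0 app=0 url_cat=0

total session 2
"""


@dataclass
class Session:
    proto: int
    src: str
    sport: int
    dst: str
    dport: int
    policy_id: int
    state: set = field(default_factory=set)

    @property
    def is_local(self) -> bool:
        """'local' in the state flags: the FortiGate itself is one endpoint."""
        return "local" in self.state

    @property
    def is_logged(self) -> bool:
        """'log' in the state flags: the session is being logged."""
        return "log" in self.state


# Original-direction 5-tuple line, e.g. "hook=out dir=org act=noop A:p->B:q(...)".
_ORG_TUPLE = re.compile(r"dir=org act=\S+ ([\d.]+):(\d+)->([\d.]+):(\d+)")


def parse_sessions(dump: str) -> list[Session]:
    """Split a session-list dump into Session records, one per 'session info:' block."""
    sessions = []
    for block in re.split(r"(?m)^session info:", dump)[1:]:
        proto = int(re.search(r"proto=(\d+)", block).group(1))
        state_m = re.search(r"(?m)^state=(.*)$", block)   # anchored: skips proto_state=
        state = set(state_m.group(1).split()) if state_m else set()
        pol_m = re.search(r"policy_id=(\d+)", block)
        policy_id = int(pol_m.group(1)) if pol_m else -1   # -1 marks a missing field
        tup = _ORG_TUPLE.search(block)
        if tup is None:
            continue   # no original-direction tuple: not a session block we can use
        src, sport, dst, dport = tup.groups()
        sessions.append(Session(proto, src, int(sport), dst, int(dport), policy_id, state))
    return sessions


def filter_dport(sessions: list[Session], dport: int) -> list[Session]:
    """Offline equivalent of `diagnose sys session filter dport N` on parsed records."""
    return [s for s in sessions if s.dport == dport]


def classify(s: Session) -> str:
    """Say why a session carries the policy ID it does."""
    if s.is_local:
        # FortiGate-originated or -terminated traffic never traverses a firewall
        # policy, so it is logged with policy ID 0; this is not the implicit deny.
        return "local"
    if s.policy_id == 0:
        return "implicit-deny"   # through traffic that matched no configured policy
    return f"policy {s.policy_id}"


def summarize(dump: str, dport: int = 853) -> dict:
    """Count sessions to `dport` by classification, e.g. {'local': 1, 'policy 7': 1}."""
    counts: dict = {}
    for s in filter_dport(parse_sessions(dump), dport):
        label = classify(s)
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for s in filter_dport(parse_sessions(SAMPLE_DUMP), 853):
        print(f"{s.src}:{s.sport} -> {s.dst}:{s.dport} policy_id={s.policy_id} "
              f"state={sorted(s.state)} => {classify(s)}")
    print(summarize(SAMPLE_DUMP))
```

Paste the real dump into `SAMPLE_DUMP` (or read it from a file) and the `local` count is the number of port-853 sessions the FortiGate itself opened; anything landing in `implicit-deny` is through traffic that a policy should have matched, which is the case the reply asks the poster to distinguish.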