Fortinet Forum
hixeN
New Contributor

7.0.5 FGT : Logs FortiGuard services access

Hello,

With 7.0.5 we can see new entries in the forward traffic logs about the implicit policy 0. This is my root source interface, which accesses the FortiGuard services on TCP 853 (DNS over TLS).

Capture d’écran 2022-06-07 101612.jpg

These entries match correctly (a good point, in fact), but why do they appear in the deny policy?
And is it possible to fix or hide it?

Regards,
hixeN

Anonymous
Not applicable

Hello @hixeN ,

Thank you for posting your query on the Fortinet Forums. Can you provide the information in the detail section on the top right?

Thanks,

nithincs
Staff

Hi,

May I know whether you are using DNS filter on the FortiGate and have enabled SDNS in the FortiGuard settings or DNS-over-TLS in the DNS settings? Please share the raw log to get more information regarding the log entry.

hixeN
New Contributor

Hello,

@Anonymous
The details about the log:

Capture d’écran 2022-06-13 085451_1.jpg
Capture d’écran 2022-06-13 085609_2.jpg

@nithincs
I don't use the DNS filter in my ACL. This is my configuration in the Network/DNS section:

Capture d’écran 2022-06-13 090809.jpg

These logs appeared after the upgrade from 7.0.1 to 7.0.5.

Regards,

Hixen

Debbie_FTNT

Hey Hixen,

I think there may be a slight confusion here:

- policy ID 0 is implicit deny, correct

- policy ID 0 is also used in logs for local traffic (traffic that terminates or originates on the FortiGate)

-> such as the FortiGate sending DNS queries, or fetching updates, or an admin login

-> if you log local traffic, all of that will have policy ID 0 usually.

Is this local traffic? Or is this traffic passing through the FortiGate?

If this is traffic through the firewall - what policy should it be using?

I would also suggest checking the session list:
#dia sys session filter dport 853
#dia sys session list
-> this should dump DNS-over-TLS sessions

-> you can check for the 'policyid' bit in a specific session; that should usually be the logged policy ID

-> you can check the 'state' - that may include flags like 'local', meaning local traffic, 'log', meaning the session should be logged, or 'may_dirty' (session should be reevaluated if the policy it goes through changes for some reason)

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
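The distinction Debbie draws (policy ID 0 meaning implicit deny in forward traffic, but also tagging the FortiGate's own local traffic such as DNS-over-TLS to FortiGuard) can be checked mechanically on raw syslog lines. The following triage script is an added example, not code from the thread or from Fortinet; it assumes the FortiGate key=value traffic-log layout with the `type`, `subtype`, `action`, `policyid` and `dstport` fields, and the sample lines are constructed with RFC 5737 addresses.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample lines in FortiGate key=value traffic-log style (not real logs).
SAMPLE_LOGS = [
    'date=2022-06-07 time=10:15:01 type="traffic" subtype="local" srcintf="root" '
    'srcip=198.51.100.1 dstip=203.0.113.10 dstport=853 proto=6 action="accept" policyid=0',
    'date=2022-06-07 time=10:15:02 type="traffic" subtype="forward" srcintf="port2" '
    'dstintf="port1" srcip=192.0.2.20 dstip=198.51.100.5 dstport=445 proto=6 action="deny" policyid=0',
    'date=2022-06-07 time=10:15:03 type="traffic" subtype="forward" srcintf="port2" '
    'dstintf="port1" srcip=192.0.2.21 dstip=198.51.100.8 dstport=443 proto=6 action="accept" policyid=12',
]

# key=value pairs; values may be bare tokens or double-quoted strings.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_log(line: str) -> Dict[str, str]:
    """Split one FortiGate log line into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def classify(rec: Dict[str, str]) -> str:
    """Explain what a policyid=0 entry actually means, per the reply above."""
    policy = rec.get("policyid", "?")
    if policy != "0":
        return f"policy {policy}"
    # subtype=local marks traffic that originates on or terminates at the FortiGate
    # itself (its own DNS/FortiGuard traffic); policyid=0 there is not a deny.
    if rec.get("subtype") == "local":
        return "local traffic (FortiGate itself)"
    if rec.get("action") == "deny":
        return "implicit deny"
    return "policy 0, unclassified"


def triage(lines: List[str]) -> Dict[str, List[str]]:
    """Group lines by classification, keeping dst:port so the reader can spot 853 (DoT)."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for line in lines:
        rec = parse_log(line)
        groups[classify(rec)].append(f"{rec.get('dstip')}:{rec.get('dstport')}")
    return dict(groups)


if __name__ == "__main__":
    for category, targets in triage(SAMPLE_LOGS).items():
        print(f"{category}: {targets}")
```

Feeding the exported raw logs from the screenshots into `triage` separates the DoT entries (local, TCP 853) from genuine implicit-deny hits before deciding whether anything needs fixing or hiding.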