Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
its-chain
New Contributor II

Created on ‎06-12-2022 03:09 AM

Alert for specific Policy ID

Hi,

I trying to set alert for only specific policy violation.

I tried to enable 

set violation-traffic-logs [enable|disable]

but I receiving a lot of other alerts.

my request can be done?

thanks for the help

Daniel

Labels:
1561
6 REPLIES 6
seshuganesh
Staff
Staff

Created on ‎06-12-2022 09:09 PM

Hi Team,

 

If you want to view logs for specific firewall policy, click on that policy and enable logging for that policy in the end of that policy.

If you want to view implicit deny firewall policy logs, you can use this article:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Implicit-deny-logs/ta-p/194602

Please check and keep us posted

1537
0 Kudos
its-chain
New Contributor II
In response to seshuganesh

Created on ‎06-13-2022 05:57 AM

Hi,

thanks for your respone.

I know how to enable logs.

My goal is to set a policy for blocking malicious IP's and receive a notification only for this policy.

1521
0 Kudos
Muhammad_Haiqal
Staff
Staff

Created on ‎06-12-2022 09:42 PM

Hi there,

Based on my understanding, you have multiple Policy and would like to enable logging for specific policy only. 

 

Example:
Policy 1-3 : Enable logging
Policy 4-5 : No logging

 

On policy 4-5, edit each of this policy and turn off "Log Allowed Traffic".

On policy 1-3, enable the "Log Allowed Traffic".

Hope that helps.

 

 

haiqal
1533
0 Kudos
its-chain
New Contributor II
In response to Muhammad_Haiqal

Created on ‎06-13-2022 05:57 AM

Hi,

thanks for your response.

I know how to enable logs.

My goal is to set a policy for blocking malicious IPs and receive a notification only for this policy.

1521
0 Kudos
Muhammad_Haiqal
Staff
Staff
In response to its-chain

Created on ‎06-14-2022 08:11 PM

Hi its-chain,
I think i understand your requirements now.
If the IP is blocked by IPS, you can send email alert. If you are blocking using policy IPv4, this cannot be done.


Here is the reference: https://docs.fortinet.com/document/fortigate/6.2.7/cookbook/526019/email-alerts

Hope that helps.

haiqal
1481
0 Kudos
pminarik
Staff
Staff

Created on ‎06-13-2022 06:06 AM Edited on ‎06-13-2022 06:08 AM

As far as I can see, it isn't possible to do what you're looking for with FortiGate alone.

Alertmail configuration is too vague (on/off for "violation traffic"), and automation stitches do not allow triggering events based on forward traffic logs (checked 7.0.5 & 6.4.9, not sure about 7.2).

 

However, if you have a FortiAnalyzer, you should be able to put something together with its Event Handler. If you're looking for some documentation for that, you can start here .

[ corrections always welcome ]
1519
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.