Alert for specific Policy ID

its-chain

Hi,

I am trying to set an alert for only a specific policy violation.

I tried to enable

set violation-traffic-logs [enable|disable]

but I am receiving a lot of other alerts.

Can my request be done?

Thanks for the help.

Daniel

seshuganesh
Staff

Hi Team,

If you want to view logs for a specific firewall policy, click on that policy and enable logging at the end of that policy.

If you want to view implicit deny firewall policy logs, you can use this article:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Implicit-deny-logs/ta-p/194602

Please check and keep us posted.

its-chain

Hi,

Thanks for your response.

I know how to enable logs.

My goal is to set a policy for blocking malicious IPs and receive a notification only for this policy.

Muhammad_Haiqal

Hi there,

Based on my understanding, you have multiple policies and would like to enable logging for a specific policy only.

Example:
Policy 1-3 : Enable logging
Policy 4-5 : No logging
On policies 4-5, edit each of these policies and turn off "Log Allowed Traffic".

On policies 1-3, enable "Log Allowed Traffic".

Hope that helps.
haiqal
its-chain

Hi,

Thanks for your response.

I know how to enable logs.

My goal is to set a policy for blocking malicious IPs and receive a notification only for this policy.

Muhammad_Haiqal

Hi its-chain,
I think I understand your requirements now.
If the IP is blocked by IPS, you can send an email alert. If you are blocking using an IPv4 policy, this cannot be done.


Here is the reference: https://docs.fortinet.com/document/fortigate/6.2.7/cookbook/526019/email-alerts

Hope that helps.

haiqal
pminarik
Staff

As far as I can see, it isn't possible to do what you're looking for with FortiGate alone.

Alertmail configuration is too vague (on/off for "violation traffic"), and automation stitches do not allow triggering events based on forward traffic logs (checked 7.0.5 & 6.4.9, not sure about 7.2).
However, if you have a FortiAnalyzer, you should be able to put something together with its Event Handler. If you're looking for some documentation for that, you can start here.

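The practical workaround the last reply points to is to do the per-policy filtering outside the FortiGate, on whatever receives its logs. The script below is an added example, not code from this thread or from Fortinet: it parses FortiOS forward-traffic log lines (the space-separated key=value format the unit emits to syslog) and keeps only denies on one policy ID, so a collector can raise a notification for that policy alone. The policy ID 7, the policy name and the sample log lines are constructed for illustration; hooking the result to mail or a webhook is left to the reader.

```python
"""Alert on FortiGate forward-traffic log lines for a single policy ID.

Added example (not code from the thread or from Fortinet). It assumes the
FortiGate forwards its traffic logs to an external syslog collector and that
the blocking policy is policy ID 7; both the ID and the sample log lines below
are constructed for illustration.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List

# FortiOS log lines are space-separated key=value pairs; values that may contain
# spaces are double-quoted (e.g. policyname="block malicious").
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Turn one FortiOS log line into a dict, stripping surrounding quotes."""
    fields: Dict[str, str] = {}
    for key, raw in _KV_RE.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def matches_policy(fields: Dict[str, str], policy_id: int,
                   require_deny: bool = True) -> bool:
    """True for a forward-traffic record that hit the given policy ID.

    Only type=traffic / subtype=forward records are considered, so UTM and
    event logs never match. With require_deny, accepted sessions on the policy
    are ignored (useful when the policy logs all sessions, not only violations).
    """
    if fields.get("type") != "traffic" or fields.get("subtype") != "forward":
        return False
    if fields.get("policyid") != str(policy_id):
        return False
    if require_deny and fields.get("action") != "deny":
        return False
    return True


def select_alerts(lines: Iterable[str], policy_id: int,
                  require_deny: bool = True) -> List[Dict[str, str]]:
    """Return the parsed records that should raise an alert for policy_id."""
    return [f for f in map(parse_fortigate_log, lines)
            if matches_policy(f, policy_id, require_deny)]


def summarize_by_source(alerts: List[Dict[str, str]]) -> Dict[str, int]:
    """Count hits per source IP so one noisy host yields one notification."""
    return dict(Counter(a.get("srcip", "?") for a in alerts))


# Constructed sample lines in FortiOS forward-traffic format (not real captures).
SAMPLE_LOGS = [
    'date=2024-01-15 time=10:00:01 devname="FGT-1" logid="0000000013" type="traffic" '
    'subtype="forward" level="notice" vd="root" srcip=203.0.113.10 srcport=51234 '
    'dstip=192.0.2.5 dstport=443 proto=6 action="deny" policyid=7 policyname="block malicious"',
    # Same source again: counted, then collapsed by summarize_by_source.
    'date=2024-01-15 time=10:00:02 devname="FGT-1" logid="0000000013" type="traffic" '
    'subtype="forward" level="notice" vd="root" srcip=203.0.113.10 srcport=51235 '
    'dstip=192.0.2.5 dstport=22 proto=6 action="deny" policyid=7 policyname="block malicious"',
    # Ordinary allowed session on another policy: must not alert.
    'date=2024-01-15 time=10:00:03 devname="FGT-1" logid="0000000013" type="traffic" '
    'subtype="forward" level="notice" vd="root" srcip=10.0.0.8 srcport=40000 '
    'dstip=198.51.100.20 dstport=80 proto=6 action="accept" policyid=3 policyname="lan-to-wan"',
    # Implicit deny (policy ID 0): a different policy, so not an alert for policy 7.
    'date=2024-01-15 time=10:00:04 devname="FGT-1" logid="0000000013" type="traffic" '
    'subtype="forward" level="notice" vd="root" srcip=198.51.100.99 srcport=1111 '
    'dstip=192.0.2.5 dstport=23 proto=6 action="deny" policyid=0 policyname=""',
    # IPS record: type=utm, so the forward-traffic filter ignores it regardless.
    'date=2024-01-15 time=10:00:05 devname="FGT-1" logid="0419016384" type="utm" '
    'subtype="ips" eventtype="signature" level="alert" srcip=203.0.113.10 action="dropped"',
]


if __name__ == "__main__":
    hits = select_alerts(SAMPLE_LOGS, policy_id=7)
    for ip, count in summarize_by_source(hits).items():
        # Replace print with the notification of your choice (mail, webhook, ...).
        print(f"policy 7 blocked {ip} ({count} session(s))")
```

Matching on `policyid` rather than `policyname` is deliberate: the ID is stable across renames and is what the unit writes for the implicit deny (policy 0), so the same filter works for the implicit-deny logs mentioned earlier in the thread. The per-source summary keeps a scanning host from turning into hundreds of identical notifications.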