Hello,
With 7.0.5 we can see new entries in the forward logs about the implicit policy 0. This is my root source interface, which accesses the FortiGuard services on TCP 853 (DNS over TLS).
These entries match correctly (a good point, in fact), but why do they appear in the deny policy?
And is it possible to fix or hide it?
Regards,
hixeN
Created on 06-09-2022 12:23 PM
Hello @hixeN ,
Thank you for posting your query on the Fortinet Forums. Can you provide the information in the detail section on the top right?
Thanks,
Hi,
May I know whether you are using DNS filter on the FortiGate and have enabled SDNS in the FortiGuard settings, or DNS-over-TLS in the DNS settings? Please share the raw log to get more information regarding the log.
Hello,
@Anonymous
The details about the log:
@nithincs
I don't use the DNS filter for my ACL. This is my configuration for the Network/DNS section:
These logs appeared after the upgrade from 7.0.1 to 7.0.5.
Regards,
Hixen
Hey Hixen,
I think there may be a slight confusion here:
- policy ID 0 is implicit deny, correct
- policy ID 0 is also used in logs for local traffic (traffic that terminates or originates on the FortiGate)
-> such as the FortiGate sending DNS queries, or fetching updates, or an admin login
-> if you log local traffic, all of that will have policy ID 0 usually.
Is this local traffic? Or is this traffic passing through the FortiGate?
If this is traffic through the firewall - what policy should it be using?
I would also suggest checking the session list:
#dia sys session filter dport 853
#dia sys session list
-> this should dump DNS-over-TLS sessions
-> you can check for the 'policyid' bit in a specific session; that should usually be the logged policy ID
-> you can check the 'state' - that may include flags like 'local', meaning local traffic, 'log', meaning the session should be logged, or 'may_dirty' (session should be reevaluated if the policy it goes through changes for some reason)
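To separate the two meanings of policy ID 0 described above when reviewing exported logs, the following added example (not from this thread or from Fortinet) parses FortiGate-style key=value traffic log lines and tags each policyid=0 entry as local traffic (the firewall's own address is source or destination, or subtype is local) or as a genuine implicit-deny hit. The log lines and the firewall address 192.0.2.1 are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in FortiGate key=value syslog style (not real logs).
# 192.0.2.1 stands in for the FortiGate's own root/WAN interface address.
SAMPLE_LOGS = [
    # The FortiGate itself querying FortiGuard DNS over TLS: logged with policyid=0
    'date=2022-06-09 time=12:23:01 type="traffic" subtype="forward" srcip=192.0.2.1 '
    'srcport=51234 srcintf="wan1" dstip=198.51.100.5 dstport=853 proto=6 '
    'action="accept" policyid=0 sessionid=101',
    # A host behind the firewall hitting the implicit deny rule
    'date=2022-06-09 time=12:23:02 type="traffic" subtype="forward" srcip=10.0.0.25 '
    'srcport=49322 srcintf="lan" dstip=203.0.113.7 dstport=445 proto=6 '
    'action="deny" policyid=0 sessionid=102',
    # Ordinary traffic matched by an explicit policy
    'date=2022-06-09 time=12:23:03 type="traffic" subtype="forward" srcip=10.0.0.25 '
    'srcport=49323 srcintf="lan" dstip=203.0.113.8 dstport=443 proto=6 '
    'action="accept" policyid=12 sessionid=103',
    # Admin login terminating on the FortiGate, logged as local traffic
    'date=2022-06-09 time=12:23:04 type="traffic" subtype="local" srcip=10.0.0.9 '
    'srcport=50001 srcintf="lan" dstip=192.0.2.1 dstport=443 proto=6 '
    'action="accept" policyid=0 sessionid=104',
]

# Addresses owned by the FortiGate itself (assumption for this example).
FORTIGATE_IPS = {"192.0.2.1"}

# key=value pairs; values may be double-quoted or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortigate_log(line: str) -> dict:
    """Turn one key=value log line into a dict of string fields."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def classify(entry: dict, fortigate_ips=FORTIGATE_IPS) -> str:
    """Explain why an entry carries policyid=0 (or that it did not)."""
    if entry.get("policyid") != "0":
        return "matched-policy"
    # Local traffic: the firewall is an endpoint, so no forward policy applies.
    if (entry.get("subtype") == "local"
            or entry.get("srcip") in fortigate_ips
            or entry.get("dstip") in fortigate_ips):
        return "local-traffic"
    if entry.get("action") == "deny":
        return "implicit-deny"
    return "review"  # policyid=0, not local, not denied: worth a manual look


def triage(lines=SAMPLE_LOGS) -> Counter:
    """Count entries per category so implicit-deny noise can be separated from local-out."""
    return Counter(classify(parse_fortigate_log(line)) for line in lines)
```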