Hello,
With 7.0.5 we can see new entries in the logs forward about the implicit policy 0. This is my root source interface who access to the FortiGuard services on the TCP 853 DnsOverTls.
Theses entries match correclty (good point in fact) but why appears in the deny policy ?
And is it possible to fix or hide it ?
Regards,
hixeN
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Created on 06-09-2022 12:23 PM
Hello @hixeN ,
Thank you for posting your query on the Fortinet Forums. Can you provide the information in the detail section on the top right?
Thanks,
hi,
May I know whether you are using DNS filter in the fortigate and enabled sdns in fortiguard settings or dns-over-tls in dns settings? Please share raw log to get more information regarding the log.
Hello,
@Anonymous
The details about the log :
@nithincs
I don't use the dns filter for my acl. This is my configuration about section network/dns :
This logs appears at the upgrade 7.0.1 to 7.0.5
Regards,
Hixen
Hey Hixen,
I think there may be a slight confusion here:
- policy ID 0 is implicit deny, correct
- policy ID 0 is also used in logs for local traffic (traffic that terminates or originates on the FortiGate)
-> such as the FortiGate sending DNS queries, or fetching updates, or an admin login
-> if you log local traffic, all of that will have policy ID 0 usually.
Is this local traffic? Or is this traffic passing through the FortiGate?
If this is traffic through the firewall - what policy should it be using?
I would also suggest checking the session list:
#dia sys session filter dport 853
#dia sys session list
-> this should dump DNS-over-TLS sessions
-> you can check for the 'policyid' bit in a specific session; that should usually be the logged policy ID
-> you can check the 'state' - that may include flags like 'local', meaning local traffic, 'log', meaning the session should be logged, or 'may_dirty' (session should be reevaluated if the policy it goes through changes for some reason)
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1732 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.