Can't I see LAND attack blocking logs on FortiGate?
I am practicing LAND attack blocking in an offline network with a FortiGate 60D. If you "set block-land-attack enable" in "config system settings" and then LAND-attack the device,
won't it be logged? When I look at the events or logs, I don't see a log saying it was blocked.
Where should I look?
Reference material:
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/533753/blocking-land-attacks-in-transpar...
Labels: FortiGate
You will likely need to enable logging of "invalid packets" first:
config log setting
set log-invalid-packet enable
end
After that, you should see the attempt logged in the relevant traffic log (likely Forward, unless the destination is an IP owned by the FGT) as an "implicit deny" log, with the message field saying something like "same src/dst address X.X.X.X, drop".
The same message can be seen in debug flow output, if you're catching the traffic with that.
Worth noting that if LAND attack blocking is disabled, there's a chance the packet will be blocked just by the RPF check failing (unless the attack target is in the source interface's subnet, or the attack comes from WAN, where a default route will likely permit "anything" with respect to the RPF check).
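As an added illustration of the answer above (this is example code written for this page, not something from the thread or from Fortinet), the script below does two things: it scans FortiGate-style key=value traffic log lines for the "implicit deny" entries a blocked LAND packet produces, and it models the RPF caveat so you can see which ingress interface would drop a same-src/dst packet even with block-land-attack disabled. The sample log lines are constructed; the field names (srcip, dstip, action, policyid, msg) follow the usual FortiGate key=value syslog layout, and the exact wording of the msg field is taken from the answer, not verified against a particular firmware. The RPF model assumes the default loose mode (strict-src-check disabled) unless you pass strict=True.

```python
"""Spot LAND-attack drops in FortiGate-style traffic logs and model the RPF caveat.

Example code added for this page; not from the thread or from Fortinet.
Field names follow the common FortiGate key=value log layout (an assumption).
"""
import ipaddress
import re
import shlex

# Constructed sample lines (not captured from a real device). Two are LAND drops,
# one is an ordinary accept, one is a policy deny with a different msg.
SAMPLE_LOGS = [
    'date=2024-01-01 time=12:00:00 type="traffic" subtype="forward" srcip=192.0.2.10 '
    'srcport=1234 dstip=192.0.2.10 dstport=80 proto=6 action="deny" policyid=0 '
    'msg="same src/dst address 192.0.2.10, drop"',
    'date=2024-01-01 time=12:00:01 type="traffic" subtype="forward" srcip=198.51.100.5 '
    'srcport=40000 dstip=192.0.2.20 dstport=443 proto=6 action="accept" policyid=1',
    'date=2024-01-01 time=12:00:02 type="traffic" subtype="local" srcip=203.0.113.1 '
    'srcport=5555 dstip=203.0.113.1 dstport=22 proto=6 action="deny" policyid=0 '
    'msg="same src/dst address 203.0.113.1, drop"',
    'date=2024-01-01 time=12:00:03 type="traffic" subtype="forward" srcip=198.51.100.7 '
    'srcport=4444 dstip=192.0.2.30 dstport=25 proto=6 action="deny" policyid=0 '
    'msg="iprope_in_check() check failed on policy 0, drop"',
]

# Wording of the msg field as quoted in the answer above (assumed, firmware-dependent).
LAND_MSG = re.compile(r"same src/dst address")


def parse_kv(line):
    """Split one key=value log line into a dict, honouring double-quoted values."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def is_land_drop(fields):
    """A blocked LAND packet is a denied entry whose src and dst match,
    normally carrying the 'same src/dst address' message."""
    same_addr = fields.get("srcip") == fields.get("dstip")
    msg_hit = bool(LAND_MSG.search(fields.get("msg", "")))
    return fields.get("action") == "deny" and (msg_hit or same_addr)


def find_land_drops(lines):
    """Return the parsed entries that record a LAND drop."""
    return [f for f in map(parse_kv, lines) if is_land_drop(f)]


def rpf_would_drop(srcip, ingress, routes, strict=False):
    """Model the reverse-path check from the answer's caveat.

    routes: list of (prefix, interface); a default route is "0.0.0.0/0".
    Loose mode (FortiGate default, assumed): pass if ANY route to srcip exits
    the ingress interface. Strict mode: the BEST (longest-prefix) route must.
    """
    src = ipaddress.ip_address(srcip)
    matching = [(ipaddress.ip_network(p), i) for p, i in routes]
    matching = [(n, i) for n, i in matching if src in n]
    if not matching:
        return True
    if strict:
        best = max(matching, key=lambda r: r[0].prefixlen)
        return best[1] != ingress
    return not any(i == ingress for _, i in matching)


# Constructed routing table: one LAN subnet plus a default route out wan1.
ROUTES = [("192.0.2.0/24", "internal"), ("0.0.0.0/0", "wan1")]

if __name__ == "__main__":
    for entry in find_land_drops(SAMPLE_LOGS):
        print(f'LAND drop: {entry["srcip"]} -> {entry["dstip"]} ({entry.get("msg")})')
    for src, iface in [("192.0.2.10", "internal"), ("203.0.113.1", "internal"),
                       ("192.0.2.10", "wan1")]:
        print(f"RPF drops src={src} on {iface}: {rpf_would_drop(src, iface, ROUTES)}")
```

Run it as-is to see the two constructed LAND entries picked out, and note the RPF results: a spoofed LAN address arriving on the WAN side passes the loose check because the default route covers it (which is exactly why the answer says WAN-originated tests need the explicit LAND block), while a WAN address arriving on the internal interface is dropped by RPF before any LAND setting matters.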
