Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Akmostafa
New Contributor III

Denied traffic on non utm non implicit policy

Hello team,

Has anyone encountered a denied-traffic log on a firewall policy with "allow" action?

The policy has no UTM profiles, and the denied traffic matches all policy criteria!

Akmostafa

I agree.

However, I believe that if the FortiGate receives a packet that is not a SYN packet while there is no session in the session table, the packet is silently dropped without generating a deny log.

 

I have tested this with a packet generator.

The flow trace shows "no session matched". The firewall policy is not matched and no logs are seen.

srajeswaran

We can ignore the threat ID/threat score parts; it's the default for denied traffic. Ref: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Threat-131072-is-seen-in-logs-when-traffic...

Can you share the raw log for this particular instance from FortiAnalyzer?

Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
Akmostafa

Hello,

Here you go.

As mentioned before, no FAZ is engaged here. The logs are from memory.

 

date=2023-07-18 time=13:15:32 eventtime=1689675333341850875 tz="+0300" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=172.16.14.4 srcname="HUAWEI_nova_3i-9d54ebeb4a" srcport=40412 srcintf="vlan-14" srcintfrole="lan" dstip=142.250.184.238 dstport=443 dstintf="Internet_2" dstintfrole="wan" srccountry="Reserved" dstcountry="United States" sessionid=517100 proto=6 action="deny" policyid=7 policytype="policy" poluuid="ba294c26-0d0d-51ed-7333-4e09cd30bf81" policyname="Internal to sdwan" service="HTTPS" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 vwlid=1 vwlquality="Seq_num(3 Internet_2), alive, selected" vwlname="priority-4G" appcat="unscanned" crscore=30 craction=131072 crlevel="high" srchwvendor="Huawei" devtype="Phone" srcfamily="Nova" osname="Android" srchwversion="3i" srcswversion="9" mastersrcmac="e4:0e:ee:fe:72:ce" srcmac="e4:0e:ee:fe:72:ce" srcserver=0
date=2023-07-18 time=13:14:43 eventtime=1689675283442672030 tz="+0300" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=172.16.14.12 srcname="Android" srcport=48114 srcintf="vlan-14" srcintfrole="lan" dstip=102.132.97.63 dstport=443 dstintf="Internet_2" dstintfrole="wan" srccountry="Reserved" dstcountry="South Africa" sessionid=516816 proto=6 action="deny" policyid=7 policytype="policy" poluuid="ba294c26-0d0d-51ed-7333-4e09cd30bf81" policyname="Internal to sdwan" service="HTTPS" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 vwlid=1 vwlquality="Seq_num(3 Internet_2), alive, selected" vwlname="priority-4G" appcat="unscanned" crscore=30 craction=131072 crlevel="high" srchwvendor="LG" devtype="Phone" srcfamily="K" osname="Android" srcswversion="12" mastersrcmac="3a:75:b3:74:e6:06" srcmac="3a:75:b3:74:e6:06" srcserver=0
date=2023-07-18 time=13:13:53 eventtime=1689675233714465701 tz="+0300" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=172.16.14.4 srcname="HUAWEI_nova_3i-9d54ebeb4a" srcport=40412 srcintf="vlan-14" srcintfrole="lan" dstip=142.250.184.238 dstport=443 dstintf="Internet_2" dstintfrole="wan" srccountry="Reserved" dstcountry="United States" sessionid=516596 proto=6 action="deny" policyid=7 policytype="policy" poluuid="ba294c26-0d0d-51ed-7333-4e09cd30bf81" policyname="Internal to sdwan" service="HTTPS" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 vwlid=1 vwlquality="Seq_num(3 Internet_2), alive, selected" vwlname="priority-4G" appcat="unscanned" crscore=30 craction=131072 crlevel="high" srchwvendor="Huawei" devtype="Phone" srcfamily="Nova" osname="Android" srchwversion="3i" srcswversion="9" mastersrcmac="e4:0e:ee:fe:72:ce" srcmac="e4:0e:ee:fe:72:ce" srcserver=0
date=2023-07-18 time=13:13:24 eventtime=1689675204491597158 tz="+0300" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=172.16.14.4 srcname="HUAWEI_nova_3i-9d54ebeb4a" srcport=57376 srcintf="vlan-14" srcintfrole="lan" dstip=102.132.97.54 dstport=443 dstintf="Internet_2" dstintfrole="wan" srccountry="Reserved" dstcountry="South Africa" sessionid=516360 proto=6 action="deny" policyid=7 policytype="policy" poluuid="ba294c26-0d0d-51ed-7333-4e09cd30bf81" policyname="Internal to sdwan" service="HTTPS" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 vwlid=1 vwlquality="Seq_num(3 Internet_2), alive, selected" vwlname="priority-4G" appcat="unscanned" crscore=30 craction=131072 crlevel="high" srchwvendor="Huawei" devtype="Phone" srcfamily="Nova" osname="Android" srchwversion="3i" srcswversion="9" mastersrcmac="e4:0e:ee:fe:72:ce" srcmac="e4:0e:ee:fe:72:ce" srcserver=0

Akmostafa
New Contributor III

It is always noted that multiple log entries appear with the same source port. The very first log is an accepted session (closed).
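
The raw log lines shared earlier in the thread and the observation about repeated source ports are something a defender would normally want to check over a larger log export rather than by eye. The following is an added example (not code from the thread or from Fortinet): a small parser for FortiGate key=value traffic logs that groups records by 5-tuple, lists the flows that appear more than once, pulls out the deny records that cite a policy the administrator knows is configured as accept, and notes which of them carry the threat-weight fields (crscore/craction/crlevel) discussed above. The sample lines are constructed for this example, shortened and adapted from the thread's output; the "close" record for the first session is an assumption modelling the statement that the first entry for a source port is an accepted, closed session. The set of allow-policy IDs is also an input assumption, because the log's policyid field does not reveal the policy's configured action.

```python
"""Parse FortiGate key=value traffic logs and flag deny records on a known accept policy."""
import re
from collections import defaultdict

# Constructed sample modelled on the thread's raw logs (shortened; eventtime order is deliberately
# scrambled so the sort below is exercised). Not a real capture.
SAMPLE_LOGS = """\
date=2023-07-18 time=13:15:32 eventtime=1689675333341850875 type="traffic" subtype="forward" srcip=172.16.14.4 srcport=40412 srcintf="vlan-14" dstip=142.250.184.238 dstport=443 dstintf="Internet_2" sessionid=517100 proto=6 action="deny" policyid=7 policyname="Internal to sdwan" service="HTTPS" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 vwlquality="Seq_num(3 Internet_2), alive, selected" crscore=30 craction=131072 crlevel="high"
date=2023-07-18 time=13:12:40 eventtime=1689675160000000000 type="traffic" subtype="forward" srcip=172.16.14.4 srcport=40412 srcintf="vlan-14" dstip=142.250.184.238 dstport=443 dstintf="Internet_2" sessionid=516500 proto=6 action="close" policyid=7 policyname="Internal to sdwan" service="HTTPS" duration=12 sentbyte=1420 rcvdbyte=5230 sentpkt=11 rcvdpkt=10
date=2023-07-18 time=13:13:53 eventtime=1689675233714465701 type="traffic" subtype="forward" srcip=172.16.14.4 srcport=40412 srcintf="vlan-14" dstip=142.250.184.238 dstport=443 dstintf="Internet_2" sessionid=516596 proto=6 action="deny" policyid=7 policyname="Internal to sdwan" service="HTTPS" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 vwlquality="Seq_num(3 Internet_2), alive, selected" crscore=30 craction=131072 crlevel="high"
date=2023-07-18 time=13:14:43 eventtime=1689675283442672030 type="traffic" subtype="forward" srcip=172.16.14.12 srcport=48114 srcintf="vlan-14" dstip=102.132.97.63 dstport=443 dstintf="Internet_2" sessionid=516816 proto=6 action="deny" policyid=7 policyname="Internal to sdwan" service="HTTPS" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 vwlquality="Seq_num(3 Internet_2), alive, selected" crscore=30 craction=131072 crlevel="high"
"""

# FortiGate log fields are space-separated key=value pairs; quoted values may contain spaces.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line: str) -> dict:
    """Return the key=value fields of one log line as a dict, with surrounding quotes removed."""
    fields = {}
    for key, raw in _KV_RE.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def parse_many(text: str) -> list:
    """Parse every non-empty line of a log export."""
    return [parse_fortigate_log(l) for l in text.splitlines() if l.strip()]


def flow_key(rec: dict) -> tuple:
    """5-tuple identifying a flow: src ip/port, dst ip/port, protocol number."""
    return (rec.get("srcip"), rec.get("srcport"), rec.get("dstip"), rec.get("dstport"), rec.get("proto"))


def denies_on_allow_policies(records: list, allow_policy_ids: set) -> list:
    """Deny records that cite a policy the administrator knows is configured as accept."""
    return [r for r in records if r.get("action") == "deny" and r.get("policyid") in allow_policy_ids]


def threat_weight_marked(rec: dict) -> bool:
    """True when the record carries the threat-weight fields seen in the thread (craction 131072)."""
    return "crscore" in rec and rec.get("craction") == "131072"


def zero_byte_deny(rec: dict) -> bool:
    """A deny with no bytes or packets counted: the session never carried traffic."""
    return rec.get("action") == "deny" and all(
        rec.get(f) == "0" for f in ("sentbyte", "rcvdbyte", "sentpkt", "rcvdpkt"))


def repeated_flows(records: list) -> dict:
    """Flows seen more than once, mapped to their actions in eventtime order."""
    groups = defaultdict(list)
    for r in records:
        groups[flow_key(r)].append(r)
    out = {}
    for key, recs in groups.items():
        if len(recs) > 1:
            recs.sort(key=lambda r: int(r.get("eventtime", "0")))
            out[key] = [r.get("action") for r in recs]
    return out


def summarize(text: str, allow_policy_ids: set) -> dict:
    """One-shot report over a log export; the assumed allow-policy set is supplied by the caller."""
    records = parse_many(text)
    suspicious = denies_on_allow_policies(records, allow_policy_ids)
    return {
        "records": len(records),
        "deny_on_allow": len(suspicious),
        "deny_on_allow_zero_byte": sum(1 for r in suspicious if zero_byte_deny(r)),
        "deny_on_allow_threat_marked": sum(1 for r in suspicious if threat_weight_marked(r)),
        "repeated_flows": repeated_flows(records),
    }


if __name__ == "__main__":
    # Policy 7 is assumed to be configured with action "accept", as the thread describes.
    report = summarize(SAMPLE_LOGS, {"7"})
    for k, v in report.items():
        print(f"{k}: {v}")
```

Run it against an export from the GUI or FortiAnalyzer by replacing SAMPLE_LOGS with the file contents. A deny record on an accept policy with zero bytes and a preceding "close" for the same 5-tuple, as the repeated_flows output shows for the first sample flow, is exactly the pattern the thread describes; the threat-weight fields on those records say nothing by themselves, since they are populated on denied traffic by default, so the comparison that matters is against the policy's configured action.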

msanjaypadma
Staff

Hi @Akmostafa ,

 

I hope your traffic is getting denied because the source traffic is marked with threat score 30.


Refer to the articles below for more details:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Threat-131072-is-seen-in-logs-when-traffic...
https://docs.fortinet.com/document/fortigate/6.4.5/administration-guide/903511/threat-weight

If you have found a solution, please like and mark it as solved to make it easily accessible for everyone.

Thanks,

 

Mayur Padma
Akmostafa
New Contributor III

Hi Mayur, how is the traffic marked with a threat score? And how can this marking be rolled back?

Patterson

@Akmostafa, can you confirm whether you have the FGT added to FAZ (which has an IOC license)?

Also check whether the blocked user source is listed by the commands below.

diag user quarantine list or diag user banned-ip list

Regards,
Patterson
Akmostafa
New Contributor III

Hi Patterson,

None of the above.
