Finding applicable Fortigate rules from hits in FortiAnalyzer logs - Help needed

championc1 · ‎06-14-2023

Hi all,

Is it possible to find the relevant Fortigate FW and Security Policy Rule being used when some traffic is logged ?

The log entries obviously contain the Data Source ID which identifies the Device, but I can be difficult to then identify the VDOM and FW Policy Rule

Cormac Champion

saneeshpv_FTNT · ‎06-14-2023

Once you find the matching logs in FAZ, if you click on the logs for more details you can find the VDOM details as well as policy ID as attached

championc1 · ‎06-14-2023

Great thanks. I was looking under Fabric > All rather than under Fortigate > Traffic
The traffic I have is showing as Virtual Domain "root" and a Policy ID of 0 (Zero) - which, if I understand correctly, is the implicit deny rule - and when I look at it, it does indeed show as being a DENY, so I'm a bit confused

Cormac Champion

Stephen_Daniel · ‎06-14-2023

Policy id 0 is the default implicit deny policy. Drop all. Could you please share a sample log?

championc1 · ‎06-14-2023

See below

Cormac Champion

saneeshpv_FTNT · ‎06-14-2023

These are your Local Traffic logs originated from FGT or Destined to FGT which will also have Policy ID 0.

Please refer to below link for more information

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Local-traffic-logs-and-policy-ID-0/ta-p/19...

Finding applicable Fortigate rules from hits in FortiAnalyzer logs - Help needed

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website