Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
championc1
New Contributor

Finding applicable Fortigate rules from hits in FortiAnalyzer logs - Help needed

Hi all,

Is it possible to find the relevant Fortigate FW and Security Policy Rule being used when some traffic is logged ?

The log entries obviously contain the Data Source ID which identifies the Device, but I can be difficult to then identify the VDOM and FW Policy Rule

Cormac Champion
Cormac Champion
5 REPLIES 5
saneeshpv_FTNT

Once you find the matching logs in FAZ, if you click on the logs for more details you can find the VDOM details as well as policy ID as attached

FAZ.png

championc1
New Contributor

Great thanks.  I was looking under Fabric > All rather than under Fortigate > Traffic
The traffic I have is showing as Virtual Domain "root" and a Policy ID of 0 (Zero) - which, if I understand correctly, is the implicit deny rule - and when I look at it, it does indeed show as being a DENY, so I'm a bit confused

Cormac Champion
Cormac Champion
Stephen_Daniel

Policy id 0 is the default implicit deny policy. Drop all. Could you please share a sample log?

Implicit_deny_default.PNG

championc1
New Contributor

See below

cap1.jpgcap2.jpg

Cormac Champion
Cormac Champion
saneeshpv_FTNT

These are your Local Traffic logs originated from FGT or Destined to FGT which will also have Policy ID 0.

 

Please refer to below link for more information

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Local-traffic-logs-and-policy-ID-0/ta-p/19...

Top Kudoed Authors