Support Forum
Jaco
New Contributor

FortiOS 5.0.7 log subtype=forward status=deny

Hi, I saw this log massively in the FG ↓. Does anybody know what this log represents?
date=2014-09-22 time=09:04:19 logid=0000000013 type=traffic subtype=forward level=notice vd=VDOM-1 srcip=XXXX srcport=28759 srcintf=" Vlan-1169" dstip=XXXX dstport=2195 dstintf=" Vlan-3501" sessionid=2690761781 status=deny policyid=0 dstcountry=" United States" srccountry=" Reserved" trandisp=noop service=TCP_1024_65535 proto=6 duration=0 sentbyte=0 rcvdbyte=0
date=2014-09-22 time=09:04:19 logid=0000000013 type=traffic subtype=forward level=notice vd=VDOM-1 srcip=XXXX srcport=28755 srcintf=" Vlan-1169" dstip=XXXX dstport=2195 dstintf=" Vlan-3501" sessionid=2690761780 status=deny policyid=0 dstcountry=" United States" srccountry=" Reserved" trandisp=noop service=TCP_1024_65535 proto=6 duration=0 sentbyte=0 rcvdbyte=0
date=2014-09-22 time=09:04:19 logid=0000000013 type=traffic subtype=forward level=notice vd=VDOM-1 srcip=XXXX srcport=28756 srcintf=" Vlan-1169" dstip=XXXX dstport=2195 dstintf=" Vlan-3501" sessionid=2690761782 status=deny policyid=0 dstcountry=" United States" srccountry=" Reserved" trandisp=noop service=TCP_1024_65535 proto=6 duration=0 sentbyte=0 rcvdbyte=0
ede_pfau
SuperUser

Hi, and welcome to the forums!
policyid=0
This is the implicit deny policy at the end of the policy table. If traffic does not match any policy, then this policy will deny it finally. You can suppress logging of implicit policy traffic; the option depends on the version of FortiOS used.

Ede


"Kernel panic: Aiee, killing interrupt handler!"
Jaco
New Contributor

Oh, but why does policy 0 deny? What could cause this log to be generated? In addition to the deny log I have seen an allow log ↓. And what does "transip=noop" mean?
date=2014-09-22 time=09:04:24 logid=0000000013 type=traffic subtype=forward level=notice vd=VDOM-1 srcip=XXXX srcport=27431 srcintf=" Vlan-1169" dstip=XXXX dstport=2195 dstintf=" Vlan-3501" sessionid=2690748667 status=close policyid=100040 dstcountry=" United States" srccountry=" Reserved" trandisp=snat transip=XXXX transport=27431 service=TCP_1024_65535 proto=6 duration=35 sentbyte=183 rcvdbyte=128 sentpkt=4 rcvdpkt=3
date=2014-09-22 time=09:04:21 logid=0000000013 type=traffic subtype=forward level=notice vd=VDOM-1 srcip=XXXX srcport=28849 srcintf=" Vlan-1169" dstip=XXXX dstport=2195 dstintf=" Vlan-3501" sessionid=2690762802 status=deny policyid=0 dstcountry=" United States" srccountry=" Reserved" trandisp=noop service=TCP_1024_65535 proto=6 duration=0 sentbyte=0 rcvdbyte=0
ede_pfau
SuperUser

As I said, traffic that is not matched by any policy is implicitly matched by policy 0 and discarded. "transip=noop" refers to NAT in NAT/routing mode. In this case, there is no NAT rule. The value can be "snat, dnat, noop". Maybe it would be a good idea if you got the "Log Message Reference" for FortiOS v5, available on http://docs.fortinet.com . All field names are documented, for the traffic log and all other log sources. (From that, I deduced that your FGT is running FOS v5; "subtype=forward" was only introduced in v5.)

Ede


"Kernel panic: Aiee, killing interrupt handler!"
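As an added example (not from the thread or from Fortinet), the following Python parses FortiOS 5.0 traffic log records of the kind pasted above, splits records that have been run together on one line, strips the quoting around values such as " Vlan-1169", and separates implicit-deny hits (policyid=0, status=deny) from traffic that was allowed, with or without SNAT. The sample records and their IP addresses are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample: two FortiOS 5.0 traffic records run together on one line,
# as they appear when syslog output is pasted into a forum post.
SAMPLE = (
    'date=2014-09-22 time=09:04:19 logid=0000000013 type=traffic subtype=forward '
    'level=notice vd=VDOM-1 srcip=10.0.0.5 srcport=28759 srcintf=" Vlan-1169" '
    'dstip=203.0.113.10 dstport=2195 dstintf=" Vlan-3501" sessionid=2690761781 '
    'status=deny policyid=0 dstcountry=" United States" srccountry=" Reserved" '
    'trandisp=noop service=TCP_1024_65535 proto=6 duration=0 sentbyte=0 rcvdbyte=0 '
    'date=2014-09-22 time=09:04:24 logid=0000000013 type=traffic subtype=forward '
    'level=notice vd=VDOM-1 srcip=10.0.0.5 srcport=27431 srcintf=" Vlan-1169" '
    'dstip=203.0.113.10 dstport=2195 dstintf=" Vlan-3501" sessionid=2690748667 '
    'status=close policyid=100040 dstcountry=" United States" srccountry=" Reserved" '
    'trandisp=snat transip=198.51.100.1 transport=27431 service=TCP_1024_65535 '
    'proto=6 duration=35 sentbyte=183 rcvdbyte=128 sentpkt=4 rcvdpkt=3'
)

# key=value where the value is either a double-quoted string (may contain spaces)
# or a bare run of non-space characters.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def split_records(text):
    """Split concatenated records: each 'date=' following whitespace starts a new one."""
    return [r for r in re.split(r'\s(?=date=)', text) if r.strip()]

def parse_record(record):
    """Parse one record into a dict; quotes and the stray leading space inside
    quoted values (e.g. " Vlan-1169") are stripped."""
    return {k: v.strip('"').strip() for k, v in _KV.findall(record)}

def classify(fields):
    """'implicit-deny' for policy 0 drops, 'deny' for an explicit deny policy,
    otherwise 'allowed-snat' or 'allowed' depending on trandisp."""
    if fields.get('status') == 'deny':
        return 'implicit-deny' if fields.get('policyid') == '0' else 'deny'
    return 'allowed-snat' if fields.get('trandisp') == 'snat' else 'allowed'

def summarize(text):
    """Count records per class and the (proto, dstport) pairs hit by implicit denies,
    which is what to look at before deciding whether a policy is missing."""
    classes, denied_ports = Counter(), Counter()
    for rec in split_records(text):
        fields = parse_record(rec)
        label = classify(fields)
        classes[label] += 1
        if label == 'implicit-deny':
            denied_ports[(fields['proto'], fields['dstport'])] += 1
    return classes, denied_ports
```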