Howdy all,
I am trying to view Deny traffic logs on a Fortigate 30E
(FortiGate 30Ev6.2.15 build1378 (GA)
and they are not showing up.
Via the CLI - log severity level set to Warning
Local logging
Here is the details:
CMB-FL01 # show full-configuration log memory filter
config log memory filter
set severity warning
set forward-traffic enable
set local-traffic enable
set multicast-traffic enable
set sniffer-traffic enable
set anomaly enable
set voip enable
set filter ‘’
set filter-type include
The Fortigate is getting hammered, with alerts coming in thusly: (Sanitized)
Message meets Alert condition
date=2024-11-14 time=15:04:05 devname=CMB-FL01 devid=FGT30E5777885133 logid=“0000000013” type=“traffic” subtype=“forward” level=“notice” vd=“root” eventtime=1731621845329636171 tz=“-0700” srcip=194.264.22.254 srcport=56676 srcintf=“wan” srcintfrole=“wan” dstip=93.22.3.19 dstport=10443 dstintf=“lan” dstintfrole=“lan” sessionid=3808968 proto=6 action=“deny” policyid=0 policytype=“policy” service=“tcp/10443” dstcountry=“Canada” srccountry=“Canada” trandisp=“dnat” tranip=195.137.0.254 tranport=443 duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat=“unscanned” crscore=30 craction=131072 crlevel=“high”
Implicit Deny policy in place - set to log violation Traffic:
However I can find no deny logs:
Nor can I see the Implicit Deny object when trying to search logs by Policy:
I don’t know if I am missing something obvious, or have configured something incorrectly.
If anyone has any advice it would be appreciated!
Thanks to any takers.
Sozo
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Run the debug flow commands to see whether your denied traffic is hitting a firewall policy with a log setting enabled.
Hi dingjerry_FTNT,
Thanks for that, I am doing so now, appreciate the suggestion. I will update with what I can find there though the implicit deny policy is in place with logging set to log all events from Warning and above it should be hitting that policy.
If the destination is the wan IP interface and not a VIP/port forward, try looking under Local Traffic.
Agree. So @Sozo_Admin , what is your interesting traffic? Is it a passthrough traffic or terminated on FGT?
Hi again dingjerry_FTNT,
It is external attempts to access (attacks) getting denied by the Fortigate.
I am trying to view the deny logs. (Boss request)
Do you know what denied this traffic? Regular firewall policy or local-in policy?
Do you know what kind of denied traffic it is?
Yes as we can see from the alert "proto=6 action=“deny” policyid=0"
proto=6 is TCP, Action=Deny from policyid=0 which is the implicit deny policy
As logging is enabled as we can see from the images that I;'ve posted, I do not get why I am not able to view the deny logs for it.
Your FGT is 30E model which has a small amount of memory. And in your FGT GUI, you chose "Memory" to show the logs. It's pretty easy to flush the old logs.
As per the Alert Message, it seems you are also sending logs to FAZ.
Can you switch "Memory" to "FortiAnalyzer" in the FGT GUI to see whether you can see the old logs?
Created on 11-15-2024 01:38 PM Edited on 11-15-2024 01:49 PM
Thanks dingjerryFTNT,
FAZ is not configured, the alert is coming directly from the appliance. Memory is the only option.
Are you thinking old logs are stopping the party? When I perform an execute log display from the GUI's CLI I see new logs for Policy 1.
Thank you for the assists, I am also wondering why the other Policies show white in the GUI but the Deny Policy is grey (see new pic below) in the above pic you can see that it is enabled..
Thanks again!
**Edit: FYI, trying to show matching logs from the GUI for the Deny policy shows nada, however for say Policy 1, it shows logs.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1714 | |
1093 | |
752 | |
447 | |
232 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.