Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Sozo_Admin
Visitor

Created on ‎11-15-2024 07:40 AM

Fortigate not showing Deny logs

Howdy all,

I am trying to view Deny traffic logs on a Fortigate 30E
(FortiGate 30Ev6.2.15 build1378 (GA)
and they are not showing up.
Via the CLI - log severity level set to Warning
Local logging

 

Here is the details:
CMB-FL01 # show full-configuration log memory filter
config log memory filter
set severity warning
set forward-traffic enable
set local-traffic enable
set multicast-traffic enable
set sniffer-traffic enable
set anomaly enable
set voip enable
set filter ‘’
set filter-type include

 

The Fortigate is getting hammered, with alerts coming in thusly: (Sanitized)

 

Message meets Alert condition
date=2024-11-14 time=15:04:05 devname=CMB-FL01 devid=FGT30E5777885133 logid=“0000000013” type=“traffic” subtype=“forward” level=“notice” vd=“root” eventtime=1731621845329636171 tz=“-0700” srcip=194.264.22.254 srcport=56676 srcintf=“wan” srcintfrole=“wan” dstip=93.22.3.19 dstport=10443 dstintf=“lan” dstintfrole=“lan” sessionid=3808968 proto=6 action=“deny” policyid=0 policytype=“policy” service=“tcp/10443” dstcountry=“Canada” srccountry=“Canada” trandisp=“dnat” tranip=195.137.0.254 tranport=443 duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat=“unscanned” crscore=30 craction=131072 crlevel=“high”

 

Implicit Deny policy in place - set to log violation Traffic:

Sozo_Admin_0-1731685105459.png

 

Firewall11209×756 28 KB

 

However I can find no deny logs:

Sozo_Admin_1-1731685105471.png

 

Firewall21898×879 30.2 KB

 

Nor can I see the Implicit Deny object when trying to search logs by Policy:

Sozo_Admin_2-1731685105476.png

 

firewall5509×648 86.5 KB

 

 

Sozo_Admin_3-1731685105469.png

 

Firewall41914×841 40.3 KB

 

I don’t know if I am missing something obvious, or have configured something incorrectly.
If anyone has any advice it would be appreciated!
Thanks to any takers.
Sozo

Labels:
125
0 Kudos
8 REPLIES 8
dingjerry_FTNT
Staff
Staff

Created on ‎11-15-2024 08:54 AM

Run the debug flow commands to see whether your denied traffic is hitting a firewall policy with a log setting enabled.

Regards,

Jerry
109
0 Kudos
Sozo_Admin
Visitor
In response to dingjerry_FTNT

Created on ‎11-15-2024 11:02 AM

Hi dingjerry_FTNT, 

Thanks for that, I am doing so now, appreciate the suggestion. I will update with what I can find there though the implicit deny policy is in place with logging set to log all events from Warning and above it should be hitting that policy.

48
0 Kudos
funkylicious
SuperUser
SuperUser

Created on ‎11-15-2024 09:03 AM

If the destination is the wan IP interface and not a VIP/port forward, try looking under Local Traffic.

"jack of all trades, master of none"
"jack of all trades, master of none"
104
0 Kudos
dingjerry_FTNT
Staff
Staff
In response to funkylicious

Created on ‎11-15-2024 09:49 AM

Agree. So @Sozo_Admin , what is your interesting traffic?  Is it a passthrough traffic or terminated on FGT?

Regards,

Jerry
79
0 Kudos
Sozo_Admin
Visitor
In response to dingjerry_FTNT

Created on ‎11-15-2024 11:05 AM

Hi again dingjerry_FTNT,

It is external attempts to access (attacks) getting denied by the Fortigate.

I am trying to view the deny logs. (Boss request)

45
0 Kudos
dingjerry_FTNT
Staff
Staff
In response to Sozo_Admin

Created on ‎11-15-2024 11:20 AM

Do you know what denied this traffic?  Regular firewall policy or local-in policy? 

 

Do you know what kind of denied traffic it is?

Regards,

Jerry
38
0 Kudos
Sozo_Admin
Visitor
In response to dingjerry_FTNT

Created on ‎11-15-2024 12:10 PM

Yes as we can see from the alert "proto=6 action=“deny” policyid=0"

proto=6 is TCP, Action=Deny from policyid=0 which is the implicit deny policy

As logging is enabled as we can see from the images that I;'ve posted, I do not get why I am not able to view the deny logs for it.

2
0 Kudos
Sozo_Admin
Visitor
In response to funkylicious

Created on ‎11-15-2024 11:03 AM

Howdy funkylicious,

Destination is LAN, sorry but thanks!

47
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.