Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Sozo_Admin
New Contributor

Created on ‎11-15-2024 07:40 AM

Fortigate not showing Deny logs

Howdy all,

I am trying to view Deny traffic logs on a Fortigate 30E
(FortiGate 30Ev6.2.15 build1378 (GA)
and they are not showing up.
Via the CLI - log severity level set to Warning
Local logging

 

Here is the details:
CMB-FL01 # show full-configuration log memory filter
config log memory filter
set severity warning
set forward-traffic enable
set local-traffic enable
set multicast-traffic enable
set sniffer-traffic enable
set anomaly enable
set voip enable
set filter ‘’
set filter-type include

 

The Fortigate is getting hammered, with alerts coming in thusly: (Sanitized)

 

Message meets Alert condition
date=2024-11-14 time=15:04:05 devname=CMB-FL01 devid=FGT30E5777885133 logid=“0000000013” type=“traffic” subtype=“forward” level=“notice” vd=“root” eventtime=1731621845329636171 tz=“-0700” srcip=194.264.22.254 srcport=56676 srcintf=“wan” srcintfrole=“wan” dstip=93.22.3.19 dstport=10443 dstintf=“lan” dstintfrole=“lan” sessionid=3808968 proto=6 action=“deny” policyid=0 policytype=“policy” service=“tcp/10443” dstcountry=“Canada” srccountry=“Canada” trandisp=“dnat” tranip=195.137.0.254 tranport=443 duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat=“unscanned” crscore=30 craction=131072 crlevel=“high”

 

Implicit Deny policy in place - set to log violation Traffic:

Sozo_Admin_0-1731685105459.png

 

Firewall11209×756 28 KB

 

However I can find no deny logs:

Sozo_Admin_1-1731685105471.png

 

Firewall21898×879 30.2 KB

 

Nor can I see the Implicit Deny object when trying to search logs by Policy:

Sozo_Admin_2-1731685105476.png

 

firewall5509×648 86.5 KB

 

 

Sozo_Admin_3-1731685105469.png

 

Firewall41914×841 40.3 KB

 

I don’t know if I am missing something obvious, or have configured something incorrectly.
If anyone has any advice it would be appreciated!
Thanks to any takers.
Sozo

Labels:
972
0 Kudos
13 REPLIES 13
dingjerry_FTNT
Staff
Staff

Created on ‎11-15-2024 08:54 AM

Run the debug flow commands to see whether your denied traffic is hitting a firewall policy with a log setting enabled.

Regards,

Jerry
725
0 Kudos
Sozo_Admin
New Contributor
In response to dingjerry_FTNT

Created on ‎11-15-2024 11:02 AM

Hi dingjerry_FTNT, 

Thanks for that, I am doing so now, appreciate the suggestion. I will update with what I can find there though the implicit deny policy is in place with logging set to log all events from Warning and above it should be hitting that policy.

664
0 Kudos
funkylicious
SuperUser
SuperUser

Created on ‎11-15-2024 09:03 AM

If the destination is the wan IP interface and not a VIP/port forward, try looking under Local Traffic.

"jack of all trades, master of none"
"jack of all trades, master of none"
720
0 Kudos
dingjerry_FTNT
Staff
Staff
In response to funkylicious

Created on ‎11-15-2024 09:49 AM

Agree. So @Sozo_Admin , what is your interesting traffic?  Is it a passthrough traffic or terminated on FGT?

Regards,

Jerry
695
0 Kudos
Sozo_Admin
New Contributor
In response to dingjerry_FTNT

Created on ‎11-15-2024 11:05 AM

Hi again dingjerry_FTNT,

It is external attempts to access (attacks) getting denied by the Fortigate.

I am trying to view the deny logs. (Boss request)

661
0 Kudos
dingjerry_FTNT
Staff
Staff
In response to Sozo_Admin

Created on ‎11-15-2024 11:20 AM

Do you know what denied this traffic?  Regular firewall policy or local-in policy? 

 

Do you know what kind of denied traffic it is?

Regards,

Jerry
654
0 Kudos
Sozo_Admin
New Contributor
In response to dingjerry_FTNT

Created on ‎11-15-2024 12:10 PM

Yes as we can see from the alert "proto=6 action=“deny” policyid=0"

proto=6 is TCP, Action=Deny from policyid=0 which is the implicit deny policy

As logging is enabled as we can see from the images that I;'ve posted, I do not get why I am not able to view the deny logs for it.

615
0 Kudos
dingjerry_FTNT
Staff
Staff
In response to Sozo_Admin

Created on ‎11-15-2024 12:31 PM

Your FGT is 30E model which has a small amount of memory.  And in your FGT GUI, you chose "Memory" to show the logs.  It's pretty easy to flush the old logs.

 

As per the Alert Message, it seems you are also sending logs to FAZ.

 

Can you switch "Memory" to "FortiAnalyzer" in the FGT GUI to see whether you can see the old logs?

Regards,

Jerry
610
0 Kudos
Sozo_Admin
New Contributor
In response to dingjerry_FTNT

Created on ‎11-15-2024 01:38 PM Edited on ‎11-15-2024 01:49 PM

Thanks dingjerryFTNT,

FAZ is not configured, the alert is coming directly from the appliance. Memory is the only option.

Are you thinking old logs are stopping the party? When I perform an execute log display from the GUI's CLI I see new logs for Policy 1.

Thank you for the assists, I am also wondering why the other Policies show white in the GUI but the Deny Policy is grey (see new pic below) in the above pic you can see that it is enabled..

Thanks again! 

 

**Edit: FYI, trying to show matching logs from the GUI for the Deny policy shows nada, however for say Policy 1, it shows logs.

 
 

Screenshot 2024-11-15 142639.png

 

firewall6.png

firewall7.png

588
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.