Hello All,
On other firewalls I would see the blocked outside activity all the time. How do I see the traffic that the Fortinet is blocking from the outside via the implicit deny?
My policy is simple allow all outgoing and block all incoming via implicit deny.
One person on the forum says that traffic is only logged if the logging level is as low as 'Information'. Where do you set the information level?
Thank you in advance.
You have a few options.
1: Craft a policy with a deny action and "log traffic all", re-order it to the bottom of the sequence, set the src/dst to ALL/ANY for both addresses and interfaces, then set "set logtraffic all" with the action as deny.
e.g.:
config firewall policy
    # Catch-all deny from wan1 to any interface; move it to the last position
    edit 4294967294
        set dstintf "any"
        set srcintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        # Log every session this policy drops, not only security events
        set logtraffic all
        set comment " set this seq# as the lowest"
    next
end
2: Use the log setting command to "LOG" all denies via the CLI.
e.g.:
FGT100DSOCPUPPETCENTRO (root) # config log setting
FGT100DSOCPUPPETCENTRO (setting) # show full-configuration | grep fwpo
set fwpolicy-implicit-log disable
set fwpolicy6-implicit-log disable
NOTE: none of these should be required IMHO and in my experience, and they can create a lot of "white noise". Here's why: logging dropped traffic wastes 1) resources, 2) disk/log space, 3) if syslog is used, excessive network chatter.
PCNSE
NSE
StrongSwan
You set the logging level in the CLI (see CLI Ref. Guide).
IIRC there are settings for 'extended-log' which might be required. Either check the CLI Guide, or
show full | grep extended-
Thank you ede_pfau and emnoc for the insight. It is well appreciated.
I see it: PG 525 - set log-uuid {disable | policy-only | extended}
You can double check the logs from the CLI.
If you see policyid 0 then you know it's working ;)
Ken
PCNSE
NSE
StrongSwan
The "set log-uuid" option is not what I meant and will not help with this.
Anything in "config log memory settings"?
Hi ede_pfau,
You are correct. Thank you. The other commands did not generate logs of the explicit deny.
PG 269 - log.memory/filter in the 5.4 CLI guide shows
set severity {emergency | alert | critical | error | warning | notification | information | debug}
I will try this when I get home. Thanks again for the insight.
OK, so I have tried all the ideas in this post and I still get no output? This does not make sense to me. All I want to see is the blocking or dropping from WAN-1 to Internal to make sure the firewall is doing what it is supposed to do.
XXXXXXX # config log memory filter
XXXXXXX (filter) # set severity debug
XXXXXXX (filter) #
set Modify value.
unset Set to default value.
get Get dynamic and system information.
show Show configuration.
abort End and discard last config.
end End and save last config.
FGT60D4Q16031189 (filter) # show
config log memory filter
set severity debug
end
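Once implicit-deny logging is actually producing lines, the next question is picking them out of the traffic log and checking that the severity filter would have let them through. The script below is an added example for this thread, not FortiGate code or device output: the log lines are constructed to mimic the key=value traffic log layout (field names such as policyid, action, level, srcintf are assumed; every value is invented), the "notice" to "notification" level alias is an assumption, and would_be_logged() is a simplified model of the two knobs discussed above, not FortiOS's real decision path.

```python
"""Spot implicit-deny drops in FortiGate-style key=value traffic logs.

Added example for this thread, not FortiGate code or output. The sample
log lines are constructed to mimic the key=value traffic log layout;
every value in them is invented.
"""
import re
from collections import Counter

# Severity keywords from the thread's `set severity {...}` list, most severe
# first. A filter set to level X keeps X and everything more severe.
SEVERITY_ORDER = ["emergency", "alert", "critical", "error", "warning",
                  "notification", "information", "debug"]

# Assumption: traffic log lines spell the level "notice"; map that spelling
# onto the filter keyword so the two can be compared.
LEVEL_ALIASES = {"notice": "notification", "info": "information"}

# Constructed sample lines (not real device output).
SAMPLE_LOGS = [
    'date=2024-05-01 time=09:00:01 type="traffic" subtype="forward" level="notice" '
    'srcip=10.0.0.15 srcintf="internal" dstip=198.51.100.7 dstport=443 dstintf="wan1" '
    'policyid=1 action="accept" service="HTTPS"',
    'date=2024-05-01 time=09:00:02 type="traffic" subtype="forward" level="notice" '
    'srcip=203.0.113.5 srcintf="wan1" dstip=192.0.2.10 dstport=22 dstintf="internal" '
    'policyid=0 action="deny" service="SSH"',
    'date=2024-05-01 time=09:00:03 type="traffic" subtype="forward" level="notice" '
    'srcip=203.0.113.5 srcintf="wan1" dstip=192.0.2.10 dstport=3389 dstintf="internal" '
    'policyid=0 action="deny" service="RDP"',
    'date=2024-05-01 time=09:00:04 type="traffic" subtype="forward" level="notice" '
    'srcip=198.51.100.9 srcintf="wan1" dstip=192.0.2.11 dstport=23 dstintf="internal" '
    'policyid=4294967294 action="deny" service="TELNET"',
]

# key=value pairs; values may be bare tokens or double-quoted strings
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log_line(line):
    """Split one key=value log line into a dict, stripping the quotes."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def is_implicit_deny(record):
    """The implicit deny shows up as policyid 0 with action deny."""
    return record.get("policyid") == "0" and record.get("action") == "deny"


def denied(lines):
    """All denied sessions, whatever policy dropped them."""
    return [r for r in map(parse_log_line, lines) if r.get("action") == "deny"]


def implicit_denies(lines):
    """Only the sessions dropped by the implicit deny (policyid 0)."""
    return [r for r in map(parse_log_line, lines) if is_implicit_deny(r)]


def passes_severity_filter(level, configured_severity):
    """True if a log at `level` survives a filter `set severity <configured>`."""
    level = LEVEL_ALIASES.get(level, level)
    if level not in SEVERITY_ORDER or configured_severity not in SEVERITY_ORDER:
        raise ValueError(f"unknown severity: {level!r} / {configured_severity!r}")
    return SEVERITY_ORDER.index(level) <= SEVERITY_ORDER.index(configured_severity)


def would_be_logged(record, configured_severity, implicit_log_enabled):
    """Simplified model of the two knobs the thread discusses: an implicit-deny
    hit is kept only when fwpolicy-implicit-log is enabled AND its level clears
    the log filter severity. A model, not FortiOS's real decision path."""
    if is_implicit_deny(record) and not implicit_log_enabled:
        return False
    return passes_severity_filter(record.get("level", ""), configured_severity)


def inbound_drop_summary(lines):
    """Count implicit-deny drops per (source IP, destination port), which is
    the quick answer to 'what is being blocked on wan1'."""
    return Counter((r["srcip"], r["dstport"]) for r in implicit_denies(lines))


if __name__ == "__main__":
    for (src, port), n in inbound_drop_summary(SAMPLE_LOGS).most_common():
        print(f"{src:>15} -> port {port:<5} dropped {n} time(s) by the implicit deny")
```

Run it against a file of exported traffic logs by swapping SAMPLE_LOGS for the file's lines; the explicit catch-all policy from the first reply (ID 4294967294) shows up in denied() but not in implicit_denies(), which is the distinction to keep in mind when comparing the two approaches.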