Hello All,
On other firewalls I would see the blocked outside activity all the time. How do I see the traffic that the Fortinet is blocking from the outside via the implicit deny?
My policy is simple: allow all outgoing and block all incoming via implicit deny.
The one person on the forum says that traffic is only logged if the logging level is as low as 'Information'. Where do you set the information level?
Thank you in advance.
Why would you expect that the firewall is not doing its job?
Did you enable the fwpolicy implicit log and execute the log display on the CLI?
config log setting
    set fwpolicy-implicit-log enable
end
Reference:
http://kb.fortinet.com/kb/documentLink.do?externalID=FD36471
Nice reference, Ken! If only the search function would be finding more in the KB, maybe users would use it more...
@JJEvans: that should be everything you need, right? Any success?
Unfortunately no. I still cannot get this firewall on 5.4.1 code to produce deny logs to memory on the implicit deny default rule, despite trying everything the user forum was nice enough to post. I am generating valid deny traffic on the WAN interface but no logs. This is getting frustrating. :(
XXXXXXX (setting) # show
config log setting
    set fwpolicy-implicit-log enable
    set local-in-allow enable
    set local-in-deny-unicast enable
    set local-in-deny-broadcast enable
    set local-out enable
end
XXXXXXX # execute log filter cat 0
XXXXXXX # execute log filter field action deny
XXXXXXX # execute log display
0 logs found.
0 logs returned.
Version 5.4.1
XXXXXXX # execute log filter reset
XXXXXXX # execute log filter cat 0
XXXXXXX # execute log filter field policyid 0
XXXXXXX # exec log display
0 logs found.
0 logs returned.
Hi,
Are you logging to memory?
- If so, a possible cause could be that a lot of logs are generated and the old logs are overwritten by the time you check them.
If you have a disk in the Fortigate, or remote logging to FortiAnalyzer or a syslog server configured, it will help to isolate the issue.
Also, please run the debug flow commands below and make sure that the test traffic you are generating is hitting the implicit deny policy:
diag debug enable
diag debug flow filter clear
diag debug flow filter dport 2222
diag debug flow show console enable
diag debug flow show function-name enable
diag debug console timestamp enable
diag debug flow trace start 10
Once the above commands are run, try a telnet to port 2222 on the Fortigate WAN IP.
Use 'diag debug disable' to stop the debug.
Cheers!
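If the logs do go to a syslog server or FortiAnalyzer as suggested above, the question becomes how to pick the implicit-deny hits out of the stream. The following is an added example, not code from the thread or from Fortinet: a small Python parser for FortiGate's key=value traffic-log format that classifies each record by the policy decision behind it and applies a severity threshold the way a log filter does. Two things it makes visible that the thread only hints at: traffic logs are emitted at level "notice", so a filter set at "warning" silently discards every one of them (this is the "Information level" question from the first post); and a connection addressed to the FortiGate's own WAN IP, such as the telnet test to port 2222, is subtype=local and is governed by local-in policy (logged through the local-in-deny-unicast setting), not by the implicit forward deny with policyid=0. The sample log lines are constructed to follow the documented field layout; the exact set of fields a given FortiOS release emits may differ, and the interface and address values are placeholders.

```python
import re
from typing import Dict, List, Tuple

# Syslog severities in the order FortiOS uses them (0 = most severe).
# A log filter set at "warning" keeps 0..4 and drops notice/information/debug.
SEVERITY = {
    "emergency": 0, "alert": 1, "critical": 2, "error": 3,
    "warning": 4, "notice": 5, "information": 6, "debug": 7,
}

# One key=value or key="quoted value" token of a FortiGate syslog line.
_TOKEN = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample records (not captured from a real device).
SAMPLE_LOGS = [
    # inbound SSH routed towards an internal host: implicit forward deny (policyid=0)
    'date=2016-09-01 time=10:15:01 devname=FGT-LAB devid=FGT60DXXXXXXXXXX type=traffic subtype=forward '
    'level=notice vd=root srcip=198.51.100.23 srcport=51515 srcintf="wan1" dstip=192.168.1.20 dstport=22 '
    'dstintf="internal" proto=6 action=deny policyid=0 service="SSH" sentbyte=0 rcvdbyte=0',
    # outbound HTTPS allowed by policy 1
    'date=2016-09-01 time=10:15:02 devname=FGT-LAB devid=FGT60DXXXXXXXXXX type=traffic subtype=forward '
    'level=notice vd=root srcip=192.168.1.50 srcport=40000 srcintf="internal" dstip=93.184.216.34 dstport=443 '
    'dstintf="wan1" proto=6 action=accept policyid=1 service="HTTPS" sentbyte=1200 rcvdbyte=5400',
    # telnet to the FortiGate's own WAN IP on 2222: local-in deny, not the implicit forward deny
    'date=2016-09-01 time=10:15:03 devname=FGT-LAB devid=FGT60DXXXXXXXXXX type=traffic subtype=local '
    'level=notice vd=root srcip=198.51.100.23 srcport=51516 srcintf="wan1" dstip=203.0.113.10 dstport=2222 '
    'dstintf="unknown-0" proto=6 action=deny policyid=0 service="tcp/2222" sentbyte=0 rcvdbyte=0',
    # outbound SMTP blocked by an explicit numbered policy
    'date=2016-09-01 time=10:15:04 devname=FGT-LAB devid=FGT60DXXXXXXXXXX type=traffic subtype=forward '
    'level=notice vd=root srcip=192.168.1.77 srcport=40001 srcintf="internal" dstip=198.51.100.9 dstport=25 '
    'dstintf="wan1" proto=6 action=deny policyid=5 service="SMTP" sentbyte=0 rcvdbyte=0',
    # a system event, to show non-traffic records are set aside
    'date=2016-09-01 time=10:15:05 devname=FGT-LAB devid=FGT60DXXXXXXXXXX type=event subtype=system '
    'level=information vd=root logdesc="Admin login successful" user="admin" action=login status=success',
    # inbound RDP routed towards an internal host: implicit forward deny
    'date=2016-09-01 time=10:15:06 devname=FGT-LAB devid=FGT60DXXXXXXXXXX type=traffic subtype=forward '
    'level=notice vd=root srcip=198.51.100.77 srcport=60001 srcintf="wan1" dstip=192.168.1.21 dstport=3389 '
    'dstintf="internal" proto=6 action=deny policyid=0 service="RDP" sentbyte=0 rcvdbyte=0',
]


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Parse a FortiGate key=value log line into a dict, quotes stripped."""
    fields: Dict[str, str] = {}
    for m in _TOKEN.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def classify(rec: Dict[str, str]) -> str:
    """Label a record by which policy decision produced it."""
    if rec.get("type") != "traffic":
        return "other"
    action = rec.get("action", "")
    if action != "deny":
        return action or "other"
    # Traffic to/from the FortiGate itself is subtype=local and is decided by
    # local-in policy; only subtype=forward with policyid=0 is the implicit deny.
    if rec.get("subtype") == "local":
        return "local-in-deny"
    if rec.get("subtype") == "forward" and rec.get("policyid") == "0":
        return "implicit-deny"
    return "explicit-deny"


def filter_by_level(lines: List[str], min_level: str) -> List[Dict[str, str]]:
    """Keep records whose severity is at or above min_level, as a log filter
    threshold would. Records with no level field are treated as debug."""
    threshold = SEVERITY[min_level]
    kept = []
    for line in lines:
        rec = parse_fortigate_log(line)
        if SEVERITY.get(rec.get("level", "debug"), 7) <= threshold:
            kept.append(rec)
    return kept


def implicit_deny_hits(lines: List[str], min_level: str = "information") -> List[Tuple[str, str, str]]:
    """(srcip, dstport, service) of each implicit-deny record surviving the
    threshold. Traffic logs are level=notice, so min_level="warning" hides all."""
    return [(r["srcip"], r["dstport"], r.get("service", ""))
            for r in filter_by_level(lines, min_level)
            if classify(r) == "implicit-deny"]


def summarize(lines: List[str], min_level: str = "information") -> Dict[str, int]:
    """Count surviving records per classification."""
    counts: Dict[str, int] = {}
    for r in filter_by_level(lines, min_level):
        label = classify(r)
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for hit in implicit_deny_hits(SAMPLE_LOGS):
        print("implicit deny from %s to port %s (%s)" % hit)
    print("at information:", summarize(SAMPLE_LOGS))
    print("at warning:    ", summarize(SAMPLE_LOGS, min_level="warning"))
```

Run against the constructed lines, the script lists the two policyid=0 forward denies, counts the port 2222 probe as a local-in deny, and shows that raising the threshold to "warning" leaves nothing at all, which is what an `execute log display` returning "0 logs found" looks like when the filter, not the firewall, is the problem.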
Thank you Vjoshi but that is the problem. There are no logs generated...lol
Hi JJevans,
You mean, no logs at all on the Fortigate?
Is it possible to attach the latest config file of the Fortigate?
Hello JJevans, I see the configuration is in place. Could you please try the command "diag log test" and see if you see logs (on the GUI too)? Also, I see you are using the CLI to view the logs; please make sure of the below:
# exec log filter dump
Make sure that the device is not disk
Yep logs generated. Just none on the implicit deny.
exec log filter dump
category: traffic
device: memory
start-line: 1
view-lines: 10
max-checklines: 0
HA member:
FGT60D4Q16031189 # diag log test
generating a system event message with level - warning
generating an infected virus message with level - warning
generating a blocked virus message with level - warning
generating a URL block message with level - warning
generating a DLP message with level - warning
generating an IPS log message
generating an anomaly log message
generating an application control IM message with level - information
generating an IPv6 application control IM message with level - information
generating deep application control logs with level - information
generating an antispam message with level - notification
generating an allowed traffic message with level - notice
generating a multicast traffic message with level - notice
generating a ipv6 traffic message with level - notice
generating a wanopt traffic log message with level - notification
generating a HA event message with level - warning
generating a VOIP event message with level - information
generating a DNS event message with level - information
generating authentication event messages
generating a Forticlient message with level - information
generating a URL block message with level - warning
FGT60D4Q16031189 #
Hello JJevans,
From the above test, it is confirmed that the log daemon doesn't have an issue.
On the Fortigate firewall policy from LAN > WAN, restrict services or just disable the existing policy (if possible).
Then try to ping any external IP from the LAN PC and verify the logs.
When you do this, run the below debug commands:
diag debug enable
diag debug flow filter clear
diag debug flow filter addr 4.2.2.1
diag debug flow filter proto 1
diag debug flow show console enable
diag debug flow show function-name enable
diag debug console timestamp enable
diag debug flow trace start 10
This assumes you will ping '4.2.2.1' from the host; you can change the IP accordingly.
Copyright 2024 Fortinet, Inc. All Rights Reserved.