- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: Implicit Deny Log Is blank? How to show traffi...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Implicit Deny Log Is blank? How to show traffic?
Hello All,
Other firewalls I would see the blocking from outside activity all the time. How do I see the traffic that the Fortinet is blocking from the outside via the Implicit deny?
My policy is simple allow all outgoing and block all incoming via implicit deny.
The one person on the forum says that traffic is only logged if the logging level is as low as 'Information'. Where do you set the information level?
Thank you in advance.
- « Previous
- Next »
27 REPLIES 27
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you Vjoshi for your assistance. Sorry, I have been busy lately. The issue still persists. So I don't get it. It logs and blocks Internal to WAN. But I cannot get the WAN to Internal to log any deny traffic and since its not logging I cannot confirm its blocking anything. Man this is so frustrating since it is so basic what I need it to do.
Here is the output:
# 2016-10-08 17:23:03 id=20085 trace_id=1 func=print_pkt_detail line=4742 msg="vd-root received a packet(proto=1, 192.168.10.2:1->4.2.2.1:2048) from internal. type=8, code=0, id=1, seq=24." 2016-10-08 17:23:03 id=20085 trace_id=1 func=init_ip_session_common line=4893 msg="allocate a new session-006e004a" 2016-10-08 17:23:03 id=20085 trace_id=1 func=vf_ip4_route_input line=1597 msg="find a route: flags=00000000 gw-50.171.242.1 via wan1" 2016-10-08 17:23:03 id=20085 trace_id=1 func=fw_forward_handler line=557 msg="Denied by forward policy check (policy 1)" 2016-10-08 17:23:08 id=20085 trace_id=2 func=print_pkt_detail line=4742 msg="vd-root received a packet(proto=1, 192.168.10.2:1->4.2.2.1:2048) from internal. type=8, code=0, id=1, seq=25." 2016-10-08 17:23:08 id=20085 trace_id=2 func=init_ip_session_common line=4893 msg="allocate a new session-006e0078" 2016-10-08 17:23:08 id=20085 trace_id=2 func=vf_ip4_route_input line=1597 msg="find a route: flags=00000000 gw-50.171.242.1 via wan1" 2016-10-08 17:23:08 id=20085 trace_id=2 func=fw_forward_handler line=557 msg="Denied by forward policy check (policy 1)" 2016-10-08 17:23:13 id=20085 trace_id=3 func=print_pkt_detail line=4742 msg="vd-root received a packet(proto=1, 192.168.10.2:1->4.2.2.1:2048) from internal. type=8, code=0, id=1, seq=26." 2016-10-08 17:23:13 id=20085 trace_id=3 func=init_ip_session_common line=4893 msg="allocate a new session-006e00ba" 2016-10-08 17:23:13 id=20085 trace_id=3 func=vf_ip4_route_input line=1597 msg="find a route: flags=00000000 gw-50.171.242.1 via wan1" 2016-10-08 17:23:13 id=20085 trace_id=3 func=fw_forward_handler line=557 msg="Denied by forward policy check (policy 1)" 2016-10-08 17:23:18 id=20085 trace_id=4 func=print_pkt_detail line=4742 msg="vd-root received a packet(proto=1, 192.168.10.2:1->4.2.2.1:2048) from internal. type=8, code=0, id=1, seq=27." 2016-10-08 17:23:18 id=20085 trace_id=4 func=init_ip_session_common line=4893 msg="allocate a new session-006e00ee" 2016-10-08 17:23:18 id=20085 trace_id=4 func=vf_ip4_route_input line=1597 msg="find a route: flags=00000000 gw-50.171.242.1 via wan1" 2016-10-08 17:23:18 id=20085 trace_id=4 func=fw_forward_handler line=557 msg="Denied by forward policy check (policy 1)" diag debug disable
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Does anyone from Fortinet have any insight? I have to assume I am not the only person that wants to see what was blocked by the default or custom Implicit deny rule. TIA
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dear,
I am experiencing the same issue, how did you manage to solve this if it is already solved ?
Best regards
/Ali
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FGT40C3912021928 # config log setting FGT40C3912021928 (setting) # set log-invalid-packet enable
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have similar problem. I have 60E with 5.6.5. I see the dropped traffic by implicit deny when it traverses the firewall. But I'd like to see also traffic hitting the firewall's WAN1 IP, and being dropped.
I think I enabled all the options in the CLI and GUI:
config log setting
set fwpolicy-implicit-log enable set log-invalid-packet enable set local-in-allow enable set local-in-deny-unicast enable set local-in-deny-broadcast enable
end
config log memory setting set status enable set diskfull overwrite end
Is there anything else I can check?
I'm testing it by sending packets from some host in the internet to the tcp port 12334 on WAN1's IP. I see these packets in diag sniffer packets. But I don't see anywhere these packets in the logs?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I assume you're sending your logs from the 60E to a remote device, since it doesn't have local storage for logging? Could they be getting filtered out by that device?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I found it. In my case, it was filter setting:
config log memory filter set severity information set local-traffic enable end
By default, there is
set local traffic disable
and it is not displayed by
show log memory filter.
So this, and the previous snippet allowed me to see the local traffic. None of these settings were available in the GUI. :(
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You won't see any logs for the implicit rule because there is no traffic hitting the implicit deny.
The any any allow literally allows anything, so the internet traffic is allowed in, I think what you want to do is have your source interface as your LAN port and your destination as WAN, that will allow traffic out, but any traffic coming in is dropped (implicit deny), you can have the destination as 'all' if you want, that will just allow traffic to go to the firewall and back to the LAN if needed.
By default the logging level is informational (level 6), so it should be ok, but if you want to read more about it, you can here:http://docs-legacy.fortinet.com/frec/admin_hlp/1-1-0/index.html#page/FortiRecorder_Help/about_log_se...
Changing the logging information level can be done in the CLI, under 'config log settings'
- « Previous
- Next »
Related Posts
- SD-WAN and none interface 310 Views
- Simple explanation enabling the LOGGING of... 419 Views
- Connecting Two SIP Trunks with Different... 445 Views
- Fortigate 80E Policy not being recognized 646 Views
- Policy Routes with SD WAN -... 253 Views
Labels
-
FortiGate
6,923 -
FortiClient
1,365 -
5.2
801 -
5.4
639 -
FortiManager
598 -
FortiAnalyzer
437 -
6.0
416 -
5.6
362 -
FortiAP
361 -
FortiSwitch
357 -
FortiClient EMS
280 -
FortiMail
269 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
168 -
6.4
128 -
FortiNAC
122 -
FortiGuard
111 -
IPsec
97 -
FortiGateCloud
91 -
FortiSIEM
91 -
SSL-VPN
85 -
FortiCloud Products
85 -
FortiToken
75 -
Customer Service
70 -
4.0MR3
64 -
Wireless Controller
63 -
FortiProxy
48 -
FortiADC
45 -
FortiEDR
42 -
SD-WAN
41 -
Fortivoice
41 -
FortiDNS
37 -
FortiExtender
35 -
FortiGate v5.4
35 -
FortiSandbox
33 -
FortiSwitch v6.4
32 -
Firewall policy
31 -
VLAN
27 -
High Availability
27 -
FortiAuthenticator
26 -
FortiConnect
24 -
FortiWAN
23 -
ZTNA
21 -
FortiConverter
21 -
FortiGate v5.2
19 -
DNS
19 -
FortiPortal
18 -
FortiSwitch v6.2
17 -
SAML
17 -
LDAP
17 -
Certificate
17 -
BGP
16 -
VDOM
16 -
FortiMonitor
14 -
Interface
14 -
Logging
14 -
Authentication
13 -
FortiGate v5.0
13 -
FortiLink
13 -
Routing
13 -
FortiDDoS
13 -
FortiCASB
12 -
NAT
11 -
RADIUS
10 -
SSL SSH inspection
10 -
Traffic shaping
10 -
Virtual IP
10 -
SSO
10 -
FortiRecorder
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Fortigate Cloud
9 -
4.0MR2
9 -
SSID
8 -
FortiBridge
8 -
WAN optimization
8 -
Application control
8 -
FortiGate v4.0 MR3
8 -
IP address management - IPAM
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
SNMP
7 -
Web profile
7 -
Admin
7 -
4.0
7 -
Security profile
6 -
Traffic shaping policy
6 -
Web application firewall profile
6 -
Proxy policy
5 -
Packet capture
5 -
FortiAP profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
IPS signature
4 -
Antivirus profile
4 -
Automation
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
trunk
4 -
Port policy
4 -
FortiDeceptor
3 -
Fortinet Engage Partner Program
3 -
FortiToken Cloud
3 -
Traffic shaping profile
3 -
FortiPAM
3 -
DoS policy
3 -
Email filter profile
3 -
Web rating
3 -
Intrusion prevention
3 -
FortiDB
3 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Users
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Fabric connector
2 -
Netflow
2 -
Multicast routing
2 -
Protocol option
2 -
4.0MR1
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
Explicit proxy
1 -
Zone
1
Top Kudoed Authors
| User | Count |
|---|---|
| 986 | |
| 821 | |
| 457 | |
| 440 | |
| 131 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.