Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Re: Implicit Deny Log Is blank? How to show traffi...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Implicit Deny Log Is blank? How to show traffic?
Hello All,
Other firewalls I would see the blocking from outside activity all the time. How do I see the traffic that the Fortinet is blocking from the outside via the Implicit deny?
My policy is simple allow all outgoing and block all incoming via implicit deny.
The one person on the forum says that traffic is only logged if the logging level is as low as 'Information'. Where do you set the information level?
Thank you in advance.
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
- « Previous
- Next »
27 REPLIES 27
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you Vjoshi for your assistance. Sorry, I have been busy lately. The issue still persists. So I don't get it. It logs and blocks Internal to WAN. But I cannot get the WAN to Internal to log any deny traffic and since its not logging I cannot confirm its blocking anything. Man this is so frustrating since it is so basic what I need it to do.
Here is the output:
# 2016-10-08 17:23:03 id=20085 trace_id=1 func=print_pkt_detail line=4742 msg="vd-root received a packet(proto=1, 192.168.10.2:1->4.2.2.1:2048) from internal. type=8, code=0, id=1, seq=24." 2016-10-08 17:23:03 id=20085 trace_id=1 func=init_ip_session_common line=4893 msg="allocate a new session-006e004a" 2016-10-08 17:23:03 id=20085 trace_id=1 func=vf_ip4_route_input line=1597 msg="find a route: flags=00000000 gw-50.171.242.1 via wan1" 2016-10-08 17:23:03 id=20085 trace_id=1 func=fw_forward_handler line=557 msg="Denied by forward policy check (policy 1)" 2016-10-08 17:23:08 id=20085 trace_id=2 func=print_pkt_detail line=4742 msg="vd-root received a packet(proto=1, 192.168.10.2:1->4.2.2.1:2048) from internal. type=8, code=0, id=1, seq=25." 2016-10-08 17:23:08 id=20085 trace_id=2 func=init_ip_session_common line=4893 msg="allocate a new session-006e0078" 2016-10-08 17:23:08 id=20085 trace_id=2 func=vf_ip4_route_input line=1597 msg="find a route: flags=00000000 gw-50.171.242.1 via wan1" 2016-10-08 17:23:08 id=20085 trace_id=2 func=fw_forward_handler line=557 msg="Denied by forward policy check (policy 1)" 2016-10-08 17:23:13 id=20085 trace_id=3 func=print_pkt_detail line=4742 msg="vd-root received a packet(proto=1, 192.168.10.2:1->4.2.2.1:2048) from internal. type=8, code=0, id=1, seq=26." 2016-10-08 17:23:13 id=20085 trace_id=3 func=init_ip_session_common line=4893 msg="allocate a new session-006e00ba" 2016-10-08 17:23:13 id=20085 trace_id=3 func=vf_ip4_route_input line=1597 msg="find a route: flags=00000000 gw-50.171.242.1 via wan1" 2016-10-08 17:23:13 id=20085 trace_id=3 func=fw_forward_handler line=557 msg="Denied by forward policy check (policy 1)" 2016-10-08 17:23:18 id=20085 trace_id=4 func=print_pkt_detail line=4742 msg="vd-root received a packet(proto=1, 192.168.10.2:1->4.2.2.1:2048) from internal. type=8, code=0, id=1, seq=27." 2016-10-08 17:23:18 id=20085 trace_id=4 func=init_ip_session_common line=4893 msg="allocate a new session-006e00ee" 2016-10-08 17:23:18 id=20085 trace_id=4 func=vf_ip4_route_input line=1597 msg="find a route: flags=00000000 gw-50.171.242.1 via wan1" 2016-10-08 17:23:18 id=20085 trace_id=4 func=fw_forward_handler line=557 msg="Denied by forward policy check (policy 1)" diag debug disable
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Does anyone from Fortinet have any insight? I have to assume I am not the only person that wants to see what was blocked by the default or custom Implicit deny rule. TIA
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dear,
I am experiencing the same issue, how did you manage to solve this if it is already solved ?
Best regards
/Ali
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FGT40C3912021928 # config log setting FGT40C3912021928 (setting) # set log-invalid-packet enable
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have similar problem. I have 60E with 5.6.5. I see the dropped traffic by implicit deny when it traverses the firewall. But I'd like to see also traffic hitting the firewall's WAN1 IP, and being dropped.
I think I enabled all the options in the CLI and GUI:
config log setting
set fwpolicy-implicit-log enable set log-invalid-packet enable set local-in-allow enable set local-in-deny-unicast enable set local-in-deny-broadcast enable
end
config log memory setting set status enable set diskfull overwrite end
Is there anything else I can check?
I'm testing it by sending packets from some host in the internet to the tcp port 12334 on WAN1's IP. I see these packets in diag sniffer packets. But I don't see anywhere these packets in the logs?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I assume you're sending your logs from the 60E to a remote device, since it doesn't have local storage for logging? Could they be getting filtered out by that device?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I found it. In my case, it was filter setting:
config log memory filter set severity information set local-traffic enable end
By default, there is
set local traffic disable
and it is not displayed by
show log memory filter.
So this, and the previous snippet allowed me to see the local traffic. None of these settings were available in the GUI. :(
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You won't see any logs for the implicit rule because there is no traffic hitting the implicit deny.
The any any allow literally allows anything, so the internet traffic is allowed in, I think what you want to do is have your source interface as your LAN port and your destination as WAN, that will allow traffic out, but any traffic coming in is dropped (implicit deny), you can have the destination as 'all' if you want, that will just allow traffic to go to the firewall and back to the LAN if needed.
By default the logging level is informational (level 6), so it should be ok, but if you want to read more about it, you can here:http://docs-legacy.fortinet.com/frec/admin_hlp/1-1-0/index.html#page/FortiRecorder_Help/about_log_se...
Changing the logging information level can be done in the CLI, under 'config log settings'
- « Previous
- Next »
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,698 -
FortiClient
1,763 -
5.2
801 -
FortiManager
729 -
5.4
639 -
FortiAnalyzer
558 -
FortiSwitch
475 -
FortiAP
471 -
FortiClient EMS
432 -
6.0
416 -
5.6
362 -
FortiMail
318 -
6.2
251 -
SSL-VPN
245 -
FortiAuthenticator v5.5
234 -
IPsec
209 -
FortiWeb
205 -
5.0
196 -
FortiNAC
189 -
FortiGuard
139 -
6.4
128 -
SD-WAN
115 -
FortiAuthenticator
103 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
96 -
FortiToken
92 -
Firewall policy
82 -
Customer Service
79 -
Wireless Controller
79 -
4.0MR3
64 -
FortiProxy
60 -
High Availability
56 -
FortiADC
54 -
Fortivoice
53 -
FortiEDR
52 -
vlan
51 -
ZTNA
49 -
Routing
46 -
FortiExtender
45 -
FortiSandbox
44 -
DNS
43 -
FortiDNS
42 -
LDAP
41 -
BGP
40 -
Authentication
38 -
FortiGate v5.4
35 -
SAML
35 -
NAT
35 -
FortiSwitch v6.4
34 -
RADIUS
34 -
Certificate
34 -
SSO
33 -
Interface
31 -
VDOM
30 -
FortiConnect
29 -
FortiLink
29 -
FortiWAN
27 -
Web profile
27 -
Application control
26 -
FortiConverter
25 -
Logging
25 -
FortiGate v5.2
24 -
Virtual IP
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiMonitor
18 -
Traffic shaping
17 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
SSID
15 -
Automation
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
Static route
14 -
System settings
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
FortiGate-VM
13 -
SNMP
13 -
FortiCASB
12 -
Admin
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Security profile
11 -
FortiManager v4.0
10 -
FortiBridge
10 -
IPS signature
10 -
FortiAP profile
10 -
Proxy policy
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
Web rating
6 -
Fortinet Engage Partner Program
6 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
API
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
TACACS
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1713 | |
| 1093 | |
| 752 | |
| 447 | |
| 231 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.