Support Forum
JJEvans
New Contributor

Implicit Deny Log Is blank? How to show traffic?

Hello All,

Other firewalls I would see the blocking from outside activity all the time. How do I see the traffic that the Fortinet is blocking from the outside via the implicit deny?

My policy is simple: allow all outgoing and block all incoming via implicit deny.

The one person on the forum says that traffic is only logged if the logging level is as low as 'Information'. Where do you set the information level?

Thank you in advance.

JJEvans
New Contributor

More attachments

JJEvans
New Contributor

Other attachment

emnoc
Esteemed Contributor III

You have a few options.

1: Craft a policy with a deny and log traffic all, re-order it to the bottom of the sequence, set the src/dst as ALL/ANY for address and interfaces, then set the "set log traffic all" with the action as deny.

e.g.

config firewall policy
    edit 4294967294
        set dstintf "any"
        set srcintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set comment "set this seq# as the lowest"
    next
end

2: Use the log sys command to "LOG" all denies via the CLI

e.g.

FGT100DSOCPUPPETCENTRO (root) # config log setting

FGT100DSOCPUPPETCENTRO (setting) # show full-configuration | grep fwpo
    set fwpolicy-implicit-log disable
    set fwpolicy6-implicit-log disable

NOTE: none of these should be required, IMHO and from experience, and they can craft a lot of "white noise". Here's why: logging dropped traffic wastes 1> resources 2> disk/log space 3> if syslog is used... excessive network chatter.

 

 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
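Both of emnoc's options can be checked from a saved configuration dump instead of by eye. The script below is an added example written for this thread, not Fortinet's code and not anything the posters provided: it parses the `config log setting` and `config firewall policy` blocks of a `show full-configuration` capture (the sample dump is constructed to mirror the settings quoted above) and reports whether the `fwpolicy-implicit-log` switch is enabled or whether a catch-all deny policy with `set logtraffic all` exists. It assumes the plain `config / edit / set / next / end` layout and does not handle nested `config` sub-blocks inside a policy.

```python
"""
Audit a saved FortiGate 'show full-configuration' dump for the two ways of
logging implicit-deny traffic discussed in the thread: the global
'fwpolicy-implicit-log' switch under 'config log setting', and an explicit
catch-all deny policy carrying 'set logtraffic all'.

Added example for this thread; not Fortinet's code. The dump below is a
constructed sample, and the parser assumes the usual flat
'config ... / edit ... / set ... / next / end' layout (no nested sub-blocks).
"""
import re

# Constructed sample: implicit-log switch still disabled, one allow policy,
# and a catch-all deny at the bottom of the list that logs everything.
SAMPLE_CONFIG = """\
config log setting
    set fwpolicy-implicit-log disable
    set fwpolicy6-implicit-log disable
end
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic utm
    next
    edit 4294967294
        set srcintf "wan1"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set comment "set this seq# as the lowest"
    next
end
"""

SET_RE = re.compile(r'^\s*set\s+(\S+)\s+(.*)$')


def parse_sections(text):
    """Return {section_name: [entry, ...]} where each entry is a dict of
    'set' keys plus 'entry_id' (None for sections without 'edit' blocks)."""
    sections = {}
    section = None
    entry = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('config '):
            section = line[len('config '):]
            sections.setdefault(section, [])
            entry = None
        elif line.startswith('edit ') and section is not None:
            entry = {'entry_id': line[len('edit '):].strip('"')}
            sections[section].append(entry)
        elif line == 'next':
            entry = None
        elif line == 'end':
            section = None
            entry = None
        elif section is not None:
            m = SET_RE.match(raw)
            if m:
                if entry is None:  # 'set' directly under 'config' (no 'edit')
                    entry = {'entry_id': None}
                    sections[section].append(entry)
                entry[m.group(1)] = m.group(2).strip().strip('"')
    return sections


def implicit_log_enabled(sections, key='fwpolicy-implicit-log'):
    """True when 'config log setting' has the implicit-deny log switch on."""
    return any(e.get(key) == 'enable' for e in sections.get('log setting', []))


def logged_catch_all_denies(sections):
    """IDs of firewall policies that deny all->all and log all traffic."""
    return [p['entry_id'] for p in sections.get('firewall policy', [])
            if p.get('action') == 'deny' and p.get('logtraffic') == 'all'
            and p.get('srcaddr') == 'all' and p.get('dstaddr') == 'all']


def audit(text):
    """Summarise whether denied traffic would produce log entries at all."""
    sections = parse_sections(text)
    global_ok = implicit_log_enabled(sections)
    catch_all = logged_catch_all_denies(sections)
    return {'implicit_log': global_ok,
            'catch_all_deny_policies': catch_all,
            'denies_logged': global_ok or bool(catch_all)}


if __name__ == '__main__':
    print(audit(SAMPLE_CONFIG))
```

Run it against a real dump by reading the file into `audit()`; `denies_logged` being False is the situation the original poster describes, where neither mechanism is on and the implicit deny produces no entries.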
ede_pfau

You set the logging level in the CLI (see CLI Ref. Guide).

IIRC there are settings for 'extended-log' which might be required. Either check the CLI Guide, or

show full | grep extended-

Ede Kernel panic: Aiee, killing interrupt handler!
JJEvans

Thank you ede_pfau and emnoc for the insight. It is well appreciated.

I see it: PG 525 - set log-uuid {disable | policy-only | extended}

emnoc
Esteemed Contributor III

You can double check the logs from the CLI

  • execute log filter cat 0
  • execute log filter field action deny
  • execute log display

If you see policyid 0 then you know it's working ;)

Ken

PCNSE NSE StrongSwan
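The same filtering emnoc runs with `execute log filter` can be applied offline to exported traffic log lines (a log download or what a syslog collector received). The script below is an added example written for this thread, not Fortinet tooling or code from the posters: it parses FortiGate key=value traffic log lines, keeps category traffic with action deny, and then isolates the entries with `policyid=0`, which is the value the implicit deny writes. The log lines are constructed with documentation addresses; the field names (`type`, `action`, `policyid`, `srcintf`, `dstport`) are the ones that log format uses.

```python
"""
Pick implicit-deny entries out of FortiGate traffic logs, mirroring
'execute log filter cat 0' + 'execute log filter field action deny' and then
checking for policyid=0 (the implicit deny).

Added example for this thread, not Fortinet's tooling. SAMPLE_LOG is
constructed in the key=value layout of a FortiGate traffic log; addresses and
timestamps are made up.
"""
import re
from collections import Counter

# Constructed sample: two drops by the implicit deny (policyid=0), one deny by
# an explicit policy 7, one accepted session, and one non-traffic event line.
SAMPLE_LOG = '''\
date=2024-01-10 time=09:12:01 type="traffic" subtype="forward" level="notice" vd="root" srcip=198.51.100.23 srcport=51515 srcintf="wan1" dstip=203.0.113.10 dstport=23 dstintf="internal" proto=6 action="deny" policyid=0 service="TELNET"
date=2024-01-10 time=09:12:03 type="traffic" subtype="forward" level="notice" vd="root" srcip=192.0.2.44 srcport=40001 srcintf="internal" dstip=203.0.113.99 dstport=443 dstintf="wan1" proto=6 action="accept" policyid=1 service="HTTPS"
date=2024-01-10 time=09:12:05 type="traffic" subtype="forward" level="notice" vd="root" srcip=198.51.100.77 srcport=60202 srcintf="wan1" dstip=203.0.113.10 dstport=3389 dstintf="internal" proto=6 action="deny" policyid=0 service="RDP"
date=2024-01-10 time=09:12:07 type="traffic" subtype="forward" level="notice" vd="root" srcip=192.0.2.9 srcport=33333 srcintf="internal" dstip=203.0.113.5 dstport=25 dstintf="wan1" proto=6 action="deny" policyid=7 service="SMTP"
date=2024-01-10 time=09:12:09 type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin"
'''

# key=value pairs; values are either double-quoted (may contain spaces) or bare
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value log line into a dict; quoted values lose the quotes."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}


def parse_log(text):
    """Parse every non-empty line of an exported log."""
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def denied_traffic(records):
    """Equivalent of 'filter cat 0' (traffic) + 'filter field action deny'."""
    return [r for r in records
            if r.get('type') == 'traffic' and r.get('action') == 'deny']


def implicit_denies(records):
    """Denied traffic attributed to the implicit deny: policyid 0."""
    return [r for r in denied_traffic(records) if r.get('policyid') == '0']


def summarise(records):
    """Count implicit-deny drops per ingress interface and destination port,
    a quick way to confirm that inbound WAN probes are the ones being dropped."""
    hits = implicit_denies(records)
    return {'by_srcintf': dict(Counter(r.get('srcintf') for r in hits)),
            'by_dstport': dict(Counter(r.get('dstport') for r in hits))}


if __name__ == '__main__':
    recs = parse_log(SAMPLE_LOG)
    for r in implicit_denies(recs):
        print(r['srcintf'], r['srcip'], '->', r['dstip'], r['dstport'], r['service'])
    print(summarise(recs))
```

If `implicit_denies()` returns nothing over a real export while `denied_traffic()` does, the box is logging explicit denies but not the implicit one, which is the gap the thread is about; if both are empty, check that the log level and the implicit-log setting are on before concluding nothing is being blocked.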
ede_pfau

The set log-uuid option is not what I meant and will not help with this.

Anything in config log memory settings?

Ede Kernel panic: Aiee, killing interrupt handler!
JJEvans

HI EDE_PFAU,

You are correct. Thank you. The other commands did not generate logs of the explicit deny.

PG 269 - log.memory/filter in the 5.4 CLI guide shows

set severity {emergency | alert | critical | error | warning | notification | information | debug}

I will try this when I get home. Thanks again for the insight.

JJEvans

OK so I have tried all ideas on this post and I still get no output?????? This does not make sense to me. All I want to see is the blocking or dropping from WAN-1 to Internal to make sure the Firewall is doing what it is supposed to do.

XXXXXXX # config log memory filter

XXXXXXX (filter) # set severity debug

XXXXXXX (filter) #
set      Modify value.
unset    Set to default value.
get      Get dynamic and system information.
show     Show configuration.
abort    End and discard last config.
end      End and save last config.

FGT60D4Q16031189 (filter) # show
config log memory filter
    set severity debug
end
