Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

Implicit Deny Log Is blank? How to show traffic?

Hello All,


On other firewalls I would see the blocking of outside activity all the time. How do I see the traffic that the Fortinet is blocking from the outside via the implicit deny?


My policy is simple allow all outgoing and block all incoming via implicit deny.


One person on the forum says that traffic is only logged if the logging level is as low as 'Information'. Where do you set the information level?


Thank you in advance.

New Contributor

More attachments

New Contributor

Other attachment

Esteemed Contributor III

You have a few options.


1: Craft a policy with a deny and log traffic all, re-order it to the bottom of the sequence, set the src/dst as ALL/ANY for address and interfaces, then set "set logtraffic all" with the action as deny.



config firewall policy
    edit 4294967294
        set dstintf "any"
        set srcintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set comment "set this seq# as the lowest"
    next
end



2: Use the log sys command to "LOG" all denies via the CLI




FGT100DSOCPUPPETCENTRO (root) # config log setting

FGT100DSOCPUPPETCENTRO (setting) # show full-configuration | grep fwpo
    set fwpolicy-implicit-log disable
    set fwpolicy6-implicit-log disable



NOTE: none of these should be required IMHO and in my experience, and they can craft a lot of "white noise". Here's why: logging dropped traffic wastes 1) resources, 2) disk/log space, 3) if syslog is used, excessive network chatter.

PCNSE NSE StrongSwan

You set the logging level in the CLI (see CLI Ref. Guide).

IIRC there are settings for 'extended-log' which might be required. Either check the CLI Guide, or

show full | grep extended-

Ede Kernel panic: Aiee, killing interrupt handler!

Thank you ede_pfau and emnoc for the insight. It is well appreciated.


I see it: PG 525 - set log-uuid {disable | policy-only | extended}

Esteemed Contributor III

You can double check the logs from the cli



  • execute log filter category 0
  • execute log filter field action deny
  • execute log display

If you see policyid 0 then you know it's working ;)

PCNSE NSE StrongSwan


The set log-uuid option is not what I meant and will not help with this.

Anything in

config log memory settings

Ede Kernel panic: Aiee, killing interrupt handler!



You are correct. Thank you. The other commands did not generate logs of the explicit deny.

PG 269 - log.memory/filter in the 5.4 CLI guide shows

set severity {emergency | alert | critical | error | warning | notification | information | debug}

I will try this when I get home. Thanks again for the insight.

OK, so I have tried all the ideas in this post and I still get no output? This does not make sense to me. All I want to see is the blocking or dropping from WAN-1 to Internal to make sure the firewall is doing what it is supposed to do.



XXXXXXX # config log memory filter

XXXXXXX (filter) # set severity debug

XXXXXXX (filter) #
set      Modify value.
unset    Set to default value.
get      Get dynamic and system information.
show     Show configuration.
abort    End and discard last config.
end      End and save last config.

FGT60D4Q16031189 (filter) # show
config log memory filter
    set severity debug
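As an added check that is not part of this thread or of FortiOS itself: once implicit-deny logging is on (fwpolicy-implicit-log shows as disable in emnoc's output above), exported traffic logs can be scanned for exactly the records the thread is after, i.e. entries with policyid=0 and action=deny from wan1 toward internal. The sample log lines below are constructed for illustration in the FortiGate key=value traffic-log layout; the function names and the device name are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in FortiGate key=value traffic-log layout
# (values are illustrative, not taken from a real device).
SAMPLE_LOGS = """\
date=2016-07-20 time=10:01:02 devname=FGT-EXAMPLE logid=0000000013 type=traffic subtype=forward level=notice vd=root srcip=203.0.113.5 srcport=51234 srcintf="wan1" dstip=198.51.100.10 dstport=23 dstintf="internal" proto=6 action=deny policyid=0 service="TELNET"
date=2016-07-20 time=10:01:05 devname=FGT-EXAMPLE logid=0000000013 type=traffic subtype=forward level=notice vd=root srcip=192.0.2.7 srcport=40000 srcintf="wan1" dstip=198.51.100.10 dstport=3389 dstintf="internal" proto=6 action=deny policyid=0 service="RDP"
date=2016-07-20 time=10:01:09 devname=FGT-EXAMPLE logid=0000000020 type=traffic subtype=forward level=notice vd=root srcip=198.51.100.22 srcport=52000 srcintf="internal" dstip=203.0.113.9 dstport=443 dstintf="wan1" proto=6 action=accept policyid=1 service="HTTPS"
date=2016-07-20 time=10:01:12 devname=FGT-EXAMPLE logid=0000000013 type=traffic subtype=forward level=notice vd=root srcip=198.51.100.22 srcport=52001 srcintf="internal" dstip=203.0.113.9 dstport=25 dstintf="wan1" proto=6 action=deny policyid=2 service="SMTP"
"""

# key=value pairs; values are either a quoted string or a bare token
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_line(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def implicit_denies(text, srcintf=None, dstintf=None):
    """Return the records produced by the implicit deny policy: policyid=0 and
    action=deny. Optional interface filters narrow to e.g. wan1 -> internal."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec.get("type") != "traffic":
            continue
        if rec.get("policyid") != "0" or rec.get("action") != "deny":
            continue  # explicit-policy denies (policyid != 0) are not implicit
        if srcintf and rec.get("srcintf") != srcintf:
            continue
        if dstintf and rec.get("dstintf") != dstintf:
            continue
        hits.append(rec)
    return hits

def summarize(records):
    """Count implicit denies per destination port (which services are being probed)."""
    return Counter(r.get("dstport", "?") for r in records)

if __name__ == "__main__":
    hits = implicit_denies(SAMPLE_LOGS, srcintf="wan1", dstintf="internal")
    print(f"{len(hits)} implicit-deny records from wan1 to internal")
    for port, n in summarize(hits).most_common():
        print(f"  dstport {port}: {n}")
```

If the export contains no policyid=0 records at all while inbound probes are clearly arriving, the logging setting rather than the policy is the thing to re-check.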


