JJEvans
New Contributor

Implicit Deny Log Is blank? How to show traffic?

Hello All,

 

On other firewalls I would see the blocking of outside activity all the time. How do I see the traffic that the Fortinet is blocking from the outside via the implicit deny?

 

My policy is simple allow all outgoing and block all incoming via implicit deny.

 

The one person on the forum says that traffic is only logged if the logging level is as low as 'Information'. Where do you set the information level?

 

Thank you in advance.

emnoc
Esteemed Contributor III

Why would you expect the firewall is not doing its job?

 

Did you enable the fwpolicy implicit log and execute the log display on the CLI?

 

set fwpolicy-implicit-log disable

 

 

reference

http://kb.fortinet.com/kb/documentLink.do?externalID=FD36471

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
ede_pfau

Nice reference, Ken! If only the search function would find more in the KB, maybe users would use it more...

 

@JJEvans: that should be everything you need, right? Any success?

 

Ede Kernel panic: Aiee, killing interrupt handler!
JJEvans

Unfortunately no. I still cannot get this firewall on 5.4.1 code to produce deny logs to memory on the implicit deny default rule, despite trying all the posts that the user forum was nice enough to post. I am generating valid deny traffic on the WAN interface but no logs. This is getting frustrating. :(

 

 

XXXXXXX (setting) # show
config log setting
    set fwpolicy-implicit-log enable
    set local-in-allow enable
    set local-in-deny-unicast enable
    set local-in-deny-broadcast enable
    set local-out enable
end
XXXXXXX # execute log filter cat 0
XXXXXXX # execute log filter field action deny
XXXXXXX # execute log display
0 logs found.
0 logs returned.

 

Version 5.4.1
XXXXXXX # execute log filter reset
XXXXXXX # execute log filter cat 0
XXXXXXX # execute log filter field policyid 0
XXXXXXX # exec log display
0 logs found.
0 logs returned.

vjoshi_FTNT

Hi,

 

Are you logging to memory?

- If so, a possible cause could be that there are a lot of logs generated and the old logs are overwritten by the time you verify them.

 

If you have the disk on the Fortigate or remote logging to Fortianalyzer or Syslog server configured, it will help to isolate the issue.

 

Also, please run the below debug flow command and make sure that the test traffic which you are generating is hitting the implicit deny policy:

 

diag debug enable
diag debug flow filter clear
diag debug flow filter dport 2222
diag debug flow show console enable
diag debug flow show function-name enable
diag debug console timestamp enable
diag debug flow trace start 10

 

Once the above commands are run, try a telnet on port 2222 on the Fortigate Wan IP.

 

Use 'diag debug disable' to stop the debug.

 

Cheers!

 

JJEvans

Thank you Vjoshi but that is the problem. There are no logs generated...lol

vjoshi_FTNT

Hi JJevans,

 

You mean, no logs at all on the Fortigate?

 

Is it possible to attach the latest config file of the Fortigate?

 

JJEvans

Yes of course. Thank you.

vjoshi_FTNT

Hello JJevans, I see the configuration is in place. Could you please try the command "diag log test" and see if you see logs (on the GUI too)? Also, I see you are using the CLI; to view the logs, please check the below:

# exec log filter dump

Make sure that the device is not disk

JJEvans

Yep logs generated. Just none on the implicit deny.

 

exec log filter dump

category: traffic

device: memory

start-line: 1

view-lines: 10

max-checklines: 0

HA member:

 

FGT60D4Q16031189 # diag log test

generating a system event message with level - warning

generating an infected virus message with level - warning

generating a blocked virus message with level - warning

generating a URL block message with level - warning

generating a DLP message with level - warning

generating an IPS log message

generating an anomaly log message

generating an application control IM message with level - information

generating an IPv6 application control IM message with level - information

generating deep application control logs with level - information

generating an antispam message with level - notification

generating an allowed traffic message with level - notice

generating a multicast traffic message with level - notice

generating a ipv6 traffic message with level - notice

generating a wanopt traffic log message with level - notification

generating a HA event message with level - warning

generating a VOIP event message with level - information

generating a DNS event message with level - information

generating authentication event messages

generating a Forticlient message with level - information

generating a URL block message with level - warning

 

FGT60D4Q16031189 #

vjoshi_FTNT

Hello JJevans,

 

From the above test, it is confirmed that the log daemon doesn't have an issue.

On the Fortigate firewall policy, from LAN > WAN, restrict services or just disable the existing policy (if possible).

 

Then try to ping any external IP from the LAN PC  and verify the logs.

 

When you do this, run the below debug commands:

 

diag debug enable
diag debug flow filter clear
diag debug flow filter addr 4.2.2.1
diag debug flow filter proto 1
diag debug flow show console enable
diag debug flow show function-name enable
diag debug console timestamp enable
diag debug flow trace start 10

 

This assumes you will ping '4.2.2.1' from the host; you can change the IP accordingly.
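The thread filters memory logs by policyid 0 and action deny, and the diag log test output shows traffic messages are emitted at 'notice' level, so a log filter set to 'warning' or stricter silently drops them. The following Python is an added example (not code from the thread or from Fortinet): it parses FortiGate key=value log lines, keeps the implicit deny hits, and checks whether a given filter severity would have kept them. The log lines are constructed samples, not logs from the thread.

```python
"""Find implicit-deny hits (policyid=0, action=deny) in FortiGate key=value logs.

Added example, not part of the forum thread. SAMPLE_LOGS are constructed
samples in FortiGate's key=value log format; output of 'execute log display'
or a syslog export has the same shape.
"""
import shlex

# Syslog-style severities as FortiOS names them, most severe first.
SEVERITY_ORDER = ["emergency", "alert", "critical", "error",
                  "warning", "notification", "information", "debug"]
# 'diag log test' prints both 'notice' and 'notification'; treat them as one.
SEVERITY_ALIASES = {"notice": "notification", "info": "information"}

# Constructed sample logs: a forward implicit deny, an allowed LAN>WAN ping,
# and a local-in deny against the WAN IP itself (e.g. telnet to port 2222).
SAMPLE_LOGS = """\
date=2016-09-01 time=10:00:01 type=traffic subtype=forward level=notice vd=root srcip=203.0.113.10 srcport=50123 dstip=198.51.100.5 dstport=3389 proto=6 action=deny policyid=0 msg="Denied by forward policy check (policy 0)"
date=2016-09-01 time=10:00:02 type=traffic subtype=forward level=notice vd=root srcip=192.168.1.20 srcport=0 dstip=4.2.2.1 dstport=0 proto=1 action=accept policyid=1
date=2016-09-01 time=10:00:03 type=traffic subtype=local level=notice vd=root srcip=203.0.113.11 srcport=51000 dstip=198.51.100.5 dstport=2222 proto=6 action=deny policyid=0
"""


def parse_log(line):
    """Turn one key=value log line into a dict; quoted values may contain spaces."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def is_recorded(level, filter_severity):
    """True if a log at `level` passes a memory/disk filter set to `filter_severity`."""
    rank = [SEVERITY_ORDER.index(SEVERITY_ALIASES.get(s.lower(), s.lower()))
            for s in (level, filter_severity)]
    return rank[0] <= rank[1]


def implicit_denies(raw_logs, filter_severity="information"):
    """Return parsed entries that hit policy 0 with action deny and survive the filter."""
    hits = []
    for line in raw_logs.splitlines():
        if not line.strip():
            continue
        entry = parse_log(line)
        if (entry.get("policyid") == "0" and entry.get("action") == "deny"
                and is_recorded(entry.get("level", "notice"), filter_severity)):
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for hit in implicit_denies(SAMPLE_LOGS):
        print(hit["subtype"], hit["srcip"], "->", hit["dstip"], "port", hit["dstport"])
```

Note that traffic aimed at the FortiGate's own WAN IP is logged with subtype local (controlled by local-in-deny-unicast in the thread's config), not as forward traffic, so both subtypes need to be kept when counting denies.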
