Can someone explain to me why using a VIP with an external IP that matches the interface of the firewall causes implicit deny traffic to no longer be logged? I have implicit deny logging enabled but for whatever reason when I use a VIP with port forwarding it seems to no longer log the denied traffic that had a destination IP of the firewall interface. I'm running FortiOS 5.0.7. Do I need to add an additional policy blocking all ports to the VIP and logging it?
You need to set match-vip enable under the deny policy.
The following is the explanation:
If you want to explicitly drop a packet that is not matched with a firewall policy and write a log message when this happens, you can add a general policy (source and destination address set to ANY) to the bottom of a policy list and configure the firewall policy to DENY packets and record a log message when a packet is dropped.
In some cases, when a virtual IP performs destination NAT (DNAT) on a packet, the translated packet may not be accepted by a firewall policy. If this happens, the packet is silently dropped and therefore not matched with the general policy at the bottom of the policy list. To catch these packets, enable match-vip in the general policy. Then the DNATed packets that are not matched by a VIP policy are matched with the general policy where they can be explicitly dropped and logged.
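As an added example (not part of ashukla's reply), the CLI form of the setup described above: a port-forwarding VIP, the policy that accepts traffic to it, and a catch-all deny policy with match-vip enabled so that DNATed packets which miss the VIP policy are denied and logged instead of silently dropped. The interface names wan1 and dmz follow the thread; the VIP name, the addresses 203.0.113.10 and 10.0.0.5, the service name and the policy IDs are assumed, and the exact keyword set should be checked against the FortiOS 5.0 CLI reference.

```fortios
# Constructed example for FortiOS 5.0; names, addresses and policy IDs are assumed.
config firewall vip
    edit "vip-app-5000"
        set extintf "wan1"
        set extip 203.0.113.10        # same address as the wan1 interface
        set portforward enable
        set protocol tcp
        set extport 5000
        set mappedip 10.0.0.5
        set mappedport 5000
    next
end

config firewall service custom
    edit "TCP-5000"
        set tcp-portrange 5000
    next
end

config firewall policy
    # Policy 10: the only traffic that should reach the DNATed host.
    edit 10
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "vip-app-5000"
        set action accept
        set schedule "always"
        set service "TCP-5000"
        set logtraffic all
    next
    # Policy 99: catch-all deny for this interface pair, placed last in the
    # sequence (above the implicit deny, policy 0). Without match-vip, traffic
    # to the VIP address that policy 10 does not accept is dropped without
    # reaching this policy or the implicit deny; with match-vip it is denied
    # and logged here.
    edit 99
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set match-vip enable
        set logtraffic all
    next
end
```

One deny policy of this shape is needed per interface pair that a VIP policy uses. To confirm which policy a test packet actually hits, filter the flow trace on the VIP address (diagnose debug flow filter addr 203.0.113.10, diagnose debug flow show console enable, diagnose debug flow trace start 10, diagnose debug enable) and send a connection to a port other than 5000; the trace reports the policy ID that accepted or denied the packet.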
ashukla wrote: You need to set match-vip enable under the deny policy.
If you want to explicitly drop a packet that is not matched with a firewall policy and write a log message when this happens, you can add a general policy (source and destination address set to ANY) to the bottom of a policy list and configure the firewall policy to DENY packets and record a log message when a packet is dropped.
Apologies if I'm misunderstanding things. But is this not what rule 0 is for? I understand that DNAT takes place before rule matching in the lifecycle of the firewall, but if I have a policy allowing a VIP on port 5000, shouldn't the only thing that successfully DNATs to that be traffic to that external IP on port 5000? Why does all other traffic just get dropped instead of falling to the implicit deny?
(source and destination address set to ANY)... and srcintf and dstintf set to ANY as well, to cover all VIP policies with one 'DENY' rule for logging?
Thanks for the replies. I think we're headed in the right direction!
I created wan1 > DMZ and wan1 > port1 deny rules with match-vip enabled and I'm still not seeing any denied traffic hitting my wan1 interface.
FortiAdam wrote:
I created wan1 > DMZ and wan1 > port1 deny rules with match-vip enabled and I'm still not seeing any denied traffic hitting my wan1 interface.
Did you look under Traffic Log -> Local Log?
I'm viewing the logs on the FAZ so I assume I see both local and forward logs under the traffic logs section. I see other traffic coming to and from root so I must be seeing local logs too.
I'm going to try this out in lab soon and see if I can replicate the same behavior.
Copyright 2024 Fortinet, Inc. All Rights Reserved.