FortiAdam
Contributor II

Implicitly denied traffic not logged while using a VIP with external IP matching interface

Can someone explain to me why using a VIP with an external IP that matches the interface of the firewall causes implicit deny traffic to no longer be logged? I have implicit deny logging enabled but for whatever reason when I use a VIP with port forwarding it seems to no longer log the denied traffic that had a destination IP of the firewall interface. I'm running FortiOS 5.0.7. Do I need to make an additional policy blocking all ports to the VIP and logging it?

ashukla_FTNT
Staff

You need to enable match-vip enable under the deny policy.

Following is the explanation:

If you want to explicitly drop a packet that is not matched with a firewall policy and write a log message when this happens, you can add a general policy (source and destination address set to ANY) to the bottom of a policy list and configure the firewall policy to DENY packets and record a log message when a packet is dropped.

In some cases, when a virtual IP performs destination NAT (DNAT) on a packet, the translated packet may not be accepted by a firewall policy. If this happens, the packet is silently dropped and therefore not matched with the general policy at the bottom of the policy list. To catch these packets, enable match-vip in the general policy. Then the DNATed packets that are not matched by a VIP policy are matched with the general policy where they can be explicitly dropped and logged.
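The catch-all deny policy described in this answer, written out as FortiOS CLI. This is an added example, not part of the original post: the policy ID 99, the comment text and the use of "any" for both interfaces are assumptions, and the entry must sit at the bottom of the policy list.

```fortios
config firewall policy
    edit 99
        set comments "Example only: catch-all deny that also logs unmatched VIP (DNAT) traffic"
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set match-vip enable
    next
end
```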

FatalHalt

ashukla wrote:

You need to enable match-vip enable under the deny policy.

If you want to explicitly drop a packet that is not matched with a firewall policy and write a log message when this happens, you can add a general policy (source and destination address set to ANY) to the bottom of a policy list and configure the firewall policy to DENY packets and record a log message when a packet is dropped.

Apologies if I'm misunderstanding things. But is this not what rule 0 is for? I understand that DNAT takes place before rule matching in the lifecycle of the firewall, but if I have a policy allowing a VIP on port 5000, shouldn't the only thing that successfully DNATs to that be traffic to that external IP on port 5000? Why does all other traffic just get dropped instead of falling to the implicit deny?

ede_pfau
SuperUser

(source and destination address set to ANY)
...and srcintf, destintf set to ANY as well, to cover all VIP policies with one 'DENY' rule for logging?

Ede Kernel panic: Aiee, killing interrupt handler!
FortiAdam
Contributor II

Thanks for the replies. I think we're headed in the right direction!

I created wan1 > DMZ and wan1 > port1 deny rules with match-vip enabled and I'm still not seeing any denied traffic hitting my wan1 interface.  

ashukla_FTNT

FortiAdam wrote:

I created wan1 > DMZ and wan1 > port1 deny rules with match-vip enabled and I'm still not seeing any denied traffic hitting my wan1 interface.  

Did you look under traffic log -> local log?

FortiAdam
Contributor II

I'm viewing the logs on the FAZ so I assume I see both local and forward logs under the traffic logs section.  I see other traffic coming to and from root so I must be seeing local logs too.

I'm going to try this out in lab soon and see if I can replicate the same behavior.  
