Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Marklar
New Contributor

Local Traffic logs

Hi we' re getting a lot of " deny" traffic to our broadcast address after implementing a 100D and we aren' t sure if this is normal or not. example attached The lan > lan policy is set to accept any and all so not sure why UDP and other DHCP/relay traffic is showing up as denied with the red circle with a line through it. Thanks
10 REPLIES 10
rwpatterson
Valued Contributor III

From the hints at the bottom: Policy ID = 0. That means that the traffic defaulted past all the known policies and hit the implicit policy: fail all. Check to see that you do have your policies configured as you think you do. Also I now see that the destination interface is ' root' . Is your policy destination WAN or ANY? This traffic that is being blocked is broadcast traffic.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Bob - self proclaimed posting junkie!See my Fortigate related scripts at: http://fortigate.camerabob.com
ShrewLWD
Contributor

I believe you may also need to enable broadcast-forward on the Lan set broadcast-forward enable
Marklar
New Contributor

Geez..more hidden CLI commands! grrr This is policy #17 from lan > lan...why would this not allow it?
ede_pfau
Esteemed Contributor III

IMHO this is simply a display artifact - in some younger firmware versions the so called ' extended log' level is enabled by default. Traffic to the broadcast address in your LAN is not forwarded by the (routing) firewall so it' s dropped. And logged if ' extended logging' is enabled. Simply disable it (see CLI Reference v5). No need to worry.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
rwpatterson
Valued Contributor III

Why on earth would you have a policy like yours? If the traffic originates and terminates on the same LAN, it will never see the firewall... Am I missing something? That would be like opening the front door, then going into the kitchen from bathroom...

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Bob - self proclaimed posting junkie!See my Fortigate related scripts at: http://fortigate.camerabob.com
Marklar
New Contributor

I never understood that either but on our old box, which was configured by fortinet and copied over manually to this new box, I believe the reason was that the default gateway is the Fortigate, not the core switch in this setup. I can only guess on that one - it didnt make sense to me either. The older forticate (4.0MR3) didnt have the same level of logging this new one does (5.0.6) and we' re getting a lot of replication errors between site-site tunnels even though they can ping and name resolution works fine, etc..basically trying to find a needle in a haystack here since it only started happening after implementing the new fortigate.
Marklar
New Contributor

*Active Directory replication errors
ShrewLWD
Contributor

Just for clarification for future readers, you can have LAN to LAN rules (hair-pin) if the LAN port has multiple IP subnets bound to it, and you want to allow traffic from one subnet to the other. Obviously, in this case (especially with the firewall rule explicitly listing ALL and ALL as the source and destination subnets, it doesn' t apply, and this rule should probably be removed entirely. So you are still seeing actual manifestations of this error then (the Active Directory)? I don' t think broadcast forwarding is the issue here, as that is supposed to allow broadcast traffic to step over to another interface or subnet.
Marklar
New Contributor

Just to update: called support and they agreed this traffic is normal and is nothing to be concerned about. Turns out, the Active Directory endpoint replication issues were because the remote office was having power problems and the switch that housed the domain controllers was crashing on and off due to a faulty battery-backup. Talk about bad timing/coincidence..thinking the newly implemented firewall was the problem had nothing to do with the replication problems. It was the branch office not reporting problems back down here so we had no idea what was going on. Thanks for all the help guys!
Labels
Top Kudoed Authors