Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Local Traffic logs
Hi we' re getting a lot of " deny" traffic to our broadcast address after implementing a 100D and we aren' t sure if this is normal or not.
example attached
The lan > lan policy is set to accept any and all so not sure why UDP and other DHCP/relay traffic is showing up as denied with the red circle with a line through it.
Thanks
10 REPLIES 10
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
From the hints at the bottom: Policy ID = 0. That means that the traffic defaulted past all the known policies and hit the implicit policy: fail all. Check to see that you do have your policies configured as you think you do.
Also I now see that the destination interface is ' root' . Is your policy destination WAN or ANY? This traffic that is being blocked is broadcast traffic.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I believe you may also need to enable broadcast-forward on the Lan
set broadcast-forward enable
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Geez..more hidden CLI commands! grrr
This is policy #17 from lan > lan...why would this not allow it?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
IMHO this is simply a display artifact - in some younger firmware versions the so called ' extended log' level is enabled by default. Traffic to the broadcast address in your LAN is not forwarded by the (routing) firewall so it' s dropped. And logged if ' extended logging' is enabled.
Simply disable it (see CLI Reference v5). No need to worry.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why on earth would you have a policy like yours? If the traffic originates and terminates on the same LAN, it will never see the firewall... Am I missing something? That would be like opening the front door, then going into the kitchen from bathroom...
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I never understood that either but on our old box, which was configured by fortinet and copied over manually to this new box, I believe the reason was that the default gateway is the Fortigate, not the core switch in this setup. I can only guess on that one - it didnt make sense to me either. The older forticate (4.0MR3) didnt have the same level of logging this new one does (5.0.6) and we' re getting a lot of replication errors between site-site tunnels even though they can ping and name resolution works fine, etc..basically trying to find a needle in a haystack here since it only started happening after implementing the new fortigate.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
*Active Directory replication errors
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just for clarification for future readers, you can have LAN to LAN rules (hair-pin) if the LAN port has multiple IP subnets bound to it, and you want to allow traffic from one subnet to the other. Obviously, in this case (especially with the firewall rule explicitly listing ALL and ALL as the source and destination subnets, it doesn' t apply, and this rule should probably be removed entirely.
So you are still seeing actual manifestations of this error then (the Active Directory)?
I don' t think broadcast forwarding is the issue here, as that is supposed to allow broadcast traffic to step over to another interface or subnet.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just to update: called support and they agreed this traffic is normal and is nothing to be concerned about. Turns out, the Active Directory endpoint replication issues were because the remote office was having power problems and the switch that housed the domain controllers was crashing on and off due to a faulty battery-backup. Talk about bad timing/coincidence..thinking the newly implemented firewall was the problem had nothing to do with the replication problems. It was the branch office not reporting problems back down here so we had no idea what was going on.
Thanks for all the help guys!