Hi we' re getting a lot of " deny" traffic to our broadcast address after implementing a 100D and we aren' t sure if this is normal or not.
The lan > lan policy is set to accept any and all so not sure why UDP and other DHCP/relay traffic is showing up as denied with the red circle with a line through it.
From the hints at the bottom: Policy ID = 0. That means that the traffic defaulted past all the known policies and hit the implicit policy: fail all. Check to see that you do have your policies configured as you think you do.
Also I now see that the destination interface is ' root' . Is your policy destination WAN or ANY? This traffic that is being blocked is broadcast traffic.
IMHO this is simply a display artifact - in some younger firmware versions the so called ' extended log' level is enabled by default. Traffic to the broadcast address in your LAN is not forwarded by the (routing) firewall so it' s dropped. And logged if ' extended logging' is enabled.
Simply disable it (see CLI Reference v5). No need to worry.
Why on earth would you have a policy like yours? If the traffic originates and terminates on the same LAN, it will never see the firewall... Am I missing something? That would be like opening the front door, then going into the kitchen from bathroom...
I never understood that either but on our old box, which was configured by fortinet and copied over manually to this new box, I believe the reason was that the default gateway is the Fortigate, not the core switch in this setup. I can only guess on that one - it didnt make sense to me either. The older forticate (4.0MR3) didnt have the same level of logging this new one does (5.0.6) and we' re getting a lot of replication errors between site-site tunnels even though they can ping and name resolution works fine, etc..basically trying to find a needle in a haystack here since it only started happening after implementing the new fortigate.
Just for clarification for future readers, you can have LAN to LAN rules (hair-pin) if the LAN port has multiple IP subnets bound to it, and you want to allow traffic from one subnet to the other. Obviously, in this case (especially with the firewall rule explicitly listing ALL and ALL as the source and destination subnets, it doesn' t apply, and this rule should probably be removed entirely.
So you are still seeing actual manifestations of this error then (the Active Directory)?
I don' t think broadcast forwarding is the issue here, as that is supposed to allow broadcast traffic to step over to another interface or subnet.
Just to update: called support and they agreed this traffic is normal and is nothing to be concerned about. Turns out, the Active Directory endpoint replication issues were because the remote office was having power problems and the switch that housed the domain controllers was crashing on and off due to a faulty battery-backup. Talk about bad timing/coincidence..thinking the newly implemented firewall was the problem had nothing to do with the replication problems. It was the branch office not reporting problems back down here so we had no idea what was going on.
Thanks for all the help guys!
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.