Support Forum
Not applicable

Logging of dropped traffic on external interface

Hi all, new to the forum. I recently purchased a FortiGate 60C (v4.0,build5352,101007 (MR2)) for my home and love it so far. I'm trying to monitor the traffic that is dropped on my external (untrusted) interface without any luck. I have turned on logging on the implicit (drop all) built-in rule, but all that is being logged is internal (trusted) traffic that is dropped. I have also attempted to create a new rule with the source being the external interface and the destination the internal one and placed it at the bottom just above the implicit drop policy. Am I missing something? I find it helpful to see what's actually getting dropped, but in the week that it's been online not one packet has been dropped and logged from the Internet. Thanks in advance.
abelio
SuperUser

Hello and welcome. Use the CLI to send the following commands:
 config system global
    set loglocaldeny enable
 end

That will enable logging of failed connection attempts to your 60C that use TCP/IP ports other than those for management access. It's a resource-consuming setting, so keep an eye on it.

regards / Abel
Not applicable

set loglocaldeny enable
Perfect!! Thank you. This is on my home network, so hopefully it won't consume too many resources.
Not applicable

Is there a CLI command to disable the logging of dropped broadcast traffic? The above command enables me to see dropped external traffic, but it also gives me internal NetBIOS broadcasts. Thanks.
ede_pfau
SuperUser

You may try:
config system interface
     edit "internal"
         set broadcast-forward disable
         set netbios-forward disable
     next
 end

Ede Kernel panic: Aiee, killing interrupt handler!
Not applicable

Thanks. That doesn't seem to do anything noticeable. I'm still getting tons of subnet broadcasts advertising NetBIOS. For now, I've just set up a filter for a source interface of wan1, but I would like to be able to stop the logging of this traffic if possible.
Not applicable

I have the same problem. After:
 config system global
    set loglocaldeny enable
 end
I'm getting tons of subnet NetBIOS broadcasts. How could I exclude these messages from the logs?
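As an added example (not from any poster in this thread), the two things asked for above can be done off-box when exporting the logs: keep only drops seen on wan1, and exclude the LAN NetBIOS broadcast noise. The FortiGate-style key=value field names, the 192.168.1.0/24 LAN and the sample records below are assumptions, not copied from a real device.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample lines in a FortiGate-style key=value layout.
# Field names (status, srcintf, dst_port, ...) are assumptions.
SAMPLE_LOG = """\
type=traffic status=deny srcintf="wan1" dstintf="internal" src=198.51.100.7 dst=203.0.113.2 src_port=54321 dst_port=23 proto=6 service=telnet
type=traffic status=deny srcintf="internal" dstintf="wan1" src=192.168.1.20 dst=192.168.1.255 src_port=137 dst_port=137 proto=17 service=netbios-ns
type=traffic status=deny srcintf="wan1" dstintf="internal" src=198.51.100.9 dst=203.0.113.2 src_port=137 dst_port=137 proto=17 service=netbios-ns
type=traffic status=deny srcintf="internal" dstintf="wan1" src=192.168.1.21 dst=192.168.1.255 src_port=138 dst_port=138 proto=17 service=netbios-dgm
type=traffic status=deny srcintf="internal" dstintf="wan1" src=192.168.1.22 dst=203.0.113.9 src_port=40000 dst_port=25 proto=6 service=smtp
type=traffic status=accept srcintf="wan1" dstintf="internal" src=198.51.100.8 dst=203.0.113.2 src_port=4444 dst_port=443 proto=6 service=https
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
NETBIOS_PORTS = {137, 138, 139}   # name service, datagram, session


def parse_line(line):
    """Turn one key=value log line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def is_netbios_broadcast(rec, lan=ip_network("192.168.1.0/24")):
    """True for NetBIOS traffic aimed at the (assumed) LAN broadcast address."""
    try:
        port = int(rec.get("dst_port", -1))
        dst = ip_address(rec.get("dst", "0.0.0.0"))
    except ValueError:
        return False
    return port in NETBIOS_PORTS and dst == lan.broadcast_address


def filter_drops(log_text, wan=None):
    """Keep denied records, minus LAN NetBIOS broadcast chatter.
    With wan set (e.g. "wan1"), keep only drops arriving on that interface;
    external NetBIOS probes to a unicast address are still kept."""
    keep = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("status") != "deny":
            continue
        if wan is not None and rec.get("srcintf") != wan:
            continue
        if is_netbios_broadcast(rec):
            continue
        keep.append(rec)
    return keep


if __name__ == "__main__":
    for rec in filter_drops(SAMPLE_LOG, wan="wan1"):
        print(rec["srcintf"], rec["src"], "->", rec["dst"], rec["dst_port"], rec.get("service"))
```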
Incelli
New Contributor

Hi, you can try: config log disk set extended-traffic-log disable
MitchK
New Contributor

My theory, although I haven't tried it, is to create a rule permitting NetBIOS broadcasts. In the config for the rule, do not check "log allowed traffic". This would make the broadcasts allowed, but they would not be logged anymore.
Mitch Fortigate-300A 4.00 (MR3 Patch5) Fortigate-200B 4.00 (MR3 Patch5) Fortigate-50B 4.00 (MR3 Patch6) FortiAnalyzer 100C (MR3 Patch1)
MitchK
New Contributor

Unfortunately, you can't construct the rule I mentioned above. It's outrageous that Fortinet provides no method to suppress these broadcasts.
Mitch Fortigate-300A 4.00 (MR3 Patch5) Fortigate-200B 4.00 (MR3 Patch5) Fortigate-50B 4.00 (MR3 Patch6) FortiAnalyzer 100C (MR3 Patch1)