Support Forum
MitchK
New Contributor

Logging of local broadcast packets

As everyone here knows, NETBIOS and other local broadcasts are denied by default in the Fortigates, and logging shows every single broadcast. How can this be stopped? I tried to create a rule allowing the broadcasts, which would then cause them not to be logged, but I couldn't create the rule. Looking at the logs, there is a source interface, but the destination interface is either the VDOM name or "N/A". Also, the "Service" section of the rule does not contain NETBIOS or Broadcasts or anything like that. Please don't tell me to "try" this command or that command, I've seen them and tried them, they don't work. Sorry to seem annoyed, but I am. Other brands of firewalls permit EASY construction of a rule that denies these packets and also permits non-logging of the denials. Why doesn't Fortigate have what would seem to be a no-brainer of a feature?
Mitch Fortigate-300A 4.00 (MR3 Patch5) Fortigate-200B 4.00 (MR3 Patch5) Fortigate-50B 4.00 (MR3 Patch6) FortiAnalyzer 100C (MR3 Patch1)
Greg_Hennessy
New Contributor

Totally agree. This broadcast logging is getting very tedious. Tens of thousands of extraneous log events per hour with no obvious way of disabling generation. And like you, I have trawled the forum and tried all the suggestions. Greg
TopJimmy
New Contributor

There's a tech note for it here: http://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&externalId=FD33057 If that doesn't work in your environment, I'd open a ticket to Fortinet and ask them. Complaining here does nothing.
-TJ
mbrowndcm
New Contributor III

config log {disk | fortianalyzer | fortianalyzer2 | fortianalyzer3 | memory | syslogd | syslogd2 | syslogd3 | webtrends | fortiguard} filter extended-traffic-log {disable | enable}
 
Described to cover:
 Enable or disable ICSA compliant logs. This setting is independent from the traffic setting.
 Traffic log entries include generating traffic logs:
 • for all dropped ICMP packets
 • for all dropped invalid IP packets (see “check-protocol-header {loose | strict}” on page 416, “anti-replay {disable | loose | strict}” on page 415, and “check-reset-range {disable | strict}” on page 417)
 • for session start and on session deletion
 This setting is not rate limited. A large volume of invalid packets can dramatically increase the number of log entries.
 
"…you would also be running into the trap of looking for the answer to a question rather than a solution to a problem." - [link=http://blogs.msdn.com/b/oldnewthing/archive/2013/02/13/10393162.aspx]Raymond Chen[/link]
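The thread's complaint is that denied local broadcasts (NetBIOS name service, DHCP, and the like) flood the traffic log with tens of thousands of entries per hour. Whether or not the extended-traffic-log setting above removes them at the FortiGate, the same noise can be separated from the genuinely interesting denies on the collector side, so that the remaining events are worth reading. The script below is an added example, not code from the thread or from Fortinet: it parses key=value log lines, classifies a deny as local-broadcast noise when the destination is the limited broadcast address, the directed broadcast of a configured local subnet, or a multicast group, and summarises that noise per source interface and port while keeping everything else. The sample lines, the field names (srcip, dstip, dstport, proto, status, srcintf) and the 192.168.1.0/24 local subnet are constructed assumptions loosely modelled on FortiGate traffic logs, not real device output.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines in a key=value layout loosely modelled on FortiGate
# traffic logs. Field names and values are assumptions for this example only.
SAMPLE_LOG = """\
date=2013-02-14 time=09:00:01 type=traffic subtype=other vd=root srcip=192.168.1.20 srcport=137 srcintf="internal" dstip=192.168.1.255 dstport=137 dstintf="root" proto=17 status=deny policyid=0
date=2013-02-14 time=09:00:02 type=traffic subtype=other vd=root srcip=192.168.1.21 srcport=138 srcintf="internal" dstip=192.168.1.255 dstport=138 dstintf="root" proto=17 status=deny policyid=0
date=2013-02-14 time=09:00:03 type=traffic subtype=other vd=root srcip=192.168.1.22 srcport=68 srcintf="internal" dstip=255.255.255.255 dstport=67 dstintf="N/A" proto=17 status=deny policyid=0
date=2013-02-14 time=09:00:04 type=traffic subtype=other vd=root srcip=10.9.9.9 srcport=41022 srcintf="wan1" dstip=192.168.1.10 dstport=445 dstintf="internal" proto=6 status=deny policyid=0
date=2013-02-14 time=09:00:05 type=traffic subtype=forward vd=root srcip=192.168.1.20 srcport=51000 srcintf="internal" dstip=93.184.216.34 dstport=443 dstintf="wan1" proto=6 status=accept policyid=3
"""

# Assumption: the LAN subnets behind the firewall, used to recognise directed
# broadcasts (e.g. 192.168.1.255). Extend this list for your own environment.
LOCAL_NETS = [ip_network("192.168.1.0/24")]

# key=value pairs; values may be quoted (srcintf="internal") or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def is_local_broadcast(rec):
    """True when the record is UDP to a broadcast or multicast destination."""
    if rec.get("proto") != "17":          # 17 = UDP; broadcast chatter is UDP
        return False
    try:
        dst = ip_address(rec["dstip"])
    except (KeyError, ValueError):
        return False
    if dst == ip_address("255.255.255.255"):      # limited broadcast (DHCP etc.)
        return True
    if any(dst == net.broadcast_address for net in LOCAL_NETS):
        return True                               # directed broadcast (NetBIOS)
    return dst.is_multicast                       # mDNS, SSDP, ...


def triage(text):
    """Split log text into (noise counter, kept records).

    Noise is counted by (source interface, destination port) so an operator
    can see at a glance where the broadcast volume comes from; every record
    that is not a denied local broadcast is kept for normal review.
    """
    noise = Counter()
    kept = []
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        if rec.get("status") == "deny" and is_local_broadcast(rec):
            noise[(rec.get("srcintf"), rec.get("dstport"))] += 1
        else:
            kept.append(rec)
    return noise, kept


if __name__ == "__main__":
    noise, kept = triage(SAMPLE_LOG)
    print("suppressed local-broadcast denies:", sum(noise.values()))
    for (intf, port), n in noise.most_common():
        print(f"  {intf} -> udp/{port}: {n}")
    print("records kept for review:", len(kept))
    for rec in kept:
        print(f"  {rec['srcip']} -> {rec['dstip']}:{rec['dstport']} {rec['status']}")
```

On the constructed sample the three broadcast denies are folded into a per-interface summary and only the inbound deny from 10.9.9.9 to tcp/445 and the accepted outbound session remain, which is the view the original poster was asking the firewall itself to provide. Feeding a FortiAnalyzer or syslog export through the same classifier gives a quick measure of how much of the log volume is broadcast noise before deciding whether to suppress it at the source.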