In Firewall Policy I have configured data flow policy between two subnets. I have set a schedule for this policy when it is active (specific hours on specific days). I also have full logging enabled for this policy (All Sessions in Logging Options) and would not like to change it.
Is there any way that when this policy is inactive (time outside its activity schedule), its logs are not collected as well? I want to get the effect that logs are collected only when this policy is active.
When the policy for A to B is inactive, there is traffic from B to A and that's generating logs, is this correct?
B to A traffic is hitting the default deny policy and generating logs? I think if we create a new policy for B to A with logging disabled and create a schedule to activate this policy while A to B is inactive, it may help us.
Schedule 1 - to Activate A to B policy (action allow with traffic logs)
Schedule 2 - Activate B to A policy (action drop with no traffic logs)
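As an added illustration of the two-policy approach described in this answer (not configuration posted by anyone in the thread), the FortiOS CLI fragment below builds both schedules and both policies. The interface names, address objects (subnet-A, subnet-B, NAS-servers), service group and policy IDs are assumptions; replace them with the objects that exist on your own FortiGate.

```text
# Schedule during which the A -> B allow policy is active (assumed office hours).
config firewall schedule recurring
    edit "office-hours"
        set day monday tuesday wednesday thursday friday
        set start 08:00
        set end 18:00
    next
end

# Complementary schedule for the silent deny. A recurring schedule whose end
# time is earlier than its start time spans midnight into the next day.
config firewall schedule recurring
    edit "after-hours"
        set day sunday monday tuesday wednesday thursday friday saturday
        set start 18:00
        set end 08:00
    next
end

config firewall policy
    # Policy 1: the existing A -> B allow rule, fully logged, office hours only.
    edit 10
        set name "A-to-B-office-hours"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "subnet-A"
        set dstaddr "subnet-B"
        set service "ALL"
        set schedule "office-hours"
        set action accept
        set logtraffic all
    next
    # Policy 2: drop the known, noisy NAS -> A traffic after hours WITHOUT
    # logging. It is deliberately narrow (specific sources and services) so
    # that any other B -> A traffic still falls through to the implicit deny
    # and is logged there.
    edit 20
        set name "B-NAS-to-A-after-hours-silent-deny"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "NAS-servers"
        set dstaddr "subnet-A"
        set service "NAS-services"
        set schedule "after-hours"
        set action deny
        set logtraffic disable
    next
end
```

Two things are worth checking after applying this. First, keep policy 20 scoped to exactly the source addresses and services you have identified as expected noise; if you widen it to "all" you silently discard the after-hours B to A attempts you still want to see. Second, confirm that logging of violation traffic on the implicit deny policy is still enabled, otherwise the unexpected B to A traffic that policy 20 intentionally leaves to the implicit deny will not be recorded either.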
Isn't that the default behavior? Logs are generated when the traffic is matching the active policy. Are you seeing logs for traffic hitting the inactive policy?
@srajeswaran yes, that's the default behavior.
I already write what I want to achieve:
I have a traffic policy between two subnets (A and B). This policy is active for a limited period of time. When it is inactive (out of office hours), it cuts off connectivity between the two subnets (for security reasons).
Unfortunately, in the second of the disconnected networks (B), network devices (e.g. NAS servers) must be running all the time, whose services try to communicate with devices from the first subnet (A) and I cannot change it. So NAS servers from subnet B try to communicate with subnet A 24/h - also when the policy allowing traffic between A and B is inactive.
This results in large amounts of redundant logs during this time. Therefore, I want to completely disable logging while this policy is inactive. Alternatively, maybe there is some way to disable logging of only specific IPs at a given time, or some other idea...
@srajeswaran - I guess that's what I was after. :)
The second policy, active while the first one is inactive, with disabled logging for the specific Source, Destination, Service and Action - Deny does its job. All connections from B to A are blocked by it (they do not reach the Implicit Deny) and are not logged.
Another important point is that any other "suspicious" calls from B to A while the second policy is active are still blocked and logged via the Implicit Deny policy. Thus, I do not deprive myself of monitoring the remaining network traffic from B to A.
Many thanks again! :)
@srajeswaran I had thought about such a solution before, but there was some obstacle for me to use it (I don't remember what it was). Now I'm going to try to do it again.
Thanks for the tips.
I'll let you know how it went.