Hello, we have a bunch of Fortigate devices which are logging several times (about 100k logs in 15 minutes, each device) on our logging platform (we use ELK), and this is overwhelming the disk space. How can we disable the logging on the "default deny policy" in order to stop these logs? Below is the log message that is filling our disk space:
<189>date=2015-07-30 time=10:24:41 devname=fw01-xpto devid=FGT60XXXXXXXXXXX logid=0001000014 type=traffic subtype=local level=notice vd=root srcip=XXX.XXX.XXX.XXX srcport=137 srcintf="internal1" dstip=YYY.YYY.YYY.YYY dstport=137 dstintf="root" sessionid=2253947840 action=deny policyid=0 dstcountry="Reserved" srccountry="Reserved" trandisp=noop service="137/udp" proto=17 app="netbios forward" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0
Thanks!!
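As an added example (not part of this thread or of Fortinet's tooling), a small parser for the FortiOS key=value syslog format shown above, used to measure how much of the volume is implicit-policy (policyid=0) deny traffic and how much of that is local-in deny to broadcast/multicast addresses, before any logging is switched off. The sample lines are constructed, and the trailing-.255 broadcast check is a /24 heuristic.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample (not real logs): FortiOS traffic-log lines in the same key=value
# syslog format as the one quoted in the question. Addresses are placeholders; the two
# policyid=0 NetBIOS lines mimic the reported flood.
SAMPLE_LOGS = """\
<189>date=2015-07-30 time=10:24:41 devname=fw01-xpto logid=0001000014 type=traffic subtype=local level=notice srcip=10.0.0.5 srcport=137 srcintf="internal1" dstip=10.0.0.255 dstport=137 dstintf="root" action=deny policyid=0 service="137/udp" proto=17 app="netbios forward"
<189>date=2015-07-30 time=10:24:42 devname=fw01-xpto logid=0001000014 type=traffic subtype=local level=notice srcip=10.0.0.6 srcport=137 srcintf="internal1" dstip=10.0.0.255 dstport=137 dstintf="root" action=deny policyid=0 service="137/udp" proto=17 app="netbios forward"
<189>date=2015-07-30 time=10:24:43 devname=fw01-xpto logid=0000000013 type=traffic subtype=forward level=notice srcip=10.0.0.7 srcport=51000 srcintf="internal1" dstip=203.0.113.9 dstport=443 dstintf="wan1" action=accept policyid=3 service="HTTPS" proto=6 app="HTTPS"
<189>date=2015-07-30 time=10:24:44 devname=fw01-xpto logid=0001000014 type=traffic subtype=local level=notice srcip=10.0.0.8 srcport=5353 srcintf="internal1" dstip=224.0.0.251 dstport=5353 dstintf="root" action=deny policyid=0 service="5353/udp" proto=17 app="mDNS"
"""

# One key=value token: the value is either double-quoted (may contain spaces) or bare.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_fortios_log(line: str) -> dict:
    """Split one FortiOS syslog line into a dict of its key=value fields."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}

def is_broadcast_or_multicast(dst: str) -> bool:
    """Multicast, limited broadcast, or /24-style directed broadcast (the .255 check is a heuristic)."""
    ip = ipaddress.ip_address(dst)
    return ip.is_multicast or dst == "255.255.255.255" or dst.endswith(".255")

def summarize_implicit_denies(lines, top_n: int = 3) -> dict:
    """Quantify the flood before switching logging off: implicit-policy denies
    (policyid=0, action=deny), the subset that are local-in denies to broadcast/multicast
    (what 'set local-in-deny-broadcast disable' silences), and the top offenders."""
    offenders = Counter()
    total = implicit = local_bcast = 0
    for raw in lines:
        rec = parse_fortios_log(raw)
        total += 1
        if rec.get("action") != "deny" or rec.get("policyid") != "0":
            continue
        implicit += 1
        offenders[(rec.get("subtype"), rec.get("dstport"), rec.get("app"))] += 1
        if rec.get("subtype") == "local" and is_broadcast_or_multicast(rec["dstip"]):
            local_bcast += 1
    return {"total": total, "implicit_deny": implicit,
            "local_deny_broadcast": local_bcast, "top": offenders.most_common(top_n)}
```

Run it over a syslog export instead of SAMPLE_LOGS to see whether the flood really is broadcast traffic hitting policy 0 (which the log-setting knob addresses) or something a per-policy "log disabled" setting would be needed for.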
It depends a little bit on the traffic type.
Here are some possibilities to stop different kinds of logs:
config log setting
    set local-in-deny-broadcast {enable | disable}
    set local-in-deny-unicast {enable | disable}
end
or
config log <log-destination> filter
    set local-traffic {enable | disable}
end
Because it's port 137 I assume that you "set local-in-deny-broadcast disable".
The CLI guide is your friend :)
Thanks! I will try these commands and I will post the results :)
FWIW and an idea:
Could you just create a policy and place it at the end of the sequence with a big deny and no logging? This should match all traffic that doesn't match any "accept" firewall policies above it and drop the traffic with no logging.
PCNSE
NSE
StrongSwan
Are you sure this will match local traffic as well?
Are all the denies from local traffic? Local means "from the firewall". If you have denies from the firewall, you should stop the source that's sending, imho.
PCNSE
NSE
StrongSwan
Sylvia, that worked! I set this:
set local-in-deny-broadcast disable
And then the logs stopped flooding. I believe there are some stations sending the 137 to the broadcast address, matching the implicit rule and then generating the huge amount of logs. After we set this line the logs stopped flooding.
Emnoc, we will try this in a future test, too. As soon as we get the results, I will post them here.
Thanks!
Hi
Does anyone know if this is not supported anymore in 6.0.2?
We still get all the local traffic on the FortiAnalyzer with disabled local-traffic.
All Netbios broadcasts port 137 deny packets are still logged.
config log fortianalyzer filter
    set local-traffic disable
end
Got it solved: after disabling logging of the implicit 'policy 0' traffic, it became quiet.
Sorry for digging out this old thread.
Copyright 2024 Fortinet, Inc. All Rights Reserved.