Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
vstrabello
New Contributor

Lot of "policyid=0" logs in a few minutes

Hello, we have a bunch of Fortigate devices which are logging several times (about 100k logs in 15 minutes, each device) on our logging platform (we use ELK), and this is overwhelming the disk space. How can we disable the logging on the "default deny policy' in order to stop these logs? Below is the log message that is filling our disk space:

 

<189>date=2015-07-30 time=10:24:41 devname=fw01-xpto devid=FGT60XXXXXXXXXXX logid=0001000014 type=traffic subtype=local level=notice vd=root srcip=XXX.XXX.XXX.XXX srcport=137 srcintf="internal1" dstip=YYY.YYY.YYY.YYY dstport=137 dstintf="root" sessionid=2253947840 action=deny policyid=0 dstcountry="Reserved" srccountry="Reserved" trandisp=noop service="137/udp" proto=17 app="netbios forward" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0

 

Thanks!!

1 Solution
Sylvia
Contributor II

It depends a little bit on the traffic type.

 

Here are some possibilities to stop different kinds of logs:

 

config log setting   set local-in-deny-broadcast {enable | disable}    set local-in-deny-unicast {enable | disable}

end

or

config log <log-destination> filter   set local-traffic {enable | disable} end

 

Because it's port 137 I assume that you "set local-in-deny-broadcast disable".

 

The CLI guide is your friend :)

View solution in original post

8 REPLIES 8
Sylvia
Contributor II

It depends a little bit on the traffic type.

 

Here are some possibilities to stop different kinds of logs:

 

config log setting   set local-in-deny-broadcast {enable | disable}    set local-in-deny-unicast {enable | disable}

end

or

config log <log-destination> filter   set local-traffic {enable | disable} end

 

Because it's port 137 I assume that you "set local-in-deny-broadcast disable".

 

The CLI guide is your friend :)

vstrabello
New Contributor

Thanks! I will try these commands and I will post the results :)

 

 

emnoc
Esteemed Contributor III

FWIW and a ideal

 

Could you just create a policy and place it at end of the sequence with a big deny and no logging. This should match all traffic that doesn't match any "accept" firewall policies from the above and  drop the traffic with no logging.

 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Sylvia
Contributor II

Are you sure this will match local traffic as well?

emnoc
Esteemed Contributor III

Are all the denies from local traffic? Local means ; " from the firewall" If you have denies from the firewall you should stop the source that's sending imho

 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
vstrabello
New Contributor

Sylvia, that worked! I set this: 

 

set local-in-deny-broadcast disable

 

And then the logs stopped to flood. I believe there are some stations sending the 137 to the broadcast address, mathing the implicit rule and then generating the huge amount of logs. After we set this line the logs stopped to flood

 

Emnoc, we will try this in a future test, too. As soon as we get the results, I will post here

 

Thanks!

 

 

Wayne11

Hi

Does anyone know if this is not supported anymore in 6.0.2?

We still get all the local traffic on the FortiAnalyzer with disabled local-traffic.

All Netbios broadcasts port 137 deny packets are still logged.

 

config log fortianalyzer filter   set local-traffic disable

 

Wayne11

Got it solved, after disabling logging the implicit 'policy 0' traffic it became quiet.

Sorry for digging out this old thread.

 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors