Hi,
I have only limited experience with Fortinet products so far.
I ran into a similar problem on one of my first projects setting up a FortiGate environment. That environment originally had FortiGate firewalls which did not have separate disks, and configuring the log filters for memory did the trick then.
Now I have set up a FortiWiFi-61F at home and I seem to have problems seeing any logs on my WAN interfaces, which should naturally have constant scanning traffic being blocked on them and visible in the Local Traffic logs.
My WAN1 interface is acting as a DHCP client and is connected to a 5G device that is in bridged mode.
My WAN2 interface is acting as a DHCP client and is connected to a 4G device that is in bridged mode.
I have made a third, separate WAN interface as a VLAN interface, which is connected through a FortiLink to a FortiSwitch; one of its access ports has an ADSL router in bridged mode.
5G is currently active as it has the best route.
I was originally running 6.4 software but upgraded to 7.2 last night.
So far I have done the following things (some of these are on by default, I guess):
config log disk setting
set status enable
end
config log disk filter
set severity information
set forward-traffic enable
set local-traffic enable
set multicast-traffic enable
set sniffer-traffic enable
set ztna-traffic enable
set anomaly enable
set voip enable
set dlp-archive enable
end
config log setting
set fwpolicy-implicit-log enable
set local-in-deny-unicast enable
set local-in-deny-broadcast enable
set local-out disable
end
But even after this I am not really seeing any Local Traffic logs related to the WAN interfaces.
One problem also seems to be that in my Firewall Policy section the Implicit Deny rule has only logged 314 B worth of traffic. I guess it must only handle traffic going through the firewall, and since there are no static NAT type configurations at the moment it's not logging any denied traffic?
I would really like to see and log even the scanning traffic coming from the Internet, and I am wondering what I need to do to get it visible.
Hi, I'm not sure what you want to achieve, but consider this:
- Firewall policies are for traffic passing through the FortiGate unit, and if logged, the records will be in the Forward Traffic log.
- The Local Traffic log contains logs of traffic originating from the FortiGate, generated locally so to speak. Any restrictions on this kind of traffic are not handled by normal firewall policies, but by local-in policies for ingress into the FortiGate (where traffic does not pass through but terminates on the FortiGate, like DHCP requests where the FortiGate is the DHCP server) and by service configurations for egress from the FortiGate. So have a look at 'config firewall local-in-policy'.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Hi,
What I am after is getting the FortiGate to log all the traffic that is destined to any of its interfaces (but mostly the external interfaces) and blocked/denied/dropped.
At the moment I am receiving such logs from pretty much all the interfaces except the WAN interfaces, which seems very odd, as basically as soon as you connect a device to the Internet you see scanning traffic.
I first ran into this problem when I was deploying my first FortiGate 600E HA pair. As the devices did not have an internal HD/SSD, I had to modify the log configuration through the CLI to see these, and it was no problem after that. However, my FortiWiFi 61F does not seem to show the WAN interface blocked connections at all, even though I have modified the configuration as shown above in my original post. I am just wondering what I am missing configuration-wise?
I have 4G, 5G and ADSL connections at home, and each of them has a public IP address. (4G and ADSL have a static public IP address; 5G will a bit later.) So each of these Internet-facing interfaces should have constant scanning traffic reaching it and being blocked. I would like to get logs of this traffic as well.
I assume I do not have to modify any rules, as I did not in the case of the 600E devices. But if there are some settings under the actual local-in-policy configuration that affect the logging, then I will have a look at them and report back to this post.
The command "show full-configuration firewall local-in-policy" seems to be completely blank.
It does not show anything.
The GUI side shows a list of different allowed connections, which are probably mostly generated by configuring the firewall interfaces and allowing or enabling different services on them:
fw # show full-configuration firewall local-in-policy
config firewall local-in-policy
end
Assuming:
... you should be able to see the denied traffic, inbound to your WAN interface, in both the debug flow, and in the local traffic logs.
For verification, pick a random port and run debug flow for it:
diag debug reset
diag debug flow filter clear
diag debug flow filter port 8721 # try to pick a port not used by anything, to minimize "noise" in the debug
diag debug enable
diag debug flow trace start 3 # show only the first three packets matching the filter
Once this is done, run a telnet command, or any other tool of your choice, to probe the same port. You should see the packet processed, and denied, in the debug flow output. Example:
id=20085 trace_id=313 func=print_pkt_detail line=5727 msg="vd-root:0 received a packet(proto=6, <source-ip>:1109-><your-public-ip>:8721) from <WAN-interface>. flag [S], seq 2476414885, ack 0, win 64240"
id=20085 trace_id=313 func=init_ip_session_common line=5898 msg="allocate a new session-00787e44"
id=20085 trace_id=313 func=vf_ip_route_input_common line=2621 msg="find a route: flag=80000000 gw-<wan-ip> via root"
id=20085 trace_id=313 func=fw_local_in_handler line=435 msg="iprope_in_check() check failed on policy 0, drop"
The local traffic log should also contain a matching entry, like so:
date=2022-04-14 time=16:47:55 eventtime=1649947675840558673 tz="+0200" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" srcip=<source-ip> srcport=1109 srcintf="<wan-interface>" srcintfrole="undefined" dstip=<wan-ip> dstport=8721 dstintf="root" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=7896644 proto=6 action="deny" policyid=0 policytype="local-in-policy" service="tcp/8721" trandisp="noop" app="tcp/8721" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned" crscore=5 craction=262144 crlevel="low"
If the debug flow shows anything other than "iprope_in_check() check failed on policy 0, drop", the packet is likely being processed for some other reason (some feature/function, VIP, etc.).
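The two artefacts above, the Local Traffic log entry and the debug flow trace, are both plain text that can be sorted mechanically once you are collecting more than a handful of them. The following is an added example, not code from the original posts or from Fortinet: it parses FortiOS key=value log lines, keeps only the local-in denies (subtype local, action deny, policytype local-in-policy, as in the entry shown above), counts them per WAN interface and destination port, and classifies debug flow traces by whether they ended in the policy-0 drop message. The log and debug-flow lines inside the block are constructed for the example using documentation IP ranges (203.0.113.10 standing in for the WAN1 address, 198.51.100.23 for a scanner); interface names and ports are assumptions.

```python
"""Sort FortiGate log lines and debug-flow output into local-in denies
versus everything else. Added example; sample data is constructed."""
import re
from collections import Counter

# FortiOS logs are space-separated key=value pairs; values are either
# double-quoted (and may contain spaces) or bare tokens.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# debug-flow message for a packet dropped by the local-in check with no
# explicit local-in policy matched (policy 0)
LOCAL_IN_DROP_MSG = "iprope_in_check() check failed on policy 0, drop"

_TRACE_RE = re.compile(r'trace_id=(\d+) .*msg="([^"]*)"')


def parse_log_line(line):
    """Turn one FortiGate log line into a dict of string fields."""
    return {key: quoted or bare for key, quoted, bare in _KV_RE.findall(line)}


def is_local_in_deny(rec):
    """True for traffic that terminated on the FortiGate itself (subtype
    local) and was denied by the local-in check; unsolicited scans of a
    WAN address should produce exactly these records."""
    return (rec.get("type") == "traffic"
            and rec.get("subtype") == "local"
            and rec.get("action") == "deny"
            and rec.get("policytype") == "local-in-policy")


def local_in_denies(lines, interfaces=None):
    """Count local-in denies per (srcintf, proto, dstport). If `interfaces`
    is given, only records that arrived on those interfaces are counted."""
    counts = Counter()
    for line in lines:
        rec = parse_log_line(line)
        if not is_local_in_deny(rec):
            continue
        if interfaces is not None and rec.get("srcintf") not in interfaces:
            continue
        counts[(rec.get("srcintf"), rec.get("proto"), rec.get("dstport"))] += 1
    return counts


def debug_flow_verdicts(lines):
    """Group 'diag debug flow' output by trace_id and classify each trace by
    its last message: 'local-in-deny' for the policy-0 drop, otherwise the
    last message itself, so the reader sees what else handled the packet."""
    last_msg = {}
    for line in lines:
        m = _TRACE_RE.search(line)
        if m:
            last_msg[m.group(1)] = m.group(2)
    return {tid: ("local-in-deny" if LOCAL_IN_DROP_MSG in msg else msg)
            for tid, msg in last_msg.items()}


# Constructed sample log lines (not real captures); field names follow the
# FortiOS format, interface names and ports are assumptions.
SAMPLE_LOGS = [
    # SYN to an unused TCP port on wan1, dropped by the local-in check
    'date=2022-04-14 time=16:47:55 tz="+0200" logid="0001000014" type="traffic" '
    'subtype="local" level="notice" vd="root" srcip=198.51.100.23 srcport=1109 '
    'srcintf="wan1" srcintfrole="wan" dstip=203.0.113.10 dstport=8721 dstintf="root" '
    'srccountry="Reserved" proto=6 action="deny" policyid=0 '
    'policytype="local-in-policy" service="tcp/8721" sentbyte=0 rcvdbyte=0',
    # UDP probe of SIP on wan1, same verdict
    'date=2022-04-14 time=16:48:02 tz="+0200" type="traffic" subtype="local" '
    'vd="root" srcip=198.51.100.23 srcport=5060 srcintf="wan1" dstip=203.0.113.10 '
    'dstport=5060 dstintf="root" proto=17 action="deny" policyid=0 '
    'policytype="local-in-policy" service="udp/5060"',
    # through-traffic hitting the forward path's implicit deny: policyid 0
    # too, but subtype forward, so it belongs in the Forward Traffic log
    'date=2022-04-14 time=16:48:10 tz="+0200" type="traffic" subtype="forward" '
    'vd="root" srcip=192.0.2.7 srcport=40000 srcintf="internal" dstip=198.51.100.9 '
    'dstport=23 dstintf="wan2" proto=6 action="deny" policyid=0 policytype="policy"',
    # DHCP reply accepted on wan2: local traffic, but not a deny
    'date=2022-04-14 time=16:48:15 tz="+0200" type="traffic" subtype="local" '
    'vd="root" srcip=192.0.2.1 srcport=67 srcintf="wan2" dstip=203.0.113.20 '
    'dstport=68 dstintf="root" proto=17 action="accept" policyid=0 '
    'policytype="local-in-policy" service="DHCP"',
]

# Constructed debug-flow output: trace 313 ends in the local-in drop,
# trace 314 never reaches a verdict in the captured lines.
SAMPLE_DEBUG_FLOW = [
    'id=20085 trace_id=313 func=print_pkt_detail line=5727 msg="vd-root:0 received a '
    'packet(proto=6, 198.51.100.23:1109->203.0.113.10:8721) from wan1. flag [S], '
    'seq 2476414885, ack 0, win 64240"',
    'id=20085 trace_id=313 func=init_ip_session_common line=5898 msg="allocate a new session-00787e44"',
    'id=20085 trace_id=313 func=vf_ip_route_input_common line=2621 msg="find a route: flag=80000000 gw-203.0.113.10 via root"',
    'id=20085 trace_id=313 func=fw_local_in_handler line=435 msg="iprope_in_check() check failed on policy 0, drop"',
    'id=20085 trace_id=314 func=print_pkt_detail line=5727 msg="vd-root:0 received a '
    'packet(proto=6, 198.51.100.23:1110->203.0.113.10:443) from wan1. flag [S], '
    'seq 99, ack 0, win 64240"',
    'id=20085 trace_id=314 func=init_ip_session_common line=5898 msg="allocate a new session-00787e45"',
]

if __name__ == "__main__":
    for key, n in sorted(local_in_denies(SAMPLE_LOGS, {"wan1", "wan2"}).items()):
        print("local-in deny on %s proto %s dport %s: %d" % (key + (n,)))
    for tid, verdict in sorted(debug_flow_verdicts(SAMPLE_DEBUG_FLOW).items()):
        print("trace %s: %s" % (tid, verdict))
```

Running it against real data means feeding `local_in_denies()` the lines of a log export (or a syslog receiver's file) and `debug_flow_verdicts()` the captured `diag debug flow` output; a WAN interface that never appears in the first result while the debug flow for a probe of that interface shows the policy-0 drop is exactly the symptom in this thread, and points at the logging configuration rather than at the local-in check itself.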
Created on 04-14-2022 04:26 PM Edited on 04-14-2022 04:28 PM
Hi,
The first command is set to enabled, and what I am expecting to see is at least some scanning from the Internet using multiple different ports. There are going to be a lot of ports scanned that do not match any service the FW might be running. I have used both Cisco and Palo Alto firewalls and just replaced my home devices with some Fortinet FW/AP/SW to practice, but Cisco/PA handled this kind of logging a bit more clearly.
There should also be no limitations from the ISP, as I work at the ISP that is providing me with the connections :)
I will use the commands you provided to debug the situation and generate traffic to the interfaces when I have time and get back to you. Thank you for the tips so far!