I have only limited experience with Fortinet products so far.
I ran into a similar problem on one of my first projects, setting up a FortiGate environment. This environment originally had FortiGate firewalls which did not have separate disks, and configuring the log filters for memory did the trick then.
Now I have set up a FortiWiFi-61F at home, and I seem to have problems seeing any logs on my WAN interfaces, which should naturally have constant scanning traffic being blocked on them and visible in the Local Traffic logs.
My WAN1 interface is acting as a DHCP client and is connected to a 5G device that is in bridged mode.
My WAN2 interface is acting as a DHCP client and is connected to a 4G device that is in bridged mode.
I have made a third separate WAN interface as a VLAN interface, which is connected through a FortiLink to a FortiSwitch, and on one of its access ports it has an ADSL router in bridged mode.
5G is currently active as it has the best route.
I was originally running 6.4 software but upgraded to 7.2 last night.
So far I have done the following things (some of them are on by default, I guess):
config log disk setting
    set status enable
end

config log disk filter
    set severity information
    set forward-traffic enable
    set local-traffic enable
    set multicast-traffic enable
    set sniffer-traffic enable
    set ztna-traffic enable
    set anomaly enable
    set voip enable
    set dlp-archive enable
end

config log setting
    set fwpolicy-implicit-log enable
    set local-in-deny-unicast enable
    set local-in-deny-broadcast enable
    set local-out disable
end
But even after this I am not really seeing any Local Traffic logs related to the WAN interfaces.
One problem also seems to be that in my Firewall Policy section, the Implicit Deny rule has only logged 314 B worth of traffic. I guess it must only handle traffic going through the firewall, and since there are no static NAT type configurations at the moment, it's not logging any denied traffic?
I would really like to see and log even the scanning traffic coming from the Internet, and I am wondering what I need to do to make it visible.
Hi, I'm not sure what you want to achieve, but consider this:
- Firewall policies are for traffic passing through the FortiGate unit, and if logged, the records will be in the Forward Traffic log.
- The Local Traffic log contains logs of traffic originating from the FortiGate, generated locally so to speak. Any restrictions on this kind of traffic are not handled by normal firewall policies, but by local-in policies for ingress into the FortiGate (where traffic does not pass through but terminates on the FortiGate, like DHCP requests where the FortiGate is the DHCP server) and by service configurations for egress from the FortiGate. So have a look at 'config firewall local-in-policy'.
What I am after is getting the FortiGate to log all the traffic that is destined to any of its interfaces (but mostly the external interfaces) and blocked/denied/dropped.
At the moment I am receiving such logs from pretty much all the interfaces except the WAN interfaces, which seems very odd, as basically as soon as you connect a device to the Internet you would see scanning traffic.
I first ran into this problem when I was deploying my first FortiGate 600E HA pair. As the device did not have an internal HD/SSD, I had to modify the log configuration through the CLI to see these, and it was no problem after that. However, my FortiWiFi 61F does not seem to show the WAN interface blocked connections at all, even though I have modified the configuration as shown above in my original post. I am just wondering what I am missing configuration-wise?
I have 4G, 5G and ADSL connections at home, and each of them has a public IP address. (4G and ADSL have a static public IP address; 5G will have one a bit later.) So each of these Internet-facing interfaces should have constant scanning traffic reaching them and being blocked. I would like to get logs of this traffic as well.
I assume I do not have to modify any rules, as I did not in the case of the 600E devices. But if there are some settings under the actual local-in-policy configuration that affect the logging, then I will have a look at them and report back to this post.
- you enabled `local-in-deny-unicast` in the log settings
- you aren't accidentally hitting a port that is actually open and expected to process traffic
- the packet actually makes it across and reaches your FortiGate (you mentioned you have the FortiGate at home; there's always a chance that a residential ISP is filtering inbound traffic)
... you should be able to see the denied traffic, inbound to your WAN interface, in both the debug flow, and in the local traffic logs.
For verification, pick a random port and run debug flow for it:
diag debug reset
diag debug flow filter clear
diag debug flow filter port 8721 # try to pick a port not used by anything, to minimize "noise" in the debug
diag debug enable
diag debug flow trace start 3 # show only the first three packets matching the filter
Once this is done, run a telnet command, or any other tool of your choice, to probe the same port. You should see the packet processed, and denied, in the debug flow output. Example:
id=20085 trace_id=313 func=print_pkt_detail line=5727 msg="vd-root:0 received a packet(proto=6, <source-ip>:1109-><your-public-ip>:8721) from <WAN-interface>. flag [S], seq 2476414885, ack 0, win 64240"
id=20085 trace_id=313 func=init_ip_session_common line=5898 msg="allocate a new session-00787e44"
id=20085 trace_id=313 func=vf_ip_route_input_common line=2621 msg="find a route: flag=80000000 gw-<wan-ip> via root"
id=20085 trace_id=313 func=fw_local_in_handler line=435 msg="iprope_in_check() check failed on policy 0, drop"
The local traffic log should also contain a matching entry, like so:
The first command is set to enabled, and what I am expecting to see is at least some scanning from the Internet using multiple different ports. There are going to be a lot of ports scanned that do not match any service the FW might be running. I have used both Cisco and Palo Alto firewalls and just replaced my home devices with some Fortinet FW/AP/SW to practice, but Cisco/PA handled this kind of logging a bit more clearly.
There should also be no limitations from the ISP, as I work at the ISP that is providing me with the connections :)
I will use the commands you provided to debug the situation and generate traffic to the interfaces when I have time, and get back to you. Thank you for the tips so far!
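The verification procedure in the reply above (filter `diag debug flow` on one unused port, probe it, read the trace) produces three distinguishable outcomes that map onto the three conditions listed there: no trace for the port at all (the packet never reached the FortiGate, so look upstream), a trace ending in `fw_local_in_handler ... drop` (the packet arrived and was denied by local-in policy 0, so a Local Traffic log entry is expected if `local-in-deny-unicast` logging is on), or a trace with no drop line (the port is open, or the trace was cut short by the packet limit). The following is an added example, not code from the thread or from Fortinet: a small Python parser that groups pasted debug-flow output by `trace_id`, extracts the 5-tuple and ingress interface, and classifies a probe against a chosen port. The sample trace is constructed from the lines quoted in the reply, with the `<source-ip>`, `<your-public-ip>` and `<WAN-interface>` placeholders replaced by assumed values (198.51.100.23, 203.0.113.10, wan1); the second, unfinished trace on port 443 is also constructed.

```python
import re
from collections import OrderedDict

# Constructed sample of `diag debug flow trace` output, modelled on the lines
# quoted in the reply. Addresses and the interface name are assumed values;
# trace 314 is a constructed, unfinished trace used to show the "no verdict" case.
SAMPLE_TRACE = """\
id=20085 trace_id=313 func=print_pkt_detail line=5727 msg="vd-root:0 received a packet(proto=6, 198.51.100.23:1109->203.0.113.10:8721) from wan1. flag [S], seq 2476414885, ack 0, win 64240"
id=20085 trace_id=313 func=init_ip_session_common line=5898 msg="allocate a new session-00787e44"
id=20085 trace_id=313 func=vf_ip_route_input_common line=2621 msg="find a route: flag=80000000 gw-203.0.113.10 via root"
id=20085 trace_id=313 func=fw_local_in_handler line=435 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=314 func=print_pkt_detail line=5727 msg="vd-root:0 received a packet(proto=6, 198.51.100.23:1110->203.0.113.10:443) from wan1. flag [S], seq 1, ack 0, win 64240"
id=20085 trace_id=314 func=init_ip_session_common line=5898 msg="allocate a new session-00787e45"
id=20085 trace_id=314 func=vf_ip_route_input_common line=2621 msg="find a route: flag=80000000 gw-203.0.113.10 via root"
"""

# One debug-flow line: id=... trace_id=... func=... line=... msg="..."
LINE_RE = re.compile(
    r'^id=(?P<id>\d+) trace_id=(?P<trace>\d+) func=(?P<func>\S+) '
    r'line=(?P<line>\d+) msg="(?P<msg>.*)"$'
)
# The packet detail message: proto, src:sport->dst:dport and ingress interface.
PKT_RE = re.compile(
    r'received a packet\(proto=(?P<proto>\d+), '
    r'(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)\) '
    r'from (?P<iface>\S+)\.'
)
# The local-in verdict message quoted in the reply.
DROP_RE = re.compile(r'check failed on policy (?P<policy>\d+), drop')


def parse_lines(text):
    """Parse raw debug-flow text into dicts; lines that do not match are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entry = m.groupdict()
            entry["trace"] = int(entry["trace"])
            entries.append(entry)
    return entries


def summarize_trace(text):
    """Group lines by trace_id; record the packet 5-tuple and any local-in drop verdict."""
    traces = OrderedDict()
    for entry in parse_lines(text):
        t = traces.setdefault(
            entry["trace"],
            {"packet": None, "verdict": "no_verdict", "policy": None, "funcs": []},
        )
        t["funcs"].append(entry["func"])
        pm = PKT_RE.search(entry["msg"])
        if pm:
            pkt = pm.groupdict()
            for key in ("proto", "sport", "dport"):
                pkt[key] = int(pkt[key])
            t["packet"] = pkt
        dm = DROP_RE.search(entry["msg"])
        if dm and entry["func"] == "fw_local_in_handler":
            t["verdict"] = "drop"
            t["policy"] = int(dm.group("policy"))
    return traces


def check_probe(text, dport, iface=None):
    """Classify a probe against dport (optionally restricted to one ingress interface).

    not_seen   - no trace for that port: the packet never reached the FortiGate,
                 so check the upstream device or ISP before the logging config.
    dropped    - a trace ended in a local-in drop: expect a Local Traffic log entry
                 if local-in-deny-unicast logging is enabled.
    no_verdict - the packet arrived but no drop line was recorded: the port may be
                 open, or the trace was cut off by the packet limit given to
                 `diag debug flow trace start`.
    """
    matched = [
        t for t in summarize_trace(text).values()
        if t["packet"] and t["packet"]["dport"] == dport
        and (iface is None or t["packet"]["iface"] == iface)
    ]
    if not matched:
        return "not_seen"
    if any(t["verdict"] == "drop" for t in matched):
        return "dropped"
    return "no_verdict"


if __name__ == "__main__":
    for trace_id, t in summarize_trace(SAMPLE_TRACE).items():
        p = t["packet"]
        print(f"trace {trace_id}: {p['src']}:{p['sport']} -> {p['dst']}:{p['dport']} "
              f"via {p['iface']} verdict={t['verdict']} policy={t['policy']}")
    for port in (8721, 443, 9999):
        print(f"probe on port {port}: {check_probe(SAMPLE_TRACE, port, iface='wan1')}")
```

In practice, paste the output of `diag debug flow trace start` into `SAMPLE_TRACE` (or read it from a file) and call `check_probe` with the port you probed and the WAN interface you expect; a `dropped` result with no corresponding Local Traffic entry narrows the problem to the logging configuration rather than the path to the firewall.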