- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- What is Policy ID 0 and why lot of denied traffic ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What is Policy ID 0 and why lot of denied traffic on this policy?
Hi All,
I have a problem with Policy ID 0, which is blocking certain broadcast traffic which is generating huge size of logs.
I googled and found the following command could stop this traffic:
config log setting set local-in-deny-broadcast {enable | disable} set local-in-deny-unicast {enable | disable} end But my question is, why is it generating this much of deny logs ? how to identify the origin of this ? Please help me ... Firewall version: 5.0.7 Thanks a trillion in advance !!! Regards, Sridhar Sre
Warmest Regards,
Sri Sre
Warmest Regards, Sri Sre
Labels:
- Labels:
-
5.0
10 REPLIES 10
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
> why is it generating this much of deny logs ? how to identify the origin of this ?
Look at the logs - they will tell you origin and destination.
I had similar problem, but not "huge size of logs". Destination was a (EIGRP) multicast address and it was received on a transparent mode VDOM that was also a management VDOM.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can try to use
config system settings
set ses-denied-traffic enable
end
to reduce the number of logs for denied traffic
Regards,
Sylvia
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Alex,
thanks for the reply,
these logs are due to policy ID 0 and would like to stop log this traffic, how to do that ?
Thanks in advance !!!
Warmest Regards,
Sri Sre
Warmest Regards, Sri Sre
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is the Policy ID 0 represents "implicit rule" of the firewall ?
If that is the case, I get accept log too through this policy ID 0 :(
Warmest Regards,
Sri Sre
Warmest Regards, Sri Sre
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
"policy 0" is the last, implicit DENY ALL policy which is triggered if no other policy created by the admin matches the traffic. As with broadcasts, the FGT will drop broadcast traffic by default; what you see are these events.
Please follow your own suggestion and configure
config log settingand post back if that reduces your logging volume.
set local-in-deny-broadcast {enable | disable}
set local-in-deny-unicast {enable | disable}
end
You can as well find the source of these broadcasts and try to reduce these.
@Sylvia's suggestion
config system settingsonly influences the session table. I don't think that including denied sessions will help you finding the reason for it but you might give it a try. The default is 'disable' and you should set it to 'disable' once you are done debugging.
set ses-denied-traffic enable
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Ede,
Thanks for the response. but I still get accept / closed / update in the status, after I apply "set local-in-deny disable".
I have following settings:
ROCKOne (setting) # get brief-traffic-format: disable daemon-log : disable fwpolicy-implicit-log: disable (in some of the firewalls it is enabled, if I disable it, will this stop all the deny logging for implicit rule) fwpolicy6-implicit-log: disable gui-location : disk local-in-allow : enable local-in-deny : disable local-out : disable log-invalid-packet : disable log-user-in-upper : disable neighbor-event : disable resolve-apps : enable resolve-hosts : enable resolve-ip : disable resolve-port : enable user-anonymize : disable
What would be the out come of the following:
fwpolicy-implicit-log: disable
local-in-deny : disable
Will this log any traffic? or stop all the logs of the implicit rule ?
I do not have option " broadcast " to disable it
I'm so confused :('
Thanks in advance !!!
Warmest Regards,
Sri Sre
Warmest Regards, Sri Sre
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
'local-in-deny' set to 'disable' will prevent logging of denied traffic directed to the FGT itself.
Detailed settings for logging changed from version to version so some options might not be available on your FGT.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
If you see accept/close on policy ID 0 it seems to me that the traffic is targeted to the firewall's IP address.
You have a local allowed traffic enabled for logging:
local-in-allow : enable
Try to disable it whether it helps.
AtiT
AtiT
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dear All,
Thanks a lot for your responses. Could you please help me with the below one ?
fwpolicy-implicit-log: disable (in some of the firewalls it is enabled, if I disable it, will this stop all the deny logging for implicit rule)
Which status it should be: disable or enable ?
Thanks in advance !!!
Warmest Regards,
Sri Sre
Warmest Regards, Sri Sre
Related Posts
- Allow policy for dynamic remote IP 98 Views
- How to enable a "Log violation... 366 Views
- IPsec phase1 negotiation failes due to... 151 Views
- Fortiproxy - how exactly is traffic... 75 Views
- are excessive tcp reset errors related... 201 Views
Labels
-
FortiGate
6,655 -
FortiClient
1,327 -
5.2
801 -
5.4
639 -
FortiManager
576 -
FortiAnalyzer
421 -
6.0
416 -
5.6
362 -
FortiSwitch
342 -
FortiAP
339 -
FortiClient EMS
271 -
FortiMail
252 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
158 -
6.4
128 -
FortiNAC
109 -
FortiGuard
106 -
FortiSIEM
91 -
FortiGateCloud
87 -
FortiCloud Products
85 -
IPsec
76 -
FortiToken
73 -
Customer Service
70 -
SSL-VPN
65 -
4.0MR3
64 -
Wireless Controller
58 -
FortiProxy
46 -
FortiADC
44 -
Fortivoice
41 -
FortiEDR
40 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
33 -
FortiSandbox
31 -
FortiSwitch v6.4
29 -
Firewall policy
29 -
SD-WAN
29 -
FortiConnect
24 -
High Availability
23 -
FortiWAN
22 -
VLAN
21 -
FortiConverter
21 -
FortiAuthenticator
20 -
ZTNA
19 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
SAML
14 -
Certificate
14 -
BGP
13 -
DNS
13 -
FortiGate v5.0
13 -
Interface
13 -
FortiDDoS
13 -
Logging
13 -
Routing
12 -
FortiCASB
12 -
LDAP
11 -
VDOM
11 -
fortilink
10 -
Virtual IP
10 -
FortiRecorder
10 -
RADIUS
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
SSL SSH inspection
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
Application control
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
Authentication
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SNMP
6 -
SSO
6 -
Traffic shaping policy
5 -
Web application firewall profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
Proxy policy
4 -
packet capture
4 -
Automation
4 -
WAN optimization
4 -
DNS Filter
4 -
Web profile
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Port policy
4 -
IPS signature
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
DoS policy
3 -
Intrusion prevention
3 -
FortiDB
3 -
FortiDeceptor
2 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Antivirus profile
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Email filter profile
2 -
Netflow
2 -
trunk
2 -
4.0MR1
1 -
Users
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Web rating
1 -
Internet Service Database
1 -
Fabric connector
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1 -
Protocol option
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.