What to do with Threat 131072

smxko · ‎12-02-2024

Hi,

please refer to the screenshots - why is the FortiGate blocking legit HTTPS and HTTP traffic? The policy and the corresponding SDWAN rule should alllow everything. It just doesn't make any sense and the provided article is not helpful at all.

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Threat-131072-is-seen-in-logs-when-t...

AEK · ‎12-02-2024

Hello

Please double-click on one log entry then share the shown details.

AEK

DPadula · ‎12-02-2024

Hi smxko,

Added the column 'Threat Score' to confirm if it is populated with value 30.

I suggest you to run the commands below to understand why the traffic is being blocked.

diagnose debug reset

diagnose debug disable

diagnose debug console timestamp enable

diagnose debug flow filter clear

diagnose debug flow filter proto 6

diagnose debug flow filter addr x.x.x.x

diagnose debug flow filter port 443

diagnose debug flow show function-name enable

diagnose debug enable

diagnose debug flow trace start 500

### To disable the debug

diagnose debug disable

Post the output here.

dingjerry_FTNT · ‎12-02-2024

Hi @smxko ,

Like what the KB article you referred to said, it is actually just traffic being blocked by the firewall policy.

Could you please share the FGT config and one raw log message with this issue?

Meanwhile, the debug flow outputs will help us more as well.

Regards,

Jerry

smxko · ‎12-02-2024

I found it - it's violation traffic that is logged when a user is connected but did not accept the disclaimer through the voucher portal. Took some time to put put one and one together :D But thanks for your quick help!

sjoshi · ‎12-03-2024

Hi,

config log threat-weight
set blocked-connection high >> see what you have set here..can you change it to other value other than high and see
end

Let us know if this helps.
Salon Raj Joshi

What to do with Threat 131072

Nominate a Forum Post for Knowledge Article Creation