2012-11-11 15:28:40 log_id=0038000007 type=traffic subtype=other pri=warning status=deny vd=" root" src=172.19.0.11 srcname=172.19.0.11 src_port=49374 dst=172.16.10.12 dstname=172.16.10.12 dst_country=" Reserved" src_country=" Reserved" dst_port=139 service=SAMBA proto=6 app_type=N/A duration=19 rule=2 policyid=2 identidx=0 sent=0 rcvd=0 shaper_drop_sent=0 shaper_drop_rcvd=0 perip_drop=0 shaper_sent_name=" N/A" shaper_rcvd_name=" N/A" perip_name=" N/A" vpn=" N/A" vpn_type=UNKNOWN(65535) vpn_tunnel=" N/A" src_int=" port1" dst_int=" wan1" SN=1343653 app=" N/A" app_cat=" N/A" user=" N/A" group=" N/A" msg=" org dir, ack in state syn_sent, drop" carrier_ep=" N/A" profilegroup=" N/A" subapp=" N/A" subappcat=" N/A"looks pretty OK. This is traffic aimed at the remote network behind a VPN tunnel when the tunnel is down. Instead of the tunnel interface traffic is routed to the wan1 interface via the default route. If you don' t want this to happen you can install ' black hole routes' for all RFC1918 private address spaces. You' ll find a post about this in the forums. Now, there' s the other type of error like this one:
2012-11-11 15:26:40 log_id=0038000007 type=traffic subtype=other pri=warning status=deny vd=" root" src=172.19.0.11 srcname=172.19.0.11 src_port=49362 dst=172.16.10.12 dstname=172.16.10.12 dst_country=" Reserved" src_country=" Reserved" dst_port=139 service=SAMBA proto=6 app_type=N/A duration=0 rule=0 policyid=0 identidx=0 sent=0 rcvd=0 shaper_drop_sent=0 shaper_drop_rcvd=0 perip_drop=0 shaper_sent_name=" N/A" shaper_rcvd_name=" N/A" perip_name=" N/A" vpn=" N/A" vpn_type=UNKNOWN(65535) vpn_tunnel=" N/A" src_int=" port1" dst_int=" N/A" SN=0 app=" N/A" app_cat=" N/A" user=" N/A" group=" N/A" msg=" no session matched" carrier_ep=" N/A" profilegroup=" N/A" subapp=" N/A" subappcat=" N/A"where I suspect that the traffic is a broadcast, not addressing any specific target address so the FGT doesn' t know where to route it. The SAMBA service led me to this conclusion. As such, this event is to be expected. There is a CLI only parameter in the interface setup which allows/denies netbios broadcast traffic:
config sys interface ... set netbios-forward enable/disable endYou may experiment with it to see if you get less logs. Coming to logging. I remember a logging command enabling logs for denied traffic to the FGT which is rarely used...I found it:
config sys global set fwpolicy-implicit-log enable set fwpolicy6-implicit-log disable set loglocaldeny disableI would set ' loglocaldeny' to disable first, before starting to fiddle with the netbios setting. HTH
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.