FortiGate
bthomaj
Staff
Article Id 197227

Description

This article describes how to log session or connection attempts to a FortiGate interface that are denied. By default, such denied sessions are not logged; the settings below enable logging of this traffic.


Scope

FortiOS 2.80, 3.x, 4.x, 5.x.


Solution

FortiOS 2.8, 3.x.

1. Enable logging of the denied traffic.

Fortigate # config sys global
(global)# set loglocaldeny enable
(global)# end

It is then possible to check with 'get sys global' whether loglocaldeny is enabled.

2. Create a deny policy from external to internal and check the logs.

FortiOS 4.x.

Fortigate # config system global
(global)# set fwpolicy-implicit-log enable
(global)# set loglocaldeny enable
(global)# end

This will log traffic denied by the implicit deny policy.

Optional: it is also possible to create an explicit deny policy and log its traffic.

FortiOS 5.x.

Fortigate # config log setting
(setting)# set fwpolicy-implicit-log enable
(setting)# end

This will log traffic denied by the implicit deny policy.

Optional: it is also possible to create an explicit deny policy and log its traffic.

To do so, create a policy with Action DENY. A deny policy blocks the matching communication sessions, and logging of the denied traffic can optionally be enabled on it. If no security policy matches the traffic, the packets are dropped by the implicit deny. An explicit DENY security policy is needed when the denied traffic, also called 'violation traffic', must be logged.

Other settings to consider (these log denied unicast and broadcast traffic addressed to the FortiGate interface itself):

Fortigate # config log setting
(setting)# set local-in-deny-unicast enable
(setting)# set local-in-deny-broadcast enable
(setting)# end
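The complete FortiOS 5.x sequence described above, as an added example that is not part of the original article: it enables logging of traffic dropped by the implicit deny and by local-in deny, adds an explicit deny policy from the external to the internal interface with logging of the violation traffic, and then reads the settings and the resulting logs back. The interface names wan1 and internal and the policy ID 99 are assumptions; substitute the values of the unit being configured.

```fortios
# Added example (not from the original article). The interface names
# wan1/internal and the policy ID 99 are assumed placeholders.

# 1. Log traffic dropped by the implicit deny policy and by local-in deny
#    (sessions destined to the FortiGate interface itself).
config log setting
    set fwpolicy-implicit-log enable
    set local-in-deny-unicast enable
    set local-in-deny-broadcast enable
end

# 2. Optional explicit deny policy from external to internal that logs the
#    denied (violation) traffic. It must sit above any permissive policy
#    covering the same traffic, otherwise it is never matched.
config firewall policy
    edit 99
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# 3. Verify the settings and read back the traffic logs (category 0 = traffic).
show log setting
show firewall policy 99
execute log filter category 0
execute log display
```

Denied traffic logged by the implicit policy appears with policy ID 0, while traffic matched by the explicit policy carries ID 99, which makes the two sources easy to tell apart when filtering the log output.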
 
GUI: the equivalent options are available on the Log Settings page (screenshot 'logs settings.PNG' not reproduced here).

Related Article:

How to configure the logging of Denied Traffic to a FortiGate interface