FortiGate
naveenk
Staff
Article Id 194602

Description

This article describes how to generate logs for denied traffic. When testing firewall functionality, whether traffic is hitting the implicit deny policy or an allow policy, logging of denied sessions is needed to verify it.
However, FortiGate does not generate deny logs by default.

Solution

As mentioned in the description, while testing firewall functionality for the implicit deny policy or an allow policy, deny logs are needed to confirm that traffic is hitting the intended policy. In other words, they confirm that FortiGate is blocking the traffic that should not be allowed.

However, by default FortiGate does not log denied traffic, in particular traffic matching the 'Implicit deny policy'. This is done to conserve logging space: in most network deployments a considerable share of traffic matches the implicit deny policy, and logging all of it would produce a very large volume of deny logs.
Sometimes, though, it is necessary to see information about the denied traffic.

To enable it, edit the 'Implicit deny policy' and turn on 'Log IPv4 Violation Traffic'.

Then select the 'Implicit deny policy' and choose 'show matched logs' to view the denied sessions.
From the CLI, the same can be achieved with:

# config log setting
    set fwpolicy-implicit-log enable
end
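Once implicit-deny logging is on, the traffic log is where the verification happens. The following is an added example (not from this article or from Fortinet): a small Python parser for FortiGate's key=value traffic-log lines that groups denied sessions by policy ID, treating policyid 0 as the implicit deny policy. The log lines are constructed samples, and the field names type, action, policyid, dstip and dstport are assumed to match the standard traffic-log fields.

```python
import re
from collections import Counter

# Constructed sample traffic-log lines (made-up values, standard field names).
SAMPLE_LOGS = """\
date=2024-01-15 time=10:01:02 type="traffic" subtype="forward" srcip=10.1.1.5 srcport=51000 dstip=203.0.113.10 dstport=23 policyid=0 action="deny" msg="Traffic denied because of policy"
date=2024-01-15 time=10:01:03 type="traffic" subtype="forward" srcip=10.1.1.5 srcport=51001 dstip=203.0.113.10 dstport=443 policyid=2 action="accept"
date=2024-01-15 time=10:01:04 type="traffic" subtype="forward" srcip=10.1.1.7 srcport=51002 dstip=203.0.113.11 dstport=23 policyid=0 action="deny" msg="Traffic denied because of policy"
date=2024-01-15 time=10:01:05 type="traffic" subtype="forward" srcip=10.1.1.9 srcport=51003 dstip=203.0.113.12 dstport=445 policyid=5 action="deny"
"""

# key=value pairs: the value is a double-quoted string (may contain spaces) or a bare token
PAIR_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict, stripping quotes around quoted values."""
    fields = {}
    for key, raw in PAIR_RE.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def denied_by_policy(text):
    """Map policy ID -> Counter of (dstip, dstport) for denied sessions; ID 0 is the implicit deny policy."""
    by_policy = {}
    for line in filter(str.strip, text.splitlines()):
        entry = parse_line(line)
        if entry.get("type") != "traffic" or entry.get("action") != "deny":
            continue
        pid = int(entry["policyid"])
        by_policy.setdefault(pid, Counter())[(entry["dstip"], entry["dstport"])] += 1
    return by_policy


def implicit_deny_summary(text):
    """Return (implicit-deny session count, most-hit (dstip, dstport)) or (0, None)."""
    hits = denied_by_policy(text).get(0)
    if not hits:
        return 0, None
    top, _ = hits.most_common(1)[0]
    return sum(hits.values()), top


if __name__ == "__main__":
    for pid, ctr in sorted(denied_by_policy(SAMPLE_LOGS).items()):
        print("implicit deny" if pid == 0 else f"policy {pid}", dict(ctr))
```

If no policyid 0 entries appear at all while the test traffic is clearly being dropped, fwpolicy-implicit-log is still disabled or the log filter excludes violation traffic.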