FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Not applicable
Article Id 195043
Article
Description FortiGate units create a firewall policy of 0 (zero) which can appear in the logs.
Components
  • All FortiGate units.
Steps or Commands

When viewing the FortiGate logs, you may find an entry indicating policyid="0". For example:

2008-10-06 00:13:49 log_id=0022013001 type=traffic subtype=violation pri=warning vd=root SN=179089 duration=0 user=N/A group=N/A rule=0 policyid=0 proto=17 service=137/udp app_type=N/A status=deny src=10.181.77.73 srcname=10.181.77.73 dst=10.128.1.161 dstname=10.128.1.161 src_int=N/A dst_int="Internal" sent=0 rcvd=0 src_port=137 dst_port=137 vpn=N/A tran_ip=0.0.0.0 tran_port=0

Any firewall policy that is automatically added by the FortiGate unit has a policy ID number of 0.

The following are the most commonly created by the FortiGate unit

  • The (IPsec) policy for FortiAnalyzer (and FortiManager v3.00) that is automatically added when an IPsec connection to the FortiAnalyzer unit (or FortiManager v 3.00) is enabled has a policy ID number of 0.
  • The policy to allow FortiGuard servers to be automatically added has a policy ID number of 0.
  • When loglocaldeny command is enabled (global setting), connection attempt to FortiGate IP addresses (as well as network broadcast  address since FortiOS  is listening on) not allowed will be dropped with violation and reported by policy ID0 (see sample log above)
  • When Network Zone is defined within a Vdom, intra-zone traffic being set to Allow or Block will be managed by a policy ID 0, if not previously being processed by a regular policy.
  • The (default) drop rule that is the last rule in the policy and that is automatically added has a policy ID number of 0.
  • ipmac binding is enabled on a specific interface. All IP entries not declared in the firewall ipmacbinding table will be rejected by policy ID 0. Refer to Related Articles section below for more information.

Related Articles

Troubleshooting Tip : Message msg="HWaddr-xx:xx:xx:xx:xx:xx is in black list, drop" in a "diagnose...

Troubleshooting Tip : debug flow messages "iprope_in_check() check failed, drop" - "Denied by forwar...