Have to toss it back and forth with the folks here and think about what this will do in terms of log load. I have implicit deny logging enabled, but for whatever reason, when I use a VIP with port forwarding it seems to no longer log the denied traffic that had a destination IP of the firewall interface. This is valuable in providing a quick snapshot to determine if you need to dig deeper into the traffic that is hitting this policy. The second policy is supposed to act as an implicit deny for all other traffic attempting to authenticate with our IPsec VPN. My question is whether or not the actual "Policy ID 0" is the implicit deny rule and, if it is, why am I seeing logs from it, because I shouldn't as far as I can tell. How to identify the origin of this?

To allow any traffic through FortiGate on any port, configure the IPv4 policy with 'action' set to 'Accept/Permit'. I think we're headed in the right direction! Optional: You can create a deny policy and log traffic. Deny security policies deny traffic that is coming into the network.
There is a disparity in the effectiveness of deny policies.

That would just about wreck the logs/SIEM server if that were the case, though, so pros and cons for sure.

In this case I noticed this while setting up a proof of concept for a SIEM solution (the Fortinet one). Oftentimes this is a good way to find custom ports or protocols that may have been overlooked as part of the implementation process and could have been causing your users heartache. This is true for any traffic allowed through your firewall and out to the internet, but it is even more true when it comes to denied traffic.

A Firewall Policy with action = DENY is, however, needed when it is required to log the denied traffic, also called "violation traffic".
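An added configuration example (not from the original page or from Fortinet's documentation) showing the two places this logging is controlled on a FortiGate: an explicit catch-all deny policy placed last so that denials are logged as violation traffic, and the log settings that govern the built-in implicit deny and local-in traffic (packets addressed to a FortiGate interface itself, such as VPN authentication attempts). The interface names wan1 and internal are assumed.

```fortios
# Added example, not from the original page. Interface names "wan1" and
# "internal" are assumptions; adjust them to the actual topology.

# 1. Explicit catch-all deny that logs violation traffic. It must be ordered
#    LAST among the wan1 -> internal policies so it only matches traffic that
#    every earlier policy has already declined; anything placed after it is
#    unreachable.
config firewall policy
    edit 0
        set name "Deny-Log-All-Inbound"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set comments "Catch-all deny, logged for SIEM visibility"
    next
end

# 2. Logging of the built-in implicit deny (policy ID 0) and of local-in
#    traffic. Traffic whose destination is a FortiGate interface address is
#    handled by local-in policies, not by ordinary firewall policies, so its
#    denials are logged by these switches rather than by the policy above.
#    Enabling local-in-deny-broadcast can add considerable log volume on
#    noisy segments, which bears on the log-load concern raised in the thread.
config log setting
    set fwpolicy-implicit-log enable
    set local-in-deny-unicast enable
    set local-in-deny-broadcast enable
end
```

When checking why denied traffic to a firewall interface is missing from the logs, compare the local-in settings in the second block against what the policy-table implicit deny is expected to cover.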

0515255 was my bug report. See related articles for more information about Firewall Policies. By default, this

In my experience, only in special cases is one interested in seeing denied traffic, mostly while troubleshooting.

It's as if there is no implicit deny for these local-in policies or something.

Does Policy ID 0 represent the "implicit rule" of the firewall?

I'm not seeing how these IP addresses could try to authenticate when I specified a small group of public IP addresses that are allowed.

Hey everyone, hoping you can clarify something for me. ... On our production 500E FortiGate with 6.0.10 firmware in HA there are plenty of FW rules which have 0 hit counts and 0 bytes shown.