Log Your Denied Traffic – A Simple Step For Added Network Visibility

Beyond network security, one of the main goals of a Next-Generation Firewall (NGFW) is to provide visibility into your network. The more visibility you have, the more you can do with the information you are able to see. This is true for any traffic allowed through your firewall and out to the internet, but this is even more true when it comes to denied traffic.

By default, Fortinet’s FortiGate firewalls are set up to implicitly deny any traffic that does not match any other firewall policies. So, once you build out all your IPv4 policies explicitly allowing the specific traffic you need to traverse the firewall, everything else is inherently blocked. This is why we recommend locking down your firewall policies as tightly as possible. This includes limiting source and destination addresses, as well as ports and protocols. Beyond that, we also recommend applying UTM security profiles to any policies that will be beneficial. We like to enable full logging on every policy so we can get as much log data as possible. We certainly understand this can cause a large number of logs and your logging platform can get overwhelmed, so ensure that you have enough logging capability to maximize your logging wherever possible.

Implicit Deny Policy

Now that all your policies are in place with logging enabled, you should be able to see all denied traffic, right? Well, there is one additional step you need to complete in order to know what is happening throughout the network: enable logging on that implicit deny policy.

How to enable logging on that implicit deny policy

Below your list of IPv4 firewall policies is the Implicit Deny policy that is in place on all FortiGate firewalls. By default, this policy is not set to log traffic that is blocked by the firewall. You will still see blocked traffic that may be hitting one of your UTM security profiles, but if there is any traffic traversing your firewall that is not explicitly allowed through an existing IPv4 policy, you will not see it unless you log this Implicit Deny policy.

To do this, all you need to do is edit the Implicit Deny IPv4 policy, check the ‘Log Violation Traffic’ radio button, and then click OK. This is a simple step, but really provides a lot of benefits when you are reviewing your logs. Now, anytime you look at the Forward Traffic Logs on your FortiGate or in your FortiAnalyzer, you can search for “Policy ID = 0” and see all of the traffic that is hitting the firewall and being blocked.

IPv4 Policy

If you are running FortiOS 6.0.X, you can now see if this policy has recently had any traffic. Over on the right side of the ‘Edit Policy’ page, you can now see when this policy was last used, the hit count, currently active sessions, total bytes, and current bandwidth specific to this Policy (ID=0). This is valuable in providing a quick snapshot to determine if you need to dig deeper into the traffic that is hitting this policy.

Things to keep in mind

It is worth noting that we have seen this checkbox get disabled when upgrading the firmware on some FortiGate devices from FortiOS 5.6.X to FortiOS 6.0.X. This has been somewhat inconsistent, but it is always good to validate that this traffic is logged each time you upgrade the firmware on your firewall.

Once you are able to see any denied traffic, you can then determine if the traffic is valid and needs to be allowed through the firewall, or if it is potentially malicious traffic that should remain blocked. Oftentimes this is a good way to find custom ports or protocols that may have been overlooked as a part of the implementation process and could have been causing your users heartache.

That is all there is to it. Enabling logging on the Implicit Deny firewall policy is a simple but effective way to add visibility into your firewall and into your network as a whole.