Question Fortigate not showing Deny logs

[Sozo]

Howdy all,

(Posted on Spiceworks as well)

I am trying to view Deny traffic logs on a Fortigate 30E
(FortiGate 30Ev6.2.15 build1378 (GA)
and they are not showing up.
Via the CLI - log severity level set to Warning
Local logging

Here is the details:
CMB-FL01 # show full-configuration log memory filter
config log memory filter
set severity warning
set forward-traffic enable
set local-traffic enable
set multicast-traffic enable
set sniffer-traffic enable
set anomaly enable
set voip enable
set filter ‘’
set filter-type include

The Fortigate is getting hammered, with alerts coming in thusly: (Sanitized)

Message meets Alert condition
date=2024-11-14 time=15:04:05 devname=CMB-FL01 devid=FGT30E5777885133 logid=“0000000013” type=“traffic” subtype=“forward” level=“notice” vd=“root” eventtime=1731621845329636171 tz=“-0700” srcip=194.264.22.254 srcport=56676 srcintf=“wan” srcintfrole=“wan” dstip=93.22.3.19 dstport=10443 dstintf=“lan” dstintfrole=“lan” sessionid=3808968 proto=6 action=“deny” policyid=0 policytype=“policy” service=“tcp/10443” dstcountry=“Canada” srccountry=“Canada” trandisp=“dnat” tranip=195.137.0.254 tranport=443 duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat=“unscanned” crscore=30 craction=131072 crlevel=“high”

Implicit Deny policy in place - set to log violation Traffic:


Firewall11209×756 28 KB


However I can find no deny logs:


Firewall21898×879 30.2 KB


Nor can I see the Implicit Deny object when trying to search logs by Policy:


firewall5509×648 86.5 KB





Firewall41914×841 40.3 KB


I don’t know if I am missing something obvious, or have configured something incorrectly.
If anyone has any advice it would be appreciated!
Thanks to any takers.
Sozo

 

[Ralston18]

No answer per se (full disclosure).

However, I am wondering about the posted Edit Policy window:

Exactly what is meant by "Accept" and "Deny"?

Deny is "green" but also has a crossed circle icon meaning that deny is not invoked but the green checked ACCEPT is.... ??? And the requirement is to view Denied traffic - correct?

Also why are there no entries for Incoming Interface, Outgoing Interface, and Source?

I see "any" and "all" but no check boxes and those configuration options appear "greyed out" - may be just the window or image?

What are the "drop down" choices that would be seen by clicking the downward pointing triangles?

When choices were made, if they were, is it certain that those choices were accepted and saved via the green OK button?

Very far out of my comfort zones, etc. but no harm in wondering and asking.

 

[Sozo]

Hi Ralston18,
The 'Accept' and 'Deny' are the options in the policy, to decide whether to allow or deny the traffic access, as it is the 'Deny' policy, Deny is selected.
The checkmark vs crossed circle icons are static, signifying the action taken by the word before it. I know, a little misleading/superfluous if you don't have that tidbit
As for the entries, they are greyed out as I was viewing, not editing the policy, if editing you can choose or create the entry as needed.
The policy is old, saved long ago

In the end it seems the appliance is malfunctioning, it should be collecting the logs it just isn't lol. It's End of life anyway.