Fortigate Logging: Prevent Ping to Firewall Interface While Logging Implicitly Denied Traffic

firewallfortigatefortinetlogging

Is there a way to configure a fortinet firewall (e.g, fortigate600 running FortiOS 5 or FortiOS 4) so it do not generate log entries for pings that are directed to the firewall's own interfaces but still do generate log entries for implicitly denied traffic?

In both cases, the log entries specifies the policy with id '0' as the policy generating the log message.

In the case of successful pings, 'status' is set to 'accept' in the log and the VDOM name is set as the 'dstintf'.

I have tried to create firewall rules that match the ping traffic directed to local firewall interfaces, with the intent to explicitly disable logging, but I failed to come up with a rule that manage to match the traffic. Also, there is the option to disable the logging for implicit rule 0 (the implicit 'deny' rule at the bottom of the policy) but that also disables the logging of denied traffic, which is not what I want.

Pinging firewall interfaces (for determining that the firewall interface is available) is relied upon in certain situations and can not always be designed away. (E.g is some setups using load balancers). Also, being able to configure network equipment to avoid unwanted logging messages from being generated is always desirable, to keep down the amount of "noise" that is sent to external logging servers (Splunk etc), and in our case, logs about those 'heartbeat pings' is just considered noise.

Best Answer

For Fortigate firewalls running FortiOS 5.0 or newer, it is possible to use the CLI to specifically disable logs for accepted traffic directed to the firewall itself:

Log on to firewall using SSH, then run the following commands (assuming the firewall has a VDOM named 'root')

config vdom
edit root
config log settings
set local-in-allow disable

This has to be done on a per VDOM basis.

Once this is done, the firewall keeps logging all denied traffic, without logging accepted pings, SNMP monitoring queries etc.

Fortinet has more informationg here: http://docs-legacy.fortinet.com/fgt/handbook/cli_html/index.html#page/FortiOS%25205.0%2520CLI/config_log.17.13.html

For Fortigate firewalls running FortiOS older than 5.0, I suppose the best advice is to upgrade to 5.0 or newer and then apply the setting suggested above. It seems like the feature 'set local-in-allow disable' is not available before FortiOS 5.0.

Related Solutions

How to log out of state sessions on Juniper SRX platform

Packets should be classified regardless of the TCP handshake being watched or not. If there isn't a session defined for that flow (fast path) a new one should be created (first path).

Do you have any screen configured?? Maybe it's the screen that's dropping the traffic.

More details on Troubleshooting Traffic Flows and Session Establishment

Maybe you can configure a log file with traceoptions:

security {
  flow {
        traceoptions {
            file trace_file;
            flag basic-datapath;
            packet-filter Match {
                protocol tcp;
                source-prefix <source-ip>;
                destination-prefix <dest-ip>;
                destination-port <tcp-port>;
            }
        }
    }
}

Beware of these traces, since it can cause high CPU load on the SRX if it's carrying a lot of traffic. Limit the filter as much as possible and run it during a maintenance window.

Cisco – Finding transparent firewall packet loss

Interface Internal-Data0/0 "", is up, line protocol is up
     2749335943 input errors, 0 CRC, 0 frame, 2749335943 overrun, 0 ignored, 0 abort
                                              ^^^^^^^^^^^^^^^^^^
         0 output errors, 0 collisions, 0 interface resets

You show overruns on the InternalData interfaces, so you are dropping traffic through the ASA. With that many drops, it's not hard to imagine that this is contributing to problem. Overruns happen when the internal Rx FIFO queues overflow (normally because of some problem with load).

EDIT to respond to a question in the comments:

I don't understand why the firewall is overloaded, it is not close to using 10Gbps. Can you explain why we are seeing overruns even when the CPU and bandwidth are low? The CPU is about 5% and the bandwidth either direction never goes much higher than 1.4Gbps.

I have seen this happen over and over when a link is seeing traffic microbursts, which exceed either the bandwidth, connection-per-second, or packet-per-second horsepower of the device. So many people quote 1 or 5 minute statistics as if the traffic is relatively constant across that timeframe.

I would take a look at your firewall by running these commands every two or three seconds (run term pager 0 to avoid paging issues)...

show clock
show traffic detail | i ^[a-zA-Z]|overrun|packets dropped
show asp drop

Now graph out how much traffic you're seeing every few seconds vs drops; if you see massive spikes in policy drops or overruns when your traffic spikes, then you're closer to finding the culprit.

Don't forget that you can sniff directly on the ASA with this if you need help identifying what's killing the ASA... you have to be quick to catch this sometimes.

capture FOO circular-buffer buffer <buffer-size> interface <intf-name>

Netflow on your upstream switches could help as well.

Best Answer

Related Solutions

How to log out of state sessions on Juniper SRX platform

Cisco – Finding transparent firewall packet loss

Related Topic