Saturday, August 29, 2020

Second-hand FortiGate 40C: spams my syslogd with all traffic instead of only denied packets

Hi.

Before I move on to get an actual new device, I have this older Fortinet 40C that I've been struggling to set up. All I need for this segment is a basic firewall, so I created the necessary rules that only allow outgoing traffic to certain networks and ports, with a "deny all" rule afterwards. Now, I want instant notifications if anything hits the "deny all" rule with "violating traffic log" enabled, so I figured I'd use "config log syslogd" to instantly receive these violating packets (if any). However, after fiddling with all the options I've found there and in the manual, it still spams me on literally each packet that IS allowed with the message "traffic is allowed."

I thought maybe I could update the firmware and see if that helps, but FortiGate support didn't really want to hear about it (the previous customer still owns an account with this serial number).

I looked through the web and CLI interfaces to no avail. It still spams me and also logs all the allowed packets into the memory log, along with the denied ones, for which I also created a special rule before the main "deny all" with violating traffic log OFF; it still logs that too!

Is this how it's supposed to work? This seems wrong: why would it still log everything, including traffic hitting the deny rule with logging disabled? I want it to only fire a syslog message upon encountering any packet that hits the rules with "violating traffic log" enabled, so that I can instantly investigate.

Yes, I did execute a reboot several times after changing "config log setting" settings, but nothing particularly helped to narrow the logging events down to those explicitly marked to be logged. It still wants to log everything.

Yes, it's also true that "deny" messages have severity 4 (warn) rather than 5 (notice) for "traffic allowed" messages, but those "allowed" messages are still useless bloat I'd love to prevent from being logged. I double-checked in the CLI that the "allow" rules have "set logtraffic* disable". No idea why it's still logged.

Maybe someone would also be kind enough to provide me with a firmware for this particular box?
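The post notes that the denied-traffic messages arrive at syslog severity 4 (warning) while the "traffic is allowed" messages arrive at severity 5 (notice). That difference is enough to do the filtering on the receiving side until the box itself can be made to stop emitting the accept lines. The script below is an added example, not part of the original post and not FortiGate code: it decodes the RFC 3164 `<PRI>` prefix (facility*8 + severity), parses the firewall's key=value body, and keeps only records at warning or worse, or with an explicit `action=deny`. The sample lines are constructed in the FortiGate key=value style; the device name, addresses and policy ids in them are made up.

```python
import re
from typing import Dict, Iterable, List

# Standard syslog severity codes (RFC 3164 / RFC 5424); FortiGate writes the
# same names into its "level=" field.
SEVERITY = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
            "warning": 4, "notice": 5, "information": 6, "debug": 7}

_PRI_RE = re.compile(r"^<(\d{1,3})>")
# key=value pairs; values may be bare tokens or double-quoted strings.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line: str) -> Dict[str, object]:
    """Parse one syslog line into a dict of fields.

    If an RFC 3164 <PRI> prefix is present, its numeric severity (low 3 bits)
    and facility (remaining bits) are stored as pri_severity / pri_facility.
    """
    record: Dict[str, object] = {}
    m = _PRI_RE.match(line)
    if m:
        pri = int(m.group(1))
        record["pri_severity"] = pri & 7
        record["pri_facility"] = pri >> 3
        line = line[m.end():]
    for key, value in _KV_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        record[key] = value
    return record


def record_severity(record: Dict[str, object]) -> int:
    """Numeric severity: prefer the firewall's own level= field, else the PRI."""
    level = record.get("level")
    if level in SEVERITY:
        return SEVERITY[level]
    return int(record.get("pri_severity", 7))


def is_alert(record: Dict[str, object], max_severity: int = 4) -> bool:
    """True for warning (4) or more urgent, or for an explicit deny action."""
    return record_severity(record) <= max_severity or record.get("action") == "deny"


def filter_alerts(lines: Iterable[str], max_severity: int = 4) -> List[Dict[str, object]]:
    """Return only the parsed records worth alerting on."""
    return [r for r in (parse_line(l) for l in lines) if r and is_alert(r, max_severity)]


# Constructed sample lines in FortiGate's key=value style (facility local7 = 23,
# so PRI 189 = notice and PRI 188 = warning). Hostnames/addresses are made up.
SAMPLE_LINES = [
    '<189>date=2020-08-29 time=10:15:01 devname=FGT40C-example type=traffic subtype=forward '
    'level=notice srcip=192.0.2.10 dstip=198.51.100.5 dstport=443 policyid=1 '
    'action=accept msg="traffic is allowed"',
    '<188>date=2020-08-29 time=10:15:02 devname=FGT40C-example type=traffic subtype=forward '
    'level=warning srcip=192.0.2.11 dstip=203.0.113.9 dstport=23 policyid=0 '
    'action=deny msg="violates policy"',
    '<189>date=2020-08-29 time=10:15:03 devname=FGT40C-example type=traffic subtype=forward '
    'level=notice srcip=192.0.2.12 dstip=198.51.100.7 dstport=80 policyid=1 '
    'action=accept msg="traffic is allowed"',
]

if __name__ == "__main__":
    for rec in filter_alerts(SAMPLE_LINES):
        print(f'{rec["time"]} {rec["srcip"]} -> {rec["dstip"]}:{rec["dstport"]} '
              f'{rec["action"]} (policy {rec["policyid"]})')
```

Pointing a syslog receiver (or a small forwarder reading the raw UDP payloads) at `filter_alerts` gives exactly the "only denied packets" stream the post asks for, and the `max_severity` threshold can be raised later if the firewall is reconfigured to emit fewer notice-level lines.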
