Solved

Fortigate Firewall Deny Log False Positive

Posted on 2014-11-30
Last Modified: 2014-12-06
Our company uses a Fortigate Firewall. We have recently extracted the Deny Firewall Log and found that there are many false alarm Deny Log entries. For example, we found the deny log entries

Source IP       Source Port   Destination IP   Destination Port   Action
10.106.53.78    67890         172.17.15.9      443                Deny

But I could actually telnet to port 443 from 10.106.53.79 to 172.17.15.9 without any problem and was connected during the time the log entries were produced.

I found many similar incidents in the firewall log and wonder if anyone knows the root cause or of any misconfiguration on the device.

Thank you for your insight in advance.

Patrick
Question by:patricktam
Accepted Solution

by:
btan earned 500 total points
ID: 40473424
Telnet is one of the FW predefined services (Firewall Objects > Service > Predefined) using TCP 23. You may want to check the policy on the service configurations. You can reference this simple example in http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD31014&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=66105316&stateId=0%200%2066103683

You can also check out the PDF, in the section "How to verify if traffic is hitting the basic security policy", to see the active sessions, bytes or packets, or use diag debug flow commands to show whether traffic is hitting the security policy. There is also session information displayed in Policy > Monitor > Session Monitor.

http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=fortigate-firewall-40-mr3pdf&sliceId=&docTypeID=DT_PRODUCTDOCUMENTATION_1_1&dialogID=66105316&stateId=0%200%2066103683
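
The check described in the accepted answer, written out as a FortiGate CLI session. This is an added example, not part of the original answer: the addresses and port are taken from the log entry in the question, the trace count of 20 is an arbitrary choice, and exact command syntax can differ between FortiOS releases.

```fortios
# Clear any earlier debug settings and flow filters
diagnose debug reset
diagnose debug flow filter clear

# Trace only the flow reported in the deny log entry
diagnose debug flow filter saddr 10.106.53.78
diagnose debug flow filter daddr 172.17.15.9
diagnose debug flow filter dport 443

# Print the trace to this console session, including function names
diagnose debug flow show console enable
diagnose debug flow show function-name enable

# Capture the next 20 matching packets, then switch debug output on
diagnose debug flow trace start 20
diagnose debug enable

# ... reproduce the connection from the source host now ...
# The trace output shows how the firewall handled each matching packet.

# Stop tracing and switch debug output off again
diagnose debug flow trace stop
diagnose debug disable
diagnose debug reset

# List existing sessions to the same destination and port
diagnose sys session filter clear
diagnose sys session filter dst 172.17.15.9
diagnose sys session filter dport 443
diagnose sys session list
```

Comparing the source address and port in the trace and session list against the deny log entry shows whether the logged packet and the successful test connection are the same flow.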

Author Closing Comment

by:patricktam
ID: 40485194
Thanks for the comment.