Solved

Fortigate Firewall Deny Log False Positive

Posted on 2014-11-30
2
Medium Priority
287 Views
Last Modified: 2014-12-06
Our company uses a Fortigate Firewall. We recently extracted the Deny firewall log and found that there are many false-alarm deny log entries. For example, we found the following deny log entry:

Source IP      Source Port   Destination IP   Destination Port   Action
10.106.53.78   67890         172.17.15.9      443                Deny

But I could actually telnet to port 443 from 10.106.53.79 to 172.17.15.9 without any problem and was connected during the time the log entries were produced.

I found many similar incidents in the firewall log and wonder if anyone knows the root cause or any misconfiguration on the device.

Thank you for your insight in advance.

Patrick
0
Comment
Question by:patricktam
2 Comments
 
LVL 64

Accepted Solution

by:
btan earned 1500 total points
ID: 40473424
Telnet is one of the FW predefined services (Firewall Objects > Service > Predefined) using TCP 23. You may want to check the policy on the service configurations. You can reference this simple example: http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD31014&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=66105316&stateId=0%200%2066103683

You can also check the PDF section "How to verify if traffic is hitting the basic security policy" to see the active sessions, bytes or packets, or use diag debug flow commands to show traffic hitting the security policy. Session information is also displayed in Policy > Monitor > Session Monitor.

http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=fortigate-firewall-40-mr3pdf&sliceId=&docTypeID=DT_PRODUCTDOCUMENTATION_1_1&dialogID=66105316&stateId=0%200%2066103683
0
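The verification the answer recommends (confirming which sessions actually hit a policy) can also be done offline against exported logs. The following script is an added example, not code from the thread or from Fortinet: it parses FortiGate key=value traffic log lines and lists every deny entry for which an accept entry with the same source IP, destination IP and destination port was logged within a short window, which is exactly the pattern the question describes (a deny recorded while a connection to the same port succeeded). It assumes the field names date, time, type, srcip, srcport, dstip, dstport, action and policyid, and the log lines embedded below are constructed samples, not real device output.

```python
"""Correlate FortiGate traffic-log deny entries with nearby accepted sessions.

Added example, not from the original thread. Assumes FortiGate traffic logs
carry key=value fields named date, time, type, srcip, srcport, dstip,
dstport, action and policyid. SAMPLE_LOG below is constructed for the demo.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# key=value pairs; values may be quoted and contain spaces (e.g. logdesc="...").
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample lines (IPs taken from the question, ports and times made up).
# policyid=0 is the FortiGate implicit-deny policy; 12 is an assumed allow policy.
SAMPLE_LOG = [
    'date=2014-11-28 time=10:15:02 type=traffic subtype=forward srcip=10.106.53.78 '
    'srcport=52001 dstip=172.17.15.9 dstport=443 proto=6 action=deny policyid=0',
    'date=2014-11-28 time=10:15:05 type=traffic subtype=forward srcip=10.106.53.78 '
    'srcport=52002 dstip=172.17.15.9 dstport=443 proto=6 action=accept policyid=12',
    'date=2014-11-28 time=10:40:00 type=traffic subtype=forward srcip=10.106.53.78 '
    'srcport=52003 dstip=172.17.15.9 dstport=22 proto=6 action=deny policyid=0',
    'date=2014-11-28 time=10:15:07 type=event subtype=system logdesc="Admin login" action=login',
]


def parse_line(line: str) -> dict[str, str]:
    """Split one key=value log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def timestamp(rec: dict[str, str]) -> datetime:
    """Combine the date and time fields into a datetime."""
    return datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")


def suspect_denies(lines, window_seconds: int = 60) -> list[dict[str, str]]:
    """Return deny records that have an accept for the same src/dst/dport nearby.

    The source port is deliberately left out of the key: every new connection
    uses a fresh ephemeral port, so a denied packet and the accepted session
    for the same flow will normally differ there while everything else matches.
    """
    accepts: dict[tuple, list[datetime]] = defaultdict(list)
    denies: list[tuple[tuple, dict[str, str]]] = []
    for line in lines:
        rec = parse_line(line)
        if rec.get("type") != "traffic":   # skip event/system logs
            continue
        key = (rec["srcip"], rec["dstip"], rec["dstport"])
        if rec["action"] == "accept":
            accepts[key].append(timestamp(rec))
        elif rec["action"] == "deny":
            denies.append((key, rec))

    window = timedelta(seconds=window_seconds)
    suspects = []
    for key, rec in denies:
        t = timestamp(rec)
        if any(abs(t - a) <= window for a in accepts[key]):
            suspects.append(rec)
    return suspects


def describe(rec: dict[str, str]) -> str:
    """One-line summary of a suspect deny for a report."""
    return (f"{rec['date']} {rec['time']} {rec['srcip']}:{rec['srcport']} -> "
            f"{rec['dstip']}:{rec['dstport']} deny (policyid={rec['policyid']}) "
            f"while an accept for the same flow was logged within the window")


if __name__ == "__main__":
    for rec in suspect_denies(SAMPLE_LOG):
        print(describe(rec))
```

Run it against an exported log (one line per entry) by replacing SAMPLE_LOG with the file's lines. Each flagged entry gives you the deny's policyid next to the accept's policyid, which is the pair to compare in the policy list before concluding the deny was a false alarm; the deny on port 22 in the sample is not flagged because no accept for that flow exists.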
 

Author Closing Comment

by:patricktam
ID: 40485194
Thanks for the comment.
0
