Threat 131072

Author
fat
New Member
  • Total Posts : 13
  • Scores: 0
  • Reward points: 0
  • Joined: 2020/08/05 23:47:50
  • Status: offline
2020/11/18 13:30:02
0

Threat 131072

Hello,
 
I am doing some labs using Fortigate 201E.
By troubleshooting, I found out that there were many logs in policy 0, deny any any (the bottom line of policy).
Details showed it as "Threat 131072, threat score 30". The protocols concerned were HTTPS and Ping.
 
In order to get more details, I inserted a first line "permit any any", so all traffic should match this line, I am sure.
But strangely, there were still some logs in policy 0 saying threat.
 
I am very confused by this behavior because, as far as I understand, all traffic should pass through the first line of the policy without going down to the last line, policy 0.
 
Does anyone know the root cause? Your replies are very much appreciated.
 
#1
boneyard
Gold Member
  • Total Posts : 364
  • Scores: 16
  • Reward points: 0
  • Joined: 2014/07/30 11:15:18
  • Status: offline
Re: Threat 131072 2020/11/19 09:36:34
0
What are the source and destination interfaces for the policy you created?
#2
fat
New Member
  • Total Posts : 13
  • Scores: 0
  • Reward points: 0
  • Joined: 2020/08/05 23:47:50
  • Status: offline
Re: Threat 131072 2020/11/20 10:59:00
0
Hello,
 
I found out the issue: I used the redundant interface as the source. Instead I should use the VLAN inside this interface.
After my correction of the policy rules concerned, traffic passes as I expected. The ping didn't work, I don't know why, but most importantly the wanted traffic goes through.
 
Thank you.
#3
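As an added example (not code from this thread, from the poster, or from Fortinet), the check below parses constructed FortiGate-style key=value traffic-log lines and counts implicit-deny (policy 0) hits per source interface, destination interface and service. That per-interface view is what exposes the mismatch described in the post above, where traffic arrives on the redundant interface while the policy names the VLAN. The log field names (policyid, srcintf, dstintf, service, proto, icmptype, icmpcode, crscore, craction) and the interface names are assumptions; the sample lines are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in the key=value style of FortiGate traffic logs.
# Field names (policyid, srcintf, dstintf, service, proto, icmptype, icmpcode,
# crscore, craction) and interface names are assumptions, not from the thread.
SAMPLE_LOGS = """\
date=2020-11-18 time=13:20:01 type="traffic" srcip=10.10.5.20 dstip=203.0.113.7 srcintf="vlan10" dstintf="wan1" policyid=1 proto=6 service="HTTPS" action="accept"
date=2020-11-18 time=13:20:02 type="traffic" srcip=10.10.5.21 dstip=203.0.113.7 srcintf="red1" dstintf="wan1" policyid=0 proto=6 service="HTTPS" action="deny" crscore=30 craction=131072
date=2020-11-18 time=13:20:03 type="traffic" srcip=10.10.5.21 dstip=203.0.113.9 srcintf="red1" dstintf="wan1" policyid=0 proto=1 service="PING" icmptype=8 icmpcode=0 action="deny" crscore=30 craction=131072
date=2020-11-18 time=13:20:04 type="traffic" srcip=10.10.5.22 dstip=203.0.113.7 srcintf="vlan10" dstintf="wan1" policyid=1 proto=1 service="PING" icmptype=8 icmpcode=0 action="accept"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Small ICMPv4 type/code table (standard values from RFC 792); 8/0 is the Echo Request behind ping.
ICMP_NAMES = {(8, 0): "Echo Request (ping)", (0, 0): "Echo Reply",
              (3, 3): "Destination Unreachable / Port Unreachable",
              (11, 0): "Time Exceeded / TTL expired in transit"}

def parse_line(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def icmp_name(icmptype, icmpcode):
    """Human-readable name for an ICMP type/code pair."""
    return ICMP_NAMES.get((int(icmptype), int(icmpcode)), "ICMP type %s code %s" % (icmptype, icmpcode))

def implicit_deny_by_interface(log_text):
    """Count policy 0 (implicit deny) hits per (srcintf, dstintf, service).
    Traffic that hits policy 0 matched no explicit policy, so the interface pair
    it arrived on is the first thing to compare against the configured rules."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("policyid") != "0":
            continue
        service = rec.get("service", "?")
        if rec.get("proto") == "1" and "icmptype" in rec:
            service += " [%s]" % icmp_name(rec["icmptype"], rec.get("icmpcode", 0))
        counts[(rec.get("srcintf"), rec.get("dstintf"), service)] += 1
    return counts

if __name__ == "__main__":
    for (src, dst, svc), n in implicit_deny_by_interface(SAMPLE_LOGS).items():
        print("policy 0: %s -> %s %s x%d" % (src, dst, svc, n))
```

In the constructed data every policy 0 hit comes from srcintf "red1" while the accepted flows come from "vlan10", which is the pattern to look for when a "permit any any" rule still leaves denies in the log.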
fat
New Member
  • Total Posts : 13
  • Scores: 0
  • Reward points: 0
  • Joined: 2020/08/05 23:47:50
  • Status: offline
Re: Threat 131072 2020/11/21 05:23:03
0
 
Since there were logs in the implicit deny, I guess the first rule (permit all/any) doesn't contain all services.
I'd like to know which services/ports it contains.
 
Does "ALL" mean only ports tcp/udp 1-65535 and ICMP? Anything else?
 
About the ICMP issue, the error showed icmp 0/8. What is this?
#4
boneyard
Gold Member
  • Total Posts : 364
  • Scores: 16
  • Reward points: 0
  • Joined: 2014/07/30 11:15:18
  • Status: offline
Re: Threat 131072 2020/11/21 08:20:32
0
ALL means all, so all protocols and, if relevant, all ports for that protocol.
 
ICMP 0/8 is one type of ICMP packet, specifically Echo Request, commonly ping; for more information look at: https://en.wikipedia.org/...ntrol_Message_Protocol
#5
fat
New Member
  • Total Posts : 13
  • Scores: 0
  • Reward points: 0
  • Joined: 2020/08/05 23:47:50
  • Status: offline
Re: Threat 131072 2020/11/21 10:47:42
0
Hi Boneyard,
 
Thank you very much for your quick replies.
#6