Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Handbook

    6.0.0
    6.0.0

    Logging and reporting for large networks

    Logging and reporting for large networks

    This section explains how to configure the FortiGate unit for logging and reporting in a larger network, such as an enterprise network. To set up this type of network, you are modifying the default log settings, and you are also modifying the default report.

    The following procedures are examples and can be used to help you when configuring your own network’s log topology.

    Since some of these settings must be modified or enabled or disabled in the CLI, it is recommended to review the FortiGate CLI Reference for any additional information about the commands used herein, as well as any that you would need to use in your own newtork’s log topology.

    Modifying default log device settings

    The default log device settings must be modified so that system performance is not compromised. The FortiGate unit, by default, has all logging of FortiGate features enabled and well as logging to either the FortiGate unit’s system memory or hard disk, depending on the model.

    Modifying multiple FortiGate units’ system memory default settings

    When the FortiGate unit’s default log device is its system memory, you can modify it to fit your log network topology. In this topic, the following is an example of how you can modify these default settings.

    To modify the default system memory settings
    1. Log in to the CLI.

    2. Enter the following command syntax to modify the logging settings:

      config log memory setting

      set status enable

      end

    3. Enter the following command syntax to modify the FortiGate features that are enabled for logging:

      config log memory filter

      set forward-traffic enable

      set local-traffic enable

      set sniffer-traffic enable

      set anomaly enable

      set voip enable

      set multicast-traffic enable

      set dns enable

      end

    4. Repeat steps 2 and 3 for the other FortiGate units.
    5. Test the modified settings using the procedure below.

    Modifying multiple FortiGate units’ hard disk default log settings

    You will have to modify each FortiGate unit’s hard disk default log settings. The following is an example of how to modify these default settings.

    To modify the default hard disk settings
    1. Log in to the CLI.

    2. Enter the following command syntax to modify the logging settings:

      config log disk setting

      set ips-archive disable

      set status enable

      set max-log-file-size 1000

      set storage Internal

      set log-quota 100

      set report-quota 100

      end

    3. In the CLI, enter the following to disable certain event log messages that you do not want logged:

      config log eventfilter

      set event enable

      set system enable

      set vpn enable

      set user enable

      set router disable

      set wan-opt disable

      end

    4. Repeat the steps 2 to 4 for the other FortiGate units.
    5. Test the modified settings using the procedure below.

    Testing the modified log settings

    After modifying both the settings and the FortiGate features for logging, you can test that the modified settings are working properly. This test is done in the CLI.

    To test sending logs to the log device
    1. In the CLI, enter the following command syntax: diag log test

    2. When you enter the command, the following appears:

      generating a system event message with level - warning

      generating an infected virus message with level - warning

      generating a blocked virus message with level - warning

      generating a URL block message with level - warning

      generating a DLP message with level - warning

      generating an IPS log message

      generating an anomaly log message

      generating an application control IM message with level - information

      generating an IPv6 application control IM message with level - information

      generating deep application control logs with level - information

      generating an antispam message with level - notification

      generating an allowed traffic message with level - notice

      generating a multicast traffic message with level - notice

      generating a ipv6 traffic message with level - notice

      generating a wanopt traffic log message with level - notification

      generating a HA event message with level - warning

      generating netscan log messages with level - notice

      generating a VOIP event message with level - information

      generating a DNS event message with level - information

      generating authentication event messages

      generating a Forticlient message with level - information

      generating a URL block message with level - warning

    3. In the GUI, go to Log & Report > System Events, and view the logs to see some of the recently generated test log messages. You will be able to tell the test log messages from real log messages because they do not have “real” information; for example, the test log messages for the vulnerability scan contain the destination IP address of 1.1.1.1 or 2.2.2.2.

    Configuring the backup solution

    Even though you are logging to multiple FortiAnalyzer units, this is more of a redundancy solution rather than a complete backup solution in this example.

    The multiple FortiAnalyzer units act similar to a HA cluster, since if one FortiAnalyzer unit fails, the others continue storing the logs they receive. In a backup solution, the logs are backed up to another secure location if something happens to the log device.

    A good alternate or redundant option is the FortiCloud service, which can provide secure online logging and management for multiple devices.

    Configuring logging to multiple FortiAnalyzer units

    The following example shows how to configure logging to multiple FortiAnalyzer units. Configuring multiple FortiAnalyzer units is quick and easy; however, you can only configure up to three FortiAnalyzer units per FortiGate unit.

    To configure multiple FortiAnalyzer units

    1. In the CLI, enter the following command syntax to configure the first FortiAnalyzer unit:

      config log fortianalyzer setting

      set status enable

      set server 172.20.120.22

      set max-buffer-size 1000

      set buffer-max-send 2000

      set address-mode static

      set conn-timeout 100

      set monitor-keepalive-period 120

      set monitor-failure-retry-period 2000

      end

    2. Disable the features that you do not want logged, using the following example command syntax:

      config log fortianalyzer filter

      set forward-traffic disable

      ...

      end

    3. Enter the following commands for the second FortiAnalyzer unit:

      config log fortianalyzer2 setting

      set status enable

      set server 172.20.120.23

      set max-buffer-size 1000

      set buffer-max-send 2000

      set address-mode static

      set conn-timeout 100

      set monitor-keepalive-period 120

      set monitor-failure-retry-period 2000

      end

    4. Disable the features that you do not want logged, using the following example command syntax:

      config log fortianalyzer2 filter

      set event disable

      ...

      end

    5. Enter the following commands for the last FortiAnalyzer unit:

      config log fortianalyzer3 setting

      set status enable

      set server 172.20.120.23

      set max-buffer-size 1000

      set buffer-max-send 2000

      set address-mode static

      set conn-timeout 100

      set monitor-keepalive-period 120

      set monitor-failure-retry-period 2000

      end

    6. Disable the features that you do not want logged, using the following example command syntax:

      config log fortianalyzer3 filter

      set voip disable

      ...

      end

    7. Test the configuration by using the procedure, “Testing the modified log settings”.
    8. On the other FortiGate units, configure steps 1 through 6, ensuring that logs are being sent to the FortiAnalyzer units.

    Configuring logging to the FortiCloud server

    The FortiCloud server can be used as a redundant backup, or your primary logging solution. The following assumes that this service has already been registered, and a subscription has been purchased for expanded space. The following is an example of how to these settings are configured for a network’s log configuration. You need to have access to both the CLI and the GUI when configuring uploading of logs. The upload time and interval settings can be configured in the GUI.

    To configure logging to the FortiCloud server
    1. Go to Dashboard and click Login next to FortiCloud in the License Information widget.
    2. Enter your username and password, and click OK. (Or register, if you have not yet done so.)
    3. Logs will automatically be uploaded to FortiCloud as long as your FortiGate is linked to your FortiCloud account.
    4. To configure the upload time and interval, go to Log & Report > Log Settings.
    5. Under the Remote Logging and Archiving header, you can select your desired upload time.
    6. With FortiCloud you can easily store and access FortiGate logs that can give you valuable insight into the health and security of your network.
    Previous
    Next

    Logging and reporting for large networks

    Logging and reporting for large networks

    This section explains how to configure the FortiGate unit for logging and reporting in a larger network, such as an enterprise network. To set up this type of network, you are modifying the default log settings, and you are also modifying the default report.

    The following procedures are examples and can be used to help you when configuring your own network’s log topology.

    Since some of these settings must be modified or enabled or disabled in the CLI, it is recommended to review the FortiGate CLI Reference for any additional information about the commands used herein, as well as any that you would need to use in your own newtork’s log topology.

    Modifying default log device settings

    The default log device settings must be modified so that system performance is not compromised. The FortiGate unit, by default, has all logging of FortiGate features enabled and well as logging to either the FortiGate unit’s system memory or hard disk, depending on the model.

    Modifying multiple FortiGate units’ system memory default settings

    When the FortiGate unit’s default log device is its system memory, you can modify it to fit your log network topology. In this topic, the following is an example of how you can modify these default settings.

    To modify the default system memory settings
    1. Log in to the CLI.

    2. Enter the following command syntax to modify the logging settings:

      config log memory setting

      set status enable

      end

    3. Enter the following command syntax to modify the FortiGate features that are enabled for logging:

      config log memory filter

      set forward-traffic enable

      set local-traffic enable

      set sniffer-traffic enable

      set anomaly enable

      set voip enable

      set multicast-traffic enable

      set dns enable

      end

    4. Repeat steps 2 and 3 for the other FortiGate units.
    5. Test the modified settings using the procedure below.

    Modifying multiple FortiGate units’ hard disk default log settings

    You will have to modify each FortiGate unit’s hard disk default log settings. The following is an example of how to modify these default settings.

    To modify the default hard disk settings
    1. Log in to the CLI.

    2. Enter the following command syntax to modify the logging settings:

      config log disk setting

      set ips-archive disable

      set status enable

      set max-log-file-size 1000

      set storage Internal

      set log-quota 100

      set report-quota 100

      end

    3. In the CLI, enter the following to disable certain event log messages that you do not want logged:

      config log eventfilter

      set event enable

      set system enable

      set vpn enable

      set user enable

      set router disable

      set wan-opt disable

      end

    4. Repeat the steps 2 to 4 for the other FortiGate units.
    5. Test the modified settings using the procedure below.

    Testing the modified log settings

    After modifying both the settings and the FortiGate features for logging, you can test that the modified settings are working properly. This test is done in the CLI.

    To test sending logs to the log device
    1. In the CLI, enter the following command syntax: diag log test

    2. When you enter the command, the following appears:

      generating a system event message with level - warning

      generating an infected virus message with level - warning

      generating a blocked virus message with level - warning

      generating a URL block message with level - warning

      generating a DLP message with level - warning

      generating an IPS log message

      generating an anomaly log message

      generating an application control IM message with level - information

      generating an IPv6 application control IM message with level - information

      generating deep application control logs with level - information

      generating an antispam message with level - notification

      generating an allowed traffic message with level - notice

      generating a multicast traffic message with level - notice

      generating a ipv6 traffic message with level - notice

      generating a wanopt traffic log message with level - notification

      generating a HA event message with level - warning

      generating netscan log messages with level - notice

      generating a VOIP event message with level - information

      generating a DNS event message with level - information

      generating authentication event messages

      generating a Forticlient message with level - information

      generating a URL block message with level - warning

    3. In the GUI, go to Log & Report > System Events, and view the logs to see some of the recently generated test log messages. You will be able to tell the test log messages from real log messages because they do not have “real” information; for example, the test log messages for the vulnerability scan contain the destination IP address of 1.1.1.1 or 2.2.2.2.

    Configuring the backup solution

    Even though you are logging to multiple FortiAnalyzer units, this is more of a redundancy solution rather than a complete backup solution in this example.

    The multiple FortiAnalyzer units act similar to a HA cluster, since if one FortiAnalyzer unit fails, the others continue storing the logs they receive. In a backup solution, the logs are backed up to another secure location if something happens to the log device.

    A good alternate or redundant option is the FortiCloud service, which can provide secure online logging and management for multiple devices.

    Configuring logging to multiple FortiAnalyzer units

    The following example shows how to configure logging to multiple FortiAnalyzer units. Configuring multiple FortiAnalyzer units is quick and easy; however, you can only configure up to three FortiAnalyzer units per FortiGate unit.

    To configure multiple FortiAnalyzer units

    1. In the CLI, enter the following command syntax to configure the first FortiAnalyzer unit:

      config log fortianalyzer setting

      set status enable

      set server 172.20.120.22

      set max-buffer-size 1000

      set buffer-max-send 2000

      set address-mode static

      set conn-timeout 100

      set monitor-keepalive-period 120

      set monitor-failure-retry-period 2000

      end

    2. Disable the features that you do not want logged, using the following example command syntax:

      config log fortianalyzer filter

      set forward-traffic disable

      ...

      end

    3. Enter the following commands for the second FortiAnalyzer unit:

      config log fortianalyzer2 setting

      set status enable

      set server 172.20.120.23

      set max-buffer-size 1000

      set buffer-max-send 2000

      set address-mode static

      set conn-timeout 100

      set monitor-keepalive-period 120

      set monitor-failure-retry-period 2000

      end

    4. Disable the features that you do not want logged, using the following example command syntax:

      config log fortianalyzer2 filter

      set event disable

      ...

      end

    5. Enter the following commands for the last FortiAnalyzer unit:

      config log fortianalyzer3 setting

      set status enable

      set server 172.20.120.23

      set max-buffer-size 1000

      set buffer-max-send 2000

      set address-mode static

      set conn-timeout 100

      set monitor-keepalive-period 120

      set monitor-failure-retry-period 2000

      end

    6. Disable the features that you do not want logged, using the following example command syntax:

      config log fortianalyzer3 filter

      set voip disable

      ...

      end

    7. Test the configuration by using the procedure, “Testing the modified log settings”.
    8. On the other FortiGate units, configure steps 1 through 6, ensuring that logs are being sent to the FortiAnalyzer units.

    Configuring logging to the FortiCloud server

    The FortiCloud server can be used as a redundant backup, or your primary logging solution. The following assumes that this service has already been registered, and a subscription has been purchased for expanded space. The following is an example of how to these settings are configured for a network’s log configuration. You need to have access to both the CLI and the GUI when configuring uploading of logs. The upload time and interval settings can be configured in the GUI.

    To configure logging to the FortiCloud server
    1. Go to Dashboard and click Login next to FortiCloud in the License Information widget.
    2. Enter your username and password, and click OK. (Or register, if you have not yet done so.)
    3. Logs will automatically be uploaded to FortiCloud as long as your FortiGate is linked to your FortiCloud account.
    4. To configure the upload time and interval, go to Log & Report > Log Settings.
    5. Under the Remote Logging and Archiving header, you can select your desired upload time.
    6. With FortiCloud you can easily store and access FortiGate logs that can give you valuable insight into the health and security of your network.
    Previous
    Next