
Hyperscale Firewall Guide


Configuring hardware logging

Use the following command to add log servers and create log server groups. This configuration is shared by all of the NP7s in your FortiGate. If your FortiGate is configured with multiple VDOMs, this is a global configuration and the log server groups are available to all VDOMs with hyperscale firewall features enabled.

config log npu-server
    set log-processor {hardware | host}
    set netflow-ver {v9 | v10}
    config server-info
        edit <index>
            set vdom <name>
            set ip-family {v4 | v6}
            set ipv4-server <ipv4-address>
            set ipv6-server <ipv6-address>
            set source-port <port-number>
            set dest-port <port-number>
            set template-tx-timeout <timeout>
        end
    config server-group
        edit <group-name>
            set log-mode {per-session | per-nat-mapping | per-session-ending}
            set log-format {netflow | syslog}
            set server-number <number>
            set server-start-id <number>
        end

log-processor select whether to use NP7 processors (hardware, the default) or the FortiGate CPUs (host) to generate traffic log messages for hyperscale firewall sessions. This option is not available for all FortiGate models that support hyperscale firewall features. If the option is not available, then NP7 processors are used to generate traffic log messages for hyperscale firewall sessions.

If you set this option to hardware (and for FortiGate models that don't support selecting host), the following limitations apply:

  • The interface through which your FortiGate communicates with the remote log server must be connected to your FortiGate's NP7 processors. Depending on the FortiGate model, this usually means you can't use a management or HA interface to connect to the remote log server. See FortiGate NP7 architectures for information about which interfaces are connected to NP7 processors and which are not for your FortiGate model.
  • The interface through which your FortiGate communicates with the remote log server can be in any VDOM and does not have to be in the hyperscale VDOM that is processing the traffic being logged.
  • The vd= field in generated traffic log messages includes the VDOM name followed by trailing null characters. If possible, you can configure your syslog server or NetFlow server to remove these trailing null characters.
  • Normally the PID= field in traffic log messages contains the policy ID of the firewall policy that generated the log message. But, if the policy that generated the traffic log message has recently changed, the PID= field can contain extra information used by the NP7 policy engine to track policy changes. You can extract the actual policy ID by converting the decimal number in the PID= field to hexadecimal format and removing all but the last 26 bits. These 26 bits contain the policy ID in hexadecimal format. You can convert this hex number back to decimal format to generate the actual policy ID.
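The two log-field quirks above (NUL padding in vd= and tracking bits above the policy ID in PID=) are easiest to handle on the collector side before the messages reach a SIEM. The following Python is an added example, not code from the Fortinet guide: it parses constructed key=value traffic log lines (the exact field layout of a hyperscale traffic log is assumed here), strips the trailing NUL characters from vd=, and recovers the policy ID by keeping the low 26 bits of the PID= value, which is the same operation as the decimal-to-hex, keep-the-last-26-bits, hex-to-decimal procedure the page describes. The function and variable names are the example's own.

```python
import re
from typing import Dict

# The page states the policy ID occupies the low 26 bits of the PID= value;
# anything above that is NP7 policy-change tracking information.
POLICY_ID_BITS = 26
POLICY_ID_MASK = (1 << POLICY_ID_BITS) - 1


def decode_policy_id(pid_field: int) -> int:
    """Recover the firewall policy ID from a raw PID= value.

    Masking to 26 bits is equivalent to the page's procedure of converting
    the decimal value to hex, discarding all but the last 26 bits, and
    converting back to decimal.
    """
    if pid_field < 0:
        raise ValueError(f"PID= must be non-negative, got {pid_field}")
    return pid_field & POLICY_ID_MASK


def clean_vdom(vd_field: str) -> str:
    """Strip the trailing NUL padding that hardware logging appends to vd=."""
    return vd_field.rstrip("\x00")


# key=value pairs; quoted values may contain spaces or NUL bytes.
# This key=value layout is an assumption made for the example.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_log_line(line: str) -> Dict[str, str]:
    """Split a key=value log line into a dict, dropping surrounding quotes."""
    fields: Dict[str, str] = {}
    for key, raw in _KV_RE.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def normalize_log_line(line: str) -> Dict[str, object]:
    """Parse one line and apply both fixes: clean vd= and decode PID=."""
    fields: Dict[str, object] = dict(parse_log_line(line))
    if "vd" in fields:
        fields["vd"] = clean_vdom(str(fields["vd"]))
    if "PID" in fields:
        fields["PID"] = decode_policy_id(int(str(fields["PID"])))
    return fields


# Constructed sample lines (not captured from a FortiGate). The second PID=
# value is (3 << 26) | 5: tracking bits above bit 26 on top of policy ID 5.
SAMPLE_LINES = [
    'date=2024-01-01 time=00:00:01 vd="hs-vdom\x00\x00\x00" PID=7 '
    'srcip=10.0.0.1 dstip=198.51.100.10 action=accept',
    'date=2024-01-01 time=00:00:02 vd="hs-vdom\x00\x00\x00" PID=201326597 '
    'srcip=10.0.0.2 dstip=198.51.100.11 action=accept',
]


def normalize_all(lines=SAMPLE_LINES):
    """Normalize every sample line; returns a list of cleaned field dicts."""
    return [normalize_log_line(line) for line in lines]


if __name__ == "__main__":
    for row in normalize_all():
        print(row["vd"], row["PID"], row["srcip"], "->", row["dstip"])
```

Apply this only to messages produced by NP7 hardware logging; PID= values from other FortiGate log sources already contain the plain policy ID, and masking them is harmless but unnecessary.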

If you set this option to host, all hardware logging functions are supported and the hardware logging configuration is the same, with the following differences:

  • There are no restrictions on the interface through which your FortiGate communicates with the remote log server.
  • Setting log-processor to host can reduce overall FortiGate performance because the FortiGate CPUs handle hardware logging instead of offloading logging to the NP7 processors.
  • Host logging may not provide the NHI, stats, OID, gateway, expiration, and duration information for short-lived sessions.
  • Host logging does not support NetFlow v9.

netflow-ver select the version of NetFlow that this log server is compatible with. v10, which is compatible with IP Flow Information Export (IPFIX), is the default.

config server-info use this command to add up to sixteen log servers. Once you have added log servers using this command, you can add the servers to one or more log server groups.

edit <index> create a log server. <index> is the number of the log server. You use this number when you add the log server to a server group. <index> can be 1 to 16. You must specify the number; setting <index> to 0 to select the next available number is not supported.

vdom the virtual domain that contains a FortiGate interface that you want to use to communicate with the log server.

ip-family the IP version of the remote log server. v4 is the default.

ipv4-server the IPv4 address of the remote log server.

ipv6-server the IPv6 address of the remote log server.

source-port the source UDP port number added to the log packets in the range 0 to 65535. The default is 514.

dest-port the destination UDP port number added to the log packets in the range 0 to 65535. The default is 514.

template-tx-timeout the time interval between sending NetFlow template packets. NetFlow template packets communicate the format of the NetFlow messages sent by the FortiGate to the NetFlow server. Since the message format can change if the NetFlow configuration changes, the FortiGate sends template updates at regular intervals to make sure the server can correctly interpret NetFlow messages. The timeout range is from 60 to 86,400 seconds. The default timeout is 600 seconds.

server-group create log server groups. Collect multiple log servers into a group to load balance log messages to the servers in the group. You add log server groups to hyperscale firewall policies.

log-mode select one of the following log modes:

  • per-session (the default) create two log messages per session, one when the session is established and one when the session ends.
  • per-nat-mapping create two log messages per session, one when the session allocates NAT mapping resources and one when NAT mapping resources are freed when the session ends.
  • per-session-ending create a log message only when a session ends.

log-format select the log message format. You can select netflow or syslog. If you select netflow, the NetFlow version (v9 or v10) is set for each log server.

server-number the number of log servers, created using config server-info, in this log server group. The range is 1 to 16. The default is 0 and must be changed.

server-start-id the ID of one of the log servers in the config server-info list. The range is 1 to 16. The default is 0 and must be changed.

Use server-number and server-start-id to select the log servers to add to a log server group. For example, if you have used the config server-info command to create five log servers with IDs 1 to 5, you can add the first three of them (IDs 1 to 3) to a log server group by setting server-number to 3 and server-start-id to 1. This adds the log servers with ID 1, 2, and 3 to this log server group. To add the other two servers to a second log server group, set server-number to 2 and server-start-id to 4. This adds log servers 4 and 5 to the second log server group.

You can add a log server to multiple server groups.
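Because a server group is defined by a count and a start ID rather than an explicit member list, it is easy to build a group that points past the servers you actually created. The following Python is an added example, not part of the Fortinet guide: it resolves (server-number, server-start-id) pairs to server-info indexes the way the page's worked example does (3 at 1 gives servers 1, 2, 3; 2 at 4 gives servers 4 and 5), rejects the unchanged default of 0, and fails on a group that references an index you never defined. Treating a run that would pass index 16 as an error is an assumption; the page does not say whether the FortiGate wraps or rejects it. The scenario data, function names and group names are constructed for the example.

```python
from typing import Dict, Iterable, List, Tuple

MAX_LOG_SERVERS = 16  # config server-info accepts <index> 1 to 16


def group_members(server_number: int, server_start_id: int) -> List[int]:
    """Return the server-info indexes that one server-group selects.

    The page's example implies a contiguous run starting at server-start-id.
    Rejecting a run that would pass index 16 is this example's assumption.
    """
    if not 1 <= server_number <= MAX_LOG_SERVERS:
        raise ValueError(
            f"server-number must be 1..{MAX_LOG_SERVERS} "
            f"(the default 0 must be changed), got {server_number}"
        )
    if not 1 <= server_start_id <= MAX_LOG_SERVERS:
        raise ValueError(
            f"server-start-id must be 1..{MAX_LOG_SERVERS} "
            f"(the default 0 must be changed), got {server_start_id}"
        )
    last = server_start_id + server_number - 1
    if last > MAX_LOG_SERVERS:
        raise ValueError(
            f"group would reach index {last}, beyond {MAX_LOG_SERVERS}"
        )
    return list(range(server_start_id, last + 1))


def resolve_groups(
    defined_servers: Iterable[int], groups: Dict[str, Tuple[int, int]]
) -> Dict[str, List[int]]:
    """Map each group name to its member indexes.

    groups maps group-name -> (server-number, server-start-id).
    Raises if a group references a server that was never created with
    config server-info.
    """
    defined = set(defined_servers)
    resolved: Dict[str, List[int]] = {}
    for name, (number, start) in groups.items():
        members = group_members(number, start)
        missing = [i for i in members if i not in defined]
        if missing:
            raise ValueError(
                f"server-group {name} references undefined log servers {missing}"
            )
        resolved[name] = members
    return resolved


def unused_servers(
    defined_servers: Iterable[int], resolved: Dict[str, List[int]]
) -> List[int]:
    """Indexes that exist in server-info but belong to no group."""
    used = {i for members in resolved.values() for i in members}
    return sorted(set(defined_servers) - used)


# Constructed scenario mirroring the page's worked example: five log servers,
# the first three in one group and the remaining two in a second group.
DEFINED_SERVERS = [1, 2, 3, 4, 5]
GROUPS = {"collectors-a": (3, 1), "collectors-b": (2, 4)}

if __name__ == "__main__":
    result = resolve_groups(DEFINED_SERVERS, GROUPS)
    for group_name, member_ids in result.items():
        print(group_name, member_ids)
    print("unused:", unused_servers(DEFINED_SERVERS, result))
```

Run the check against your intended server-info indexes before committing the server-group configuration; a group whose run extends past the servers you created will otherwise only show up as missing log data.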

From the GUI

  1. Go to Log & Report > Hyperscale SPU Offload Log Settings.

    This is a global setting.

  2. Select the Netflow version.
  3. Under Log Servers, select Create New to create a log server.
  4. Select the Virtual Domain containing the interface that can communicate with the log server.
  5. Select the IP version supported by the log server and enter the log server IP address or IPv6 address.
  6. Enter the Source port and Destination port to be added to the log message packets.
  7. Set the Template transmission timeout, or the time interval between sending NetFlow template packets.
  8. Select OK to save the log server.
  9. Repeat to add more log servers.
  10. Under Log Server Groups select Create New to add a log server group.
  11. Enter a Name for the log server group.
  12. Select the Logging Mode and Log format.
  13. Add one or more Log servers.
  14. Select OK to save the log server group.
  15. Select Apply to apply your hardware logging changes.
