Hyperscale Firewall Guide

Configuring hardware logging

Use the global config log npu-server command to configure global hardware logging settings, add hardware log servers, and create log server groups. The hardware logging configuration is a global configuration that is shared by all of the NP7s and is available to all hyperscale firewall VDOMs.

config log npu-server

set log-processor {hardware | host}

set log-processing {may-drop | no-drop}

set netflow-ver {v9 | v10}

set syslog-facility <facility>

set syslog-severity <severity>

config server-info

edit <index>

set vdom <name>

set ip-family {v4 | v6}

set ipv4-server <ipv4-address>

set ipv6-server <ipv6-address>

set source-port <port-number>

set dest-port <port-number>

set template-tx-timeout <timeout>

end

config server-group

edit <group-name>

set log-mode {per-session | per-nat-mapping | per-session-ending}

set log-format {netflow | syslog}

set log-tx-mode {roundrobin | multicast}

set sw-log-flags {tcp-udp-only | enable-all-log | disable-all-log}

set log-user-info {disable | enable}

set log-gen-event {disable | enable}

set server-number <number>

set server-start-id <number>

end

Global hardware logging settings

Global hardware logging settings control how hardware logs are handled (by NP7 processors or by the CPU) and control global log settings such as the NetFlow version.

config log npu-server

set log-processor {hardware | host}

set log-processing {may-drop | no-drop}

set netflow-ver {v9 | v10}

set syslog-facility <facility>

set syslog-severity <severity>

end

log-processor selects whether NP7 processors (hardware, the default) or the FortiGate CPUs (host, called host logging) generate traffic log messages for hyperscale firewall sessions. This option is not available on all FortiGate models that support hyperscale firewall features; if it is not available, NP7 processors generate the traffic log messages. Both log processor options also support software session logging.

If you set this option to hardware (and on FortiGate models that don't support selecting host), the following limitations apply:

  • The interface through which your FortiGate communicates with the remote log server must be connected to your FortiGate's NP7 processors. Depending on the FortiGate model, this usually means you can't use a management or HA interface to reach the remote log server. See FortiGate NP7 architectures for information about which interfaces are connected to NP7 processors and which are not for your FortiGate model.
  • The interface through which your FortiGate communicates with the remote log server can be in any VDOM and does not have to be in the hyperscale VDOM that is processing the traffic being logged.
  • The interface through which a FortiGate 4800F or 4801F communicates with the remote log server must be in a hyperscale firewall VDOM. This can be the VDOM that is processing the traffic being logged, or another VDOM assigned to the same NP7 processor group, see NP7 processor groups and hyperscale hardware logging.
  • The vd= field in generated traffic log messages includes the VDOM name followed by trailing null characters. If possible, you can configure your syslog server or NetFlow server to remove these trailing null characters.
  • Normally the PID= field in traffic log messages contains the policy ID of the firewall policy that generated the log message. But if that policy has recently changed, the PID= field can contain extra information used by the NP7 policy engine to track policy changes. The actual policy ID is in the low-order 26 bits of the value: convert the decimal number in the PID= field to binary or hexadecimal, keep only the last 26 bits (equivalently, AND the value with 0x3FFFFFF), and convert the result back to decimal.
  • If log-mode is set to per-session, NP7 hardware logging may send multiple session start log messages, each with a different start time. Creating multiple session start log messages is a limitation of NP7 processor hardware logging, caused by the NP7 processor creating extra session start messages if session updates occur. You can work around this issue by using host logging or by setting log-mode to per-session-ending. This setting creates a single log message when the session ends. This log message records the time the session ended as well as the duration of the session. This information can be used to calculate the session start time.
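The following Python script, added here as an example (it is not Fortinet code), shows how a collector can post-process hardware-logged syslog messages to undo the three artifacts listed above: it strips the NUL padding from vd=, masks PID= to its low-order 26 bits, and keeps only the earliest session-start message per session. The <PRI> prefix, the key=value layout, and the srcip/srcport/dstip/dstport/proto/event/time/duration field names are assumptions made for the example; the sample lines are constructed, not captured from a FortiGate.

```python
"""Normalize NP7 hardware-logging syslog messages before they reach a SIEM.

Added example, not Fortinet's code. It applies the three limitations the
page lists for log-processor hardware: NUL padding in vd=, policy-change
bits in PID=, and duplicate session-start messages in per-session mode.
Assumptions (not from the page): messages carry an RFC 3164 "<PRI>" prefix,
fields are key=value pairs, and the session key / event / time / duration
field names used below are illustrative. The sample lines are constructed.
"""
import re

PID_MASK = (1 << 26) - 1            # policy ID lives in the low-order 26 bits
PRI_RE = re.compile(r"^<(\d{1,3})>")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SESSION_KEY = ("srcip", "srcport", "dstip", "dstport", "proto")   # assumed names


def split_pri(line):
    """Return (facility, severity, remainder); PRI = facility * 8 + severity."""
    m = PRI_RE.match(line)
    if not m:
        return None, None, line
    pri = int(m.group(1))
    return pri // 8, pri % 8, line[m.end():]


def clean_vdom(value):
    """Drop the trailing NUL characters the NP7 appends to the vd= field."""
    return value.rstrip("\x00")


def real_policy_id(pid_field):
    """Mask off the NP7 policy-engine change-tracking bits above bit 25."""
    return int(pid_field) & PID_MASK


def parse_line(line):
    facility, severity, rest = split_pri(line)
    rec = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    rec["facility"], rec["severity"] = facility, severity
    if "vd" in rec:
        rec["vd"] = clean_vdom(rec["vd"])
    if "PID" in rec:
        rec["PID"] = real_policy_id(rec["PID"])
    return rec


def collapse_session_starts(records):
    """Keep only the earliest start message per session (per-session mode
    may emit several, each with a different start time); pass others through."""
    earliest = {}
    others = []
    for rec in records:
        if rec.get("event") != "start":
            others.append(rec)
            continue
        key = tuple(rec.get(f) for f in SESSION_KEY)
        if key not in earliest or int(rec["time"]) < int(earliest[key]["time"]):
            earliest[key] = rec
    return list(earliest.values()) + others


def start_from_end(rec):
    """per-session-ending mode: start time = end time - duration."""
    return int(rec["time"]) - int(rec["duration"])


# Constructed sample: two NP7 start messages for the same session, then the end.
# PID 67108873 is 0x4000009: bit 26 set by the policy engine, real policy ID 9.
SAMPLE_LINES = [
    '<189>time=1700000000 vd="hw-vdom\x00\x00\x00" PID=67108873 srcip=10.1.1.5 '
    'srcport=40000 dstip=192.0.2.10 dstport=443 proto=6 event=start',
    '<189>time=1700000003 vd="hw-vdom\x00\x00\x00" PID=67108873 srcip=10.1.1.5 '
    'srcport=40000 dstip=192.0.2.10 dstport=443 proto=6 event=start',
    '<189>time=1700000030 vd="hw-vdom\x00\x00\x00" PID=9 srcip=10.1.1.5 '
    'srcport=40000 dstip=192.0.2.10 dstport=443 proto=6 event=end duration=30',
]


def normalize(lines):
    """Parse and de-duplicate a batch of hardware log lines."""
    return collapse_session_starts(parse_line(l) for l in lines)


if __name__ == "__main__":
    for rec in normalize(SAMPLE_LINES):
        print(rec)
```

Run it as a script to print the normalized records: with the constructed input the two start messages collapse to one and both PID values decode to policy 9. The PRI decode doubles as a check that the collector sees the facility and severity you configured (the defaults of 23 and 5 produce <189>).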

If you set this option to host, all hardware logging functions are supported. There are no restrictions on the interface through which your FortiGate communicates with the remote log server. Host logging has the following limitations:

  • Setting log-processor to host can reduce overall FortiGate performance because the FortiGate CPUs handle hardware logging instead of offloading logging to the NP7 processors.
  • Host logging may not provide the NHI, stats, OID, gateway, expiration, and duration information for short-lived sessions.
  • Host logging does not support NetFlow v9.

log-processing {may-drop | no-drop} changes how the FortiGate queues host (CPU) logging packets, to allow or prevent dropped log packets. This option is only available if log-processor is set to host. Under load, host logging packets can be dropped, resulting in lost log messages and incorrect traffic statistics.

  • may-drop the default CPU or host log queuing method is used. Log message packet loss can occur if the FortiGate is very busy.

  • no-drop use an alternate queuing method that prevents packet loss.

netflow-ver {v9 | v10} selects the NetFlow version that the log servers must be compatible with. v10, which is compatible with IP Flow Information Export (IPFIX), is the default. Host logging (log-processor set to host) does not support NetFlow v9, so leave this at v10 when using host logging.

syslog-facility sets the syslog facility number added to hardware log messages. The CLI accepts 0 to 255; the default is 23, which corresponds to the local7 syslog facility. Standard syslog (RFC 5424) defines facilities 0 to 23 only, and the PRI value a collector decodes is facility × 8 + severity, so a facility above 23 is likely to be rejected or mis-decoded by the receiving server.

syslog-severity sets the syslog severity level added to hardware log messages. The CLI accepts 0 to 255; the default is 5, which corresponds to the notice syslog severity. Standard syslog defines severities 0 (emergency) to 7 (debug) only; with the defaults the PRI sent is 23 × 8 + 5 = 189.

Hardware logging servers

You can use the config server-info command to add up to 16 log servers. The log server configuration includes the information that the FortiGate uses to communicate with a log server: the name of the VDOM through which the FortiGate reaches the log server and the IPv4 or IPv6 address of the log server. Once you have added log servers, you can add them to one or more log server groups.

config log npu-server

config server-info

edit <index>

set vdom <name>

set ip-family {v4 | v6}

set ipv4-server <ipv4-address>

set ipv6-server <ipv6-address>

set source-port <port-number>

set dest-port <port-number>

set template-tx-timeout <timeout>

end

edit <index> create a log server. <index> is the number of the log server. You use this number when you add the log server to a server group. <index> can be 1 to 16. You must specify the number, setting <index> to 0 to select the next available number is not supported.

vdom the virtual domain that contains the FortiGate interface you want to use to communicate with the log server. If log-processor is set to hardware, the VDOM must include an interface connected to an NP7 processor, because NP7 hardware logging can only send log packets through NP7-connected interfaces; usually this means you cannot select a management VDOM. If log-processor is set to host, you can select any VDOM.

Note

On a FortiGate 4800F or 4801F, hyperscale hardware logging servers must include a hyperscale firewall VDOM. This VDOM must be assigned the same NP7 processor group as the hyperscale firewall VDOM that is processing the hyperscale traffic being logged. This can be the same hyperscale VDOM or another hyperscale firewall VDOM that is assigned the same NP7 processor group.

For more information, see Enabling hyperscale firewall features and NP7 processor groups and hyperscale hardware logging.

ip-family the IP version of the remote log server. v4 is the default.

ipv4-server the IPv4 address of the remote log server.

ipv6-server the IPv6 address of the remote log server.

source-port the source UDP port number added to the log packets in the range 0 to 65535. The default is 514.

dest-port the destination UDP port number added to the log packets in the range 0 to 65535. The default is 514.

template-tx-timeout the time interval between sending NetFlow template packets. NetFlow template packets communicate the format of the NetFlow messages sent by the FortiGate to the NetFlow server. Since the message format can change if the NetFlow configuration changes, the FortiGate sends template updates at regular intervals to make sure the server can correctly interpret NetFlow messages. The timeout range is from 60 to 86,400 seconds. The default timeout is 600 seconds.

Hardware logging server groups

Configure hardware logging server groups to group the hardware logging servers that receive logs from traffic accepted by a hyperscale firewall policy. To add hardware logging for hyperscale firewall traffic, you add a log server group to a hyperscale firewall policy.

You also use the log server group to configure the number of log messages sent for each session, the log format (NetFlow or syslog), how software sessions are logged, whether log messages are distributed to the log servers in the server group or simultaneously sent to all log servers in the server group, and to select the log servers added to the log server group.

config log npu-server

config server-group

edit <group-name>

set log-mode {per-session | per-nat-mapping | per-session-ending}

set log-format {netflow | syslog}

set log-tx-mode {roundrobin | multicast}

set sw-log-flags {tcp-udp-only | enable-all-log | disable-all-log}

set log-user-info {disable | enable}

set log-gen-event {disable | enable}

set server-number <number>

set server-start-id <number>

end

log-mode select a log mode:

  • per-session (the default) create two log messages per session, one when the session is established and one when the session ends. If log-processor is set to hardware, NP7 processors may incorrectly create multiple session start messages due to a hardware limitation.
  • per-nat-mapping create two log messages per session, one when the session allocates NAT mapping resources and one when NAT mapping resources are freed when the session ends.
  • per-session-ending create one log message when a session ends. This log message includes the session duration, allowing you to calculate the session start time (end time minus duration). per-session-ending logging may be preferable to per-session logging because fewer log messages are created but the same information is available.

log-format {netflow | syslog} select the log message format. You can select netflow or syslog. If you select netflow, the global hardware log netflow-ver setting determines the NetFlow version (v9 or v10) of the log messages.

log-tx-mode {roundrobin | multicast} select roundrobin (the default) to load balance log messages to the log servers in the server group. Select multicast to enable multicast logging. Multicast logging simultaneously sends log messages to all of the log servers in the server group.

sw-log-flags {tcp-udp-only | enable-all-log | disable-all-log} configures how software session logs are handled by the log server group. Software session logging uses per-session logging (two log messages per session, one when the session is established and one when it ends) and supports the NetFlow v10 and syslog log message formats.

  • tcp-udp-only log only TCP and UDP software sessions (the default).

  • enable-all-log log all software sessions.

  • disable-all-log disable software session logging for this log server group.

log-user-info enable to include user information in log messages. This option is only available if log-format is set to syslog.

log-gen-event enable to add event log messages to hardware logging. This option is only available if log-format is set to syslog and log-mode is set to per-nat-mapping; it is restricted to that mode to limit the number of log messages generated.

server-number the number of consecutive log servers, created using config server-info, in this log server group. The range is 1 to 16. The default is 0, which is not a valid value, so you must set it.

server-start-id the ID (config server-info index) of the first log server in the group. The range is 1 to 16. The default is 0, which is not a valid value, so you must set it.

Use server-number and server-start-id together to select the log servers in a log server group: the group contains the servers with consecutive IDs from server-start-id through server-start-id + server-number - 1, so the combination must stay within IDs 1 to 16 and every ID in that range should already exist in config server-info. You can add the same log server to multiple log server groups.

For example, if you have created five log servers with IDs 1 to 5:

config server-info
    edit 1
        set vdom Test-hw12
        set ipv4-server 10.10.10.20
    next
    edit 2
        set vdom Test-hw12
        set ipv4-server 10.10.10.21
    next
    edit 3
        set vdom Test-hw12
        set ipv4-server 10.10.10.22
    next
    edit 4
        set vdom Test-hw12
        set ipv4-server 10.10.10.23
    next
    edit 5
        set vdom Test-hw12
        set ipv4-server 10.10.10.24
    next
end

You can add the first three log servers (IDs 1 to 3) to a log server group by setting server-number to 3 and server-start-id to 1. This adds the log servers with ID 1, 2, and 3 to this log server group.

config server-group

edit test-log-11

set server-number 3

set server-start-id 1

end

To add the other two servers to a second log server group, set server-number to 2 and server-start-id to 4. This adds log servers 4 and 5 to this log server group.

config server-group

edit test-log-12

set server-number 2

set server-start-id 4

end

To add all of the log servers to a third log server group, set server-number to 5 and server-start-id to 1. This adds log servers 1 to 5 to this log server group.

config server-group

edit test-log-13

set server-number 5

set server-start-id 1

end
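To check a configuration like the one above before pushing it, the following Python script (an added example, not Fortinet code) parses FortiOS-style CLI text and resolves each server-group to the server-info entries it selects, flagging groups whose server-number and server-start-id combination runs past ID 16, references undefined servers, or was left at the default 0. The configuration text inside it is constructed from the page's example with the vdom lines omitted, plus a deliberately broken group named test-log-bad; the parser handles only the config/edit/set/next/end keywords used here.

```python
"""Resolve hardware log server groups to the server-info entries they select.

Added example, not Fortinet's code. It parses FortiOS-style CLI text
(config / edit / set / next / end) and applies the page's rule that a group
selects the consecutive server-info indexes server-start-id through
server-start-id + server-number - 1, all of which must exist within 1 to 16.
The configuration text is constructed from the page's example (vdom lines
omitted); the 'test-log-bad' group is deliberately wrong so the check fires.
"""
import shlex

MAX_SERVERS = 16


def parse_fortios(text):
    """config/edit open a nested dict, set stores a value, next closes an
    edit entry, end closes the enclosing config block (and any open edit)."""
    root = {}
    stack = [("root", root)]
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        keyword, args = tokens[0], tokens[1:]
        current = stack[-1][1]
        if keyword in ("config", "edit"):
            child = current.setdefault(" ".join(args), {})
            stack.append((keyword, child))
        elif keyword == "set":
            current[args[0]] = args[1] if len(args) == 2 else args[1:]
        elif keyword == "next":
            stack.pop()
        elif keyword == "end":
            while len(stack) > 1 and stack.pop()[0] != "config":
                pass
    return root


def resolve_group(npu_server, group_name):
    """Return (selected_ids, server_addresses, problems) for one server-group."""
    group = npu_server["server-group"][group_name]
    servers = npu_server.get("server-info", {})
    number = int(group.get("server-number", 0))
    start = int(group.get("server-start-id", 0))
    problems = []
    if number < 1 or start < 1:   # the CLI default 0 is not a valid value
        problems.append("server-number and server-start-id must both be set")
        return [], [], problems
    ids = list(range(start, start + number))
    if ids[-1] > MAX_SERVERS:
        problems.append(f"IDs {ids[0]}..{ids[-1]} exceed the {MAX_SERVERS}-server limit")
    missing = [i for i in ids if str(i) not in servers]
    if missing:
        problems.append(f"server-info entries not defined: {missing}")
    addresses = [servers[str(i)].get("ipv4-server") or servers[str(i)].get("ipv6-server")
                 for i in ids if str(i) in servers]
    return ids, addresses, problems


def audit(config_text):
    """Map every server-group name to its problem list (empty list means OK)."""
    npu_server = parse_fortios(config_text)["log npu-server"]
    return {name: resolve_group(npu_server, name)[2]
            for name in npu_server.get("server-group", {})}


SAMPLE_CONFIG = """
config log npu-server
    config server-info
        edit 1
            set ipv4-server 10.10.10.20
        next
        edit 2
            set ipv4-server 10.10.10.21
        next
        edit 3
            set ipv4-server 10.10.10.22
        next
        edit 4
            set ipv4-server 10.10.10.23
        next
        edit 5
            set ipv4-server 10.10.10.24
        next
    end
    config server-group
        edit test-log-11
            set server-number 3
            set server-start-id 1
        next
        edit test-log-12
            set server-number 2
            set server-start-id 4
        next
        edit test-log-bad
            set server-number 4
            set server-start-id 14
        next
    end
end
"""
```

Calling audit(SAMPLE_CONFIG) reports an empty problem list for test-log-11 and test-log-12 and two problems for test-log-bad: IDs 14 to 17 run past the 16-server limit, and none of those server-info entries exist. Feed it the output of `show log npu-server` from a device to run the same check against a live configuration.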

From the GUI

You can configure hardware logging from the Global GUI.

  1. Go to Log & Report > Hyperscale SPU Offload Log Settings.

  2. If log-processor is set to hardware you can select the NetFlow version.
  3. Under Log Servers, select Create New to create a log server.
  4. Select the Virtual Domain containing the interface that can communicate with the log server.
  5. Select the IP version supported by the log server and enter the log server IP address or IPv6 address.
  6. Enter the Source port and Destination port to be added to the log message packets.
  7. Set the Template transmission timeout, or the time interval between sending NetFlow template packets.
  8. Select OK to save the log server.
  9. Repeat to add more log servers.
  10. Under Log Server Groups select Create New to add a log server group.
  11. Enter a Name for the log server group.
  12. Select the Logging Mode and Log format.
  13. Add one or more Log servers.
  14. Select OK to save the log server group.
  15. Select Apply to apply your hardware logging changes.
