Fortinet Document Library
Hyperscale Firewall Guide

Hardware logging

You can configure NP7 processors to create traffic or NAT mapping log messages for hyperscale firewall sessions and send them to remote NetFlow or Syslog servers. Hardware logging is supported for IPv4, IPv6, NAT64, and NAT46 hyperscale firewall policies. Full NetFlow is supported through the information maintained in the firewall session.

Hardware logging features include:

  • Per session logging creates either two log messages per session (one when the session is established and one when the session ends) or one log message per session, created when the session ends.
  • On some FortiGate models with NP7 processors you can configure hardware logging to either use the NP7 processors to create and send log messages or use FortiGate CPU resources to create and send hardware log messages. Using the NP7 processors to create and send log messages improves performance. Using the FortiGate CPU for hardware logging is called host logging. Each option has some limitations; see Configuring hardware logging.
  • Per NAT mapping logging creates two log messages per session: one when the session allocates NAT mapping resources and one when the NAT mapping resources are freed at the end of the session.
  • By default, log messages are sent in NetFlow v10 format over UDP. NetFlow v10 is compatible with IP Flow Information Export (IPFIX).
  • NetFlow v9 logging over UDP is also supported. NetFlow v9 uses a binary format and reduces logging traffic.
  • Syslog logging over UDP is also supported.
  • You can create multiple log server groups to support different log message formats and different log servers.
  • Hash-based load balancing distributes log messages among the log servers in a log server group to reduce the load on individual log servers. A log server group can contain up to 16 log servers. Hash values are computed from session information. All messages generated by a given session are sent to the same log server.
  • You can also configure multicast hardware logging to send all log messages to multiple log servers.
  • Some FortiGates include Aux interfaces intended to be used for hardware logging. Connect these interfaces to the networks that connect to your remote log servers. See Optimizing hardware logging performance using AUX interfaces.
  • Hardware logging log messages are similar to most FortiGate log messages, but there are differences that are specific to hardware logging messages. For example, the dur (duration) field in hardware logging messages is in milliseconds (ms), not in seconds.
  • Hardware logging is supported for protocols that use session helpers or application layer gateways (ALGs). If hyperscale firewall policies accept session helper or ALG traffic, for example ICMP traffic, hardware log messages for these sessions are created and sent according to the hardware logging configuration for the policy.
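Two of the points above matter on the receiving side: every message for a given session is hashed to the same server in a group of up to 16, and the dur field is in milliseconds rather than the seconds used by regular FortiGate traffic logs. The following is an added example, not Fortinet code and not the NP7's actual hashing algorithm. It parses constructed key=value hardware log lines (only the dur field name comes from this page; srcip, dstip, srcport, dstport, proto and sessionid are assumed field names), normalizes dur to seconds for correlation, and shows session-keyed assignment to log servers with a stand-in SHA-256 hash.

```python
"""Illustrative handling of NP7 hardware log records (added example).

Assumptions (none are from the Fortinet page except the `dur` field):
  * records are key=value syslog-style lines; srcip/dstip/srcport/dstport/
    proto/sessionid are assumed field names;
  * SHA-256 of the session 5-tuple stands in for whatever hash the NP7
    computes; only the property "same session -> same server" is modelled.
"""
import hashlib
import shlex
from typing import Dict, List

# Constructed sample: a "session start" record followed by the matching
# "session end" record for the same 5-tuple.
SAMPLE_LINES = [
    'date=2024-01-01 time=12:00:00 devname="fg-example" type="traffic" '
    'sessionid=12345 srcip=10.0.0.5 srcport=51000 dstip=192.0.2.10 '
    'dstport=443 proto=6 dur=0 action="start"',
    'date=2024-01-01 time=12:00:01 devname="fg-example" type="traffic" '
    'sessionid=12345 srcip=10.0.0.5 srcport=51000 dstip=192.0.2.10 '
    'dstport=443 proto=6 dur=1500 action="close"',
]

MAX_SERVERS_PER_GROUP = 16  # a log server group holds at most 16 servers


def parse_hw_log(line: str) -> Dict[str, str]:
    """Parse a key=value log line into a dict; shlex strips the quotes."""
    record: Dict[str, str] = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            record[key] = value
    return record


def dur_seconds(record: Dict[str, str]) -> float:
    """Hardware-logging dur is in milliseconds; normalise to seconds before
    correlating with regular FortiGate traffic logs, which use seconds."""
    return int(record["dur"]) / 1000.0


def session_key(record: Dict[str, str]) -> str:
    """5-tuple that identifies the session for load-balancing purposes."""
    return "|".join(record[k] for k in ("srcip", "srcport", "dstip", "dstport", "proto"))


def assign_server(key: str, n_servers: int = MAX_SERVERS_PER_GROUP) -> int:
    """Map a session key to a server index in [0, n_servers).

    SHA-256 is an illustrative stable hash, not the NP7's algorithm; what
    matters is that it is deterministic, so both messages of one session
    land on the same server.
    """
    if not 1 <= n_servers <= MAX_SERVERS_PER_GROUP:
        raise ValueError("a log server group holds 1..16 servers")
    digest = hashlib.sha256(key.encode("utf-8")).digest()
    return int.from_bytes(digest[:8], "big") % n_servers


def servers_for(lines: List[str], n_servers: int = MAX_SERVERS_PER_GROUP) -> List[int]:
    """Server index chosen for each log line, in order."""
    return [assign_server(session_key(parse_hw_log(ln)), n_servers) for ln in lines]


def distribution(n_sessions: int, n_servers: int = MAX_SERVERS_PER_GROUP) -> Dict[int, int]:
    """Count how many constructed sessions land on each server."""
    counts: Dict[int, int] = {}
    for i in range(n_sessions):
        key = f"10.0.0.{i % 250}|{50000 + i}|192.0.2.10|443|6"  # constructed
        idx = assign_server(key, n_servers)
        counts[idx] = counts.get(idx, 0) + 1
    return counts


if __name__ == "__main__":
    for ln in SAMPLE_LINES:
        rec = parse_hw_log(ln)
        print(rec["action"], "dur =", dur_seconds(rec), "s",
              "-> server", assign_server(session_key(rec)))
    print("sessions per server:", distribution(256))
```

The start and close records above share a 5-tuple, so they resolve to the same server index; a collector that keys on the server receiving a message can therefore rely on seeing both halves of a session at one place. The dur normalization is the one to watch in SIEM rules: a threshold written for seconds will be off by a factor of 1000 on hardware log records.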
