Hyperscale Firewall Guide

Adding hardware logging to a hyperscale firewall policy

Use the following command to enable hardware logging in a hyperscale firewall policy and assign a hardware logging server group to the firewall policy.

config firewall policy
    edit <id>
        set policy-offload {enable | disable}
        set cgn-log-server-grp <group-name>
end

From the GUI:

  1. Go to Policy & Objects > Firewall Policy and create a new firewall policy or edit an existing one.
  2. While configuring the policy, select Log Hyperscale SPU Offload Traffic.
  3. Select a Log Server Group.

Note

When configuring hardware logging, the following recommendations and requirements apply to the IP addresses of the hardware logging servers that you use with hyperscale firewall policies:

  • You should only use logging servers that have IPv4 addresses with IPv4 hyperscale firewall policies. Logging servers with IPv6 IP addresses can be used but are not recommended.

  • You should only use logging servers that have IPv6 addresses with IPv6 hyperscale firewall policies. Logging servers with IPv4 IP addresses can be used but are not recommended.

  • You can only use logging servers that have IPv6 addresses with NAT64 hyperscale firewall policies.

  • You can only use logging servers that have IPv4 addresses with NAT46 hyperscale firewall policies.
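
The address-family rules in the note above, written as a check to run before assigning a log server group to a policy. This is an added example, not Fortinet code; the inventory format, policy ids and addresses are constructed for illustration, and the script does not parse FortiOS configuration.

```python
import ipaddress

# Log server address family per policy type, from the note above.
# required=True -> "can only use"; required=False -> "should only use".
RULES = {"ipv4": (4, False), "ipv6": (6, False),
         "nat64": (6, True), "nat46": (4, True)}

def check_policy(policy_type, server_ips):
    """Return (severity, message) findings for one policy's log servers."""
    key = policy_type.lower()
    if key not in RULES:
        return [("error", f"unknown policy type {policy_type!r}")]
    want, required = RULES[key]
    findings = []
    for raw in server_ips:
        try:
            addr = ipaddress.ip_address(raw.strip())
        except ValueError:
            findings.append(("error", f"{raw!r} is not an IP address"))
            continue
        if addr.version != want:
            sev, verb = ("error", "requires") if required else ("warning", "should use")
            findings.append((sev, f"{addr} is IPv{addr.version}; a {key} policy "
                                  f"{verb} IPv{want} log servers"))
    return findings

def audit(policies):
    """Map policy id -> findings, listing only policies that have findings."""
    report = {}
    for p in policies:
        found = check_policy(p["type"], p["servers"])
        if found:
            report[p["id"]] = found
    return report

# Constructed inventory (hypothetical ids, documentation-range addresses).
SAMPLE = [
    {"id": 10, "type": "ipv4",  "servers": ["192.0.2.10", "192.0.2.11"]},
    {"id": 11, "type": "ipv6",  "servers": ["2001:db8::10", "192.0.2.10"]},
    {"id": 12, "type": "nat64", "servers": ["192.0.2.10"]},
    {"id": 13, "type": "nat46", "servers": ["192.0.2.11", "2001:db8::11"]},
]

if __name__ == "__main__":
    for pid, found in audit(SAMPLE).items():
        for sev, msg in found:
            print(f"policy {pid}: {sev}: {msg}")
```

A mismatch is reported as a warning for IPv4 and IPv6 policies, where the note only recommends a matching address family, and as an error for NAT64 and NAT46 policies, where the note makes it a requirement.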
