Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiGate / FortiOS 7.2.3 Administration Guide
    7.2.3
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0

    Log settings and targets

    Log settings and targets

    Log settings determine what information is recorded in logs, where the logs are stored, and how often storage occurs. Log settings can be configured in the GUI and CLI. In the GUI, Log & Report > Log Settings provides the settings for local and remote logging.

    Local Log
    Disk

    Define local log storage on the FortiGate:

    • Enable: Logs will be stored on a local disk. Local disk logging is not available in the GUI if the Security Fabric is enabled. When the Security Fabric is enabled, disk logging can still be configured on the root FortiGate in the CLI but is not available for downstream FortiGates.

    • Disable: Logs will be stored remotely to FortiAnalyzer/FortiManager or to a Cloud logging device.
    Enable Local Reports

    Define log reporting on the FortiGate:

    • Enable: Local reports will be available on the FortiGate. Reports can be reviewed in Log & Report > Local Reports. If the Security Fabric is enabled, Local Reports can be enabled in System > Feature Visibility.

    • Disable: Local reports will not be available on the FortiGate.

    Enable Historical FortiView

    Define the presentation of log information on FortiView:

    • Enable: Historical log data will be available on a FortiView monitor. By default, logs older than seven days are deleted. Disk logging must be enabled.

    • Disable: Historical log data will not be available on FortiView.
    Remote Logging and Archiving
    Send logs to FortiAnalyzer/FortiManager

    Define the status of remote logging to FortiAnalyzer and FortiManager:

    • Enable: Logs are sent to FortiAnalyzer or FortiManager for remote logging. HTTP transaction logs are also sent to a FortiAnalyzer unit to generate additional details in reports.

    • Disable: Logs are stored to system memory, a local disk, or a Cloud logging device.
    Server Set the server IP address for the FortiAnalyzer or FortiManager. Use Test Connectivity to test the connection status to the server.
    Connection status

    Displays authorization status on FortiAnalyzer:

    • Successful: The FortiGate is connected to the FortiAnalyzer. Remote logging to the FortiAnalyzer can be configured.

    • Unauthorized: The FortiGate is not connected to the FortiAnalyzer. Click Authorize to review the approval status on FortiAnalyzer or see Configuring FortiAnalyzer for more information.

    Storage usage

    Presents the storage used and the total storage available on the remote logging device.

    Analytics usage

    Presents the analytics space used and the total analytics space available on the remote logging device.

    Archives usage

    Presents the archive space used and the total archive space available on the remote logging device.

    Upload option

    Select the frequency of log uploads to the remote device:

    • Real Time: Logs are sent to the remote device in real time.

    • Every Minute: Logs are sent to the remote device once every minute. This option is unavailable if the Security Fabric Connections is enabled.

    • Every 5 Minutes: Logs are sent to the remote device once every five minutes. This is the default option. This option is unavailable if the Security Fabric Connection is enabled.

    • store-and-upload: Store logs to a local disk before uploading to FortiAnalyzer or FortiManager at a scheduled time. This option is only available for CLI configuration.

    Allow access to FortiGate REST API

    Define access to FortiGate REST API:

    • Enable: The REST API accesses the FortiGate topology and shares data and results.

    • Disable: The REST API foes not share data and results.

    Verify FortiAnalyzer certificate

    Define the FortiAnalyzer certificate verification process:

    • Enable: The FortiGate will verify the FortiAnalyzer serial number against the FortiAnalyzer certificate. When verified, the serial number is stored in the FortiGate configuration.

    • Disable: The FortiGate will not verify the FortiAnalyzer certificate against the serial number.

    Cloud Logging Settings

    Type

    Specify remote logging to the FortiGate Cloud or FortiAnalyzer Cloud device. If multiple devices are enabled, the default preference is FortiAnalyzer Cloud.

    Connection status

    Displays the current connection status to the selected Type. Use Test Connectivity to test the connection status to the Cloud logging device.

    Upload option

    Select the frequency of log uploads to the Cloud device:

    • Real Time: Logs are sent to the Cloud device in real time.

    • Every Minute: Logs are sent to the Cloud device once every minute. This option is unavailable if the Security Fabric Connection is enabled.

    • Every 5 Minutes: Logs are sent to the Cloud device once every five minutes. This is the default option. This option is unavailable if the Security Fabric Connection is enabled.

    Allow access to FortiGate REST API

    Define access to FortiGate REST API:

    • Enable: The REST API accesses the FortiGate topology and shares data and results.

    • Disable: The REST API foes not share data and results.

    Verify FortiAnalyzer Cloud certificate

    Define the FortiAnalyzer Cloud certificate verification process:

    • Enable: The FortiGate will verify the FortiAnalyzer serial number against the FortiAnalyzer certificate. When verified, the serial number is stored in the FortiGate configuration.

    • Disable: The FortiGate will not verify the FortiAnalyzer certificate against the serial number.

    UUIDs in Traffic Log

    Policy

    Define the use of policy UUIDs in traffic logs:

    • Enable: Policy UUIDs are stored in traffic logs. UUIDs can be matched for each source and destination that match a policy in the traffic log. See Source and destination UUID logging for more information.

    • Disable: Policy UUIDs are excluded from the traffic logs.

    Address

    Define the use of address UUIDs in traffic logs:

    • Enable: Address UUIDs are stored in traffic logs. When viewing Forward Traffic logs, a filter is automatically set based on UUID.

    • Disable: Address UUIDs are excluded from traffic logs.

    Log Settings

    Event Logging

    Define the allowed set of event logs to be recorded:

    • All: All event logs will be recorded.

    • Customize: Select specific event log types to be recorded. Deselect all options to disable event logging.

    Local Traffic Log

    Define the allowed set of traffic logs to be recorded:

    • All: All traffic logs to and from the FortiGate will be recorded.

    • Customize: Select specific traffic logs to be recorded. Deselect all options to disable traffic logging. Local traffic logging is disabled by default due to the high volume of logs generated.

    GUI Preferences

    Resolve Hostnames

    Define the translation of IP addresses to host names:

    • Enable: IP addresses are translated to host names using reverse DNS lookup. If the DNS server is not available or is slow to reply, requests may time out.

    • Disable: IP addresses are not translated to host names.

    Resolve Unknown Applications

    Define the resolution of unknown applications:

    • Enable: Unknown applications are resolved using the Internet Service Database.

    • Disable: Unknown applications are not resolved.

    Configuring logs in the CLI

    The FortiGate can store logs locally to its system memory or a local disk. Logs can also be stored externally on a storage device, such as FortiAnalyzer, FortiAnalyzer Cloud, FortiGate Cloud, or a syslog server.

    Disk logging

    Disk logging must be enabled for logs to be stored locally on the FortiGate. By default, logs older than seven days are deleted from the disk. Log age can be configured in the CLI. Approximately 75% of disk space is available for log storage. Log storage space can be determined using the diagnose sys logdisk usage command.

    To configure local disk logging:
    config log disk setting
    set status enable
    set maximum-log-age <integer>
    set max-log-file-size <integer>
end

    Remote logging

    The process to configure FortiGate to send logs to FortiAnalyzer or FortiManager is identical. Remote logging to FortiAnalyzer and FortiManager can be configured using both the GUI and CLI. When using the CLI, use the config log fortianalyzer setting command for both FortiAnalyzer and FortiManager.

    If VDOMs are configured on the FortiGate, multiple FortiAnalyzers and syslog servers can be added globally. SeeConfiguring multiple FortiAnalyzers (or syslog servers) per VDOM and Configuring multiple FortiAnalyzers on a FortiGate in multi-VDOM mode for more information.

    To configure remote logging to FortiAnalyzer:
    config log fortianalyzer setting
    set status enable
    set server <server_IP>
    set upload option {store-and-upload | realtime | 1-minute | 5-minute}
end

    Remote logging can also be configured to FortiCloud, FortiSIEM, and syslog servers. Up to four syslog servers or FortiSIEM devices can be configured using the config log syslogd command and can send logs to syslog in CSV and CEF formats.

    To configure remote logging to FortiCloud:
    config log fortiguard setting
    set status enable
    set source-ip <source IP used to connect FortiCloud>
end
    To configure remote logging to a syslog server:
    config log syslogd setting
    set status enable
    set server <syslog_IP>
    set format {default | cev | cef}
end

    Log filters

    Log filter settings can be configured to determine which logs are recorded to the FortiAnalyzer, FortiManager, and syslog servers. This allows certain logging levels and types of logs to be directed to specific log devices.

    To configure log filters for FortiAnalyzer:
    config log fortianalyzer filter
    set severity <level>
    set forward-traffic {enable | disable}
    set local-traffic {enable | disable}
    set multicast-traffic {enable | disable}
    set sniffer-traffic {enable | disable}
end
    To configure log filters for a syslog server:
    config log syslogd filter
    set severity <level>
    set forward-traffic {enable | disable}
    set local-traffic {enable | disable}
    set multicast-traffic {enable | disable}
    set sniffer-traffic {enable | disable}
end

    Email alerts

    FortiGate events can be monitored at all times using email alerts. Email alerts send notifications to up to three recipients and can be triggered based on log event and severity level. Email alerts will be sent every five minutes by default but this can be configured in the CLI.

    To configure email alerts:
    config alertemail setting
    set username <name>
    set mailto1 <email>
    set filter-mode {category | threshold}
    set email-interval <integer>
    set IPS-logs {enable | disable}
    set HA-logs {enable | disable}
    set antivirus-logs {enable | disable}
    set webfilter-logs {enable | disable}
    set log-disk-usage-warning {enable | disable}
end
    Previous
    Next

    Log settings and targets

    Log settings and targets

    Log settings determine what information is recorded in logs, where the logs are stored, and how often storage occurs. Log settings can be configured in the GUI and CLI. In the GUI, Log & Report > Log Settings provides the settings for local and remote logging.

    Local Log
    Disk

    Define local log storage on the FortiGate:

    • Enable: Logs will be stored on a local disk. Local disk logging is not available in the GUI if the Security Fabric is enabled. When the Security Fabric is enabled, disk logging can still be configured on the root FortiGate in the CLI but is not available for downstream FortiGates.

    • Disable: Logs will be stored remotely to FortiAnalyzer/FortiManager or to a Cloud logging device.
    Enable Local Reports

    Define log reporting on the FortiGate:

    • Enable: Local reports will be available on the FortiGate. Reports can be reviewed in Log & Report > Local Reports. If the Security Fabric is enabled, Local Reports can be enabled in System > Feature Visibility.

    • Disable: Local reports will not be available on the FortiGate.

    Enable Historical FortiView

    Define the presentation of log information on FortiView:

    • Enable: Historical log data will be available on a FortiView monitor. By default, logs older than seven days are deleted. Disk logging must be enabled.

    • Disable: Historical log data will not be available on FortiView.
    Remote Logging and Archiving
    Send logs to FortiAnalyzer/FortiManager

    Define the status of remote logging to FortiAnalyzer and FortiManager:

    • Enable: Logs are sent to FortiAnalyzer or FortiManager for remote logging. HTTP transaction logs are also sent to a FortiAnalyzer unit to generate additional details in reports.

    • Disable: Logs are stored to system memory, a local disk, or a Cloud logging device.
    Server Set the server IP address for the FortiAnalyzer or FortiManager. Use Test Connectivity to test the connection status to the server.
    Connection status

    Displays authorization status on FortiAnalyzer:

    • Successful: The FortiGate is connected to the FortiAnalyzer. Remote logging to the FortiAnalyzer can be configured.

    • Unauthorized: The FortiGate is not connected to the FortiAnalyzer. Click Authorize to review the approval status on FortiAnalyzer or see Configuring FortiAnalyzer for more information.

    Storage usage

    Presents the storage used and the total storage available on the remote logging device.

    Analytics usage

    Presents the analytics space used and the total analytics space available on the remote logging device.

    Archives usage

    Presents the archive space used and the total archive space available on the remote logging device.

    Upload option

    Select the frequency of log uploads to the remote device:

    • Real Time: Logs are sent to the remote device in real time.

    • Every Minute: Logs are sent to the remote device once every minute. This option is unavailable if the Security Fabric Connections is enabled.

    • Every 5 Minutes: Logs are sent to the remote device once every five minutes. This is the default option. This option is unavailable if the Security Fabric Connection is enabled.

    • store-and-upload: Store logs to a local disk before uploading to FortiAnalyzer or FortiManager at a scheduled time. This option is only available for CLI configuration.

    Allow access to FortiGate REST API

    Define access to FortiGate REST API:

    • Enable: The REST API accesses the FortiGate topology and shares data and results.

    • Disable: The REST API foes not share data and results.

    Verify FortiAnalyzer certificate

    Define the FortiAnalyzer certificate verification process:

    • Enable: The FortiGate will verify the FortiAnalyzer serial number against the FortiAnalyzer certificate. When verified, the serial number is stored in the FortiGate configuration.

    • Disable: The FortiGate will not verify the FortiAnalyzer certificate against the serial number.

    Cloud Logging Settings

    Type

    Specify remote logging to the FortiGate Cloud or FortiAnalyzer Cloud device. If multiple devices are enabled, the default preference is FortiAnalyzer Cloud.

    Connection status

    Displays the current connection status to the selected Type. Use Test Connectivity to test the connection status to the Cloud logging device.

    Upload option

    Select the frequency of log uploads to the Cloud device:

    • Real Time: Logs are sent to the Cloud device in real time.

    • Every Minute: Logs are sent to the Cloud device once every minute. This option is unavailable if the Security Fabric Connection is enabled.

    • Every 5 Minutes: Logs are sent to the Cloud device once every five minutes. This is the default option. This option is unavailable if the Security Fabric Connection is enabled.

    Allow access to FortiGate REST API

    Define access to FortiGate REST API:

    • Enable: The REST API accesses the FortiGate topology and shares data and results.

    • Disable: The REST API foes not share data and results.

    Verify FortiAnalyzer Cloud certificate

    Define the FortiAnalyzer Cloud certificate verification process:

    • Enable: The FortiGate will verify the FortiAnalyzer serial number against the FortiAnalyzer certificate. When verified, the serial number is stored in the FortiGate configuration.

    • Disable: The FortiGate will not verify the FortiAnalyzer certificate against the serial number.

    UUIDs in Traffic Log

    Policy

    Define the use of policy UUIDs in traffic logs:

    • Enable: Policy UUIDs are stored in traffic logs. UUIDs can be matched for each source and destination that match a policy in the traffic log. See Source and destination UUID logging for more information.

    • Disable: Policy UUIDs are excluded from the traffic logs.

    Address

    Define the use of address UUIDs in traffic logs:

    • Enable: Address UUIDs are stored in traffic logs. When viewing Forward Traffic logs, a filter is automatically set based on UUID.

    • Disable: Address UUIDs are excluded from traffic logs.

    Log Settings

    Event Logging

    Define the allowed set of event logs to be recorded:

    • All: All event logs will be recorded.

    • Customize: Select specific event log types to be recorded. Deselect all options to disable event logging.

    Local Traffic Log

    Define the allowed set of traffic logs to be recorded:

    • All: All traffic logs to and from the FortiGate will be recorded.

    • Customize: Select specific traffic logs to be recorded. Deselect all options to disable traffic logging. Local traffic logging is disabled by default due to the high volume of logs generated.

    GUI Preferences

    Resolve Hostnames

    Define the translation of IP addresses to host names:

    • Enable: IP addresses are translated to host names using reverse DNS lookup. If the DNS server is not available or is slow to reply, requests may time out.

    • Disable: IP addresses are not translated to host names.

    Resolve Unknown Applications

    Define the resolution of unknown applications:

    • Enable: Unknown applications are resolved using the Internet Service Database.

    • Disable: Unknown applications are not resolved.

    Configuring logs in the CLI

    The FortiGate can store logs locally to its system memory or a local disk. Logs can also be stored externally on a storage device, such as FortiAnalyzer, FortiAnalyzer Cloud, FortiGate Cloud, or a syslog server.

    Disk logging

    Disk logging must be enabled for logs to be stored locally on the FortiGate. By default, logs older than seven days are deleted from the disk. Log age can be configured in the CLI. Approximately 75% of disk space is available for log storage. Log storage space can be determined using the diagnose sys logdisk usage command.

    To configure local disk logging:
    config log disk setting
    set status enable
    set maximum-log-age <integer>
    set max-log-file-size <integer>
end

    Remote logging

    The process to configure FortiGate to send logs to FortiAnalyzer or FortiManager is identical. Remote logging to FortiAnalyzer and FortiManager can be configured using both the GUI and CLI. When using the CLI, use the config log fortianalyzer setting command for both FortiAnalyzer and FortiManager.

    If VDOMs are configured on the FortiGate, multiple FortiAnalyzers and syslog servers can be added globally. SeeConfiguring multiple FortiAnalyzers (or syslog servers) per VDOM and Configuring multiple FortiAnalyzers on a FortiGate in multi-VDOM mode for more information.

    To configure remote logging to FortiAnalyzer:
    config log fortianalyzer setting
    set status enable
    set server <server_IP>
    set upload option {store-and-upload | realtime | 1-minute | 5-minute}
end

    Remote logging can also be configured to FortiCloud, FortiSIEM, and syslog servers. Up to four syslog servers or FortiSIEM devices can be configured using the config log syslogd command and can send logs to syslog in CSV and CEF formats.

    To configure remote logging to FortiCloud:
    config log fortiguard setting
    set status enable
    set source-ip <source IP used to connect FortiCloud>
end
    To configure remote logging to a syslog server:
    config log syslogd setting
    set status enable
    set server <syslog_IP>
    set format {default | cev | cef}
end

    Log filters

    Log filter settings can be configured to determine which logs are recorded to the FortiAnalyzer, FortiManager, and syslog servers. This allows certain logging levels and types of logs to be directed to specific log devices.

    To configure log filters for FortiAnalyzer:
    config log fortianalyzer filter
    set severity <level>
    set forward-traffic {enable | disable}
    set local-traffic {enable | disable}
    set multicast-traffic {enable | disable}
    set sniffer-traffic {enable | disable}
end
    To configure log filters for a syslog server:
    config log syslogd filter
    set severity <level>
    set forward-traffic {enable | disable}
    set local-traffic {enable | disable}
    set multicast-traffic {enable | disable}
    set sniffer-traffic {enable | disable}
end

    Email alerts

    FortiGate events can be monitored at all times using email alerts. Email alerts send notifications to up to three recipients and can be triggered based on log event and severity level. Email alerts will be sent every five minutes by default but this can be configured in the CLI.

    To configure email alerts:
    config alertemail setting
    set username <name>
    set mailto1 <email>
    set filter-mode {category | threshold}
    set email-interval <integer>
    set IPS-logs {enable | disable}
    set HA-logs {enable | disable}
    set antivirus-logs {enable | disable}
    set webfilter-logs {enable | disable}
    set log-disk-usage-warning {enable | disable}
end
    Previous
    Next