
Hyperscale Firewall Guide

Hardware logging servers

You can add up to 16 log servers. The log server configuration includes the information that the FortiGate uses to communicate with a log server. This includes the name of the VDOM through which the FortiGate can communicate with the log server, and the IPv4 or IPv6 IP address of the log server.

Once you have added log servers, you can add them to one or more log server groups.

From the GUI:

  1. Under Log Servers, select Create New to create a log server.
  2. Select the Virtual Domain containing the interface that can communicate with the log server.

    If you are configuring a FortiGate 4800F or 4801F, the Virtual Domain must be a hyperscale virtual domain. For more information, see NP7 processor groups and hyperscale hardware logging.

  3. Select the IP version supported by the log server and enter the log server IP address or IPv6 address.
  4. If Log Module is set to Host, you can select the Transport protocol (UDP or TCP).
  5. Enter the Source port and Destination port to be added to the log message packets.

    If Transport protocol is set to TCP you only need to select the Destination port.

  6. Set the Template transmission timeout, or the time interval between sending NetFlow template packets.
  7. Select OK to save the log server.
  8. Select Apply to save your changes.
  9. Repeat these steps to add more log servers.

From the CLI:

config log npu-server
    config server-info
        edit <index>
            set vdom <name>
            set ip-family {v4 | v6}
            set log-transport {tcp | udp}
            set ipv4-server <ipv4-address>
            set ipv6-server <ipv6-address>
            set source-port <port-number>
            set dest-port <port-number>
            set template-tx-timeout <timeout>
        next
    end
end

Note

You create a log server from the CLI by entering edit <index>. The value of <index> becomes the log server number, and you use this number to add the log server to a server group from the CLI. <index> can be 1 to 16. You must specify the number explicitly; setting <index> to 0 to select the next available number is not supported.

Virtual Domain (vdom) the virtual domain that contains the FortiGate interface that you want to use to communicate with the log server. If Log Module (log-processor) is set to Hardware Log Module (hardware), the VDOM must include an interface connected to an NP7 processor, because hardware logging can only send log messages through NP7-connected interfaces. Usually this means you cannot select a management virtual domain. If Log Module (log-processor) is set to Host, you can select any virtual domain.

Note

On a FortiGate 4800F or 4801F, hyperscale hardware logging servers must include a hyperscale firewall virtual domain. This virtual domain must be assigned the same NP7 processor group as the hyperscale firewall virtual domain that is processing the hyperscale traffic being logged. This can be the same hyperscale virtual domain or another hyperscale firewall virtual domain that is assigned the same NP7 processor group.

For more information, see Enabling hyperscale firewall features and NP7 processor groups and hyperscale hardware logging.

IP Version (ip-family {v4 | v6}) the IP version of the remote log server. IPv4 (v4) is the default.

Transport Protocol (log-transport {tcp | udp}) select whether to use UDP (the default) or TCP to send syslog log messages. This option is only available when Log Module (log-processor) is set to Host. Use TCP to make sure syslog log messages are not lost when sent from the FortiGate to the log servers. You do not need to specify a source port when Transport Protocol (log-transport) is set to TCP.

IP Address (ipv4-server) the IPv4 address of the remote log server.

IPv6 Address (ipv6-server) the IPv6 address of the remote log server.

Source Port (source-port) the source UDP port number added to the log packets in the range 0 to 65535. The default is 514. You do not need to specify a Source Port (source-port) when Transport Protocol (log-transport) is set to TCP.

Destination Port (dest-port) the destination port number added to the log packets in the range 0 to 65535. The default is 514.

Template transmission timeout (template-tx-timeout) the time interval between sending NetFlow template packets. NetFlow template packets communicate the format of the NetFlow messages sent by the FortiGate to the NetFlow server. Since the message format can change if the NetFlow configuration changes, the FortiGate sends template updates at regular intervals to make sure the server can correctly interpret NetFlow messages. The timeout range is from 60 to 86,400 seconds. The default timeout is 600 seconds.
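The constraints above (index 1 to 16, port ranges, the 60 to 86,400 second template timeout, TCP only with the Host log module, no source port with TCP, and the ipv4-server/ipv6-server choice following ip-family) are easy to get wrong when log servers are built from an inventory or a provisioning script. The following Python validator and renderer is an added example, not Fortinet code or a FortiOS API; it checks a proposed entry against those rules and renders the edit <index> block in the CLI syntax shown above. It assumes the Log Module setting is held alongside the entry as log_processor (on the FortiGate it is the npu-server log-processor setting).

```python
from dataclasses import dataclass
import ipaddress

@dataclass
class NpuLogServer:
    # One 'config server-info' entry; field names and ranges follow the page.
    # validate()/to_cli() are this example's own helpers, not a FortiOS API.
    index: int
    vdom: str
    address: str                     # IPv4 or IPv6 literal of the log server
    log_processor: str = "hardware"  # npu-server log-processor: hardware or host (assumed to be carried here)
    log_transport: str = "udp"       # only selectable when log_processor is host
    source_port: int = 514
    dest_port: int = 514
    template_tx_timeout: int = 600

    def validate(self) -> list:
        # Returns the list of constraint violations; an empty list means the entry is consistent.
        bad = []
        ranges = {"index": (self.index, 1, 16), "source-port": (self.source_port, 0, 65535),
                  "dest-port": (self.dest_port, 0, 65535),
                  "template-tx-timeout": (self.template_tx_timeout, 60, 86400)}
        for name, (val, lo, hi) in ranges.items():
            if not lo <= val <= hi:
                bad.append(f"{name} {val} out of range {lo}..{hi}")
        try:
            ipaddress.ip_address(self.address)
        except ValueError:
            bad.append(f"address {self.address!r} is not a valid IP address")
        if self.log_transport not in ("udp", "tcp"):
            bad.append(f"log-transport {self.log_transport!r} must be udp or tcp")
        elif self.log_transport == "tcp" and self.log_processor != "host":
            bad.append("tcp transport is only available when log-processor is host")
        return bad

    def to_cli(self) -> str:
        # Render the entry as the 'edit <index> ... next' block shown on the page.
        if bad := self.validate():
            raise ValueError("; ".join(bad))
        family = "v6" if ipaddress.ip_address(self.address).version == 6 else "v4"
        lines = [f"edit {self.index}", f"set vdom {self.vdom}", f"set ip-family {family}"]
        if self.log_processor == "host":
            lines.append(f"set log-transport {self.log_transport}")
        lines.append(f"set ipv{family[1]}-server {self.address}")
        if self.log_transport != "tcp":  # TCP needs no source port
            lines.append(f"set source-port {self.source_port}")
        lines += [f"set dest-port {self.dest_port}",
                  f"set template-tx-timeout {self.template_tx_timeout}", "next"]
        return "\n".join(lines)
```

Run validate() on every entry before pushing a server-info block, and treat a non-empty result as a provisioning failure rather than relying on the device to reject the configuration.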
