
Hyperscale Firewall Guide

Hardware logging

You can configure NP7 processors to create traffic or NAT mapping log messages for hyperscale firewall sessions and send them to remote NetFlow or Syslog servers. Hardware logging is supported for IPv4, IPv6, NAT64, and NAT46 hyperscale firewall policies. Full NetFlow is supported through the information maintained in the firewall session.

Hardware logging also handles hyperscale VDOM software session logs (that is, hyperscale VDOM sessions handled by the kernel/CPU). As part of the hardware logging configuration, you can configure software session logging to log TCP and UDP software sessions or all software sessions. You can also disable software session logging. Software session logging uses per-session logging, which creates two log messages per session: one when the session is established and one when the session ends. Software session logging supports NetFlow v9, NetFlow v10, and syslog log message formats.

Hardware logging features include:

  • On some FortiGate models with NP7 processors, you can configure hardware logging to use either the NP7 processors or FortiGate CPU resources to create and send hardware log messages. Using the NP7 processors to create and send log messages improves performance. Using the FortiGate CPU for hardware logging is called host logging. Each option has some limitations; see Global hardware logging settings.
  • Per session logging creates two log messages per session: one when the session is established and one when the session ends.
  • Per session ending logging creates one log message when the session ends. This log message includes the session duration, allowing you to calculate the session start time. Per session ending logging may be preferable to per session logging because fewer log messages are created, but the same information is available.
  • Per NAT mapping logging creates two log messages per session: one when the session allocates NAT mapping resources and one when the NAT mapping resources are freed as the session ends.
  • By default, log messages are sent in NetFlow v10 format over UDP. NetFlow v10 is compatible with IP Flow Information Export (IPFIX).
  • NetFlow v9 logging over UDP is also supported. NetFlow v9 uses a binary format and reduces logging traffic.
  • Syslog logging over UDP is supported.
  • Host logging supports syslog logging over TCP or UDP.
  • To configure hardware logging, you create multiple log server groups to support different log message formats and different log servers.
  • Round-robin load balancing distributes log messages among the log servers in a log server group to reduce the load on individual log servers. A log server group can contain up to 16 log servers. All messages generated by a given session are sent to the same log server.
  • You can also configure multicast-mode hardware logging to simultaneously send all log messages to multiple log servers.
  • Hardware logging log messages are similar to most FortiGate log messages but there are differences that are specific to hardware logging messages. For example, the dur (duration) field in hardware logging messages is in milliseconds (ms) and not in seconds.
  • Hardware logging is supported for protocols that use session helpers or application layer gateways (ALGs). If hyperscale firewall policies accept session helper or ALG traffic, for example, ICMP traffic, hardware log messages for these sessions are created and sent according to the hardware logging configuration for the policy. For more information, see ALG/Session Helper Support.
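Two points above matter when these messages are consumed on a collector: with per session ending logging the session start time must be derived from the end timestamp and the dur field, and dur is in milliseconds rather than seconds. The following added example (not Fortinet code) parses constructed FortiGate-style key=value syslog lines and recovers each session's start time whether it was logged with per session logging (a start message exists) or per session ending logging (only the end message exists). Only the dur field name comes from the guide; the other field names (date, time, sessionid, logtype, srcip, dstip) and the sample values are assumptions.

```python
"""Recover hyperscale session start times from hardware-logging messages.

Added example, not Fortinet code. Log lines are constructed and use
FortiGate-style key=value syntax; every field name except ``dur`` is an
assumption. ``dur`` is in milliseconds, as the Hyperscale Firewall Guide
states for hardware logging messages.
"""
import re
from datetime import datetime, timedelta

# Constructed sample: session 1001 was logged with per session logging
# (start and end messages); session 1002 with per session ending logging
# (end message only). Timestamps are assumed to be in one time zone.
SAMPLE_LOGS = [
    'date=2024-01-15 time=10:00:03 sessionid=1001 logtype="session-start" '
    'srcip=10.1.1.5 dstip=203.0.113.9 dur=0',
    'date=2024-01-15 time=10:00:05 sessionid=1001 logtype="session-end" '
    'srcip=10.1.1.5 dstip=203.0.113.9 dur=2000',
    'date=2024-01-15 time=10:00:05 sessionid=1002 logtype="session-end" '
    'srcip=10.1.1.6 dstip=203.0.113.9 dur=2000',
]

# key=value pairs; values may be bare tokens or double-quoted strings.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_kv(line):
    """Split one key=value log line into a dict, stripping quotes."""
    rec = {}
    for key, value in KV_RE.findall(line):
        rec[key] = value[1:-1] if value.startswith('"') else value
    return rec


def timestamp(rec):
    """Timestamp of the message itself, built from the date and time fields."""
    return datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")


def start_time(rec, dur_unit="ms"):
    """Session start = message timestamp minus dur.

    dur_unit="ms" is correct for hardware logging messages; "s" is offered
    only to show how far off a collector is if it assumes seconds.
    """
    dur = int(rec["dur"])
    delta = timedelta(milliseconds=dur) if dur_unit == "ms" else timedelta(seconds=dur)
    return timestamp(rec) - delta


def session_starts(lines):
    """Map sessionid -> start datetime for every session seen in ``lines``.

    A start message, when present, is authoritative; otherwise the start is
    derived from the end message's dur field.
    """
    starts = {}
    for line in lines:
        rec = parse_kv(line)
        sid = rec["sessionid"]
        if rec["logtype"] == "session-start":
            starts[sid] = timestamp(rec)
        elif sid not in starts:
            starts[sid] = start_time(rec)
    return starts


if __name__ == "__main__":
    end_rec = parse_kv(SAMPLE_LOGS[1])
    print("start (dur in ms):", start_time(end_rec).isoformat())
    print("start if dur misread as seconds:", start_time(end_rec, "s").isoformat())
    for sid, start in sorted(session_starts(SAMPLE_LOGS).items()):
        print(sid, start.isoformat())
```

Because both sessions in the sample end at the same time with the same dur, session_starts() returns the same start time for the per-session-logged session and the per-session-ending-logged one, which is the guide's point that the latter mode yields the same information with half the messages. Misreading dur as seconds moves the computed start back by more than thirty minutes, so a collector's parser should be checked against a known session before its timestamps are used in an investigation timeline.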