Hyperscale Firewall Guide

Hardware logging server groups

Configure hardware logging server groups to group the hardware logging servers that receive logs from traffic accepted by a hyperscale firewall policy. To add hardware logging for hyperscale firewall traffic, you add a log server group to a hyperscale firewall policy.

You also use the log server group to configure the number of log messages sent for each session, the log format (NetFlow or syslog), how software sessions are logged, whether log messages are distributed to the log servers in the server group or simultaneously sent to all log servers in the server group, and to select the log servers added to the log server group.

From the GUI:

  1. Under Log Server Groups select Create New to add a log server group.
  2. Enter a Name for the log server group.
  3. Select the Logging Mode and Log format.
  4. Add one or more Log servers.
  5. Select OK to save the log server group.
  6. Repeat these steps to add more logging server groups.
  7. Select Apply to save your changes.

From the CLI:

config log npu-server
    config server-group
        edit <group-name>
            set log-mode {per-session | per-nat-mapping | per-session-ending}
            set log-format {netflow | syslog}
            set log-tx-mode {roundrobin | multicast}
            set sw-log-flags {tcp-udp-only | enable-all-log | disable-all-log}
            set log-user-info {disable | enable}
            set log-gen-event {disable | enable}
            set server-number <number>
            set server-start-id <number>
        end
end

Logging Mode (log-mode): select a log mode:

  • Per Session (per-session), the default: creates two log messages per session, one when the session is established and one when the session ends. If Log Module (log-processor) is set to Hardware Log Module (hardware), NP7 processors may incorrectly create multiple session start messages due to a hardware limitation.
  • Per Mapping (per-nat-mapping): creates two log messages per session, one when the session allocates NAT mapping resources and one when those NAT mapping resources are freed when the session ends.
  • Per-Session ending (per-session-ending): creates one log message when a session ends. This log message includes the session duration, allowing you to calculate the session start time. Per-Session ending logging may be preferable to per-session logging because fewer log messages are created but the same information is available.

Log Format (log-format {netflow | syslog}): set the log message format to NetFlow (netflow), the default, or Syslog (syslog). If you select NetFlow, the global hardware logging NetFlow version setting determines the NetFlow version (v9 or v10) of the log messages.

Log servers: select one or more hardware log servers to add to this log server group. From the CLI, use server-number and server-start-id to select the servers to add to the log server group.

CLI-only logging server group options

log-tx-mode {roundrobin | multicast}: select roundrobin (the default) to load balance log messages across the log servers in the server group. Select multicast to enable multicast logging. Multicast logging simultaneously sends every log message to all of the log servers in the server group.

sw-log-flags {tcp-udp-only | enable-all-log | disable-all-log}: configure how software session logs are handled by the log server group. Software session logging uses per-session logging, which creates two log messages per session, one when the session is established and one when the session ends. Software session logging supports NetFlow v9, NetFlow v10, and syslog log message formats.

  • tcp-udp-only: log only TCP and UDP software sessions (the default).

  • enable-all-log: log all software sessions.

  • disable-all-log: disable software session logging for this log server group.

log-user-info: enable to include user information in log messages. This option is only available if log-format is set to syslog.

log-gen-event: enable to add event logs to hardware logging. This option is only available if log-format is set to syslog and log-mode is set to per-nat-mapping, which limits the number of log messages generated.

server-number: the number of log servers to add to this server group. The range is 1 to 16. The default is 0 and must be changed.

server-start-id: the ID of one of the log servers in the config server-info list. The range is 1 to 16. The default is 0 and must be changed.

Use server-number and server-start-id together to select the log servers to add to a log server group: the group contains server-number consecutive log servers, starting with the server whose ID is server-start-id. You can add the same log server to multiple log server groups.

For example, if you have created five log servers with IDs 1 to 5:

config server-info
    edit 1
        set vdom Test-hw12
        set ipv4-server 10.10.10.20
    next
    edit 2
        set vdom Test-hw12
        set ipv4-server 10.10.10.21
    next
    edit 3
        set vdom Test-hw12
        set ipv4-server 10.10.10.22
    next
    edit 4
        set vdom Test-hw12
        set ipv4-server 10.10.10.23
    next
    edit 5
        set vdom Test-hw12
        set ipv4-server 10.10.10.24
    end

You can add the first three log servers (IDs 1 to 3) to a log server group by setting server-number to 3 and server-start-id to 1. This adds the log servers with ID 1, 2, and 3 to this log server group.

config server-group
    edit test-log-11
        set server-number 3
        set server-start-id 1
    end

To add the other two servers to a second log server group, set server-number to 2 and server-start-id to 4. This adds log servers 4 and 5 to this log server group.

config server-group
    edit test-log-12
        set server-number 2
        set server-start-id 4
    end

To add all of the log servers to a third log server group, set server-number to 5 and server-start-id to 1. This adds log servers 1 to 5 to this log server group.

config server-group
    edit test-log-13
        set server-number 5
        set server-start-id 1
    end
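The option dependencies above (log-user-info needs syslog; log-gen-event needs syslog and per-nat-mapping; server-number and server-start-id default to 0 and must be changed) and the server-number / server-start-id selection rule are easy to get wrong when groups are generated from a template. The following helper is an added example, not Fortinet code: it models a log server group, reports the configuration errors a group would have, resolves the two selection fields to the server IDs the group actually covers (using a constructed copy of the five-entry server-info list above), and builds a group from a wanted set of IDs, rejecting sets the CLI cannot express because the selection is always one contiguous run of IDs. The class and function names are the example's own assumptions.

```python
"""Helpers for hyperscale hardware log server groups: check the option
dependencies and resolve server-number / server-start-id to server IDs.
Hypothetical helper written for this page, not Fortinet code."""
from dataclasses import dataclass

# Constructed sample mirroring the five-entry 'config server-info' list above.
SERVER_INFO = {
    1: "10.10.10.20", 2: "10.10.10.21", 3: "10.10.10.22",
    4: "10.10.10.23", 5: "10.10.10.24",
}

ID_MIN, ID_MAX = 1, 16  # valid range for server-number and server-start-id

# Hardware log messages generated per session for each log-mode.
MESSAGES_PER_SESSION = {"per-session": 2, "per-nat-mapping": 2, "per-session-ending": 1}


@dataclass
class ServerGroup:
    name: str
    server_number: int = 0       # default 0, must be changed
    server_start_id: int = 0     # default 0, must be changed
    log_mode: str = "per-session"
    log_format: str = "netflow"
    log_tx_mode: str = "roundrobin"
    sw_log_flags: str = "tcp-udp-only"
    log_user_info: bool = False
    log_gen_event: bool = False


def validate(group: ServerGroup) -> list:
    """Return the configuration errors for a group (empty list when it is consistent)."""
    errors = []
    for field_name in ("server_number", "server_start_id"):
        value = getattr(group, field_name)
        if value == 0:
            errors.append(f"{field_name} is still the default 0 and must be changed")
        elif not ID_MIN <= value <= ID_MAX:
            errors.append(f"{field_name}={value} is outside {ID_MIN}..{ID_MAX}")
    if group.log_mode not in MESSAGES_PER_SESSION:
        errors.append(f"unknown log_mode {group.log_mode!r}")
    if group.log_user_info and group.log_format != "syslog":
        errors.append("log-user-info requires log-format syslog")
    if group.log_gen_event and not (group.log_format == "syslog" and group.log_mode == "per-nat-mapping"):
        errors.append("log-gen-event requires log-format syslog and log-mode per-nat-mapping")
    return errors


def resolve_servers(group: ServerGroup, server_info=SERVER_INFO) -> list:
    """IDs the group selects: server-number consecutive IDs starting at server-start-id."""
    ids = list(range(group.server_start_id, group.server_start_id + group.server_number))
    missing = [i for i in ids if i not in server_info]
    if missing:
        raise ValueError(f"{group.name}: no server-info entry for IDs {missing}")
    return ids


def group_for_ids(name: str, wanted, **options) -> ServerGroup:
    """Build a group selecting exactly `wanted`; the two CLI fields can only express a contiguous run."""
    ids = sorted(set(wanted))
    if not ids or ids != list(range(ids[0], ids[0] + len(ids))):
        raise ValueError(f"{name}: server IDs {ids} are not one contiguous run")
    return ServerGroup(name, server_number=len(ids), server_start_id=ids[0], **options)


def expected_messages(group: ServerGroup, sessions: int) -> int:
    """Hardware log messages a number of hyperscale sessions produce under the group's log-mode."""
    return sessions * MESSAGES_PER_SESSION[group.log_mode]


def render_cli(group: ServerGroup) -> str:
    """Render the FortiOS CLI stanza for the group, in the syntax shown on this page."""
    return "\n".join([
        "config log npu-server",
        "    config server-group",
        f"        edit {group.name}",
        f"            set log-mode {group.log_mode}",
        f"            set log-format {group.log_format}",
        f"            set log-tx-mode {group.log_tx_mode}",
        f"            set sw-log-flags {group.sw_log_flags}",
        f"            set log-user-info {'enable' if group.log_user_info else 'disable'}",
        f"            set log-gen-event {'enable' if group.log_gen_event else 'disable'}",
        f"            set server-number {group.server_number}",
        f"            set server-start-id {group.server_start_id}",
        "        end",
        "end",
    ])


if __name__ == "__main__":
    for g in (ServerGroup("test-log-11", 3, 1), ServerGroup("test-log-12", 2, 4),
              ServerGroup("test-log-13", 5, 1)):
        print(g.name, "->", resolve_servers(g), validate(g))
    print(render_cli(group_for_ids("test-log-14", [4, 5], log_format="syslog",
                                   log_mode="per-nat-mapping", log_gen_event=True)))
```

Running the block reproduces the three groups from the example above (IDs 1-3, 4-5 and 1-5) and renders a fourth group that enables log-gen-event with the syslog and per-nat-mapping settings it requires. Because resolve_servers walks server-start-id upward, a group whose run extends past the last configured server-info entry is reported rather than silently sending logs to servers that do not exist, and expected_messages gives the factor-of-two difference between per-session and per-session-ending logging when sizing the log servers.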
