Logging and Reporting – FortiOS 5.2 Best Practices

Logging and reporting

The default log device settings should be reviewed and adjusted so that logging does not degrade system performance. By default, the FortiGate unit logs all FortiGate features except traffic. The default log location is either the unit's system memory or its hard disk, depending on the model. Disk logging is not recommended on units that have only a flash disk.

Log management

When the FortiGate unit records its activity, it collects valuable information that shows how to better protect network traffic against attacks, including misuse and abuse. There is a lot to consider before enabling logging on a FortiGate unit, such as which FortiGate activities to log and which log device best suits your network's logging needs. A plan helps you decide which activities to log, which log device to use, and what backup solution to rely on if the log device fails.

This plan should provide you with an outline, similar to the following:

  • What FortiGate activities you want and/or need logged (for example, security features).
  • The logging device best suited for your network structure.
  • If you want or require archiving of log files.
  • Ensuring logs are not lost in the event a failure occurs.

After the plan is implemented, you need to manage the logs and be prepared to expand the log setup when the current configuration is outgrown. Good log management practices help with both tasks.

Logging grows continually and can become daunting to manage. The following practices will help when issues arise or the logging setup needs to be expanded:

  • Revisit your plan on a yearly basis to verify that your logging needs are being met by your current log setup. For example, your company or organization may require archival logging, but not at the beginning of your network’s lifespan. Archival logs are stored on a FortiGate unit’s local hard drive, a FortiAnalyzer unit, or a FortiCloud server, in increasing order of size.
  • Configure alert messages for activities you must be aware of. For example, if a branch office has no FortiGate administrator on site, you need to know at all times that its IPsec VPN tunnel is up. An alert email notification can be configured to be sent only when IPsec tunnel errors occur.
  • If your organization uses peer-to-peer programs such as Skype or other instant messaging software, use the IM usage dashboard widget or the Executive Summary report widget (Top 10 Application Bandwidth Usage Per Hour Summary) to monitor the usage of this software. These widgets help you determine how the applications are being used, including any misuse or abuse. Their information is taken from application log messages, but review the application log messages themselves as well, since they contain the most detail.
  • Ensure that your backup solution is up-to-date. If you have recently expanded your log setup, you should also review your backup solution. The backup solution provides a way to ensure that all logs are not lost in the event that the log device fails or issues arise with the log device itself.
  • When you download log messages to view them on a computer, the log file is downloaded like any other file. Log file names include the log type and date, so it is recommended to create a dedicated folder in which to archive downloaded logs; they can then be sorted easily.
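The alert-on-IPsec-errors item above, as an added FortiOS CLI example that is not part of the original post: it defines the SMTP relay the unit sends through and then restricts alert email to IPsec error events so the mailbox is not flooded with routine notifications. The server name, addresses and password are placeholders; the `security` option on the email server is an assumption about this firmware branch and can be dropped if the CLI rejects it.

```fortios
# Added example, not from the original page. Placeholder SMTP relay, account and recipient.
# Use an authenticated relay and a dedicated sending account rather than an open relay,
# so that a compromised alert mailbox does not expose other credentials.
config system email-server
    set server "smtp.example.com"
    set port 587
    set authenticate enable
    set username "fortigate-alerts@example.com"
    set password "<smtp-password>"
    # Assumption: the 'security' option is available on this firmware; omit if rejected.
    set security starttls
end

# Alert email: send only IPsec error events to the NOC mailbox.
config alertemail setting
    set username "fortigate-alerts@example.com"
    set mailto1 "noc@example.com"
    # Category filtering: enable exactly the categories you want mail for.
    set filter-mode category
    set IPsec-errors-logs enable
    # Send emergency-level alerts at most once a minute to rate-limit a flapping tunnel.
    set emergency-interval 1
end
```

Verify the path end to end before relying on it: bring a test tunnel down deliberately and confirm that the message arrives, since a silent failure in the SMTP relay looks identical to "no errors occurred".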

System memory and hard disks

If the FortiGate unit has a hard disk, logging to it is enabled by default. You do not have to enable disk logging or configure it from scratch, but you should adjust its settings to match your network's logging requirements.

If the FortiGate unit has only flash memory, disk logging is disabled by default and is not recommended: constant rewrites wear out flash and shorten its lifetime. If you still need it, enable it in the CLI under config log disk setting.

For some low-end models, disk logging is unavailable. Check a product’s Feature Matrix for more information. In either case, Fortinet recommends using either a FortiAnalyzer unit or the FortiCloud service.
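The recommendation in this section (and in the author's reply to Matt in the comments below) is to keep logs off the FortiGate itself and send them to a FortiAnalyzer or FortiCloud. The following added FortiOS CLI example is not from the original post: it shows the flash-only setting you would enable only as a last resort, alongside the preferred configuration that disables local disk logging and forwards everything to a FortiAnalyzer over an encrypted, reliable channel, with FortiCloud as a second destination. The FortiAnalyzer IP address is a placeholder.

```fortios
# Added example, not from the original page. 10.0.0.50 is a placeholder FortiAnalyzer address.

# Last resort only, on a flash-only unit: local disk logging. Flash wear aside,
# logs kept only on the device are lost if it fails or is compromised.
config log disk setting
    set status enable
    set diskfull overwrite
end

# Preferred: no local disk logging, everything goes to the FortiAnalyzer.
config log disk setting
    set status disable
end
config log fortianalyzer setting
    set status enable
    set server "10.0.0.50"
    # Send in real time so a device failure loses as little as possible.
    set upload-option realtime
    # Reliable (TCP) delivery and strong encryption: an attacker on the path
    # should neither drop nor read the log stream.
    set reliable enable
    set enc-algorithm high
end
config log fortianalyzer filter
    # Forward and local traffic are off by default on many models; turn them on,
    # otherwise the FortiAnalyzer never sees the sessions you will want to investigate.
    set severity information
    set forward-traffic enable
    set local-traffic enable
end

# Optional second destination: FortiCloud (configured under 'fortiguard' in this release).
config log fortiguard setting
    set status enable
    set upload-option realtime
end
```

After applying this, confirm the collector is actually receiving data (for example with `diagnose test application miglogd` or `execute log fortianalyzer test-connectivity`, both labelled here as the commands I would reach for rather than quoted from the post) before you disable the local disk; otherwise you have silently disabled logging altogether.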

This entry was posted in FortiOS, FortiOS 5.2 Best Practices.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

13 thoughts on “Logging and Reporting – FortiOS 5.2 Best Practices”

  1. Matt

    Looking for recommendations on logging best practices with FortiGate 600D and FortiAnalyzer.

    Do you recommend logging be disabled on the FG and everything sent to the FA, and the FG read the FA logs when looking through such things as forward traffic / FortiView on the FG?

    Much appreciated.
    Matt

    1. Mike Post author

      Matt,

      We recommend disabling local logging. Send all logs to your FAZ and then do all log analysis and research from the FAZ itself. Fortinet actually advises against logging to the local FortiGate disk if possible (i.e., if you have Splunk, FortiAnalyzer, ArcSight, etc. deployed).

  2. Dan

    I’ve been struggling with something for a while now and I’m wondering if you can point me in the right direction. I have a FortiGate 60D being managed by a FortiManager with FortiAnalyzer features turned on. The last piece of my puzzle is to get a daily and weekly report of config changes (Interfaces, Addresses, Policies, etc.). I’ve been going round and round with Fortinet support and they told me that I need to use custom Datasets, Charts, and Reports and that they don’t support custom Datasets.

    I would prefer to get a list of the config changes that were made each day and each week.

      1. Dan

        I went through that forum and ended up getting no data results. Fortinet tech support ended up sending me what they had which included a .dat file of a custom report, dataset, and chart. That seems to have done the trick. If you would like that .dat file let me know how you would like it shared. Thanks!

  3. Patrick

    Hi,
    I have a challenge setting up my FortiAP-24D for deployment/management from either FortiGate (50E) or FortiCloud.
    I looked for guides on how to go about this, but all I'm getting are setups for higher models of FortiAP and FortiGate. Is this possible, and which is the best setup for deploying and managing a FortiAP-24D?

    Regards,
    patrick

    1. Mike Post author

      Depends on your environment. The Cloud is making things easier and easier and doesn’t rely on the 50E’s internet connection which would be nice (so if that location fails you still have administrative access to the device). You can configure the FortiAP 24D to work with cloud or FortiGate. Whichever you prefer.

      1. Patrick

        Thanks Mike, for your advice.
        Please assist with links to guides that are specific to configuration of the FortiAP-24D via cloud and/or FortiGate 50E. All I'm finding in Fortinet documentation are guides for higher models of APs and FortiGates. So, I'm missing quite a number of required configs for proper setup.

  4. Patrick

    A cloud setup would work perfectly for now, looking at it from a (remote) management perspective… all I'll need is a reliable internet connection and no need for a VPN connection to the FortiGate appliance.
    Thanks once again.

      1. Patrick

        Hi Mike,
        I managed to get it up and running after a couple of trials with the setup guide for FortiGate deployment/management. Just noted that it takes a while to sync settings… calls for a bit of patience. Thanks for your guidance.

        1. Mike Post author

          Awesome to hear! Yeah, waiting on things to synchronize or “get right” can be a pain. That is me, every time I am waiting on a Gate to detect an AP or a switch, haha!
