Configure in-memory logging on low-end FortiGate units without a hard disk

Hello! In this post I will explain how to configure a low-end FortiGate unit correctly so that the logs it keeps in memory are actually displayed. I decided to write this post after running into this problem with a FortiWiFi 60E running FortiOS 5.4.x.

The problem

Currently, the new “line” of FortiGate units is the “E” series. My first experience with this series was a FortiWiFi 60E. This model uses the new SOC3 ASIC and does not have a hard disk. Without a hard disk, the only way to configure logging is to store the logs directly in memory. On the previous 60D model this worked correctly, but when I ran the 60E for the first time, the logging behaviour was different: I only saw a few “deny” log entries. The following picture is an example.

[Screenshot: deny-ip-connection-error]

I spent a lot of time trying to understand this and finally opened a ticket with Fortinet support. After two weeks of tests, I found the reason and the solution…

On these new models without a hard disk, some new parameters are present.

The parameter “severity” is set to “warning”, which means that only logs at “warning” severity or higher are stored in memory! That is why the other logs are not displayed even if you have selected “Log All Traffic” on your policies, for example. The strange thing is that this parameter is also set to “warning” on the older 60D, yet logging works correctly there. I don’t know why for the moment… I asked Fortinet and I’m waiting for their answer.

Fortinet answer:

Hello Cyrill,
It seems that the 60D (and older models/versions) was NOT supposed to print “Forward” normal traffic when it is only set to “warning/alert”. The 60E is now behaving correctly, printing only alert messages (DNS Deny and IP-Conn errors) when it is set to “warning/alert”, and printing the “full” forward logs only when it is set to the “Information” level (which is the most detailed level).

The solution

As you have probably understood, the solution is simple: just set the “severity” parameter to the desired level. In my case, I set it to “information”. But be careful! When I asked Fortinet about this, they told me that this behaviour is intentional, to limit memory consumption on models without a hard disk.
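As an added example (not code from the original post), here is a small Python check I would run over a FortiGate configuration backup to catch this setting before a customer reports missing logs: it parses the `config log memory ...` blocks and reports when the memory filter severity will drop forward-traffic entries, printing the CLI fix described above. The sample configuration is constructed to mimic a 60E-style default; the FortiOS severity ordering and the assumption that a missing `severity` line means the “warning” default are mine.

```python
"""Audit a FortiGate config backup for memory-log settings that hide
forward-traffic logs on disk-less models (added example; assumes the
'config ... / set ... / end' layout of a FortiOS CLI backup)."""

# FortiOS severity levels, most to least severe. A filter at level X keeps
# entries at X and more severe; forward-traffic entries are "information".
SEVERITY_ORDER = ["emergency", "alert", "critical", "error", "warning",
                  "notification", "information", "debug"]

# Constructed sample mimicking a 60E before the fix (not a real backup).
SAMPLE_CONFIG = """\
config log memory setting
    set status enable
end
config log memory filter
    set severity warning
    set forward-traffic enable
end
"""


def parse_blocks(text):
    """Return {block name: {key: value}} for each top-level config block."""
    blocks, current, settings = {}, None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            current, settings = line[len("config "):], {}
        elif line == "end" and current is not None:
            blocks[current], current = settings, None
        elif line.startswith("set ") and current is not None:
            key, _, value = line[len("set "):].partition(" ")
            settings[key] = value
    return blocks


def audit_memory_logging(text, needed="information"):
    """Return findings; an empty list means forward logs will be kept."""
    blocks = parse_blocks(text)
    findings = []
    status = blocks.get("log memory setting", {}).get("status", "enable")
    if status != "enable":
        findings.append("memory logging is disabled (config log memory setting)")
    # Assumption: an absent severity line means the "warning" default.
    sev = blocks.get("log memory filter", {}).get("severity", "warning")
    if SEVERITY_ORDER.index(sev) < SEVERITY_ORDER.index(needed):
        findings.append(f"severity '{sev}' drops forward-traffic logs; fix: "
                        "config log memory filter / set severity information / end")
    return findings
```

Run `audit_memory_logging(open("backup.conf").read())` on an exported configuration; an empty list means the memory filter will keep forward-traffic logs.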

Recommendations

Fortinet strongly recommends using an external syslog server to monitor traffic instead of the device’s memory. But when you use an external syslog server, you cannot display the logs stored on that server directly from the FortiGate GUI… The other options are FortiCloud or FortiAnalyzer, if you have one…

Personally, for my next clients I will strongly recommend buying the 61E instead of the 60E. The 61E includes a 128 GB SSD, and configuring the logs is much easier without compromising on memory…


5 comments

  1. Hi!

    Did you increase the amount of memory that can be used?
    I tried your setup on a FG 200E. Everything is working fine, but the system just keeps 140 “log-lines”.

    I added:
    config log memory global-setting
    set max-size 2236949
    end

    This solved the issue, but I am afraid of filling my memory up with logs…

    How do you handle this?

    Regards,
    Phil

    1. Hello Phil, and thank you for your question. I personally never tried to increase it like this. But in your case, you just increase the amount of memory available to store the logs in RAM. The conserve mode threshold is still the same. By doing this, you will even reach this threshold faster…
      Personally, I no longer buy any firewalls without a hard drive. I suggest you buy the 201E instead of the 200E. I had the same problem with a lot of customers who bought the 60E instead of the 61E. Now, if I install a firewall without a disk, I store the logs in FortiCloud or FortiAnalyzer if we have one. The RAM should not be used to store logs.

  2. Hi Cyrill Gremaud,

    Thank you so much for this post, it is very much appreciated.
    I’m still new to Fortinet FortiGate, so any information people share about their experiences is very helpful in preventing me from making the same mistakes.

    Regards,

    Mark

    1. Hi Mark, and thank you for your comment. I am happy to know that my article was useful for you. I will try to write more and more articles about FortiGate, so keep my site in your favourites 🙂
