Configure in-memory logging on a low-end FortiGate without a hard disk

Hello! In this post I will explain how to correctly configure your low-end FortiGate unit so that you can see your logs in memory. I decided to write this post after encountering a problem with a FortiWifi 60E running FortiOS 5.4.x.

The problem

Currently, the new “line” of FortiGate is named “E”. My first experience with this new series was a FortiWifi 60E. This model uses the new SOC3 ASIC and does not have a hard disk. Without a hard disk, the only way to configure logging is to store the logs directly in memory. With the previous 60D model, this works correctly, but when I ran the 60E for the first time, the logging behaviour was different and I saw only some “deny” logs. The following picture is an example.

I spent a lot of time trying to understand this and I finally opened a ticket with Fortinet support. After 2 weeks of tests, I found the reason and the solution…

On these new models without a hard disk, some new parameters are present:

FWF60E-labo # config log memory filter

FWF60E-labo (filter) # get
severity : warning
forward-traffic : enable 
local-traffic : disable 
multicast-traffic : enable 
sniffer-traffic : enable 
anomaly : enable 
voip : enable 
filter : 
filter-type : include

The parameter “severity” is set to “warning”, which means that only logs that have a “warning” level are stored in memory! This is the reason why the other logs are not displayed, even if you have selected “Log All Traffic” on your policies, for example. The strange behaviour is that this parameter is set to “warning” on the older 60D too, but the logging works correctly. I don’t know why for the moment… I asked Fortinet and I’m waiting on their answer.

Fortinet answer:

Hello Cyrill,
It seems that the 60D (and older models/versions) was NOT supposed to print “Forward” normal traffic when it is only set to “warning/alert”. The 60E is now behaving correctly, printing only alert messages (DNS Deny and IP-Conn errors) when it is set to “warning/alert”, and printing the “full” forward logs only when it is set to “Information” level, which is the most-detailed level.

The solution

As you have probably understood, the solution is simple: just set the “severity” parameter to the desired level. In my case, I set it to “information”. But be careful! When I asked Fortinet about this, they told me that this behaviour is intended, to limit memory consumption on models without a hard disk.

FWF60E-labo # config log memory filter

FWF60E-labo (filter) # set severity information
FWF60E-labo (filter) # end
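
An added example (not from the original post or from Fortinet): a small Python check that parses the "get" output shown above and reports when the memory filter's severity will hide accepted forward traffic, then prints the fix from this post. The function names and the embedded sample text are constructed for illustration; the severity list is the set of values FortiOS accepts for this setting.

```python
# Added example: audit "get" output from "config log memory filter".
# Severity values accepted by FortiOS, most severe first.
SEVERITY_ORDER = ["emergency", "alert", "critical", "error",
                  "warning", "notification", "information", "debug"]

# Constructed sample, copied from the FWF60E output shown in this post.
SAMPLE_GET_OUTPUT = """\
FWF60E-labo (filter) # get
severity : warning
forward-traffic : enable
local-traffic : disable
filter :
filter-type : include
"""

def parse_get_output(text):
    """Turn 'key : value' lines into a dict; prompts and blanks are skipped."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and "#" not in key:
            settings[key.strip()] = value.strip()
    return settings

def audit_memory_filter(settings):
    """Return findings that explain why traffic logs may be missing."""
    findings = []
    severity = settings.get("severity", "")
    if severity not in SEVERITY_ORDER:
        findings.append(f"severity missing or unrecognised: {severity!r}")
    elif SEVERITY_ORDER.index(severity) < SEVERITY_ORDER.index("information"):
        findings.append(f"severity '{severity}' is stricter than 'information': "
                        "accepted forward traffic will not all be stored")
    if settings.get("forward-traffic") != "enable":
        findings.append("forward-traffic is not enabled for memory logging")
    return findings

def remediation(findings):
    """CLI lines from the post's fix, emitted only for a severity finding."""
    if any(f.startswith("severity '") for f in findings):
        return ["config log memory filter", "set severity information", "end"]
    return []

if __name__ == "__main__":
    found = audit_memory_filter(parse_get_output(SAMPLE_GET_OUTPUT))
    print("\n".join(found + remediation(found)))
```
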


Fortinet strongly recommends using an external syslog server for monitoring the traffic, instead of using the device’s memory for that. But when you use an external syslog server, you cannot display the logs stored on it directly from the FortiGate GUI… The other option is to use FortiCloud or FortiAnalyzer if you have one…

Personally, for my next clients, I will strongly recommend buying the 61E instead of the 60E. The 61E includes a 128 GB SSD, and configuring the logs will be much easier, without compromising on memory…



  1. Hi!

    Did you increase the amount of memory that can be used?
    I tried your setup on a FG 200E. Everything is working fine, but the system does just keep 140 “log-lines”.

    I added:
    config log memory global-setting
    set max-size 2236949

    This solved the issue, but I am afraid of filling my memory up with logs…

    How do you handle this?


    • Hello Phil and thank you for your question. I personally never tried to increase it like this. But in your case, you just increase the amount of memory available to store the logs in RAM. The conserve mode threshold is still the same. By doing this, you will reach this threshold even faster…
      Personally, I no longer buy any firewalls without a hard drive. I suggest you buy the 201E instead of the 200E. I had the same problem with a lot of customers that bought the 60E instead of the 61E. Now, if I install a firewall without a disk, I store the logs in FortiCloud or FortiAnalyzer if we have one. The RAM should not be used to store logs.

  2. Thanks a lot dear. It solved my issue.

  3. Hi Cyrill Gremaud,

    Thank you so much for this post, it is very much appreciated.
    I’m still new to Fortinet Fortigate so any information people detail on their experiences is very helpful to prevent me from the same mistakes.



    • Hi Mark and thank you for your comment. I am happy to know that my article was useful for you. I will try to write more and more articles about FortiGate, so keep my site in your favorites 🙂

  4. @Phil
    I’m unable to execute your command on my 50E (5.6.5)
    can you please check and provide it again -or maybe FG patched this…:^S

    • Cyrill Gremaud

      Hello. It’s strange because I just tested now on my 30E running 5.6.5 and both commands worked. Please can you tell me which command fails and paste the error message here if you have one. Please, if you like my blog, subscribe to receive an e-mail when I post a new article 🙂

  5. Hi Cyrill,

    really great post, nice explanation, it helped me a lot. Appreciate your sharing man 😉

    • Cyrill Gremaud

      Hello Robin and thank you for your comment ! If you like these articles, feel free to share them and to subscribe to my blog.

  6. Thanks.. It works and helped me too 🙂

  7. Rondinelle Peixoto

    Tks Cyrill

    Your article helped me to better understand this log message.


  8. nguyen thanh luan

    Many thanks!
