Hello! In this post I will explain how to configure a low-end FortiGate unit correctly so that you can actually see your logs in memory. I decided to write this post after running into a problem with a FortiWiFi 60E running FortiOS 5.4.x.
Currently, the new FortiGate product line is called the "E" series. My first experience with this series was a FortiWiFi 60E. This model uses the new SOC3 ASIC and has no hard disk. Without a hard disk, the only on-box option is to store the logs directly in memory. With the previous 60D model this worked fine, but when I powered up the 60E for the first time the logging behaved differently: I saw only a few "deny" logs. The following picture shows an example.
I spent a lot of time trying to understand this and finally opened a ticket with Fortinet support. After two weeks of tests, I found the reason and the solution...
On these new models without a hard disk, some new parameters are present:
FWF60E-labo # config log memory filter
FWF60E-labo (filter) # get
severity            : warning
forward-traffic     : enable
local-traffic       : disable
multicast-traffic   : enable
sniffer-traffic     : enable
anomaly             : enable
voip                : enable
filter              :
filter-type         : include
The parameter "severity" is set to "warning", which means that only logs with a severity of warning or higher (warning, error, critical, alert, emergency) are stored in memory! Anything at notice, information or debug level is dropped before it ever reaches memory. This is why the other logs are not displayed even if you have selected "Log All Traffic" on your policies: a denied session is logged at the warning level and survives the filter, but an accepted session is logged at the notice level and is discarded. The strange thing is that this parameter is also set to "warning" on the older 60D, yet logging works correctly there.
I don't know why for the moment... I asked Fortinet and I'm waiting for their answer.
It seems that the 60D (and older models/versions) was NOT supposed to print "forward" normal traffic when it was only set to "warning/alert". The 60E is now behaving correctly, printing only alert messages (DNS deny and IP-conn errors) when it is set to "warning/alert", and printing the "full" forward logs only when it is set to the "information" level (which is the most detailed level).
As you have probably understood, the solution is simple: set the "severity" parameter to the desired level. In my case, I set it to "information". But be careful! When I asked Fortinet about this, they told me that this behaviour is intentional, to limit memory consumption on models without a hard disk. Keep in mind that memory logging is volatile: the buffer is small, the oldest entries are overwritten once it fills up, and everything is lost on reboot, so it is fine for troubleshooting but not for keeping a record.
FWF60E-labo # config log memory filter
FWF60E-labo (filter) # set severity information
FWF60E-labo (filter) # end
Fortinet strongly recommends using an external syslog server for monitoring traffic instead of the device's memory. But when you use an external syslog server, you cannot display the logs stored on that server from the FortiGate GUI directly... The other options are FortiCloud or a FortiAnalyzer, if you have one; both can be browsed from the GUI, and note that each log destination (memory, syslog, FortiAnalyzer, FortiCloud) has its own filter with its own severity threshold, so changing the memory filter does not change what is sent elsewhere.
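To put the memory fix and the syslog recommendation side by side, here is a complete configuration as an added example; it is not taken from the original post or from Fortinet documentation. The hostname, the syslog server address 192.0.2.10 (RFC 5737 documentation range), the port and the facility are placeholders to replace with your own, and the "execute log" verification commands at the end are written from memory of the FortiOS 5.4 CLI, so confirm the exact syntax with "execute log filter ?" on your build.

```fortios
# As found on a disk-less E model: severity "warning" keeps only
# warning and above, so "Log All Traffic" policies produce no
# forward-traffic "accept" entries in memory (those are notice level).
config log memory filter
    set severity warning
end

# Corrected memory logging: lower the threshold so accepted forward
# traffic is kept too. Memory is a small ring buffer that is cleared
# on reboot, so expect old entries to roll over quickly.
config log memory setting
    set status enable
end
config log memory filter
    set severity information
    set forward-traffic enable
    set local-traffic enable
end

# Fortinet's recommendation: ship the full log to an external syslog
# server instead of relying on memory. 192.0.2.10 is a placeholder.
# The syslog filter has its own severity, independent of the memory
# filter, so it must be lowered here as well.
config log syslogd setting
    set status enable
    set server "192.0.2.10"
    set port 514
    set facility local7
end
config log syslogd filter
    set severity information
    set forward-traffic enable
    set local-traffic enable
end

# Verify what is now stored in memory (syntax assumed from the
# FortiOS 5.4 CLI; check "execute log filter ?" on your build).
execute log filter device memory
execute log filter category traffic
execute log display
```

After applying this, generate some accepted traffic through a policy with "Log All Traffic" enabled and run the three "execute log" commands again: forward-traffic entries with action "accept" should now appear in memory, and the same entries should arrive at the syslog collector.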
Personally, for my next clients, I will strongly recommend buying the 61E instead of the 60E. The 61E includes a 128 GB SSD, and configuring the logs is much easier when you do not have to compromise on memory...