Solution

Before beginning, take note of the following regarding disk logging on the FortiGate: generally speaking, FortiGate/FortiWiFi models ending in 1 or 2 will have onboard logging disks (such as the FortiGate-52E, 61F, 101F, 1801F and 4201F), whereas models ending in 0 will not (FortiGate-50E, 60F, 100F, etc.).

In some cases it is possible for models ending in 0 to support disk logging, and at the same time some low-end FortiGate models may not support disk logging due to the impact that disk writes have on the lifespan of flash storage. Check the model's product datasheet to confirm whether the FortiGate model includes a dedicated log disk and/or internal storage.

The default disk logging setting depends on the model of FortiGate:

1U and desktop-tier FortiGates have disk logging enabled by default. This generally includes models below the 1xxx-series, ranging from desktop units like the FortiGate-51G to rackmount units such as the FortiGate-901G.

2U and larger FortiGates have disk logging disabled by default. This generally includes models at or beyond the 1xxx-series, such as the 1001F, 1801F, 4201F, etc.
If the FortiGate has a log disk, disk logging can be enabled or disabled via the GUI or the CLI, based on the administrator's logging requirements.

Enable disk logging via the Web GUI:
1. Log in to the FortiGate.
2. Navigate to Log & Report -> Log Settings, then select the Local Log tab.
3. Set the Disk logging toggle to Enable.
4. Select Apply to commit the change.

Enable disk logging via the CLI:
config log disk setting
set status enable
end
 It is also possible to configure additional filters for disk logging within the CLI:
FGT (root) # config log disk filter
FGT (filter) # show full
config log disk filter
  set severity information
  set forward-traffic enable
  set local-traffic enable
  set multicast-traffic enable
  set sniffer-traffic enable
  set ztna-traffic enable
  set anomaly enable
  set voip enable
  set dlp-archive enable
end
Or:
FGT # show full log disk filter
config log disk filter
  set severity information
  set forward-traffic enable
  set local-traffic enable
  set multicast-traffic enable
  set sniffer-traffic enable
  set ztna-traffic enable
  set anomaly enable
  set voip enable
  set dlp-archive enable
end
The default severity is 'information'. When a specific severity is configured, the filter keeps logs at that severity and at every severity above it. For example, a severity of 'information' includes all logs with severity 'information' plus all logs with the higher severities 'notification', 'warning', 'error', 'critical', 'alert' and 'emergency'.

Note: If a log disk is unavailable on the FortiGate, the option to configure the log disk setting will not be present. To check whether the log disk is available, run the following command and check the 'Log hard disk' line of the output (the status will read 'Available' or 'Not available'):
FGT-60F # get system status | grep Log
Log hard disk: Not available
FGT-61F # get system status | grep Log
Log hard disk: Available
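To make the severity-threshold rule and the per-type toggles of 'config log disk filter' concrete, here is an added example (not Fortinet code) that models how such a filter decides which records are written to disk. It parses filter text in the 'show full log disk filter' layout shown above and applies it to a few constructed log records; the record fields, the 'debug' level (the lowest FortiOS severity, omitted from the list above) and the simplification that non-traffic records have no per-type toggle are assumptions of this model.

```python
"""Model how a FortiGate disk log filter decides which records to keep.

Added illustration of the filter semantics described on this page, not
Fortinet's implementation. All sample records and filter texts are constructed.
"""

# FortiOS severity levels from most to least severe. A configured threshold
# keeps its own level and every level listed before it here.
SEVERITY_ORDER = [
    "emergency", "alert", "critical", "error",
    "warning", "notification", "information", "debug",
]

# Traffic log subtype -> the 'config log disk filter' toggle that controls it.
TRAFFIC_TOGGLE = {
    "forward": "forward-traffic",
    "local": "local-traffic",
    "multicast": "multicast-traffic",
    "sniffer": "sniffer-traffic",
    "ztna": "ztna-traffic",
}

# Filter text in the layout of 'show full log disk filter' (page defaults).
DEFAULT_FILTER = """config log disk filter
  set severity information
  set forward-traffic enable
  set local-traffic enable
end"""

# A stricter, constructed filter: only warning and above, no local traffic.
STRICT_FILTER = """config log disk filter
  set severity warning
  set forward-traffic enable
  set local-traffic disable
end"""

# Constructed log records using the configuration names for severity.
SAMPLE_RECORDS = [
    {"id": 1, "type": "traffic", "subtype": "forward", "level": "notification"},
    {"id": 2, "type": "traffic", "subtype": "local", "level": "information"},
    {"id": 3, "type": "event", "subtype": "system", "level": "warning"},
    {"id": 4, "type": "traffic", "subtype": "forward", "level": "debug"},
    {"id": 5, "type": "event", "subtype": "user", "level": "information"},
]


def levels_logged(threshold):
    """Return the severities a 'set severity <threshold>' filter writes to disk."""
    if threshold not in SEVERITY_ORDER:
        raise ValueError(f"unknown severity: {threshold}")
    return SEVERITY_ORDER[: SEVERITY_ORDER.index(threshold) + 1]


def parse_filter(cli_text):
    """Turn 'set <key> <value>' lines of the filter output into a dict."""
    settings = {}
    for line in cli_text.splitlines():
        line = line.strip()
        if line.startswith("set "):
            _, key, value = line.split(maxsplit=2)
            settings[key] = value
    return settings


def record_kept(record, settings):
    """Decide whether one record passes the severity and type toggles."""
    threshold = settings.get("severity", "information")  # FortiOS default
    if record["level"] not in levels_logged(threshold):
        return False
    if record["type"] == "traffic":
        toggle = TRAFFIC_TOGGLE.get(record["subtype"])
        return toggle is not None and settings.get(toggle, "disable") == "enable"
    # Assumption of this model: other log types are governed by severity only.
    return True


def apply_filter(records, settings):
    """Return the records that would be written to the log disk."""
    return [r for r in records if record_kept(r, settings)]


if __name__ == "__main__":
    for name, text in (("default", DEFAULT_FILTER), ("strict", STRICT_FILTER)):
        kept = [r["id"] for r in apply_filter(SAMPLE_RECORDS, parse_filter(text))]
        print(f"{name} filter keeps record ids: {kept}")
```

With the page's default filter the model keeps every record except the debug-level one; with the stricter filter only the warning-level event record survives, which is the behaviour to expect when raising the severity threshold to reduce disk writes on a unit with limited storage.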
If the device model is expected to have a disk but shows 'Not available', follow this KB article: Troubleshooting Tip: 'Log hard disk: Not available' message when hard disk is present in the unit.

On the FortiGate-30G model, although a log disk is available, it is restricted to 'event' logs only, and logging forward traffic to the disk is not possible. For more information, refer to Technical Tip: Limitations of Disk Logging on FortiGate-30G Firewalls.

If the device is part of the Security Fabric, it is not possible to change the disk log settings; see Troubleshooting Tip: Disk logging cannot be enabled nor disabled.