Technical Tip: IPS archive logging is not working after upgrading to FortiOS firmware v7.6.6

Description

This article describes how the IPS archive logging stopped working after upgrading to FortiOS firmware v7.6.6.

Scope

FortiOS v7.6.6.

Solution

After upgrading to FortiOS v7.6.6, IPS archive logging did not work anymore. Indeed, the Archive column is empty in the IPS events log: 

The sample setup involves a one-arm sniffer in a system interface. For example:

config system interface
  edit "port9"
        set vdom "root"
        set ips-sniffer-mode enable
        set type physical
        set monitor-bandwidth enable
        set snmp-index 11
    next
end

config ips sensor
  edit "sniffer-profile"
        set comment "Monitor IPS attacks."
        config entries
            edit 1
                set severity medium high critical
                set status enable
                set log-packet enable
                set action pass
            next
        end
end

config firewall sniffer
    edit 1
        set uuid ...
        set non-ip enable
        set interface "port9"
        set ips-sensor-status enable
        set ips-sensor "sniffer-profile"
end

The root-cause is the changes in folders' permissions.

• The workaround is to format the log disk.

• The solution is to upgrade FortiOS firmware to v7.6.7 or v8.0.1.