johnlloyd_13
Explorer III
November 15, 2024
Solved

Consensus for Firewall Policy Logging

  • November 15, 2024
  • 4 replies
  • 1447 views

Hi,

We have FG-xx "F" models in our environment.

My questions are, since these FGs have an internal HDD:

1. Is it "safe" to enable log "all sessions"?

2. I haven't seen many FG docs regarding syslog. Is the logging buffer "circular" in a FG, i.e. overwritten by newer logs?

3. Is there a default threshold or buffer size on the HDD for these "F" models?

 

Is there also a "preferred" FW policy sequence based on its specific purpose/criteria? This is to prevent an overlapping or "shadow" FW policy. Refer to the sample below:

1. DNAT using VIP

2. SNAT using IP pool

3. SNAT using Egress interface

 

Best answer by dingjerry_FTNT

4 replies

Anthony_E
Staff
November 18, 2024

Hello John,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Best Regards
Anthony_E
Staff
November 20, 2024

Hello,

 

We are still looking for someone to help you.

We will come back to you ASAP.


Regards,

Best Regards
ezhupa
Staff
November 20, 2024

Hello,

Depending on the FGT that you have and the resources available, you should be able to enable logging on the device. That being said, if the device is a low-end device, it is recommended to log only security events (if security profiles are enabled on the policy) and, when trying to troubleshoot specific issues, to enable logging of all sessions so as to have a better understanding of the issue.
The maximum amount of time logs can be kept on the FGT, if they are not overwritten, is 7 days if I am not mistaken.

Policy checks on the FGT are done from TOP to BOTTOM, meaning the first rule gets checked first and so forth. If traffic matches a specific rule, the rules behind it are not checked anymore.

 

Hope this helps!
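The top-to-bottom, first-match order described in this reply is what produces the "shadow" policy the original question worries about. The following is an added example, not code from the thread or from Fortinet: a small Python check over a constructed, hypothetical policy list (interface, address and service fields only; it ignores schedules, users, NAT mode and other match criteria) that reports any later policy whose traffic an earlier policy already fully matches.

```python
from ipaddress import ip_network

# Constructed sample policy list (hypothetical names and addresses, not from the thread).
# The order mirrors the original question: DNAT via VIP, SNAT via IP pool, SNAT via egress interface.
POLICIES = [
    {"name": "DNAT-VIP-web", "srcintf": "wan1", "dstintf": "dmz",
     "srcaddr": ["0.0.0.0/0"], "dstaddr": ["203.0.113.10/32"], "service": {"HTTPS"}},
    {"name": "SNAT-ippool-lan", "srcintf": "lan", "dstintf": "wan1",
     "srcaddr": ["10.0.0.0/8"], "dstaddr": ["0.0.0.0/0"], "service": {"ALL"}},
    {"name": "SNAT-egress-lan-web", "srcintf": "lan", "dstintf": "wan1",
     "srcaddr": ["10.1.0.0/16"], "dstaddr": ["0.0.0.0/0"], "service": {"HTTP", "HTTPS"}},
]


def _addr_covered(earlier, later):
    # Every network of the later policy must fit inside some network of the earlier one.
    outer = [ip_network(n) for n in earlier]
    return all(any(ip_network(n).subnet_of(o) for o in outer) for n in later)


def _svc_covered(earlier, later):
    # "ALL" is the wildcard service; otherwise the later set must be a subset.
    return "ALL" in earlier or later <= earlier


def _intf_covered(earlier, later):
    # "any" is the wildcard interface; otherwise the names must match exactly.
    return earlier == "any" or earlier == later


def shadowed_by(earlier, later):
    """True when `later` can never match: `earlier` already matches all of its traffic."""
    return (_intf_covered(earlier["srcintf"], later["srcintf"])
            and _intf_covered(earlier["dstintf"], later["dstintf"])
            and _addr_covered(earlier["srcaddr"], later["srcaddr"])
            and _addr_covered(earlier["dstaddr"], later["dstaddr"])
            and _svc_covered(earlier["service"], later["service"]))


def find_shadowed(policies):
    """Walk the list top to bottom and return (shadowed_name, shadowing_name) pairs."""
    hits = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if shadowed_by(earlier, later):
                hits.append((later["name"], earlier["name"]))
                break  # first shadowing policy is enough to make the later one dead
    return hits


if __name__ == "__main__":
    for shadowed, by in find_shadowed(POLICIES):
        print(f"policy {shadowed!r} is shadowed by earlier policy {by!r}")
```

In the sample list the more specific egress-interface SNAT policy sits below the broader IP-pool policy and is reported as shadowed; placing the narrower policy first clears the report.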

dingjerry_FTNT
Staff
November 20, 2024

Hi @johnlloyd_13 ,

 

1. Is it "safe" to enable log "all sessions"?

A: It depends on which FGT model you have. If it is a low-end model, such as the FGT 81F, and you have a lot of traffic passing through the FGT, then no, enabling "Log all sessions" is not recommended.

 

2. I haven't seen many FG docs regarding syslog. Is the logging buffer "circular" in a FG, i.e. overwritten by newer logs?

 

A: I am not sure about the logging buffer for syslog. If there is such a buffer, I am pretty sure that the default behavior will be Overwrite.

 

3. Is there a default threshold or buffer size on the HDD for these "F" models?

 

A: Please check this KB:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-set-the-maximum-age-for-logs-on-disk/ta-p/193116#:~:text=FortiGate.&text=By%20default%2C%20the%20maximum%20age,on%20disk%20is%207%20days.

 

The default settings for disk logging:

 

# config log disk setting

# get
status : enable
ips-archive : enable
max-policy-packet-capture-size: 100
log-quota : 0
dlp-archive-quota : 0
report-quota : 0
maximum-log-age : 7
upload : disable
full-first-warning-threshold: 75
full-second-warning-threshold: 90
full-final-warning-threshold: 95
max-log-file-size : 20
roll-schedule : daily
roll-time : 00:00
diskfull : overwrite