Skip to main content
zsigmondrichard
zsigmondrichard
New Member
February 22, 2022
Question

FortiGate generates high amount of logs

  • February 22, 2022
  • 1 reply
  • 3751 views

Dear Community!

 

We are having a problem with the amount of logs generated by an FGT 1800F cluster working in NGFW - Policy-based mode.

We are using 6.4.6 and there is about 60-80k session on average.

 

The firewall generates about 50-60GB of logs daily (40-45GB of traffic logs, 10-15GB of Application Control logs).

We are using basic Application Control (on the policies because of the NGFW Policy-based mode), Web Filter, and IPS profiles.

 

In order to decrease the logging volume, we tried to change the logging action from All to UTM for the most used policies but did not help at all.

 

As a comparison, at another firewall cluster (around the same size network with 1800F as well) where the NGFW is set to Profile-based mode, the amount of generated logs per day is around 5-6 GB.

 

What can be the reason that using the cluster in NGFW Policy-based mode generates about 10 times more logs than a cluster that is in NGFW Profile-based mode? Is it possible to decrease this logging volume somehow when the gateway is in NGFW Policy-based mode?

 

Best Regards,

Richard

 

1 reply

Vando_Pereira
Staff
Vando_Pereira
Staff
February 22, 2022

Hello Richard,

 

I will try to help you out, but have some questions to help me understand the problem:

  • So you mention two similar clusters, are they logging to local disk or remote storage ?, if it is local, is the maximum-log-age , the same ?
  • In the policies do you have the logging options "Log Allowed Traffic" enabled to all sessions ? 

 

Best Regards,

Vando Pereira

 

zsigmondrichard
zsigmondrichardAuthor
New Member
March 17, 2022

Dear Vando,

 

Apologize for the delay. 

 

These clusters are logging to FortiAnalyzer.

 

Yes, in most of the policies we have the logging option set to "Log Allowed Traffic - All sessions".

However, we tried to change this from "All sessions" to "UTM" at some policies with a high hit count but did not help at all. 

 

As we know from the TAC support, something has changed in the logging process when the gateway is in policy-based NGFW mode.  Also, we are using Central NAT, and according to the TAC, it also generates logs by default.

 

So it looks like, that in NGFW policy-based mode, the logging process/logging method is changed, and for some reason, it is generating way more logs than usual.

 

And yeah, 50 GB/day of logs in NGFW policy-based mode is way more than 5 GB/day of logs in NGFW profile-based mode. It shouldn't generate this many logs per day...

 

Best Regards,

Richard

 

 

Terms & ConditionsAccessibility statement