Skip to main content
x_member
x_member
New Member
July 8, 2015
Solved

Logged data shown in FortiCloud, not shown in GUI

  • July 8, 2015
  • 9 replies
  • 26580 views

On a freshly configured FG60D using the free FortiCloud subscription limit of 1GB and running 5.2.3 all my Traffic,  Event and System Logs show as empty. Logging is configured to use FortiCloud and the FortiCloud website shows up to date log entries for this firewall as expected, but they cannot be viewed from the local Fortigate UI itself (regardless of browser used). The system resources readout through FortiCloud is non functional, reading a static 0% CPU and 58% RAM.

 

This is the second Fortigate unit on the account that I'm setting up for our test network. The primary unit's logging is configured in the same manner and works correctly in both the local UI and Forticloud.

 

Any ideas on how to resolve this issue?

    Best answer by Christopher_McMullan

    Long story short: suspected bug.

     

    Try this workaround in the meantime:

    config system global

    set gui-lines-per-page 20 //--the default is 50

    end

     

    Then go back and refresh the log view.

    9 replies

    vmartin_FTNT
    Staff
    vmartin_FTNT
    Staff
    July 8, 2015

    Have you configured you Log Settings (found at Log & Report > Log Config > Log Settings) to display logs from FortiCloud in the GUI?

    x_member
    x_memberAuthor
    New Member
    July 8, 2015

    Thanks for responding.

    vmartin wrote:

    Have you configured you Log Settings (found at Log & Report > Log Config > Log Settings) to display logs from FortiCloud in the GUI?

    Yes I have done this - each log section shows as "log location: Forticloud" with [Total -1] pages.

     

    *EDIT*

    Also worth noting that the Logging Volume Monitor shows 459 traffic log records recorded to Forticloud (default) for today so far.

    x_member
    x_memberAuthor
    New Member
    July 9, 2015

    After leaving the configuration untouched overnight it seems to have sorted itself out. All logs now match the Forticloud records and are displayed correctly in the browser UI.

     

    vmartin_FTNT
    Staff
    vmartin_FTNT
    Staff
    July 9, 2015

    I'm glad it's working, even if the reasons are unknown!

    x_member
    x_memberAuthor
    New Member
    July 10, 2015

    And interestingly enough I now have the same issue with our live firewall - no entries shown in the logs through the local (browser) UI but plenty of records in the Forticloud interface.

     

    Seems that this is not a problem at our end - there have been no configuration changes to the live firewall in several days that could cause this.

    gschmitt
    gschmitt
    New Member
    July 13, 2015

    [strike]Please go to Log&Report > Log Config > Log Settings and make sure Display Logs From is set to FortiCloud[/strike]

    Just saw that you already done that... Nevermind 

    x_member
    x_memberAuthor
    New Member
    July 13, 2015

    I've raised a ticket with support as I can't see how this can be a configuration issue.

     

    Currently we've got two FG60Ds setup and in operation (1 protecting a test network and the other protecting our live LAN).

    Both are configured for logging via FortiCloud (using the same FortiCloud account and the free subscription), and the live FG60D has been in operation without any system configuration changes since May.

     

    Since Wednesday (shortly after the Test Firewall was brought up) either one / both have consistently shown no entries in any of their logs through the local UI whilst still showing data at the FortiCloud end. There seems to be no issue sending data to FortiCloud but an intermittent issue receiving it. The logs appear and disappear at the local end without any changes to configuration or status on either box. It makes continuing to configure the test network (and monitor live) an incredibly frustrating exercise as the Forticloud traffic logs view is not as fully featured.

    Christopher_McMullan
    Staff
    Christopher_McMullanAnswer
    Staff
    July 13, 2015

    Long story short: suspected bug.

     

    Try this workaround in the meantime:

    config system global

    set gui-lines-per-page 20 //--the default is 50

    end

     

    Then go back and refresh the log view.

    x_member
    x_memberAuthor
    New Member
    July 14, 2015

    Christopher McMullan_FTNT wrote:

    Long story short: suspected bug.

     

    Try this workaround in the meantime:

    config system global

    set gui-lines-per-page 20 //--the default is 50

    end

     

    Then go back and refresh the log view.

    That worked a treat - thank you.

     

    Support had me remove the backup firewall from the FortiCloud account and set it to store logs in memory - this still left me with no logs on this device.

     

    However this morning I changed the lines per page as above on both devices. This resolved the problem immediately for the main firewall (still attached to FortiCloud) but not the backup firewall with the logging set to memory. On reconnecting the backup firewall to FortiCloud logs were immediately displayed. 

     

    I also tried values of 30 and 40 (for science!) but it seems that 20 is the magic number.

     

    I'll feed this back under my ticket.

    x_member
    x_memberAuthor
    New Member
    July 15, 2015

    Support tell me that this is not a bug and have recategorised my ticket as Question / Misconfiguration

    I'm rather unimpressed with that tbh so I'm disputing it.

    At least I can see the traffic logs I suppose.

    markbkk88
    markbkk88
    New Member
    July 22, 2015

    Dear Codemonkey..just to back you up.

     

    I have just installed a new Fortwifi 60D configured to use Forticloud and my log files show empty too.

     

    I implemented the fix suggested by Chris and this resolves the issue displaying the 20 lines...Thanks Chris!

    It would be nice to see more lines but as you said 30,40,50 don't work with this fix.

     

    I guess I also have this "misconfiguration" on my device......

     

    cheers Mark

    x_member
    x_memberAuthor
    New Member
    July 23, 2015

    I'm curious - does anyone who has this issue also have (what I believe to be) a related issue with logging?

     

    Since this issue occurred I've noticed that when viewing an entry in the traffic log which has an associated security event (e.g. IPS) the security event tab is displayed but has no detail in it.

     

     

    Xtreme
    Xtreme
    New Member
    August 26, 2015

    for this

    config system global set gui-lines-per-page 20 //--the default is 50 end

    can't solve my issue

    log section shows as "log location: FortiAnalyzer" with [Total -1] pages.

    For my GUI Preferences --> Display Logs From  --> FortiAnalyzer

     

    how to resolve this issue?

    Thank.

    x_member
    x_memberAuthor
    New Member
    November 10, 2015

    CodeMonkey wrote:

    CodeMonkey wrote:

     

    Since this issue occurred I've noticed that when viewing an entry in the traffic log which has an associated security event (e.g. IPS) the security event tab is displayed but has no detail in it.

    Ok that's been replicated by support and will be dealt with by them.

     

     

    Ah - my optimism of three months ago..

     

    Not to resurrect a dead thread, but after 3 months of no response from engineering I've finally been relayed the following regarding IPS events no longer being linked in the traffic log.

    Escalation was rejected, fix of this problem has negative side effects on other traffic. It is limitation on NP4 ASIC and won’t be fixed. This is final statement from engineering.  Only workaround for this is to route fragmented traffic to device in front of FortiGate that would do fragmentation. 

     

    Very unimpressed with the delay and the response tbh but c'est la vie.

    AndreaSoliva
    AndreaSoliva
    New Member
    November 11, 2015

    Hi

     

    some comments on my site regarding following command:

     

    config system global set gui-lines-per-page 20 //--the default is 50 end

     

    It is actually not important what kind of device you are using for logging meaning memory, fortiguard (cloud) or FAZ/FMG. Logging on a FortiGate is not filebased which means if a log is produced for what function ever it is written to the buffer. This buffer is defined with "gui-lines-per-page". Now if you have limits on memory, high cpu usage or slow connection to the remote logging device the buffer is overrunning meaning no space anymore FOR buffer etc. This means also if a log is showed in the gui it is actually in the buffer. If there is a resource problem and a specific size like 50 lines can not be used anymore FGT does not shown anything in the log. This is the reason it can be defined a smaller buffer which does not impact resource problems and logs are showed up again. This should happen only for small device with limited memory etc. but as said it can be also on bigger device if resources on FGT is short. After the logs are in buffer or shown in the gui they will be written to local db if local logging or to remote log location etc. All customer which I modified the "gui-lines-per-page" had resource problems on the device which means coming to there limits from CPU, Memory or remote log location (to many logs to remote location because of slow connection and FGT was not able to queque the logs locally).

     

    This is my view I see the "gui-lines-per-page" or why from one day to the other a FGT does not show the logs locally on the gui but on the remote log etc.

     

    hope this helps

     

    have fun

     

    Andrea

    Terms & ConditionsAccessibility statement