fl0at0xff
New Member
October 18, 2017
Solved

What are your recommendations / best practices for logging configuration?

  • October 18, 2017
  • 1 reply
  • 11512 views

Hi guys!

I asked myself about best practices and recommendations for the basic configuration of logging on low-end FortiGates (30E -> 100E, for example).

I bought a lot of FortiGates with a hard disk to be able to save logs on disk instead of RAM. But what do you recommend about the configuration of logging inside the policies?

2 years ago, when I started with FortiGate, one of my colleagues taught me to ALWAYS enable "Log All Sessions" for each policy... Now, with a little more experience, I think it is not the best choice. Indeed, I often have high memory consumption (and my FortiGate is often in conserve mode) with low-end models, and I'm sure that is related to "Log All Sessions".

What is your opinion on this subject?

Currently, by default in my policies, I log only "Security Events", and I enable the "All Sessions" parameter only on the policies that allow traffic from WAN to LAN.

What do you do with the implicit deny policy?

Thank you for your answers.

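The logging scheme the question describes (Security Events by default, All Sessions only on the inbound WAN-to-LAN policies, plus a decision on the implicit deny policy and on disk versus memory logging), written out as FortiOS CLI. This is an added example, not configuration from the thread or from Fortinet: the policy IDs, interface names and address objects are constructed placeholders, the `#` lines are annotations rather than CLI input, and the option names (`logtraffic`, `fwpolicy-implicit-log`, `config log disk setting`, `config log memory setting`) are assumed from the FortiOS 5.x/6.x CLI.

```fortios
# Added example (not from the original thread). Policy IDs, interface and
# address names are constructed placeholders; "#" lines are annotations.

# 1. Default for outbound LAN -> WAN policies: log Security Events only.
#    "utm" writes a traffic record only when a security profile on the
#    policy generates an event, so ordinary allowed sessions are not logged.
config firewall policy
    edit 10
        set name "lan-to-wan"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic utm
        set nat enable
    next
    # 2. Inbound WAN -> LAN policies: log every session.
    #    "all" writes one traffic record per session that matches the policy.
    edit 20
        set name "wan-to-dmz-web"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "VIP_WEB"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
end

# 3. Implicit deny: record traffic that matched no explicit policy.
#    This is a global log setting, not a per-policy flag.
config log setting
    set fwpolicy-implicit-log enable
end

# 4. Units with a hard disk: keep logs on disk and stop logging to RAM,
#    which is the memory consumer the question associates with conserve mode.
config log disk setting
    set status enable
end
config log memory setting
    set status disable
end
```

With `logtraffic utm` on the outbound policies, a session that triggers no security profile leaves no record at all, so anything you may later need to trace on those policies has to come from a policy set to `all`. The implicit deny log is global: once enabled it covers every interface pair that has no matching policy, which is usually a small volume but a useful detection signal for unexpected inbound scans.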

    Best answer by FatalHalt


    1 reply

    FatalHalt
    New Member
    October 18, 2017

    So, it really depends on your organization, the policies and regulations you have to comply with, and what works best.

    For me, I do absolutely no disk logging. I log all firewalls back to 2x3000F Fortianalyzers. On probably 95% of my policies, I have Log All Sessions enabled, because my customers expect to be able to know what traffic happened and where it went. I also log the implicit deny policy.

    The simple answer is that this is one of those things that has a single best practice. I have the luxury of having lots of disk space, so my mentality is (generally) log everything, as then I'm never missing anything if I need it.

    fl0at0xff
    New Member
    October 27, 2017

    Hello @FatalHalt and thank you for your answer. I understand that it depends on the needs of the client, but a lot of the time my small clients do not have these regulations to meet. My mentality also tends toward logging everything, but because I do not have a FortiAnalyzer, I log everything to the disk.

    volkovski
    New Member
    October 27, 2017

    A note regarding logging. Even if you are logging all sessions, the actual log record shows just the initial packet of a session in case the session is accelerated by an NPx/CPx Lite processor. So that practically means that you don't have important information.

    Full logging is supported on the NP6.