heng
Staff
Article Id 393381
Description This article describes how to estimate the logging bandwidth sent by FortiGate to FortiAnalyzer.
Scope FortiGate, FortiAnalyzer.
Solution

When planning bandwidth for logging from FortiGate to FortiAnalyzer, in particular across an IPsec VPN or a low-bandwidth link such as a satellite connection, the logging traffic must be estimated in order to size the total throughput.

 

The bandwidth can be approximately derived from the logs per second (log/sec) generated by the FortiGate and the size of each log, using the formula below:

 

   Bandwidth (bps) = Logs/sec × Average log size (in bits)

 

Since the log rate is usually unknown before the actual deployment, it can be estimated from the average session setup rate of the FortiGate. Assuming that session logging is enabled in all firewall policies, no UTM is used, and all sessions last less than 120 seconds, the number of logs per second is roughly equal to the number of sessions per second processed by the FortiGate.

 

The size of one log record depends on many factors, from the configured log settings, which can enable or disable certain log fields, to the length of the names of configuration objects included in the logs (usernames, host names, interface names, policy names, service names, etc.).

 

A typical traffic log these days is about 700-800 bytes, but it can exceed 1 KByte when policyuuid logging is enabled and the geoip, sdwan, and device detection fields are all enabled together.

 

For example, with 1000 sessions per second on a FortiGate with 'set reliable disable' (logs sent over UDP) and a log size of 800 bytes:

 

Bandwidth = 1000 log/sec × 800 bytes × 8 bits = 6.4 Mbps

 

When the FortiGate uses reliable log transmission to FortiAnalyzer ('set reliable enable'), the logs are sent over TCP in an LZ4-compressed binary format with roughly a 3:1 compression ratio. So, even with the added TCP overhead and some potential retransmissions, the bandwidth used can be significantly lower.

 

Taking the compression into account:

 

   Bandwidth = 1000 log/sec × (800/3) bytes × 8 bits = 2.13 Mbps

 

If UTM inspections are enabled (Web Filter, DNS Filter, IPS, Antivirus, Application Control, etc.), additional logs are generated by each security profile that has logging enabled (i.e., with action 'block'/'deny' or 'monitor').

 

For example, if the FortiGate above handles 1000 sessions per second and also has Application Control, Web Filter, and DNS Filter profiles set in every firewall policy, with all categories set to Action=Monitor, this leads to 4 logs for each firewall session (traffic + appctl + webfilter + dnsfilter). Assuming, for simplicity, that all log types are the same size:

 

   Bandwidth(TCP) = 1000 log/sec × 4 logtypes × (800/3) bytes × 8 bits = 8.53 Mbps

   Bandwidth(UDP) = 1000 log/sec × 4 logtypes × 800 bytes × 8 bits = 25.6 Mbps

 

For long-lasting sessions, FortiOS generates an interim traffic log every 120 seconds, on top of the logs mentioned above. So if the UTM-inspected session above took 11 minutes to download a large file, it would generate 9 logs:

  • 4 Interim traffic logs (new one every 2 minutes).
  • 4 UTM logs (1 per each inspection profile).
  • 1 Traffic log after session close.

If many of the sessions handled by the FortiGate are long-lived, these interim logs need to be added to the total log rate.
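The estimation above, worked out as a small planning calculator (an added example, not part of the Fortinet article): it reproduces the 6.4, 2.13, 8.53 and 25.6 Mbps figures, adds the 120-second interim logs for long sessions (assumed here to be one interim log per full 120 s of session lifetime), and solves the formula the other way round to find how many sessions per second a given link can carry. All class and function names are the example's own.

```python
from dataclasses import dataclass

INTERIM_LOG_INTERVAL_S = 120  # FortiOS writes an interim traffic log every 120 s of session lifetime
LZ4_COMPRESSION_RATIO = 3.0   # approximate ratio quoted above for 'set reliable enable'
BITS_PER_BYTE = 8


@dataclass
class LogProfile:
    sessions_per_sec: float
    avg_log_bytes: float = 800.0      # typical traffic log today: 700-800 bytes, >1 KB with extra fields
    utm_logs_per_session: int = 0     # one log per security profile that logs (monitor/block/deny)
    avg_session_seconds: float = 0.0  # 0 = sessions end well within 120 s, so no interim logs
    reliable: bool = False            # True = 'set reliable enable' (TCP, LZ4 compressed)


def interim_logs(session_seconds: float) -> int:
    """Interim traffic logs emitted during one session (assumption: one per full 120 s)."""
    return int(session_seconds // INTERIM_LOG_INTERVAL_S)


def logs_per_session(p: LogProfile) -> int:
    """1 traffic log at session close + interim traffic logs + 1 log per logging UTM profile."""
    return 1 + interim_logs(p.avg_session_seconds) + p.utm_logs_per_session


def bytes_on_wire_per_log(p: LogProfile) -> float:
    """Payload bytes per log; reliable mode divides by the ~3:1 LZ4 ratio (TCP overhead ignored)."""
    return p.avg_log_bytes / LZ4_COMPRESSION_RATIO if p.reliable else p.avg_log_bytes


def bandwidth_bps(p: LogProfile) -> float:
    """Bandwidth (bps) = logs/sec x average log size in bits."""
    logs_per_sec = p.sessions_per_sec * logs_per_session(p)
    return logs_per_sec * bytes_on_wire_per_log(p) * BITS_PER_BYTE


def bandwidth_mbps(p: LogProfile) -> float:
    return bandwidth_bps(p) / 1_000_000


def max_sessions_per_sec(p: LogProfile, link_bps: float, headroom: float = 0.7) -> float:
    """Session rate whose logging fits in a link when only `headroom` of it may be used for logs."""
    per_session_bits = logs_per_session(p) * bytes_on_wire_per_log(p) * BITS_PER_BYTE
    return link_bps * headroom / per_session_bits


if __name__ == "__main__":
    print(f"UDP, no UTM:         {bandwidth_mbps(LogProfile(1000)):.2f} Mbps")                 # 6.40
    print(f"TCP reliable, no UTM: {bandwidth_mbps(LogProfile(1000, reliable=True)):.2f} Mbps")  # 2.13
    utm = LogProfile(1000, utm_logs_per_session=3)
    print(f"UDP, 3 UTM profiles: {bandwidth_mbps(utm):.2f} Mbps")                               # 25.60
    print(f"A 2 Mbps satellite link fits ~{max_sessions_per_sec(utm, 2_000_000):.0f} sessions/s")
```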

 

Note: This is only a rough estimate. As explained above, both the log size and the ratio of session rate to log rate may vary significantly depending on the configuration and the specifics of the environment.