Description | This article explains how to work around log uploads from FortiGate to FortiGate Cloud being blocked. |
Scope | FortiGates uploading logs to FortiGate Cloud. |
Solution |
When log uploads are blocked, a warning appears next to the FortiGate within FortiGate Cloud that states 'This device has been blocked by its home server since it exceeded the daily upload limit of 1TB. You may contact our support team to unblock it'.
As the warning suggests, the block is triggered when the device uploads more than 1TB of logs to FortiGate Cloud within 24 hours. The block is not removed automatically, because it is first necessary to determine why such a large number of logs is being uploaded.
Note that the device may be blocked even though it appears that less than 1TB of logs has been uploaded. This is because the log limit is measured by uncompressed file size.
The most common cause of this behavior is logging being enabled on the implicit deny policy. To avoid this, it is recommended to ensure that logging is disabled on the implicit deny policy when sending logs to FortiGate Cloud.
If logging on the implicit deny was already set to disabled, the next recommended step would be to check other firewall policies with logging of all sessions enabled, as forward traffic logs are often where the largest number of logs are generated.
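One way to find which policy produces the bulk of the traffic logs is to tally uncompressed bytes per `policyid` over an exported log sample. The script below is an added example, not Fortinet tooling; it assumes the logs are available as plain-text key=value lines, the sample lines are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Matches key=value and key="quoted value" pairs in a FortiGate log line.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample lines (not from a real device), trimmed to a few fields.
# policyid=0 is the ID under which implicit deny traffic is logged.
SAMPLE_LOG = '''\
date=2024-05-01 time=10:00:01 type="traffic" subtype="forward" srcip=10.0.0.5 dstip=203.0.113.9 policyid=0 action="deny"
date=2024-05-01 time=10:00:01 type="traffic" subtype="forward" srcip=10.0.0.6 dstip=203.0.113.9 policyid=0 action="deny"
date=2024-05-01 time=10:00:02 type="traffic" subtype="forward" srcip=10.0.0.7 dstip=198.51.100.4 policyid=5 action="accept"
date=2024-05-01 time=10:00:03 type="traffic" subtype="forward" srcip=10.0.0.5 dstip=203.0.113.9 policyid=0 action="deny"
date=2024-05-01 time=10:00:04 type="event" subtype="system" msg="Admin login successful"
'''


def parse_line(line):
    """Split one log line into a dict of field name -> unquoted value."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def volume_by_policy(log_text):
    """Return [(policyid, line_count, uncompressed_bytes)], largest first."""
    stats = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields.get("type") != "traffic":
            continue  # only traffic logs are attributed to a firewall policy
        entry = stats[fields.get("policyid", "unknown")]
        entry[0] += 1
        # The limit counts uncompressed size, so measure the raw line bytes.
        entry[1] += len(line.encode("utf-8")) + 1  # +1 for the newline
    rows = [(pid, count, size) for pid, (count, size) in stats.items()]
    return sorted(rows, key=lambda row: row[2], reverse=True)


def report(log_text):
    """Format each policy's share of the uncompressed traffic-log volume."""
    rows = volume_by_policy(log_text)
    total = sum(size for _, _, size in rows) or 1
    return [f"policyid={pid} lines={count} bytes={size} share={size / total:.0%}"
            for pid, count, size in rows]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

A policy that dominates the share column is the first candidate for reviewing its logging setting.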
If such high volumes of logs generated in a short time period need to be saved, FortiAnalyzer would be a good solution to consider.
Once the cause of the excess logs has been identified and resolved, open a ticket with Fortinet support for assistance with having the device unblocked. |
Copyright 2024 Fortinet, Inc. All Rights Reserved.