FortiGate
kyoneda1 (Staff)
Article Id 418113
Description

This article describes how to disable 'long-live' session logging and the potential impact of this change.

Scope

FortiGate v7.4.2 and later (the setting is configured on the FortiGate itself).

Solution

'long-live' session statistics logs are generated by default. Before 7.4.2 it was possible to filter them out when forwarding logs to FortiAnalyzer or a syslog server (see the related document at the end of this article), but the FortiGate still generated them: the log output itself could not be stopped.

Starting from 7.4.2, this feature can be disabled. It is configured from the CLI as follows.

CLI:

config log setting
    set long-live-session-stat enable         <----- Default is 'enable'.
end

 

Note:

When changing the setting to 'disable', the following confirmation prompt is displayed; answer 'y' to apply the change:

Disabling long-live-session-stat logging will affect FortiView reporting.
Do you want to continue? (y/n)

Log ID 13 is generated once when a session ends, while Log ID 20 is generated every two minutes for each 'long-live' session while it remains open. The 'long-live-session-stat' setting controls only the periodic Log ID 20 statistics logs; the end-of-session log is a separate log.

As shown below, after setting the option to 'disable', 'long-live' session logs are no longer generated, which reduces the overall log volume. How large the reduction is depends on how many long-lived sessions the unit carries.

(screenshot: 1107_01.png)

As the prompt indicates, the change also affects reporting. The impact is demonstrated below by creating a long-duration SSH session while 'long-live' session logging is disabled.

Confirm that the session has been created: Dashboard -> FortiView Sessions.

(screenshot: 1107_02.png)

Then confirm that no traffic logs have been generated for the 'long-live' session: Log & Report -> Forward Traffic.

Without terminating the session, generate a report that covers the period in which the session was created: Log & Report -> Report -> Local -> Generate now.

Reports are built on an hourly cycle rather than minute by minute, so run 'Generate now' only after the clock has passed the next top of the hour (e.g., 13:00); otherwise the session creation time is not yet covered by the report.

(screenshot: 1107_03.png)

The report contains no information related to TCP/22 (SSH), even though the session is still open.

(screenshot: 1107_04.png)

When 'long-live' session logging is disabled, sessions that are still open when a report is generated may be missing from it, because no log has been written for them yet; they only appear once they close and Log ID 13 is generated. Take this into account before applying the configuration, especially where reports or FortiView are relied on to show long-running connections.
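To make the two log IDs and their effect on reporting concrete, the following is an added example (not part of this article and not FortiOS code). It parses constructed FortiGate traffic log lines in the usual key=value syslog layout, counts Log ID 13 versus Log ID 20 records, lists the sessions that so far exist only as statistics logs (the ones that disappear once the setting is 'disable'), and shows which services a report built from the remaining logs would contain. The session IDs, addresses, timestamps and byte counts are made up; only the field names follow the FortiOS layout.

```python
"""Added example: separate FortiGate end-of-session logs (logid 0000000013)
from long-live session statistics logs (logid 0000000020) and show what a
report loses when the statistics logs are disabled.
Not part of the article or of FortiOS; the sample lines below are constructed."""
import re
from collections import Counter, defaultdict

END_OF_SESSION = "0000000013"   # written once, when a session closes
LONG_LIVE_STATS = "0000000020"  # written every two minutes while a long-live session stays open

# Constructed sample lines in FortiOS key=value syslog layout (not a real capture).
# Session 1001 is a long-running SSH session that has not closed yet; 1002 and 1003 closed normally.
SAMPLE_LOGS = """\
date=2024-11-07 time=12:40:00 logid="0000000020" type="traffic" subtype="forward" sessionid=1001 srcip=10.0.0.5 dstip=192.0.2.10 dstport=22 proto=6 service="SSH" action="accept" duration=120 sentbyte=4096 rcvdbyte=8192
date=2024-11-07 time=12:41:30 logid="0000000013" type="traffic" subtype="forward" sessionid=1002 srcip=10.0.0.7 dstip=192.0.2.20 dstport=443 proto=6 service="HTTPS" action="close" duration=3 sentbyte=900 rcvdbyte=5400
date=2024-11-07 time=12:42:00 logid="0000000020" type="traffic" subtype="forward" sessionid=1001 srcip=10.0.0.5 dstip=192.0.2.10 dstport=22 proto=6 service="SSH" action="accept" duration=240 sentbyte=8100 rcvdbyte=16000
date=2024-11-07 time=12:44:00 logid="0000000020" type="traffic" subtype="forward" sessionid=1001 srcip=10.0.0.5 dstip=192.0.2.10 dstport=22 proto=6 service="SSH" action="accept" duration=360 sentbyte=12200 rcvdbyte=24100
date=2024-11-07 time=12:45:10 logid="0000000013" type="traffic" subtype="forward" sessionid=1003 srcip=10.0.0.9 dstip=192.0.2.53 dstport=53 proto=17 service="DNS" action="accept" duration=0 sentbyte=60 rcvdbyte=120
"""

# key=value pairs; values are either double-quoted (may contain spaces) or a bare token
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> dict:
    """Parse one key=value log line into a dict, stripping quotes from quoted values."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in _KV.findall(line)}


def parse_logs(text: str) -> list:
    """Parse every non-empty line of a log dump."""
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def count_by_logid(records: list) -> Counter:
    """How many records of each log ID are present."""
    return Counter(r.get("logid") for r in records)


def open_sessions_seen_only_in_stats(records: list) -> set:
    """Session IDs that appear in statistics logs but have no end-of-session log yet.
    These are the sessions that leave no log at all (and so no report entry)
    once long-live-session-stat is disabled, until they close."""
    seen = defaultdict(set)
    for r in records:
        seen[r.get("logid")].add(r.get("sessionid"))
    return seen[LONG_LIVE_STATS] - seen[END_OF_SESSION]


def services_in_report(records: list, long_live_session_stat: str = "enable") -> set:
    """Services a report over these records would contain. With the setting
    'disable' the logid 20 records are never generated, so only closed sessions remain."""
    keep = {END_OF_SESSION}
    if long_live_session_stat == "enable":
        keep.add(LONG_LIVE_STATS)
    return {r.get("service") for r in records if r.get("logid") in keep}


def volume_reduction(records: list) -> float:
    """Fraction of records that disappear when the logid 20 logs are suppressed."""
    if not records:
        return 0.0
    return sum(r.get("logid") == LONG_LIVE_STATS for r in records) / len(records)


if __name__ == "__main__":
    recs = parse_logs(SAMPLE_LOGS)
    print("records per logid:", dict(count_by_logid(recs)))
    print("open sessions only in stats logs:", open_sessions_seen_only_in_stats(recs))
    print("services in report, enable :", services_in_report(recs, "enable"))
    print("services in report, disable:", services_in_report(recs, "disable"))
    print(f"log volume reduction: {volume_reduction(recs):.0%}")
```

Run against a real export from Log & Report or a syslog collector, the same functions give the actual share of Log ID 20 in the log stream before the change, and the list of sessions that would be invisible to reports while they remain open.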

 

Related documents:

Technical Tip: Filter traffic statistic syslogs

Introduce new log fields for long-live sessions