FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
auppal
Staff
Staff
Description

This article describes how to enable Security Event logging when Security Fabric is enabled.

It applies to both Fabric root and subordinate FortiGates.

 

When the FortiGates are a part of a security Fabric, then logging is by default set to 'All Session' logging.

Users cannot directly change the logging to the Security Events as the option is greyed out.

In some networks, it might be required to log only Security Events to avoid generating too many logs as a result of All sessions.

 

As shown below, the security fabric is enabled and local FortiGate is the Fabric root -

  MicrosoftTeams-image (53).png

 

As seen below, in the policy the option to select Security Event logging is greyed out -

 

MicrosoftTeams-image (54).png

 

Although the CLI will give us an option to select the logtraffic to 'UTM', it would never change it in the GUI and will continue to log all traffic.

MicrosoftTeams-image (55).png

 

MicrosoftTeams-image (56).png

 MicrosoftTeams-image (57).png

 

Scope FortiGate.
Solution

To resolve this, set the configuration-sync to use 'local' instead of the 'default'. This can be achieved as shown below -

 

MicrosoftTeams-image (58).png

 

After making the change, set the logging to Security Events from the GUI-

 

MicrosoftTeams-image (59).png

 

Note: There are 2 options that configuration-sync can be set to, which are

 

Default - Synchronize configuration for FortiAnalyzer, FortiSandbox, and Central Management to root node.

 

Local- Do not synchronize configuration with the root node.

 

As mentioned, setting it to local will prevent the device to synchronize the configuration with the root node.

Contributors