Article Id 220357

This article describes how to enable Security Event logging when Security Fabric is enabled.

It applies to both Fabric root and subordinate FortiGates.


When FortiGates are part of a Security Fabric, policy logging is set to 'All Sessions' by default.

Users cannot change the logging to 'Security Events' directly, because that option is greyed out in the GUI.

In some networks it may be necessary to log only Security Events, to avoid the large volume of logs generated by All Sessions logging.


As shown below, the Security Fabric is enabled and the local FortiGate is the Fabric root:

[Screenshot: Security Fabric settings, local FortiGate configured as Fabric root]


As seen below, in the firewall policy the option to select Security Events logging is greyed out:

[Screenshot: policy logging options, 'Security Events' greyed out]


Although the CLI offers the option to set logtraffic to 'UTM' on the policy, the change is never reflected in the GUI, and the policy continues to log all traffic.

[Screenshots: logtraffic set to 'UTM' in the CLI; the GUI still shows 'All Sessions' and the policy keeps logging all sessions]


Scope: FortiGate.

To resolve this, set configuration-sync to 'local' instead of the default value 'default'. This can be done as shown below:

[Screenshot: configuration-sync changed to 'local' in the Security Fabric settings]


After making the change, set the policy logging to 'Security Events' from the GUI:

[Screenshot: policy logging options, 'Security Events' now selectable]
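The same two steps in the FortiOS CLI, as an added example that is not part of the original article; the policy ID 1 is a placeholder for the policy whose logging is to be changed:

```fortios
# Added example, not from the original article. Replace policy ID 1 with
# the real ID of the policy whose logging should be limited.

# Step 1: stop synchronizing this unit's configuration with the Fabric root
config system csf
    set configuration-sync local
end

# Step 2: the policy now accepts Security Events (utm) logging
config firewall policy
    edit 1
        set logtraffic utm
    next
end

# Verify both settings took effect
show system csf | grep configuration-sync
show firewall policy 1 | grep logtraffic
```

With configuration-sync set to 'local', logging settings for FortiAnalyzer, FortiSandbox and Central Management are no longer pushed from the root, so they have to be maintained on this device itself.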


Note: configuration-sync can be set to one of two options:

Default - Synchronize configuration for FortiAnalyzer, FortiSandbox, and Central Management to the root node.

Local - Do not synchronize configuration with the root node.


As mentioned, setting it to 'local' prevents the device from synchronizing its configuration with the root node.