Description: This article describes why, with the default configuration, local-out traffic logs are not visible in memory logs.
Scope: FortiGate.
Solution:
By default, FortiGate does not log local traffic to memory. However, the reason is different depending on whether or not the unit has a disk.
For units with a disk, memory logging is disabled by default:

config log memory setting
    set status disable    <--- default setting for units with a disk.
end

For units without a disk, memory logging is enabled by default, but local-traffic is filtered out:

config log memory filter
    set local-traffic disable    <--- default setting for units without a disk.
end

To enable local traffic logging to memory, ensure memory logging is enabled, and that local-traffic is enabled in the 'config log memory filter':

config log memory setting
    set status enable
end

config log memory filter
    set local-traffic enable
end
In general, whether FortiGate logs an event follows this sequence: generation, sending, and filtering.

Log Generation (Should a log be generated): FortiGate converts events into logs according to the system, security profile, and firewall policy configuration. If FortiGate is not configured to generate a log, the event is not recorded. By default, local-out traffic is logged.

VAN-EDGE-A # show full log setting | grep local
set local-in-allow disable    <----- By default, FortiGate does not generate a session log for remote connections established to the device. For example, a remote ping to a FortiGate interface is not logged.
set local-in-deny-unicast disable
set local-in-deny-broadcast disable
set local-out enable    <----- By default, FortiGate does generate a session log for connections originating from the device.
set local-out-ioc-detection enable
Log Sending (Where should logs be sent): Logging sources are enabled or disabled globally in the 'config log <logging_destination> setting'. By default, FortiGate will send logs to memory.
VAN-EDGE-A # show full log memory setting
config log memory setting
    set status enable    <-- The default is 'disable' for units having a disk.
end
Log Filtering (Which logs should be sent): Logs are sent to any enabled logging destination, filtered by 'config log <logging_destination> filter'. The default memory log filter on devices without a disk filters out local traffic logs. Units with a disk, and virtual machines, do log local-traffic to memory by default.
VAN-EDGE-A # show full log memory filter
config log memory filter
    set severity information    <----- Default severity is 'information', which includes all higher log severities. Severity must be notification, information, or debug to capture local traffic logs.
    set forward-traffic enable
    set local-traffic disable    <----- The default setting for units without a disk disables all local traffic logs.
    set multicast-traffic enable
    set sniffer-traffic enable
    set ztna-traffic enable
    set anomaly enable
    set voip enable
    set forti-switch enable
end
Most logs can be sent to any logging destination if the matching filter allows it. One exception is 'Performance statistics logs', which can be sent to memory and remote logging locations such as FortiAnalyzer, but are never logged to the FortiGate disk.
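The three-stage decision above (generate, send, filter) can be checked mechanically against the 'show full' output of a unit. The following is an added example, not Fortinet code: it parses the 'set <key> <value>' lines of the three listings and reports which stage stops local-out traffic logs from reaching memory. The sample listings are constructed to mirror the article's default values for a unit without a disk.

```python
import re

# Constructed sample listings modelled on the article's output (not captured from a real unit).
SAMPLE_LOG_SETTING = """config log setting
    set local-in-allow disable
    set local-in-deny-unicast disable
    set local-in-deny-broadcast disable
    set local-out enable
    set local-out-ioc-detection enable
end"""
SAMPLE_MEMORY_SETTING = """config log memory setting
    set status enable
end"""
SAMPLE_MEMORY_FILTER = """config log memory filter
    set severity information
    set forward-traffic enable
    set local-traffic disable
end"""

# FortiGate severities from most to least severe; traffic logs are logged at 'notification'.
SEVERITY_RANK = ["emergency", "alert", "critical", "error",
                 "warning", "notification", "information", "debug"]


def parse_set_lines(listing):
    """Turn the 'set <key> <value>' lines of a show-full listing into a dict."""
    return dict(re.findall(r"^\s*set\s+(\S+)\s+(.+?)\s*$", listing, re.M))


def local_out_to_memory(log_setting, memory_setting, memory_filter):
    """Walk generation -> sending -> filtering and return (visible, reason)
    for local-out traffic logs in the memory log."""
    gen = parse_set_lines(log_setting)
    snd = parse_set_lines(memory_setting)
    flt = parse_set_lines(memory_filter)
    if gen.get("local-out") != "enable":
        return False, "not generated: 'set local-out disable' in config log setting"
    if snd.get("status") != "enable":
        return False, "not sent: 'set status disable' in config log memory setting"
    if flt.get("local-traffic") != "enable":
        return False, "filtered: 'set local-traffic disable' in config log memory filter"
    sev = flt.get("severity", "information")
    if sev not in SEVERITY_RANK or SEVERITY_RANK.index(sev) < SEVERITY_RANK.index("notification"):
        return False, f"filtered: severity '{sev}' excludes notification-level traffic logs"
    return True, "local-out traffic logs are written to memory"


if __name__ == "__main__":
    print(local_out_to_memory(SAMPLE_LOG_SETTING, SAMPLE_MEMORY_SETTING, SAMPLE_MEMORY_FILTER))
```

Paste the real output of the three 'show full' commands in place of the samples to see which setting to change on a given unit.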
Related articles: Log buffer on FortiGates with an SSD disk
Copyright 2025 Fortinet, Inc. All Rights Reserved.