FortiGate
Matt_B
Staff
Article Id 363536
Description: This article describes why, with the default configuration, local-out traffic logs are not visible in the memory logs.
Scope: FortiGate.
Solution

By default, FortiGate does not log local traffic to memory. However, the reason is different depending on whether or not the unit has a disk.


(Screenshot: memory log.PNG, memory log view showing no local traffic entries)


For units with a disk, this is because memory logging is disabled by default.


config log memory setting

set status disable  <--- default setting for units with a disk.

end

For units without a disk, memory logging is enabled by default, but local-traffic is filtered out.

config log memory filter

set local-traffic disable  <--- default setting for units without a disk.

end

 

To enable local traffic logging to memory, ensure memory logging is enabled, and that local-traffic is enabled in the 'config log memory filter'.

config log memory setting

set status enable

end

 

config log memory filter

set local-traffic enable

end

 

In general, whether FortiGate logs an event is decided in the following sequence.

Log Generation (Which events should be logged):

FortiGate converts events into logs according to system, security profile, and firewall policy configuration. If the FortiGate is not configured to generate a log, it will not be recorded. By default, local-out traffic is logged.

VAN-EDGE-A # show full log setting | grep local

set local-in-allow disable    <----- By default, FortiGate does not generate a session log for remote connections established to the device. For example, remote ping to the FortiGate interface is not logged.

set local-in-deny-unicast disable

set local-in-deny-broadcast disable

set local-out enable    <----- By default, FortiGate does generate a session log for connections originating from the device.

set local-out-ioc-detection enable

 

Log Sending (Where should logs be sent):

Logging destinations are enabled or disabled globally in 'config log <logging_destination> setting'. By default, FortiGate will send logs to memory.

 

VAN-EDGE-A # show full log memory setting

config log memory setting

    set status enable <-- The default is "disable" for units having a disk.

end

 

Log Filtering (Which logs should be sent):

Logs are sent to every enabled logging destination, filtered by 'config log <logging_destination> filter'. The default memory log filter on devices without a disk filters out local traffic logs. On units with a disk, and on virtual machines, the default memory log filter does not filter out local traffic.

 

VAN-EDGE-A # show full log memory filter

config log memory filter

set severity information   <----- Default severity is 'information', which includes all higher log severities. Severity must be notification, information, or debug to capture local traffic logs.

set forward-traffic enable

set local-traffic disable  <----- The default setting for units without a disk disables all local traffic logs.

set multicast-traffic enable

set sniffer-traffic enable

set ztna-traffic enable

set anomaly enable

set voip enable

set forti-switch enable

end


All three requirements must be met (Log generation, Log sending, and Log filtering) before an event will be logged. After making the required changes, local traffic sessions show in the memory log.
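As an added example (not part of the article and not FortiOS code), the following Python check applies the three-stage decision above to the text of 'show full log setting', 'show full log memory setting' and 'show full log memory filter'. The sample CLI output is constructed from the defaults the article lists for a unit without a disk.

```python
import re

# Constructed sample 'show full ...' output, using the defaults the article lists
# for a unit without a disk (not captured from a real device).
SAMPLE_LOG_SETTING = """config log setting
    set local-in-allow disable
    set local-out enable
end"""
SAMPLE_MEMORY_SETTING = """config log memory setting
    set status enable
end"""
SAMPLE_MEMORY_FILTER = """config log memory filter
    set severity information
    set forward-traffic enable
    set local-traffic disable
end"""

# FortiOS severities from most to least severe; a filter set to level X keeps X and above.
SEVERITY_ORDER = ["emergency", "alert", "critical", "error",
                  "warning", "notification", "information", "debug"]
# Per the article, local traffic logs need severity notification, information or debug.
LOCAL_TRAFFIC_MIN_SEVERITY = "notification"

def parse_settings(cli_output):
    """Collect the 'set <key> <value>' lines of a 'show' block into a dict."""
    settings = {}
    for line in cli_output.splitlines():
        m = re.match(r"\s*set\s+(\S+)\s+(.+?)\s*$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip('"')
    return settings

def local_traffic_reaches_memory(log_setting, memory_setting, memory_filter,
                                 direction="local-out"):
    """Return (visible, reasons) for local-out or allowed local-in sessions in memory logs."""
    gen, send, filt = (parse_settings(x) for x in (log_setting, memory_setting, memory_filter))
    reasons = []
    # 1. Generation: 'config log setting' decides whether the event becomes a log at all.
    gen_key = "local-out" if direction == "local-out" else "local-in-allow"
    if gen.get(gen_key) != "enable":
        reasons.append(f"generation: 'set {gen_key} enable' missing in 'config log setting'")
    # 2. Sending: memory must be an enabled destination.
    if send.get("status") != "enable":
        reasons.append("sending: 'config log memory setting' has 'set status disable'")
    # 3. Filtering: local-traffic must be enabled and the severity must be low enough.
    if filt.get("local-traffic") != "enable":
        reasons.append("filtering: 'set local-traffic disable' in 'config log memory filter'")
    sev = filt.get("severity", "information")
    if sev not in SEVERITY_ORDER or SEVERITY_ORDER.index(sev) < SEVERITY_ORDER.index(LOCAL_TRAFFIC_MIN_SEVERITY):
        reasons.append(f"filtering: severity '{sev}' excludes local traffic logs")
    return (not reasons, reasons)
```

Each returned reason names the stage and the setting that blocks the log, so the fix maps directly onto one of the 'config log ...' blocks shown above.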


(Screenshot: memory log 2.PNG, memory log view showing local traffic sessions after the change)


Most logs can be sent to any logging destination if the matching filter allows it. One exception is 'Performance statistics logs', which can be sent to memory and remote logging locations such as FortiAnalyzer, but are never logged to the FortiGate disk.

 

Related articles:

Log buffer on FortiGates with an SSD disk

How to set the maximum age for logs on disk

Implicit deny logs