| Description | This article describes the default behavior of logs when a session list is marked with the state 'csf_syncd_log'. |
| Scope | FortiGate. |
| Solution |
The synchronized logging across security fabric feature was implemented in v5.6.0. Its purpose is to log traffic only once within a Security Fabric. This reduces log volume, because without it the same traffic is logged once by every FortiGate it passes through.
Consider traffic passing through FortiGate A -> FortiGate B -> FortiGate C. Without this feature, the traffic would be sent 3 times to the FortiAnalyzer. However, when the session is flagged with 'csf_syncd_log', this traffic is not logged by that FortiGate.
This is an example of traffic that is logged:
session info: proto=17 proto_state=01 duration=1891555 expire=124 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3 origin-shaper= reply-shaper= per_ip_shaper= class_id=0 ha_id=0 policy_dir=0 tunnel=VPN_AmSpeicher/ vlan_cos=0/255 state=log may_dirty npu f00 app_valid statistic(bytes/packets/allow_err): org=65550732/580835/1 reply=464478271/580820/1 tuples=2 tx speed(Bps/kbps): 35/0 rx speed(Bps/kbps): 260/2 orgin->sink: org pre->post, reply pre->post dev=43->47/47->43 gwy=192.168.129.6/192.168.247.18 hook=pre dir=org act=noop 192.168.222.83:44778->192.168.129.6:161(0.0.0.0:0) hook=post dir=reply act=noop 192.168.129.6:161->192.168.222.83:44778(0.0.0.0:0) src_mac=00:09:0f:09:00:02 misc=0 policy_id=4 auth_info=0 chk_client_info=0 vd=0 serial=00002129 tos=ff/ff app_list=0 app=34797 url_cat=0 sdwan_mbr_seq=0 sdwan_service_id=0 rpdb_link_id=00000000 rpdb_svc_id=0 ngfwid=38 npu_state=0x3041008 npu info: flag=0x82/0x81, offload=0/0, ips_offload=0/0, epid=0/0, ipid=79/65, vlan=0x0000/0x000b vlifid=0/0, vtag_in=0x0000/0x0000 in_npu=0/0, out_npu=0/0, fwd_en=0/0, qid=0/0 no_ofld_reason: ofld_fail_reason(kernel, drv): none/none, IPSec-enc-SA-not-offloaded(6)/IPsec-dec-SA-not-offloaded(7) npu_state_err=00/00
Session list when the traffic is not logged (with csf_syncd_log):
session info: proto=17 proto_state=01 duration=93 expire=86 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3 origin-shaper= reply-shaper= per_ip_shaper= class_id=0 ha_id=0 policy_dir=0 tunnel=VPN_AmSpeicher/ vlan_cos=0/255 state=log may_dirty ndr npu csf_syncd_log app_valid <-- here csf_syncd_log is present and won’t be logged statistic(bytes/packets/allow_err): org=456/6/1 reply=708/3/1 tuples=2 tx speed(Bps/kbps): 4/0 rx speed(Bps/kbps): 7/0 orgin->sink: org pre->post, reply pre->post dev=43->47/47->43 gwy=192.168.129.6/192.168.247.18 hook=pre dir=org act=noop 192.168.222.26:32913->192.168.129.6:161(0.0.0.0:0) hook=post dir=reply act=noop 192.168.129.6:161->192.168.222.26:32913(0.0.0.0:0) src_mac=00:09:0f:09:00:02 misc=0 policy_id=4 auth_info=0 chk_client_info=0 vd=0 serial=0bd82f2d tos=ff/ff app_list=0 app=34797 url_cat=0 sdwan_mbr_seq=0 sdwan_service_id=0 rpdb_link_id=00000000 rpdb_svc_id=0 ngfwid=19 npu_state=0x1003094 ips_offload npu info: flag=0x82/0x81, offload=0/0, ips_offload=0/0, epid=0/0, ipid=79/65, vlan=0x0000/0x000b vlifid=0/0, vtag_in=0x0000/0x0000 in_npu=0/0, out_npu=0/0, fwd_en=0/0, qid=0/0 no_ofld_reason: ofld_fail_reason(kernel, drv): none/none, IPSec-enc-SA-not-offloaded(6)/IPsec-dec-SA-not-offloaded(7) npu_state_err=00/00
Note this row:
state=log may_dirty ndr npu csf_syncd_log app_valid --> Here, csf_syncd_log is present and the traffic won’t be logged, as it would be a duplicate within the fabric.
Conclusion: The session list is the proof that the traffic is traversing a FortiGate. The absence of this traffic log on FortiGate B and FortiGate C does not mean that there is a software issue with the FortiGates. If the state 'csf_syncd_log' appears in the session list, the log is optimized to be reported only from the first FortiGate; the session lists on the following FortiGates will contain 'csf_syncd_log', which means that these FortiGates will not log the traffic multiple times. |
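When triaging an apparent log gap on a downstream FortiGate, the check described above can be scripted over saved session list output. The following is an added example, not Fortinet code: the function names are hypothetical, the sample is constructed by trimming the two entries shown above, and treating the `log` flag as "logging is on for this session" is an assumption.

```python
import re

# Constructed sample: trimmed from the two session entries shown in the
# article, laid out one field group per line as a CLI capture would be.
SAMPLE = """\
session info: proto=17 proto_state=01 duration=1891555 expire=124 timeout=0
state=log may_dirty npu f00 app_valid
statistic(bytes/packets/allow_err): org=65550732/580835/1 reply=464478271/580820/1 tuples=2
hook=pre dir=org act=noop 192.168.222.83:44778->192.168.129.6:161(0.0.0.0:0)
misc=0 policy_id=4 auth_info=0 chk_client_info=0 vd=0
serial=00002129 tos=ff/ff app_list=0 app=34797 url_cat=0

session info: proto=17 proto_state=01 duration=93 expire=86 timeout=0
state=log may_dirty ndr npu csf_syncd_log app_valid
statistic(bytes/packets/allow_err): org=456/6/1 reply=708/3/1 tuples=2
hook=pre dir=org act=noop 192.168.222.26:32913->192.168.129.6:161(0.0.0.0:0)
misc=0 policy_id=4 auth_info=0 chk_client_info=0 vd=0
serial=0bd82f2d tos=ff/ff app_list=0 app=34797 url_cat=0
"""

def _field(pattern, text):
    m = re.search(pattern, text, re.S)
    return m.group(1) if m else None

def parse_sessions(dump):
    """Return one dict per 'session info:' entry (one-line or multi-line)."""
    sessions = []
    for entry in dump.split("session info:")[1:]:
        # \b keeps 'proto_state=' and 'npu_state=' from matching as 'state='.
        flags = (_field(r"\bstate=(.*?)\s*statistic\(", entry) or "").split()
        sessions.append({
            "serial": _field(r"\bserial=(\w+)", entry),
            "policy_id": _field(r"\bpolicy_id=(\d+)", entry),
            "flow": _field(r"hook=pre dir=org act=\S+\s+(\S+?)\(", entry),
            "flags": flags,
            # Per the article: the log is left to the first FortiGate.
            "fabric_suppressed": "csf_syncd_log" in flags,
            "logged_here": "log" in flags and "csf_syncd_log" not in flags,
        })
    return sessions

def suppressed_flows(dump):
    """Flows whose missing traffic log on this unit is expected behaviour."""
    return [s["flow"] for s in parse_sessions(dump) if s["fabric_suppressed"]]

if __name__ == "__main__":
    for s in parse_sessions(SAMPLE):
        where = "first FortiGate in fabric" if s["fabric_suppressed"] else "this unit"
        print(f'{s["serial"]} policy={s["policy_id"]} {s["flow"]} -> logged by {where}')
```

A flow returned by `suppressed_flows` should be looked up in the logs of the first FortiGate in the path rather than treated as a logging fault on this unit.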