Description: This article discusses solutions for connectivity loss, including simultaneous logging to multiple FortiAnalyzers and a Log buffer feature, with Fortinet's new geo-redundant FortiAnalyzer feature ensuring uninterrupted logging.
Scope: FortiGate v7.4.1, v7.2.7 and above.
Solution:
Background: FortiAnalyzer is a robust logging tool that is crucial for addressing the diverse challenges of network security management and the complexity of securing an expanding network. While recognizing FortiAnalyzer's value, it is essential to understand that a comprehensive network security approach combines tools, practices, and a well-defined security strategy. Organizations must tailor their security solutions to their own needs and consistently evaluate and update their security posture in response to evolving threats and technologies. For more insight into simplifying operations with the Fortinet Security Fabric and FortiAnalyzer, and into FortiAnalyzer's role in delivering centralized logging, analytics, and automation for the Fortinet Security Fabric, refer to the following article: Simplifying Security Operations with FortiAnalyzer
The primary adversary of any logging system is connectivity loss: it risks losing valuable log records and compromises the logging process. Such a gap can hinder comprehensive analysis and reduce the effectiveness of security measures. To tackle this challenge, FortiGate supports logging to up to three FortiAnalyzers simultaneously.
Learn more about this feature in the article: Sending Logs from FortiGate to Multiple FortiAnalyzers
Additionally, FortiGate models with SSDs allow configuring a Log buffer. This buffer stores logs in case of connectivity loss with FortiAnalyzer, sending queued logs once connectivity is restored.
Explore the detailed explanation of the Log buffer feature in this article:
Enabling multiple logging types at low severity levels can overwhelm network bandwidth. To give an idea, a mid-range FortiGate model in a very busy network with extensive logging enabled could generate log traffic ranging from a few hundred megabytes to several gigabytes per hour. This is a broad estimate; the actual volume depends on factors such as the logging levels, log types, network activity, and other configuration settings. Combined with multiple simultaneous FortiAnalyzer receivers, this consumes a great deal of bandwidth, because every log is sent once per receiver.
Solution: Fortinet addressed this with a new feature in FortiOS versions 7.2.7 and 7.4.1 that supports a geo-redundant FortiAnalyzer deployment. Logging switches to an alternate FortiAnalyzer if the main one is unavailable, ensuring continuous logging without sending every log to several receivers at once. When connectivity is restored, FortiGate falls back to the primary FortiAnalyzer.
For detailed information about the new feature, refer to: Switching to an Alternate FortiAnalyzer
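As an added configuration example (not taken from the article or from Fortinet's documentation), the geo-redundant setup described above on FortiOS 7.4.1; the `alt-server` and `fallback-to-primary` keywords under `config log fortianalyzer setting` are assumed from the FortiOS 7.4 CLI, and both IP addresses are constructed placeholders.

```fortios
# Added example: geo-redundant FortiAnalyzer logging on FortiOS 7.4.1.
# The addresses below are constructed placeholders, not values from the article.
config log fortianalyzer setting
    set status enable
    # Primary FortiAnalyzer (main site)
    set server "192.0.2.10"
    # Alternate FortiAnalyzer at the second site. Logs switch here only while the
    # primary is unreachable, so bandwidth is not doubled as it would be with two
    # simultaneous receivers (alt-server is assumed from the FortiOS 7.4 CLI).
    set alt-server "198.51.100.10"
    # Return to the primary automatically once it is reachable again
    set fallback-to-primary enable
    # Reliable (TCP-based OFTP) delivery so queued logs are not silently dropped
    set reliable enable
    set upload-option realtime
end

# Verification (assumed commands): confirm the active settings and the
# connectivity to the FortiAnalyzer before relying on the failover.
get log fortianalyzer setting
execute log fortianalyzer test-connectivity
```

The FortiGate has to be registered and authorized on both FortiAnalyzers, otherwise the alternate will refuse its logs when the switch happens.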
Related articles: Cybersecurity and the Big Data Problem
Copyright 2024 Fortinet, Inc. All Rights Reserved.