Ahmed_M (Staff)
Article Id 283691
Description: This article discusses solutions for connectivity loss, including simultaneous logging to multiple FortiAnalyzers and a Log buffer feature, with Fortinet's new geo-redundant FortiAnalyzer feature ensuring uninterrupted logging.
Scope: FortiGate v7.4.1, v7.2.7 and above.
Solution

Background:

FortiAnalyzer stands out as a robust logging tool crucial for addressing diverse challenges in network security management and the complexities of securing an expanding network. While recognizing FortiAnalyzer's value, it is essential to understand that a comprehensive network security approach involves a blend of tools, practices, and a well-defined security strategy.

Organizations must customize their security solutions to their unique needs, consistently evaluating and updating their security posture in response to evolving threats and technological landscapes.

For more insights into simplifying operations with Fortinet Security Fabric and FortiAnalyzer, as well as FortiAnalyzer's role in delivering centralized logging, analytics, and automation for the Fortinet Security Fabric, refer to the following articles:

Simplifying Security Operations with FortiAnalyzer

FortiAnalyzer Overview

 

The primary adversary for any logging system is connectivity loss: log records generated while the collector is unreachable are at risk of being lost, which compromises the logging process. A gap in the log record hinders comprehensive analysis and reduces the effectiveness of security measures that depend on it. To tackle this challenge, FortiGate supports logging to up to three FortiAnalyzers simultaneously.

 

Learn more about this feature in the article:

Sending Logs from FortiGate to Multiple FortiAnalyzers

 

Additionally, FortiGate models with SSDs allow configuring a Log buffer. This buffer stores logs in case of connectivity loss with FortiAnalyzer, sending queued logs once connectivity is restored.

 

Explore the detailed explanation of the Log buffer feature in this article:

Log buffer with an SSD disk

 

Enabling multiple logging types with low severity levels could overwhelm network bandwidth. To give an idea, a mid-range FortiGate model in a very busy network with extensive logging enabled could generate log traffic ranging from a few hundred megabytes to several gigabytes per hour.

This is a broad estimate; the actual volume depends on factors such as the logging levels, log types, network activity, and other configuration settings. When combined with multiple simultaneous FortiAnalyzer receivers, that volume is sent once per receiver, so it consumes a lot of bandwidth.

 

Solution:

Fortinet addressed this with a new feature in FortiOS versions 7.2.7 and 7.4.1, supporting geo-redundant FortiAnalyzer deployment. Logging switches to an alternate FortiAnalyzer if the main one is unavailable, ensuring continuous logging without sending every log to several receivers at once. When connectivity is restored, FortiGate falls back to the primary FortiAnalyzer.

 

For detailed information about the new feature, refer to:

Switching to an Alternate FortiAnalyzer
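The deployment described above as a FortiOS CLI configuration, an added example that is not from this article or the linked one. The server addresses are constructed placeholders, and the `alt-server` and `fallback-to-primary` option names are assumed from the 7.4.1 / 7.2.7 feature; confirm them against the linked article for your exact build.

```fortios
# Added example, not from the article. Addresses are placeholders.
# One active receiver at a time: logs go to the primary FortiAnalyzer,
# switch to alt-server while the primary is unreachable, and return to
# the primary once it is reachable again (fallback-to-primary).
config log fortianalyzer setting
    set status enable
    set server "10.0.1.10"
    set alt-server "10.0.2.10"
    set fallback-to-primary enable
    set reliable enable
    set upload-option realtime
end
# Contrast: "config log fortianalyzer2 setting" / "fortianalyzer3 setting"
# would send every log to each receiver in parallel, multiplying the
# bandwidth estimate above by the number of receivers.

# Verify reachability of the configured FortiAnalyzer from the FortiGate:
execute log fortianalyzer test-connectivity
```

`set reliable enable` uses TCP-based transport so that logs queued during an outage are delivered rather than silently dropped; on SSD models this works together with the Log buffer described earlier.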

 

Related articles:

Cybersecurity and the Big Data Problem

FortiAnalyzer Operational Technology White Paper

FortiAnalyzer eBook

FortiGuard Indicators of Compromise Service
