Created on 04-27-2020 05:41 AM
Edited on 11-25-2025 10:49 PM
By Jean-Philippe_P
Description
This article describes the case when forward traffic logs are not displayed when logging is enabled in the policy.
Scope
FortiGate.
Solution
By default, firewall memory logging severity is set to 'warning' to reduce the amount of logs written to memory. Because of that, traffic logs are not displayed under 'Forward Traffic'.
The severity needs to be set to 'information' to view traffic logs from memory.
To view the current settings:
config log memory filter
(filter) # show full-configuration
config log memory filter
    set severity warning <-----
    set forward-traffic enable
    set local-traffic disable
    set multicast-traffic enable
    set sniffer-traffic enable
    set anomaly enable
    set voip enable
    set dns enable
    set ssh enable
    set ssl enable
    set cifs enable
    set filter ''
    set filter-type include
end
Set the severity to 'information':
config log memory filter
    set severity information
end
Once modified, traffic logs should be displayed under 'Forward Traffic' in the memory logs.
Starting from v6.4.0, the default severity is set to 'information', so traffic logs are displayed by default from FortiOS v6.4.0.
If the issue persists, follow these steps:
Check if logging is enabled in firewall policies by running the command:
config firewall policy
    edit <policy ID>
        show
Ensure that logging is enabled for the policies for which traffic logs are expected:
config firewall policy
    edit <policy ID>
        set logtraffic all
end
From the GUI:
Switch 'Log Allowed Traffic' to 'All Sessions'.
Make sure that the necessary log settings are configured correctly. Verify the log settings by running:
config log setting
    show
Make sure the log memory setting is enabled:
config log memory setting
    show
    set status enable
end
There is a scenario in which forward traffic logs do not appear even when logging is enabled both in the firewall policy and in the system log settings. This occurs when interfaces are assigned to a zone, and traffic is exchanged between internal hosts within that same zone. Packet captures will confirm that the traffic enters and exits through the same interface.
This behavior is expected for local intra-zone traffic when the allow-traffic-redirect option is enabled in the global system settings. In this mode, traffic is redirected internally rather than being processed through firewall policies, and therefore, no forward traffic log is generated. This option is enabled by default but can be modified in the global configuration. Disable the setting for the logs to appear.
config system global
    set allow-traffic-redirect disable
end
Note:
As of FortiOS v7.6.4, log entries can include source and destination zone fields to improve log analysis. Enabling these fields eliminates the need to filter logs based on individual interfaces within a zone. For more details, refer to FortiOS 7.6.0 New Features: Include zone information fields in logs.
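The checks above can be run in one pass over a saved configuration. The script below is an added example, not Fortinet code: it assumes the input is `show full-configuration` output (so every option is explicit), the function names `parse` and `findings` are hypothetical, and the sample configuration is constructed.

```python
# Constructed `show full-configuration` excerpt (sample data, not from the article).
SAMPLE = """config system global
    set allow-traffic-redirect enable
end
config log memory setting
    set status enable
end
config log memory filter
    set severity warning
end
config firewall policy
    edit 1
        set logtraffic all
    next
    edit 2
        set logtraffic utm
    next
end
"""

def parse(text):
    """Map (section, edit-id or None) -> {option: value} for top-level blocks."""
    cfg, stack, edit = {}, [], None
    for tok in filter(None, map(str.split, text.splitlines())):
        if tok[0] == "config":
            stack.append(" ".join(tok[1:]))
        elif tok[0] == "end" and stack:
            stack.pop()
            edit = edit if stack else None  # leaving the top-level block
        elif len(stack) == 1 and tok[0] in ("edit", "next"):
            edit = tok[1] if tok[0] == "edit" and len(tok) > 1 else None
        elif len(stack) == 1 and tok[0] == "set" and len(tok) >= 3:
            cfg.setdefault((stack[0], edit), {})[tok[1]] = " ".join(tok[2:])
    return cfg

def findings(cfg):
    """List the settings from this article that would hide forward traffic logs."""
    out = []
    if cfg.get(("log memory setting", None), {}).get("status") != "enable":
        out.append("log memory setting: status is not enable")
    sev = cfg.get(("log memory filter", None), {}).get("severity")
    if sev not in ("information", "debug"):  # debug is more verbose than information
        out.append(f"log memory filter: severity is {sev}")
    for (section, pid), opts in cfg.items():
        if section == "firewall policy" and pid and opts.get("logtraffic") != "all":
            out.append(f"policy {pid}: logtraffic is {opts.get('logtraffic')}")
    if cfg.get(("system global", None), {}).get("allow-traffic-redirect") == "enable":
        out.append("system global: allow-traffic-redirect is enable")
    return out
```

The allow-traffic-redirect finding only explains missing logs for intra-zone traffic that enters and exits the same interface, as described above.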