FortiGate
gmanea, Staff
Article Id 195390

Description

This article explains how to use the COMLog feature, which records console CLI output onto a 4 megabyte (MB) log file on flash memory that is physically independent from the main drives of a FortiGate.

Scope

FortiGate, FortiSwitch, FortiController, FortiProxy.

The following models are known to support this functionality (the list may be incomplete):

FortiGate.

(Note: an xxx1 model is the same as the xxx0 model with an additional HDD; this does not change COMLog availability.)

B Series, Models: 5001B Gen 2.

C Series, Models: 1000, 3240, 5001C, 5101C.

D Series, Models: 300, 400, 500, 600, 800, 900, 1000, 1200, 1500, 3000, 3100, 3200, 3700, 3800, 3810, 3815, 3960, 3980, 5001.

E Series, Models: 300, 500, 1100, 2000, 2200, 2500, 3300, 3400, 3600, 3960, 3980, 5001.

F Series, Models: 400, 600, 1000, 1800, 2200, 2600, 3000, 3500, 3700, 4200, 4400, 4800, 6300, 6500, 7121.

FortiGate VM does not support the COMLog feature.

FortiSwitch-5003B Gen 2.
FortiSwitch-5203B Gen 2.

FortiController-5103B.
FortiController-5902D.
FortiController-5903C.

FortiProxy does not support the COMLog feature.

Solution

The flash memory holding the COMLog is not erased by a format from the BIOS menu or by a software upgrade. COMLog is configurable per physical unit and cannot be used for reporting or remote logging.

If enabled, the log contains all console output from the time it is enabled until the time it is disabled. A timestamp is also written every hour to confirm that logging was active.

If the unit encounters unexpected behavior such as sudden reboots or non-responsiveness, the COMLog output may show clues as to why the issue happened.


Enable and use COMLog from the CLI:

  1. Enable or disable COMLog with the following command:

diag debug comlog enable
diag debug comlog disable

  2. Display the COMLog status, including speed, file size, and log start/end, with the following command:

diag debug comlog info

  3. Clear the COMLog on the system management controller (SMC) with the following command:

diag debug comlog clear

  4. Read the COMLog from the SMC with the following command:

diag debug comlog read

Note:
This command is hidden: it does not appear when '?' is used and does not auto-complete with the Tab key.

The last word, 'read', must be typed in full.

  5. If the output is displayed page by page, change the console output mode to 'standard' with the following configuration:

config system console
    set output standard
end

It is recommended to collect the output over the Web GUI or an SSH connection rather than the console port.
Since the console speed is limited, displaying the COMLog over it can take a significant amount of time.

  6. If the COMLog is displayed through the console connection, COMLog recording is disabled while it is being read so that the log is not overwritten by its own output on the console. Recording is re-enabled when reading completes, but remains disabled if reading the COMLog fails or if Ctrl+C is used to interrupt the output.

    Starting from FortiOS 5.4.1, the COMLog status is always restored when the command stops executing, whatever the cause (pressing Q, pressing Ctrl+C, an error, or reading all of the COMLog).

WARNING: While COMLog is enabled, avoid configuring passwords and license keys, as they would be recorded in plaintext and readable in the log. COMLog can be disabled before configuring passwords and license keys and re-enabled after the configuration.

Collect the COMLog from the Web-based Manager:

  1. Go to System -> Settings. Under the Debug Logs section, find the Console logs line.
  2. Select Regenerate to copy the COMLog content from the SMC hardware to the local tmp folder. The update process may take up to 10 minutes depending on the size of the COMLog.
  3. Select Download to transfer the COMLog content from the local tmp folder to the PC.
  4. The COMLog file downloaded via the GUI is zlib-compressed. To convert it to text, decompress it with any zlib decompressor tool, for example 'zlib-flate' on Linux:

zlib-flate -uncompress < IN_FILE > OUT_FILE

IN_FILE: the COMLog file downloaded via the GUI.

OUT_FILE: the COMLog file to be saved in text format.
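As an added example (not part of the Fortinet article), the Python script below performs the same inflation as the zlib-flate step and then redacts the plaintext secrets the WARNING above describes, so the log can be shared with support or archived safely. The sample console text, the zlib stream built from it and the list of secret-bearing keywords are constructed assumptions; extend the pattern list with whatever command your units use to enter license keys.

```python
import re
import zlib

# Constructed console session as it might be captured in a COMLog (illustrative;
# a real COMLog's exact framing is not reproduced here).
SAMPLE_CONSOLE_TEXT = """\
FGT-1 # config system admin
FGT-1 (admin) # edit admin
FGT-1 (admin) # set password Sup3rSecret!
FGT-1 (admin) # end
FGT-1 # config vpn ipsec phase1-interface
FGT-1 (to-hq) # set psksecret Pr3Shar3dK3y
FGT-1 # diag debug comlog info
"""
# Constructed stand-in for the GUI download: a zlib stream, as the article states.
SAMPLE_DOWNLOAD = zlib.compress(SAMPLE_CONSOLE_TEXT.encode())

# FortiOS keywords whose argument is a secret. Extend for your environment,
# e.g. with the command your units use to enter license keys.
SECRET_PATTERNS = [re.compile(r"(\bset (?:password|passwd|psksecret)\s+)(.+)$")]


def load_comlog(blob: bytes) -> str:
    """Inflate a GUI download (zlib, as `zlib-flate -uncompress` does); a log
    captured over SSH from `diag debug comlog read` is plain text already."""
    try:
        data = zlib.decompress(blob)
    except zlib.error:
        data = blob
    return data.decode("utf-8", errors="replace")


def redact_secrets(text: str) -> tuple[str, int]:
    """Replace secret arguments with <REDACTED>; return (text, count redacted)."""
    count, lines = 0, []
    for line in text.splitlines():
        for pattern in SECRET_PATTERNS:
            line, n = pattern.subn(r"\1<REDACTED>", line)
            count += n
        lines.append(line)
    return "\n".join(lines) + "\n", count


if __name__ == "__main__":
    redacted, n = redact_secrets(load_comlog(SAMPLE_DOWNLOAD))
    print(f"redacted {n} secret value(s)")
    print(redacted, end="")
```

Run it on a real download by replacing SAMPLE_DOWNLOAD with the bytes read from IN_FILE; the redaction count tells you how many lines would have exposed credentials had the log been shared as-is.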