James_G
Contributor III

Performance of viewing logs from Fortigate (Since 6.2.3 upgrade)

On my FGT running 6.2.3, viewing traffic logs from FAZ is painfully slow, like 10 mins refresh slow. Can anyone replicate this with FGT 6.2.3 / FAZ 6.2.3?

 

The FGT 6.0.9 to FAZ 6.2.3 is running much quicker, as is just viewing the logs directly on FAZ. So this is only an issue with FGT 6.2.3.

 

Any blue sky thinking?

2 REPLIES
tsimeonov_FTNT

Hi James, I think the slowness could be caused by the query scope sent from FGT to FAZ. In FGT 6.0.9 the FGT sends a limit of 50 lines, while FGT 6.2.3 sets a limit of 500, e.g.:

v6.0.9:

Execute SQL query: SELECT * FROM ((SELECT ti1.*, ti2."devid",ti2."vd","devname","csf" FROM "FSFADOM181-FGT-tlog-1583877480" ti1 LEFT JOIN "devtable" ti2 ON ti1.dvid=ti2.dvid ) ) t where ( TRUE AND ( ( "vd" = 'root' AND "subtype" = 'local'))) and ((devid='FGVM01TMXXXXXXXXXX' ) ) ORDER BY id DESC LIMIT 50

v6.2.3:

Execute SQL query: SELECT * FROM ((SELECT ti1.*, ti2."devid",ti2."vd","devname","csf" FROM "FSFADOM181-FGT-tlog-1583877480" ti1 LEFT JOIN "devtable" ti2 ON ti1.dvid=ti2.dvid ) ) t where ( TRUE AND ( ( "vd" = 'root' AND "subtype" = 'local'))) and ((devid='FGVM01TMYYYYYYYYYY' ) ) ORDER BY id DESC LIMIT 500

 

If it bothers you, it could be a good idea to open a ticket with Fortigate support.

 

Cheers

tanr
Valued Contributor II

@James_G, is it literally a 10-minute delay to load the page? Because that sounds like something more than just more rows getting queried. Per the post on query limit above, that would increase the delay by a factor of 10, but even if it's taking 5 seconds to load from FOS 6.0.9, that would "only" mean 50 seconds at 10x the query length.

 

Really sounds like something for TAC.
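
The comparison made in the first reply can be checked mechanically instead of by eye. The following Python is an added example, not part of the original thread or of any Fortinet tooling: the function names are hypothetical, and the two debug lines are copied from the reply with their serials masked as posted.

```python
import re

# The two FAZ debug lines quoted in the first reply (serials already masked there).
LINE_609 = (
    'Execute SQL query: SELECT * FROM ((SELECT ti1.*, ti2."devid",ti2."vd","devname","csf" '
    'FROM "FSFADOM181-FGT-tlog-1583877480" ti1 LEFT JOIN "devtable" ti2 ON ti1.dvid=ti2.dvid ) ) t '
    'where ( TRUE AND ( ( "vd" = \'root\' AND "subtype" = \'local\'))) '
    "and ((devid='FGVM01TMXXXXXXXXXX' ) ) ORDER BY id DESC LIMIT 50"
)
LINE_623 = (
    'Execute SQL query: SELECT * FROM ((SELECT ti1.*, ti2."devid",ti2."vd","devname","csf" '
    'FROM "FSFADOM181-FGT-tlog-1583877480" ti1 LEFT JOIN "devtable" ti2 ON ti1.dvid=ti2.dvid ) ) t '
    'where ( TRUE AND ( ( "vd" = \'root\' AND "subtype" = \'local\'))) '
    "and ((devid='FGVM01TMYYYYYYYYYY' ) ) ORDER BY id DESC LIMIT 500"
)

# Quoted identifiers, string literals, words (incl. ti1.*), numbers, punctuation.
TOKEN = re.compile(r'''"[^"]*"|'[^']*'|[A-Za-z_][\w.*]*|\d+|[^\s\w]''')

def sql_of(line):
    """Strip the 'Execute SQL query:' prefix from a debug line."""
    return line.split("Execute SQL query:", 1)[-1].strip()

def tokens(sql, mask_serial=True):
    """Tokenize; optionally mask the devid literal so two devices compare equal."""
    if mask_serial:
        sql = re.sub(r"(\bdevid\s*=\s*)'[^']*'", r"\1'<serial>'", sql)
    return TOKEN.findall(sql)

def query_diff(line_a, line_b, mask_serial=True):
    """Return (position, token_a, token_b) for every token that differs."""
    a = tokens(sql_of(line_a), mask_serial)
    b = tokens(sql_of(line_b), mask_serial)
    if len(a) != len(b):
        raise ValueError("queries differ in structure, not just in values")
    return [(i, x, y) for i, (x, y) in enumerate(zip(a, b)) if x != y]

def limit_of(line):
    """Row limit requested by the query, or None if it has no trailing LIMIT."""
    m = re.search(r"\bLIMIT\s+(\d+)\s*$", sql_of(line), re.IGNORECASE)
    return int(m.group(1)) if m else None

if __name__ == "__main__":
    for pos, old, new in query_diff(LINE_609, LINE_623):
        print(f"token {pos}: {old} -> {new}")
    print("row limit ratio:", limit_of(LINE_623) / limit_of(LINE_609))
```

With the device serial masked, the only differing token is the LIMIT value, which is the factor of 10 discussed in the second reply.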