Consensus for Firewall Policy Logging
Hi,
We have FG-xx "F" models in our environment.
My question is, since these FGs have an internal HDD:
1. Is it "safe" to enable log "all sessions"?
2. I haven't seen much FG documentation regarding syslog; is the logging buffer "circular" in a FG, i.e. overwritten by newer logs?
3. Is there a default threshold or buffer size on the HDD for these "F" models?
Is there also a "preferred" FW policy sequence based on its specific purpose/criteria? This is to prevent an overlapping or "shadow" FW policy. Refer to the sample below:
1. DNAT using VIP
2. SNAT using IP pool
3. SNAT using egress interface
Labels: FortiGate, FortiManager
Hi @johnlloyd_13 ,
1. Is it "safe" to enable log "all sessions"?
A: It depends on what your FGT model is. If it is a low-end model, such as the FGT 81F, and you have a lot of traffic passing through the FGT, then no, enabling "Log all sessions" is not recommended.
2. I haven't seen much FG documentation regarding syslog; is the logging buffer "circular" in a FG, i.e. overwritten by newer logs?
A: I am not sure about the logging buffer for syslog. If there is such a buffer, I am pretty sure that the default behavior will be Overwrite.
3. Is there a default threshold or buffer size on the HDD for these "F" models?
A: Please check this KB:
The default settings for disk logging:
```
# config log disk setting
# get
status                          : enable
ips-archive                     : enable
max-policy-packet-capture-size  : 100
log-quota                       : 0
dlp-archive-quota               : 0
report-quota                    : 0
maximum-log-age                 : 7
upload                          : disable
full-first-warning-threshold    : 75
full-second-warning-threshold   : 90
full-final-warning-threshold    : 95
max-log-file-size               : 20
roll-schedule                   : daily
roll-time                       : 00:00
diskfull                        : overwrite
```
Jerry
Hello John,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Hello,
We are still looking for someone to help you.
We will come back to you ASAP.
Regards,
Hello,
Depending on the FGT that you have and the resources available, you should be able to enable logging on the device. That being said, if the device is a low-end device, it is recommended to log only security events (if security profiles are enabled on the policy) and, when trying to troubleshoot specific issues, to enable logging of all sessions so as to have a better understanding of the issue.
The maximum amount of time logs can be kept on the FGT, if they are not overwritten, is 7 days if I'm not mistaken.
Policy checks on the FGT are done from TOP to BOTTOM, meaning the first rule gets checked and so forth. If traffic matches a specific rule, the rules behind it are not checked anymore.
Hope this helps!
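A worked example of the top-to-bottom, first-match evaluation described in the reply above: an added Python script (not from this thread and not Fortinet code) that flags any policy fully covered by a policy placed earlier in the sequence, which is exactly what makes a "shadow" policy. The policy fields and the sample entries are constructed for this example; the NAT type from the original question is carried only as a label, because the coverage check compares source, destination and service.

```python
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass(frozen=True)
class Policy:
    """A simplified firewall policy (constructed for this example, not FortiOS data)."""
    policy_id: int
    srcaddr: str   # CIDR matched against the session source
    dstaddr: str   # CIDR matched against the session destination
    service: str   # "ANY" or one protocol/port such as "TCP/443"
    purpose: str   # label only, e.g. which NAT type the policy applies

def covers(earlier: Policy, later: Policy) -> bool:
    """True when every session `later` could match is already matched by `earlier`."""
    src_ok = ip_network(later.srcaddr).subnet_of(ip_network(earlier.srcaddr))
    dst_ok = ip_network(later.dstaddr).subnet_of(ip_network(earlier.dstaddr))
    svc_ok = earlier.service == "ANY" or earlier.service == later.service
    return src_ok and dst_ok and svc_ok

def find_shadowed(policies):
    """First-match, top-to-bottom: report (shadowed_id, shadowing_id) pairs.

    A policy is shadowed when some policy above it fully covers it, so the
    lower policy can never be hit no matter what traffic arrives.
    """
    shadowed = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if covers(earlier, later):
                shadowed.append((later.policy_id, earlier.policy_id))
                break  # the first covering policy is the one that wins
    return shadowed

# Constructed sample in the order the original post proposes: most specific first.
PROPOSED_ORDER = [
    Policy(1, "0.0.0.0/0", "203.0.113.10/32", "TCP/443", "DNAT using VIP"),
    Policy(2, "10.10.0.0/16", "0.0.0.0/0", "ANY", "SNAT using IP pool"),
    Policy(3, "10.0.0.0/8", "0.0.0.0/0", "ANY", "SNAT using egress interface"),
]
# The same policies with the catch-all egress policy moved to the top.
CATCHALL_FIRST = [PROPOSED_ORDER[2], PROPOSED_ORDER[1], PROPOSED_ORDER[0]]

if __name__ == "__main__":
    for name, order in (("proposed", PROPOSED_ORDER), ("catch-all first", CATCHALL_FIRST)):
        print(f"{name}: shadowed={find_shadowed(order)}")
```

With the proposed order nothing is shadowed; moving the broad egress-interface policy above the IP-pool policy makes policy 2 unreachable, which the script reports as the pair (2, 3).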
