bartman10
Contributor

FortiGate Suggestion: Allow Logging to USB

 

In the past 2-3 years many of my Fortigate devices have lost features due to the removal of internal storage. WAN Acceleration, web cache, logging.. From 90D, 60D, 94D and so on. Many new units also don't come with internal storage, e.g. the 50E. Fortinet, please consider allowing at least logging to a user-provided USB device. We could use a USB flash drive or external HD. I understand maybe all 500GB on that HD may not be accessible for logging on say a 30D but something reasonable the device could support would be great!

- It costs Fortinet nothing, and could save Fortinet money.
- Assists in troubleshooting problems with TAC.
- Reduces RMA on devices as only user replaceable USB flash is being used, not affecting internal storage with read/write cycles.
- Build loyalty with users like myself by restoring features the unit was sold with.

Users please speak with your sales rep and maybe comment in this post if you'd like to see this feature added.

 

 

I also posted this in the suggestions section but it kind of looks dead.. Sorry in advance if it's a no-no but many people I've spoken with at Fortinet also think this is a great idea but needs user support.

300E x3, 200D, 140D, 94D, 90D x2, 80D, 40C, handful of 60E's.. starting to lose track.

Over 100 WiFi AP's and growing.

FAZ-200D

FAC-VM 2 node cluster

Friends don't let friends FWF!

9 REPLIES
AlexFeren
New Contributor III

Your suggestion makes sense. (I've thought similarly.) +1 from me.

 

I suspect Fortinet's negativity wouldn't come from technical but rather from marketing, particularly, their model segmentation and their positioning of FortiCloud.

Burhanripl
New Contributor

We face much competition in this part of the world with competitors for logging options not available with entry level & SMB models of FortiGate. Having said that, the new Sophos/Cyberoam devices are giving more than 50GB SSD hard disk even with entry level models.

 

At least give the option of USB logging or provide us a licensed software just like Sonicwall gives to its customers.

 

We are even happy with Forticloud licensing, but allow the users to download the required logs in csv/pdf format. The logs available on cloud are useless if you can't download them in user readable format.

Antonio_Milanese

Hello,

 

yes it is becoming increasingly difficult to justify the lack of an integrated logging solution in small deployments (say from 80D and upward) especially considering that the competition offers much more on this price range;

certainly it can be objected that it is possible to use the Forticloud logging, but it is viewed as a subpar solution and some customers are reluctant for regulatory issues to log outside their walls.

As I said in other posts the most reasonable solution in terms of features and performance is to provide an Express version of the FortiAnalyzer VM limited to say 2 devices and 20GB of usable space.

IMHO logging onto an external USB device can potentially be a detriment for the performance since all work is done by the main CPU, causing latencies in the packet processing.

Personally I found some viable alternatives using Graylog, ELK stack and Netflow but certainly it would be perceived as more professional if the solution was integrated using only Fortinet software.

 

Best regards,

 

Antonio

 

bartman10

Where did this rumor of lacking CPU power and latency come from? Even in the same post the guy says Sophos offers logging on the entry level models. 

 

Most FG's are logging right now.. it's either logging to RAM, to FAZ or to cloud.. so I really don't see where this argument comes from. FG dropping local logging on many units was entirely because of the cheap flash RAM wearing out.. nowhere have I seen nor experienced any kind of CPU load due to local logging on a 90D.. and by the way, the 90D has a really weak CPU.

300E x3, 200D, 140D, 94D, 90D x2, 80D, 40C, handful of 60E's.. starting to lose track.

Over 100 WiFi AP's and growing.

FAZ-200D

FAC-VM 2 node cluster

Friends don't let friends FWF!

Antonio_Milanese

Hi Bartman10,

the problem is not generating a logging line (I assume it's a buffered, lazily written pipeline) but rather the logging/analysis related tasks (indexing, queries, reporting, etc.) that consume CPU!

I think that we all agree that beyond a live troubleshooting activity logs have meaning only if:

 - are searchable/drillable/correlatable
 - presented with clear and navigable dashboards/reports

AFAIK the Fortigate USB mass storage driver is Linux based and most of the activities are userland (queries, indexing, log rotating, reporting, etc.), so even a good USB key is way slower in random access than a low spec SSD due to the lack of a dedicated SATA controller/protocol.

Therefore IMHO for the above reasons the more reasonable solution is to provide the possibility of using an express version of FAZ where the Fortigate unit has only to forward the log buffers and the resource consuming activity takes place on FAZ itself.

Of course this is my personal view of how to solve the problem.

Regards,

Antonio

emnoc
Esteemed Contributor III

if that's what you really need;

 

the problem is not generating a logging line (I assume it's a buffered, lazily written pipeline) but rather the logging/analysis related tasks (indexing, queries, reporting, etc.) that consume CPU!

 

Then you're using the wrong tool. You have numerous other options that would be free, low cost or costly

 

e.g

 

splunk

sawmill

FAZ

ArcSight

FortiCloud

etc......

 

All of these are geared for what you're asking for (the above in bold). Off-appliance logging and analysis IMHO is much better, cheaper over the long run, simpler for a "centralized" collection and allows you to index and parse logs for details much, much more effectively.

 

 

ken

 

 

PCNSE 

NSE 

StrongSwan  

Antonio_Milanese

Hello Emnoc,

sorry but I do not really understand your comments..

maybe it's my poor written English but I'm stating that I'm AGAINST using in-place Fortigate log analysis/management on lower models beyond live troubleshooting sessions and especially with an external USB key as log storage:

therefore IMHO for the above reasons the more reasonable solution is to provide the possibility of using an express version of FAZ where the Fortigate unit has only to forward the log buffers and the resource consuming activity takes place on FAZ itself.

the reasons are obvious when you think that a userland mounted USB storage key is not suitable (many times worse than a low quality SATA SSD) for heavy random access of say 1/2 week of logs during searching/filtering/indexing..

Then you're using the wrong tool. You have numerous other options that would be free, low cost or costly splunk sawmill FAZ ArcSight FortiCloud etc......

 

yes... I'm already using open source tools as I've said above in this thread.. but the problem here is that on lower Fortinet appliances (below 100d) the logging/reporting capabilities are a severe selling deficiency against the competition and an increasingly difficult one to justify towards the customer:

it's not a technical matter, as you said there are viable alternatives paid or open source, it is a matter of perception of the brand and the proposed solution or lack thereof.

Would the availability of an Express version of FAZ VM (with the limitation of 2 Fortigates and 10/20GB) hurt sales of the paid version or the Forticloud subscriptions for customers with only 2 SMB Fortigates, clustered or not? I do not think so:

- more than 2 FGT upgrade FAZ to full

- geographically dispersed units maybe Forticloud is for you

Just my 2 cents

Regards,

Antonio

Mikael_A

Well, considering that the prices on both SOC and flash storage are shrinking it would not be a price related issue to add on say 32GB of flash to be enabled on demand along with a 2nd SOC for handling the analytic side.

 

The 2nd option would be to have an option for external logging on a USB device. Pref. using flash. Then an option to easily import it into a (as you say) lite version of FAZ that runs on your PC. Like a troubleshooting tool.

 

Third option would be to actually have an option to upload the log files to a cloud service that presents the tool for partners via the web. And from there do the analytical.

itsupport7

I agree with the idea of adding flash for logging.  Seems simple and practical.

Served 1,000,000 burgers
