FortiOS 5.2.0 logging issues
Hello,
we're running a FGT-60C with FortiOS 5.0.7 and are thinking about upgrading to 5.2.0. Unfortunately Fortinet has changed logging in 5.2.0.
From the release notes:
> Disk logging and memory logging changes
>
> On some FortiGate models, flash-based logging is not available in FortiOS v5.2.0.
> For these platforms, Fortinet recommends the free FortiCloud central logging & reporting service,
> as it offers higher capacity and extends the features available to the FortiGate.
Fortinet's recommendation to use their FortiCloud is NOT an option. Sending security sensitive information like firewall logs to any 3rd party vendor or cloud service is only for people who are not quite right in the head.
Other options:
1) Logging to external USB disk: would be very nice but so far as we know this is not possible?
2) Syslog: requires a machine which acts as syslog server, additional syslog analyzer is required for reporting, searching/filtering in realtime is not really possible.
3) Fortianalyzer: better than syslog but expensive and would be a total overkill.
4) Logging to memory: not sure if this would still be possible with 5.2.0? If yes, that's the only tolerable option and would be ok for troubleshooting but not long term logging. After about one day memory is full, mainly caused by broadcast logging. Probably nobody in the world needs this bullshit broadcast logging. We've already been in contact with support but Fortinet is too foolish to make an option to disable it.
5) Staying on 5.0.7 until the box dies and replace it with another vendor.
Any ideas or recommendations?
Best regards
> 1) Logging to external USB disk: would be very nice but so far as we know this is not possible?
> 2) Syslog: requires a machine which acts as syslog server, additional syslog analyzer is required for reporting, searching/filtering in realtime is not really possible.
> 3) Fortianalyzer: better than syslog but expensive and would be a total overkill.
> 4) Logging to memory: not sure if this would still be possible with 5.2.0? If yes that's the only tolerable option and would be ok for troubleshooting but not long term logging. After about one day memory is full mainly caused by broadcast logging. Probably nobody in the world needs this bullshit broadcast logging. We've already been in contact with support but Fortinet is too foolish to make an option to disable it.
> 5) Staying on 5.0.7 until the box dies and replace it with another vendor.

1: not going to happen any time soon. That's why fortianalyzer and cloud are available.
2: that's an option, easy and cheap, and add-ons for event analysis like sawmill/splunk are easy to use for log crunching. Doesn't require heavy hardware (could be virtualized).
3: YMMV, see #2 and sawmill/splunk.
4: logging to memory does exist.
5: that's an option; do you really need anything from 5.2 at this time?

Alternatives: build a local syslog server, aggregate the logs and send from that logging server to a cloud based roll-up server or another DC in your control (we do the latter using ipsec and a fortigate that allows an ipsec tunnel to my main datacenter). This could be cheaper in the long run than forticloud or using something like AWS. You would have to price and estimate the connection type, disk size and host size. You can also send this securely via ipsec-vpn to AWS or most other hosting providers. We use AWS since it houses our backup redundant site.

> Sending security sensitive information like firewall logs to any 3rd party vendor or cloud service is only for people who are not quite right in the head.

- You know forticloud uses SSL encryption
- is 100% secured and
- what exactly is sensitive about the data being sent or you're concerned with?

As with any remote logging, you have to worry about the path being down. Remember forticloud is a SMB solution and should not be taken as an enterprise solution. A true enterprise would not hesitate with a fortianalyzer, local syslog and event analysis tools like splunk/sawmill/logrhythm/etc...
PCNSE
NSE
StrongSwan
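The original post complains that memory logging fills up with broadcast traffic records, and the reply above suggests aggregating logs on a local syslog server instead. One thing such a collector can do before long-term storage is drop the broadcast noise itself. The following is an added example, not code from the thread or from Fortinet: it parses FortiOS-style key=value log lines (the sample lines are constructed for this example) and discards records whose destination is the limited broadcast address or the directed broadcast of a listed local subnet.

```python
import ipaddress
import re

# Constructed sample lines in the FortiOS key=value syslog style; device name,
# addresses and log ids are made up for this example, not taken from a real box.
SAMPLE_LOGS = [
    'date=2014-08-01 time=10:00:01 devname=FGT60C logid=0000000013 type=traffic subtype=forward level=notice srcip=192.168.1.20 srcport=49152 dstip=192.168.1.255 dstport=137 proto=17 action=accept',
    'date=2014-08-01 time=10:00:02 devname=FGT60C logid=0000000013 type=traffic subtype=forward level=notice srcip=192.168.1.20 srcport=49153 dstip=255.255.255.255 dstport=67 proto=17 action=accept',
    'date=2014-08-01 time=10:00:03 devname=FGT60C logid=0000000013 type=traffic subtype=forward level=notice srcip=192.168.1.20 srcport=49154 dstip=198.51.100.10 dstport=443 proto=6 action=accept',
    'date=2014-08-01 time=10:00:04 devname=FGT60C logid=0000000020 type=traffic subtype=forward level=notice srcip=10.0.0.5 srcport=50000 dstip=192.168.1.10 dstport=22 proto=6 action=deny msg="Denied by policy"',
]

# key=value pairs; values are either a double-quoted string (may contain spaces) or a bare token
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_fortigate_line(line: str) -> dict:
    """Split one FortiOS key=value log line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields

def is_broadcast(fields: dict, local_nets) -> bool:
    """True when dstip is 255.255.255.255 or the directed broadcast of a local subnet."""
    try:
        dst = ipaddress.ip_address(fields.get("dstip", ""))
    except ValueError:
        return False  # missing or malformed dstip: keep the record, never drop silently
    if dst == ipaddress.ip_address("255.255.255.255"):
        return True
    return any(dst == net.broadcast_address for net in local_nets)

def filter_logs(lines, local_cidrs):
    """Parse each line and drop broadcast records; returns (kept_records, dropped_count)."""
    local_nets = [ipaddress.ip_network(c, strict=False) for c in local_cidrs]
    kept, dropped = [], 0
    for line in lines:
        rec = parse_fortigate_line(line)
        if is_broadcast(rec, local_nets):
            dropped += 1
            continue
        kept.append(rec)
    return kept, dropped

if __name__ == "__main__":
    kept, dropped = filter_logs(SAMPLE_LOGS, ["192.168.1.0/24"])
    print(f"kept {len(kept)} records, dropped {dropped} broadcast records")
```

The same parser can feed whatever per-type or per-action counting the analysis tool of choice needs; the point here is only that the filtering the FortiGate itself does not offer can be done on the collector.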
Hi emnoc,
thanks for your answer. Just as I feared, there are no other options.
1) would be the best for everyone using one of the "low end" devices and from a technical point of view that would be no problem. I understand that Fortinet doesn't support it because they want to sell their products (Fortianalyzer). Maybe good for them but bad for the customer.
2) syslog is ok for long term logging and analysis/reporting but not for realtime troubleshooting.
3) expensive and over-the-top for small offices.
4) that's good news. So we can use it for troubleshooting and maybe combine it with syslog (for long term logging).
5) I think as long as the box is alive we'll keep it, later... let's see ;-)
I know that forticloud uses SSL encryption but this just means that transport is almost secure. My concerns about ANY cloud solution are that I don't trust them ;) Firewall log data contains confidential information like internal IP addresses, host names, services, etc. and should not be stored outside the company (except if it is encrypted before sending using own keys). That might sound paranoid but in Europe where I'm from we are very sensitive about data privacy.
Hi,
if you really need it for real time troubleshooting, you will not get much out of the logs produced by the FortiGate. The only thing you will see is maybe that something is not working, but not why.
For this you need to go to the CLI and run some debug commands anyway. I think syslog would fit perfectly for you. Also, what do you think the time difference will be if you send the logs via syslog, a few seconds?
Kind regards,
Oliver
> I know that forticloud uses SSL encryption but this just means that transport is almost secure. My concerns about ANY cloud solution are that I don't trust them ;) Firewall log data contains confidential information like internal IP addresses, host names, services, etc. and should not be stored outside the company (except if it is encrypted before sending using own keys). That might sound paranoid but in Europe where I'm from we are very sensitive about data privacy.

I'm also in the EMEA area and we are using a private cloud provider using virtual instances that we manage (via AWS and Telefonica). Since the cloud is our DR site in some instances, we have a remote syslog server and a collection server at the primary sites. This runs syslogd, exporting all logging via tcp to the cloud instance that we control. That should cover any security concern. Except now that I think about it, how secure is the virtual instance from the provider's eyes?
PCNSE
NSE
StrongSwan
emnoc,
what do you use for logging instead of FAZ?
FG200D 5.6.5 (HA) - primary | FWF50B's 4.3.x, FG60D's 5.2.x, FG60E's 5.4.x | FAZ-VM 5.6.5 | Fortimail 5.3.11 | Network+, Security+
Hi,
after some internal discussions we have made our decision. We discontinue selling Fortinet products.
The main reason is that our longstanding distributor has cancelled their contract with Fortinet. We'll continue with Checkpoint (our main firewall vendor) for our larger customers. For the SMB business we're currently evaluating. Maybe we go for Sonicwall, let's see...
Thank you all for your thoughts and help.
Kind regards
mcwz,
do Checkpoint and SonicWall address your logging concerns better than Fortinet? Do they cost about the same for the firewall and the logging portion?
FG200D 5.6.5 (HA) - primary | FWF50B's 4.3.x, FG60D's 5.2.x, FG60E's 5.4.x | FAZ-VM 5.6.5 | Fortimail 5.3.11 | Network+, Security+