Support Forum
mcwz
New Contributor

FortiOS 5.2.0 logging issues

Hello, we're running a FGT-60C with FortiOS 5.0.7 and are thinking about upgrading to 5.2.0. Unfortunately Fortinet has changed logging in 5.2.0. From the release notes:

> Disk logging and memory logging changes
>
> On some FortiGate models, flash-based logging is not available in FortiOS v5.2.0. For these platforms, Fortinet recommends the free FortiCloud central logging & reporting service, as it offers higher capacity and extends the features available to the FortiGate.

Fortinet's recommendation to use their Forticloud is NOT an option. Sending security sensitive information like firewall logs to any 3rd party vendor or cloud service is only for people who are not quite right in the head.

Other options:

1) Logging to external USB disk: would be very nice, but as far as we know this is not possible?
2) Syslog: requires a machine which acts as syslog server, an additional syslog analyzer is required for reporting, searching/filtering in realtime is not really possible.
3) Fortianalyzer: better than syslog but expensive and would be total overkill.
4) Logging to memory: not sure if this is still possible with 5.2.0? If yes, that's the only tolerable option and would be ok for troubleshooting but not long term logging. After about one day memory is full, mainly caused by broadcast logging. Probably nobody in the world needs this bullshit broadcast logging. We've already been in contact with support but Fortinet is too foolish to make an option to disable it.
5) Staying on 5.0.7 until the box dies and replacing it with another vendor.

Any ideas or recommendations?

Best regards
emnoc
Esteemed Contributor III

> 1) Logging to external USB disk: would be very nice, but as far as we know this is not possible?
> 2) Syslog: requires a machine which acts as syslog server, an additional syslog analyzer is required for reporting, searching/filtering in realtime is not really possible.
> 3) Fortianalyzer: better than syslog but expensive and would be total overkill.
> 4) Logging to memory: not sure if this is still possible with 5.2.0? If yes, that's the only tolerable option and would be ok for troubleshooting but not long term logging. After about one day memory is full, mainly caused by broadcast logging. Probably nobody in the world needs this bullshit broadcast logging. We've already been in contact with support but Fortinet is too foolish to make an option to disable it.
> 5) Staying on 5.0.7 until the box dies and replacing it with another vendor.
1: not going to happen any time soon. That's why fortianalyzer and cloud are available.
2: that's an option, easy and cheap, and add-ons for event analysis like sawmill/splunk are easy to use for log crunching. They don't require heavy hardware (could be virtualized).
3: YMMV, see #2 and sawmill/splunk.
4: logging to memory does exist.
5: that's an option, do you really need anything from 5.2 at this time?

Alternatives: build a local syslog server, aggregate the logs and send from that logging server to a cloud based roll-up server or another DC in your control (we do the latter using ipsec and a fortigate that allows an ipsec tunnel to my main datacenter). This could be cheaper in the long run than forticloud or using something like AWS. You would have to price and estimate the connection type, disk size and host size. You can also send this securely via ipsec-vpn to AWS or most other hosting providers. We use AWS since it houses our backup redundant site.
> Sending security sensitive information like firewall logs to any 3rd party vendor or cloud service is only for people who are not quite right in the head.
- You know forticloud uses SSL encryption
- is 100% secured and
- what exactly is sensitive about the data being sent or you're concerned with?

As with any remote logging, you have to worry about the path being down. Remember forticloud is a SMB solution and should not be taken as an enterprise solution. A true enterprise would not hesitate with a fortianalyzer, local syslog and event analysis tools like splunk/sawmill/logrhythm/etc...
PCNSE NSE StrongSwan
mcwz
New Contributor

Hi emnoc, thanks for your answer; just as I feared there are no other options.

1) would be the best for everyone using one of the "low end" devices and from a technical point of view that would be no problem. I understand that Fortinet doesn't support it because they want to sell their products (Fortianalyzer). Maybe good for them but bad for the customer.
2) syslog is ok for long term logging and analysis/reporting but not for realtime troubleshooting.
3) expensive and over-the-top for small offices.
4) that's good news. So we can use it for troubleshooting and maybe combine it with syslog (for long term logging).
5) I think as long as the box is alive we'll keep it, later... let's see ;-)

I know that forticloud uses SSL encryption but this just means that transport is almost secure. My concerns about ANY cloud solution are that I don't trust them ;) Firewall log data contains confidential information like internal IP addresses, host names, services, etc. and should not be stored outside the company (except if it is encrypted before sending using own keys). That might sound paranoid but in Europe where I'm from we are very sensitive about data privacy.
oheigl
Contributor II

Hi, if you really need it for real time troubleshooting, you will not get much out of the logs produced by the FortiGate. The only thing you will see is maybe that something is not working, but not why. For this you need to go to the CLI and run some debug commands anyway. I think syslog would fit perfectly for you. Also, what do you think the time difference will be if you send the logs via syslog, a few seconds?

Kind regards, Oliver
emnoc
Esteemed Contributor III

> I know that forticloud uses SSL encryption but this just means that transport is almost secure. My concerns about ANY cloud solution are that I don't trust them ;) Firewall log data contains confidential information like internal IP addresses, host names, services, etc. and should not be stored outside the company (except if it is encrypted before sending using own keys). That might sound paranoid but in Europe where I'm from we are very sensitive about data privacy.
I'm too in the EMEA area and we are using a private cloud provider using virtual-instances that we manage (via AWS and Telefonica). Since the cloud is our DR site in some instances, we have a remote-syslog server and a collection server at the primary sites. This runs the syslogd with it exporting all logging via tcp to the cloud instance that we control. That should cover any security concern. Except now that I think about it, how secure is the virtual-instance from the provider's eyes? I guess you could use filesystem/disk encryption if you need that level of data security for data sitting at rest.

Based on your concerns, you really have 2 choices:

1: fortinet analyzer (granted it's good but not worth the $$$$.$$ imho, & more so if you have a crafting sysadmin and knowledge over a logging cruncher and viewer like splunk, etc....)
2: local syslog daemon server and optionally a roll-up collector if you're talking about multiple sites

Forticloud should NOT be looked at as a true logging service. Even with the add-on 200gb (iirc) option it was never built or sold as an enterprise level logging service, and limited the data present per device. Also if your path to forticloud is broken (a few months ago I had just that problem) then gaining access to the logging is almost as good as tits on a boar hog. Looks good but not effective for producing milk.

What you really need to ask yourself are these questions:

1: how much log data do you estimate per hour/per day/per month?
2: do you have more than 1 site?
3: do you need a centralized collection?
4: do you need log analysis and correlation?
5: are you logging other systems (router/switches/unix/windows hosts etc....)?
6: do you need logging rollup and can push logs?
7: do you picture the need for logging compression?
8: how much security do you need in logging transportation and storage?
9: how much log retention do you need, 1 week, 2 months, 1 year, etc...?
10: do you have any regulatory compliance or auditing for log info?

fwiw, I'm logging over 400mb of logs per-day on avg & just on the fortigate stuff alone. We have 8 sites to date with 8 more coming by Q1-2 2015 if I had to guess. We have a big gap in logging rt/switch gear btw. We have approx 400+ devices in the core/host network and that number would triple by end of 2015 if I had to guess. We have built an independent OOB and management network for logging transmission & management of our systems that is independent of the main data path. We played with logging over multicast at one given time. We have 800+ u/linux hosts that need logging collection and log rollup.

So Forticloud was quickly eliminated and much the same for fortianalyzer. We actually threw all of the fortianalyzers out a year+ ago due to our logging demands that were to grow over years' time. forticloud is good for playing around, and for SOHO/SMB operations but that's just about it imho. FAZ is good for a sml to med enterprise but as you start to explore it, you will find it has a lot of gaps. Same for the fortimanager, it too does some degree of logging but it has even bigger gaps.

just my 2cts input
PCNSE NSE StrongSwan
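As an added example (not code from this thread, from Fortinet or from any poster), a collector-side filter for the local syslog server emnoc describes: it parses FortiOS key=value records, drops the broadcast traffic logs that mcwz says fill the memory log before they are stored or forwarded, and turns the measured volume into the retention estimate emnoc's question 9 asks for. The sample log lines and the 192.168.1.0/24 LAN are constructed for the example.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample lines in the FortiOS key=value syslog style (not captured from a real device).
SAMPLE_LOGS = [
    'date=2014-09-01 time=08:00:01 devname=FGT60C logid=0000000013 type=traffic subtype=forward level=notice vd=root srcip=192.168.1.10 srcport=137 dstip=192.168.1.255 dstport=137 proto=17 action=deny',
    'date=2014-09-01 time=08:00:02 devname=FGT60C logid=0000000013 type=traffic subtype=forward level=notice vd=root srcip=192.168.1.11 srcport=68 dstip=255.255.255.255 dstport=67 proto=17 action=deny',
    'date=2014-09-01 time=08:00:03 devname=FGT60C logid=0000000013 type=traffic subtype=forward level=notice vd=root srcip=192.168.1.12 srcport=51234 dstip=198.51.100.7 dstport=443 proto=6 action=accept',
    'date=2014-09-01 time=08:00:04 devname=FGT60C logid=0000000020 type=event subtype=system level=information vd=root logdesc="Admin login successful" user=admin msg="Administrator admin logged in successfully from ssh(192.168.1.20)"',
]

# key=value pairs; a value is either a double-quoted string (may contain spaces) or a run of non-blanks
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fortigate_line(line: str) -> Dict[str, str]:
    """Split one FortiOS log line into a dict; surrounding quotes are stripped from values."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


def is_broadcast_record(rec: Dict[str, str], lan: ipaddress.IPv4Network) -> bool:
    """True for traffic logs whose destination is the limited broadcast or the LAN's directed broadcast."""
    if rec.get("type") != "traffic":
        return False  # event/UTM records are never dropped by this filter
    try:
        dst = ipaddress.IPv4Address(rec["dstip"])
    except (KeyError, ValueError):
        return False  # no parseable destination: keep the record rather than lose it
    return dst == ipaddress.IPv4Address("255.255.255.255") or dst == lan.broadcast_address


def filter_logs(lines: Iterable[str], lan_cidr: str) -> Tuple[List[str], int, int]:
    """Return (kept_lines, dropped_count, kept_bytes); only kept_lines go to disk or the remote collector."""
    lan = ipaddress.IPv4Network(lan_cidr)
    kept: List[str] = []
    dropped = 0
    for line in lines:
        if is_broadcast_record(parse_fortigate_line(line), lan):
            dropped += 1
        else:
            kept.append(line)
    kept_bytes = sum(len(line.encode()) + 1 for line in kept)  # +1 for the newline on disk
    return kept, dropped, kept_bytes


def retention_days(bytes_per_day: int, disk_bytes: int) -> float:
    """Days of logs a disk of disk_bytes holds at the measured daily volume (no compression assumed)."""
    return disk_bytes / bytes_per_day


if __name__ == "__main__":
    kept, dropped, size = filter_logs(SAMPLE_LOGS, "192.168.1.0/24")
    print(f"kept {len(kept)} records, dropped {dropped} broadcast records, {size} bytes to store")
    print(f"400 MiB/day on a 100 GiB disk lasts {retention_days(400 * 1024 * 1024, 100 * 1024 ** 3):.0f} days")
```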
Paul_S

emnoc, what do you use for logging instead of FAZ?

FG200D 5.6.5 (HA) - primary | FWF50B's 4.3.x, FG60D's 5.2.x, FG60E's 5.4.x | FAZ-VM 5.6.5 | Fortimail 5.3.11 | Network+, Security+
mcwz
New Contributor

Hi, after some internal discussions we have made our decision. We discontinue selling Fortinet products. The main reason is that our longstanding distributor has cancelled their contract with Fortinet. We'll continue with Checkpoint (our main firewall vendor) for our larger customers. For the SMB business we're currently evaluating. Maybe we go for Sonicwall, let's see... Thank you all for your thoughts and help. Kind regards
Paul_S

mcwz, do Checkpoint and SonicWall address your logging concerns better than Fortinet? Do they cost about the same for the firewall and the logging portion?

FG200D 5.6.5 (HA) - primary | FWF50B's 4.3.x, FG60D's 5.2.x, FG60E's 5.4.x | FAZ-VM 5.6.5 | Fortimail 5.3.11 | Network+, Security+