Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
1) Logging to external USB disk: would be very nice but so far as we know this is not possible? 2) Syslog: requires a machine which acts as syslog server, additional syslog analyzer is required for reporting, searching/filtering in realtime is not really possible. 3) Fortianalyzer: better than syslog but expensive and would be a total overkill. 4) Logging to memory: not sure if this would still be possible with 5.2.0? If yes that' s the only tolerable option and would be ok for troubleshooting but not long term logging. After about one day memory is full mainly caused by broadcast logging. Probably nobody in the world needs this bullshit broadcast logging. We' ve already been in contact with support but Fortinet is to foolish to make an option to disable it. 5) Staying on 5.0.7 until the box dies and replace it with another vendor.1: not going to happen any time soon. That' s why fortianalyzer and cloud is available 2: that' s a option easy an cheap and addon for event analysis like sawmill/splunk are easy to use for log crunch. Don' t require heavy hardware ( could be virtualized ) 3: YMMV , see #2 and sawmill/splunk 4: logging too memory does exist 5: that' s option, do you really need anything from 5.2 at this time? Alternatives, build a local syslog server, aggregate the logs and send from that logging server to a cloud based roll-up server or another DC in your control ( we do the latter using ipsec and a fortigate that allows a ipsec tunnel to my main datacenter) . This could be cheaper in the long run than forticloud or using something like AWS. You would have to price and estimate the connection type, disk size and host size. You can also send this securely via ipsec-vpn to AWS or most other hosting providers. We use AWS since it houses our backup redundant site.
Sending security sensitive information like firewall logs to any 3rd party vendor or cloud service is only for people who are not quite right in the head.>You know forticloud uses SSL encryption >is 100% secured and >what exactly is sensitive about the data being sent or your concerned with As with any remote logging, you have to worry about the path being down. Remember forticloud is a SMB solution and should not be taken as a enterprise solution. A true enterprise would not hesitate with a fortinalyzer, local syslog and event analysis tools like splunk/sawmill/logrhythm/etc...
PCNSE
NSE
StrongSwan
I know that forticloud uses SSL encryption but this just means that transport is almost secure. My concerns about ANY cloud solution are that I don' t trust them ;) Firewall log data contains confident information like internal IP adresses, host names, services, etc. and should not be stored outside the company (except if it is encrypted before sending using own keys). That might sound paranoid but in europe where I' m from we are very sensitiv about data privacy.I' m too in EMEA area and we are using a private cloud provider using virtual-instances that we managed ( via AWS and Telefonica ) Since the cloud is our DR site in some instances, we have a remote-syslog server and a collection server at the primary sites. This runs the syslogd with it exporting all logging via tcp to the cloud instance that we control. That should cover any security concern. Except now that I think about it, how secure is the virtual-instance from the provider eyes I guess you could use filesystem/diskencryption if you need that level of data security for data sitting at a rest. Based on your concerns, you really have 2 choices; 1: fortinet analyzer ( granted it' s good but now worth the $$$$.$$ imho, & more so if you have crafting sysadmin and knowledge over a logging cruncher and viewer like splunk, etc.... 2: local syslog daemon server and optionally a roll-up collector if your talking about multiple sites Forticloud should NOT be looked at as a true logging services. Even with the addon 200gb (iirc) optional it was never built or sold as a enterprise level logging services. And limited the data present per devices. Also if you path to foricloud is broken ( a few months ago i had just that problems ) than gaining access to the logging is almost as good a tits on a boar hog. Looks good but not effective for producing milk What you really need to ask your self these questions; 1: how much log data do you estimate per hour/per day/per month ? 2: do you have more than 1 site 3: do you need a centralize collection 4: do you need log analysis and correlation 5: are you logging other systems ( router/switches/unix/window host etc....) 6: do you need loggng rollup and can push logs 7: do you picture the need for logging compression 8: how much security do you need in logging transportation and storage 9: how much log retention do you need 1 week 2 months 1 year , etc... 10: do you have any regulatory compliance or auditing for log info fwiw, I' m logging over 400mb of logs per-day on avg & just on the fortigate stuff alone We have 8 sites to date with 8 more coming by Q1-2 2015 if I had to guess We have a big gap in logging rt/switch gear btw We have approx 400+ devices in the core/host network and that number would triple by end of 2015 if i had to guess We have built a independent OOB and management network for logging transmission & management of our systems that independent of the main data path We played with logging over multicast at one given time We have 800+ u/linux hosts that need logging collection and log rollup So Forticloud was quickly eliminate and much the same for fortianalyzer. We actually threw all of the fortianalyzer outs a year + ago due to our logging demands where to grow over years time. forticloud is good for playing around, and for SOHO/SMB operations but that' s just about it imho FAZ is good for a sml to med enterprise but as you start to explore it, you will find it ha a lot of gap Same for the fortimanager, it too does some degree of logging but it' s has even bigger gaps just my 2cts input
PCNSE
NSE
StrongSwan
FG200D 5.6.5 (HA) - primary [size="1"]FWF50B' s 4.3.x, FG60D's 5.2.x, FG60E's 5.4.x [Did my post help you? Please rate my post.][/size] FAZ-VM 5.6.5 | Fortimail 5.3.11 Network+, Security+
FG200D 5.6.5 (HA) - primary [size="1"]FWF50B' s 4.3.x, FG60D's 5.2.x, FG60E's 5.4.x [Did my post help you? Please rate my post.][/size] FAZ-VM 5.6.5 | Fortimail 5.3.11 Network+, Security+
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1713 | |
1093 | |
752 | |
447 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.