Support Forum
s_banton
New Contributor

Log limits that 200D has

Hello, I have a FG200D-5.00-FW-build271-140124 and I have enabled logging to the internal hard disk. I am wondering what kind of log storing limits the FG has:

1. Total file size limit that the FG can store, e.g. 14GB
2. File size limit per one log file, e.g. 1GB, 100MB
3. Number of files that the FG can store, e.g. 14 files
4. Time interval that the FG can store, e.g. 7 days, 10 days

I appreciate your advice. Thanks,
AndreaSoliva
Contributor III

Hi, from my point of view, the following:

--> My suggestion would be to prevent logging to the disk, which means this is the biggest problem on a FGT because these disks are flash disks. I do not have to explain what happens if heavy logging is done on a flash disk.
--> If you can, and it is visible for you, use FAZ (FortiAnalyzer).
--> If you can't use FAZ, make sure you do not log heavily to disk and log only what you must (if you have to follow SOC compliance, you can't).
--> At least I recommend configuring the logs properly, which means, as an overview:

Activate/Deactivate for DLP UTM-Log/Log
# config dlp sensor
# edit [Name of Profile]
# set extended-utm-log [enable | disable]
# set dlp-log [enable | disable]
# end

Activate/Deactivate for Antivirus UTM-Log/Log
# config antivirus profile
# edit [Name of Profile]
# set extended-utm-log [enable | disable]
# set av-block-log [enable | disable]
# set av-virus-log [enable | disable]
# end

Activate/Deactivate for VoIP UTM-Log/Log
# config voip profile
# edit [Name of Profile]
# set extended-utm-log [enable | disable]
# config sip
# set status [enable | disable]
# set log-violations [enable | disable]
# set log-call-summary [enable | disable]
# end
# config sccp
# set status [enable | disable]
# set log-call-summary [enable | disable]
# set log-violations [enable | disable]
# end
# end

Activate/Deactivate for Application UTM-Log/Log
# config application list
# edit [Name of Profile]
# set extended-utm-log [enable | disable]
# set log [enable | disable]
# set other-application-log [enable | disable]
# set unknown-application-log [enable | disable]
# end

Activate/Deactivate for Deep-Inspection UTM-Log/Log
# config firewall deep-inspection-options
# edit [Name of Profile]
# set extended-utm-log [enable | disable]
# set ssl-invalid-server-cert-log [enable | disable]
# set allow-invalid-server-cert [enable | disable]
# end

Activate/Deactivate for WebFilter UTM-Log/Log
# config webfilter profile
# edit [Name of Profile]
# set extended-utm-log [enable | disable]
# set log-all-url [enable | disable]
# set web-content-log [enable | disable]
# set web-filter-command-block-log [enable | disable]
# set web-filter-cookie-log [enable | disable]
# set web-filter-applet-log [enable | disable]
# set web-filter-jscript-log [enable | disable]
# set web-filter-js-log [enable | disable]
# set web-filter-vbs-log [enable | disable]
# set web-filter-unknown-log [enable | disable]
# set web-filter-referer-log [enable | disable]
# set web-filter-cookie-removal-log [enable | disable]
# set web-url-log [enable | disable]
# set web-invalid-domain-log [enable | disable]
# set web-ftgd-err-log [enable | disable]
# set web-ftgd-quota-usage [enable | disable]
# end

Activate/Deactivate for WebFilter [Minimal] UTM-Log/Log
# config webfilter profile
# edit [Name of Profile]
# set extended-utm-log enable
# set log-all-url enable
# set web-url-log enable
# set web-ftgd-err-log enable
# end

Activate/Deactivate for Spamfilter UTM-Log/Log
# config spamfilter profile
# edit [Name of Profile]
# set extended-utm-log [enable | disable]
# end

Activate/Deactivate Global Settings Log
# config log setting
# set fwpolicy-implicit-log [enable | disable]
# set gui-location [fortianalyzer]
# set local-in-allow [enable | disable]
# set local-in-deny [enable | disable]
# set local-out [enable | disable]
# set resolve-apps [enable | disable]
# set resolve-hosts [enable | disable]
# set resolve-ip [enable | disable]
# set user-anonymize [enable | disable]
# end

Activate/Deactivate Global Settings (Recommendation) Log
# config log setting
# set fwpolicy-implicit-log enable
# set gui-location [fortianalyzer]
# set local-in-allow disable
# set local-in-deny disable
# set local-out disable
# set resolve-apps enable
# set resolve-hosts enable
# set resolve-ip enable
# set user-anonymize disable
# end

Activate/Deactivate Eventfilter (Recommendation) Log
# config log eventfilter
# set event [enable | disable]
# set router [enable | disable]
# set system [enable | disable]
# set user [enable | disable]
# set vpn [enable | disable]
# set wan-opt [enable | disable]
# set wireless-activity [enable | disable]
# end

Activate FortiAnalyzer Log
# config log fortianalyzer setting
# set status enable
# set ips-archive enable
# set server [FortiAnalyzer IP]
# set enc-algorithm default
# set localid [set a local ID for Device like Serial Nr.]
# set psksecret [Password for Preshared Key]
# set conn-timeout 10
# set monitor-keepalive-period 5
# set monitor-failure-retry-period 5
# set source-ip 0.0.0.0
# set upload-option realtime
# set reliable enable
# end

Activate/Deactivate all Devices Log
# config log memory setting
# set status [enable | disable]
# set diskfull overwrite
# end
# config log disk setting
# set status [enable | disable]
# set diskfull overwrite
# end
# config log syslogd setting
# set status [enable | disable]
# end
# config log fortiguard setting
# set status [enable | disable]
# end

After that, if you log to disk, decide whether to roll and archive logs on the FGT:

Activate roll of logs
# config log disk setting
# set roll-schedule [daily or weekly]
# set roll-time [hh:mm]
# get
status                      : enable
ips-archive                 : enable
log-quota                   : 1024
dlp-archive-quota           : 500
report-quota                : 50
upload                      : disable
upload-format               : compact
drive-standby-time          : 0
full-first-warning-threshold: 75
full-second-warning-threshold: 90
full-final-warning-threshold: 95
max-log-file-size           : 100
storage                     : (null)
roll-schedule               : daily
roll-time                   : 00:00
diskfull                    : overwrite
# end

Activate archiving to FTP server
# config log disk setting
# set upload enable
# set upload-delete-files disable
# set upload-destination ftp-server
# set upload-format compact
# set uploaddir /log-archive/
# set uploadip xxx.xxx.xxx.xxx
# set uploaduser [username]
# set uploadpass [password]
# set uploadport 21
# set uploadsched disable
# set uploadtype app-ctrl attack dlp dlp-archive event spamfilter traffic virus webfilter
# set uploadzip enable
# get
status                      : enable
ips-archive                 : enable
log-quota                   : 1024
dlp-archive-quota           : 500
report-quota                : 50
upload                      : enable
upload-destination          : ftp-server
uploadport                  : 21
source-ip                   : 0.0.0.0
uploadpass                  : *
uploaddir                   : /log-archive/
uploadtype                  : traffic event virus webfilter attack spamfilter dlp-archive dlp app-ctrl
uploadzip                   : enable
upload-format               : compact
uploadsched                 : disable
uploadtime                  : 0
drive-standby-time          : 0
upload-delete-files         : disable
full-first-warning-threshold: 75
full-second-warning-threshold: 90
full-final-warning-threshold: 95
max-log-file-size           : 100
storage                     : (null)
roll-schedule               : daily
roll-time                   : 00:00
diskfull                    : overwrite
uploadip                    : xxx.xxx.xxx.xxx
uploaduser                  : [username]
# end

If you upload the logs to FTP, you can compress the files in the form of gz: tlog.FGT60C3G12013754.root.20120927000000.gz

If you do not have a FAZ you CAN NOT upload the archived logs back to the FGT. You can look at them (the logs are in cleartext but in a special form, like a database export). Keep in mind the logs of the FGT are not raw on the disk, which means the logs are within a DB (postgresql).

At least, I do not recommend FortiCloud logging with or without license (without license 1 GB free, but no possibility to roll and archive; max 30 days). At least, if your logs are important from a SOC compliance point of view, you should build up a FAZ on a VM. The license is not that expensive and you prevent disk crashes on the FGT.

Regarding the different configuration, please refer to the CLI reference, which gives you more information about the different positions etc.

Hope this helps, have fun.

Andrea
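Added example (not part of Andrea's reply and not a Fortinet tool): a small Python parser for the `get` output of `config log disk setting` shown above that maps log-quota, max-log-file-size, the three warning thresholds and the roll schedule onto the four limits the question asks about, and flags the settings under which on-box logs can silently disappear. It assumes log-quota and max-log-file-size are in MB, as FortiOS documents them; the file-count estimate is derived from those two numbers, not a value the device reports.

```python
"""Summarise on-box log retention from FortiGate 'config log disk setting' output."""

# Constructed sample: the same values the reply shows for a unit with
# roll-schedule daily, diskfull overwrite and no FTP upload configured.
SAMPLE_GET_OUTPUT = """\
status              : enable
ips-archive         : enable
log-quota           : 1024
dlp-archive-quota   : 500
report-quota        : 50
upload              : disable
full-first-warning-threshold: 75
full-second-warning-threshold: 90
full-final-warning-threshold: 95
max-log-file-size   : 100
roll-schedule       : daily
roll-time           : 00:00
diskfull            : overwrite
"""

def parse_get(text):
    """Turn 'key : value' lines into a dict; tolerates ragged column spacing."""
    settings = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip()
    return settings

def retention_summary(s):
    """Answer the four limits asked in the question, in MB (assumed FortiOS units).
    approx_files_at_quota is an estimate: quota divided by the per-file cap."""
    quota = int(s["log-quota"])
    per_file = int(s["max-log-file-size"])
    thresholds = ("full-first-warning-threshold", "full-second-warning-threshold",
                  "full-final-warning-threshold")
    return {
        "total_quota_mb": quota,                      # 1. total size the box keeps
        "max_file_mb": per_file,                      # 2. size at which a file rolls
        "approx_files_at_quota": quota // per_file,   # 3. rough file count at quota
        "roll_interval": s.get("roll-schedule", "none"),  # 4. time-based roll, if any
        "warning_points_mb": [quota * int(s[k]) // 100 for k in thresholds],
        "when_full": s.get("diskfull", "unknown"),
    }

def log_loss_findings(s):
    """Flag settings under which on-box logs can be lost with no off-box copy."""
    findings = []
    if s.get("diskfull") == "overwrite":
        findings.append("diskfull=overwrite: oldest logs are dropped once the quota is reached")
    if s.get("upload") != "enable":
        findings.append("upload=disable: rolled logs are never copied off the box (FTP/FAZ)")
    return findings
```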