wotik
New Contributor III

Logs recorded only at a certain time

In Firewall Policy I have configured data flow policy between two subnets. I have set a schedule for this policy when it is active (specific hours on specific days). I also have full logging enabled for this policy (All Sessions in Logging Options) and would not like to change it.

Is there any way that when this policy is inactive (time outside its activity schedule), its logs are not collected as well? I want to get the effect that logs are collected only when this policy is active.

Best Regards,
Wojtek
srajeswaran
Staff

Isn't that the default behavior? Logs are generated when the traffic is matching the active policy. Are you seeing logs for traffic hitting the inactive policy?

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

wotik
New Contributor III

@srajeswaran yes, that's the default behavior.

I already wrote what I want to achieve:
I have a traffic policy between two subnets (A and B). This policy is active for a limited period of time. When it is inactive (out of office hours), it cuts off connectivity between the two subnets (for security reasons).

Unfortunately, in the second of the disconnected networks (B), network devices (e.g. NAS servers) must be running all the time, and their services try to communicate with devices from the first subnet (A); I cannot change that. So NAS servers from subnet B try to communicate with subnet A 24/7, also when the policy allowing traffic between A and B is inactive.

This results in large amounts of redundant logs during this time. Therefore, I want to completely disable logging while this policy is inactive. Alternatively, maybe there is some way to disable logging of only specific IPs at a given time, or some other idea...

Best Regards,
Wojtek
srajeswaran (accepted solution)

When the policy for A to B is inactive, there is traffic from B to A and that's generating logs, is this correct?

B to A traffic is hitting the default deny policy and generating logs? I think if we create a new policy for B to A with logging disabled and create a schedule to activate this policy while A to B is inactive, that may help us.

Schedule 1 - to Activate A to B policy (action allow with traffic logs)
Schedule 2 - Activate B to A policy (action drop with no traffic logs)

Regards,

Suraj
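Suraj's two-schedule scheme written out as FortiOS CLI configuration. This is an added example, not configuration posted by either participant: the interface names, subnets, NAS address range, service list, policy IDs and schedule names are assumptions, and the office-hours policy is shown as a single bidirectional allow policy, which the thread does not specify.

```fortios
# Added example (not from the thread). All object names, addresses,
# interfaces and IDs are hypothetical; replace them with your own.

# Two complementary time windows. "off-hours" is a schedule group so that
# weeknights (spanning midnight) and whole weekends are covered together.
config firewall schedule recurring
    edit "office-hours"
        set day monday tuesday wednesday thursday friday
        set start 08:00
        set end 18:00
    next
    edit "weeknights"
        # end earlier than start: the window runs past midnight into the next day
        set day monday tuesday wednesday thursday friday
        set start 18:00
        set end 08:00
    next
    edit "weekend"
        set day saturday sunday
        set start 00:00
        set end 23:59
    next
end

config firewall schedule group
    edit "off-hours"
        set member "weeknights" "weekend"
    next
end

config firewall address
    edit "subnet-A"
        set subnet 10.1.0.0 255.255.255.0
    next
    edit "subnet-B"
        set subnet 10.2.0.0 255.255.255.0
    next
    edit "nas-servers-B"
        # only the hosts in B that poll A around the clock (hypothetical range)
        set subnet 10.2.0.8 255.255.255.248
    next
end

config firewall policy
    # Policy 1: A <-> B allowed during office hours, every session logged.
    edit 10
        set name "A-B-office-hours"
        set srcintf "port1" "port2"
        set dstintf "port1" "port2"
        set srcaddr "subnet-A" "subnet-B"
        set dstaddr "subnet-A" "subnet-B"
        set action accept
        set schedule "office-hours"
        set schedule-timeout enable   # tear down established sessions when the window closes
        set service "ALL"
        set logtraffic all
    next
    # Policy 2: during off-hours, silently drop only the known NAS chatter.
    # The match is deliberately narrow so anything else from B still falls
    # through to the implicit deny and is logged there.
    edit 11
        set name "B-A-nas-offhours-nolog"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "nas-servers-B"
        set dstaddr "subnet-A"
        set action deny
        set schedule "off-hours"
        set service "SMB" "HTTPS"
        set logtraffic disable
    next
end
```

Keep the deny policy's source, destination and service as tight as you can: only traffic matching it is dropped without a log entry, and everything else from B during off-hours reaches the implicit deny, which still logs if "Log violation traffic" is enabled there. FortiOS evaluates policies in sequence order, so the two policies only behave independently while their schedules do not overlap; for any overlapping minutes the one higher in the list wins. `schedule-timeout` matters for the security goal in the thread: without it, sessions opened under the allow policy during office hours survive past the end of the window.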

wotik
New Contributor III

@srajeswaran I had thought about such a solution before, but there was some obstacle to using it (I don't remember what it was). Now I'm going to try it again.

Thanks for the tips.

I'll let you know how it went.

Best Regards,
Wojtek

wotik
New Contributor III

@srajeswaran - I guess that's what I was after. :)

The second policy, active while the first one is inactive, with logging disabled and with specific Source, Destination, Service and Action - Deny, does its job. All connections from B to A are blocked by it (they do not reach the Implicit Deny) and are not logged.

Another important point is that any other "suspicious" calls from B to A while the second policy is active are still blocked and logged via the Implicit Deny policy. Thus, I do not deprive myself of monitoring the remaining network traffic from B to A.

Many thanks again! :)

Best Regards,
Wojtek