albaker1
Contributor

Question on Logging Configuration in Firewall Policy

Being new to the FortiGates, I probably have a misunderstanding on the log settings within the firewall policy. In the FortiManager, we have certain lines set to "Log All Sessions" that we are particularly interested in, with the majority set to either "Log Violation Traffic" (for blocks) or "Log Security Events", and it's set this way with the intent of somewhat restricting logs that are being sent to our SIEM. We have to pay for extra log data, so we'd like to trim out what isn't needed.

 

After troubleshooting today, I believe this affects what's presented in the Log & Report > Forward Traffic. There were no results for a line configured with "Log Security Events", but there were after this was changed to "Log All Sessions."

 

Is it typical practice to set every line in the Firewall Policy to "Log All Sessions"? I understand there is a logging level configured in the syslog configuration, but does the logging level in the firewall policy affect what goes out via syslog?

 

Thank you.

3 REPLIES
funkylicious
Contributor III

"Log security events" will only show traffic logs that match a defined UTM profile.
"Log all sessions" will include traffic logs for both matches and non-matches of the defined UTM profile.

geek
albaker1
Contributor

Is this only for the local logs on the FortiGate or does it include syslog or both?

 

funkylicious

If I'm not mistaken, only for local traffic/logs or sent to FortiAnalyzer.

Syslog has its own settings in regards to facility.

geek
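
Added example, not part of the thread: one way to measure, from a sample of what the SIEM receives, how much of each policy's forward-traffic log volume carries no UTM verdict, which helps decide which policies need "Log All Sessions". The sample lines are constructed, and treating the presence of the `utmaction` field as the marker of a security-event log is an assumption of this sketch.

```python
import re
from collections import defaultdict

# Constructed sample lines in FortiGate key=value syslog style (not from the thread).
SAMPLE = [
    'date=2024-05-01 time=10:00:01 type="traffic" subtype="forward" policyid=10 action="close" service="HTTPS"',
    'date=2024-05-01 time=10:00:02 type="traffic" subtype="forward" policyid=10 action="close" utmaction="block" service="HTTP"',
    'date=2024-05-01 time=10:00:03 type="traffic" subtype="forward" policyid=10 action="accept" service="DNS"',
    'date=2024-05-01 time=10:00:04 type="traffic" subtype="forward" policyid=20 action="deny" service="tcp/445"',
    'date=2024-05-01 time=10:00:05 type="event" subtype="system" msg="Admin login successful"',
]

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line):
    """Split one key=value log line into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def volume_by_policy(lines):
    """Per policy ID: forward-traffic line and byte counts, total and UTM-tagged."""
    stats = defaultdict(lambda: {"all_lines": 0, "all_bytes": 0,
                                 "utm_lines": 0, "utm_bytes": 0})
    for line in lines:
        fields = parse(line)
        if fields.get("type") != "traffic" or fields.get("subtype") != "forward":
            continue  # event logs and local traffic are outside this comparison
        entry = stats[fields.get("policyid", "unknown")]
        size = len(line.encode("utf-8"))  # what the SIEM bills on: log bytes
        entry["all_lines"] += 1
        entry["all_bytes"] += size
        if "utmaction" in fields:  # assumption: marks a security-event log
            entry["utm_lines"] += 1
            entry["utm_bytes"] += size
    return dict(stats)


def trimmable_share(stats):
    """Fraction of each policy's log bytes that has no UTM verdict attached."""
    return {pid: (s["all_bytes"] - s["utm_bytes"]) / s["all_bytes"]
            for pid, s in stats.items()}


if __name__ == "__main__":
    for pid, share in sorted(trimmable_share(volume_by_policy(SAMPLE)).items()):
        print(f"policy {pid}: {share:.0%} of log bytes carry no UTM verdict")
```

Run it over a day of exported logs in place of `SAMPLE` to rank policies by how much volume a narrower logging setting would remove.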