Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Yagoba_IT
New Contributor II

Created on ‎12-12-2022 03:43 AM Edited on ‎12-13-2022 10:12 AM

Sending around 300GB (!) logs daily to the FortiGate Cloud, but I have no idea how to stop it

Hi!

Recently, we bought a FortiGate 40F after we had a 30E in use for some years.

 

Since some time, it seems that the unit sends around 300GB of logs to the FortiGate Cloud, which seems way too much in my point of view:

fg40_1.png

 

For reference, the Log Settings are:

fg40_2.png

 

What makes me wonder is that for all the policies under "Policy & Objects - Firewall Policy", it is shown that "All" gets logged:

fg40_3.png

 

However, I never configured it like this and when I open the details of a specific policy, I don't see that log "All" is configured. See as an example the details for policy "ENTRY-NET Outgoing Traffic":

fg40_4.png

 

So I'm not logging "All" allowed traffic but only if it triggers security events.

 

Furthermore, no matter what I set here, the "All" in the list of policies changes. So even if I DISABLE "Log Allowed Traffic" here, the list of policies still shows "all" in column "Log" for the policy "ENTRY-NET Outgoing Traffic".

 

Remark: I have the feeling that this "All"-logging started when I activated the "Security Fabric" under "Security Fabric - Fabric Connectors - Security Fabric Setup":

fg40_5.png

 

So my questions are:
- Is 300 GB of daily logs ok? I guess, no.
- If no, what have I done wrong in the configuration? In other words, how can I fix it?
- Why is the value in the Log column of the list of policies different from the actual log setting of a specific policy?

 

Thanks and best regards,
-Thomas

Labels:
1982
0 Kudos
1 Solution
Yagoba_IT
New Contributor II

Created on ‎05-15-2023 06:44 AM

When checking back on the situation last week, it seems that the issue has "self-healed" somehow:

 

fg40_11.png

 

It could have been a side effect of updating the FW from v7.2.3 to v7.2.4 some time ago...

 

BTW, it took me some time to find this chart agin in the new firmware, because it moved from Log & Report > Log Settings (in v7.2.3) to Security Fabric > Fabric Connectors > Logging & Analytiscs > Settings > Cloud Logging (in v7.2.4).

View solution in original post

1689
0 Kudos
6 REPLIES 6
gfleming
Staff
Staff

Created on ‎12-12-2022 11:08 AM

You need to see the logs to understand what is causing the abundance of log messages.

 

You can also enable the "Hit Count" column in your Firewall Policy view to see which policies have the highest hit count. This would tell you most likely the culprit. I would assume it's an internal traffic policy and you have something very chatty inside your network.

Cheers,
Graham
1957
0 Kudos
Yagoba_IT
New Contributor II
In response to gfleming

Created on ‎12-13-2022 10:12 AM

Hi Graham,

 

thanks for your fast response and your help.

 

From my pic above showing the list of policies (fig. 3) you can see that policy "ENTRY-NET Outgoing Traffic" handles by far the highest amount of (outgoing) traffic. It is actually all the outgoing fraffic of the desktops, laptops and servers in our office. So this should be the policy producing the highest amount of log messages. To be completely sure, see below the hit count you suggested:

Fig. 6Fig. 6

 

So also the hit count indicates that the policy "ENTRY-NET Outgoing Traffic" will by far cause the most log entries. Please note that only internal policy we have so far is the policy "ENTRY-NET to DMZ-NET Bridging" and it only has 85 hits (currently).

 

So I still think the "All" value for all policies in column "Log" is a/the problem.

  • Why is this colum permanently showing "All" no matter what I set in the Logging Options of a specific policy (as I described in my original post in fig. 4)?
  • Is it maybe wrong to setup the (only) FortiGate we have as a Security Fabric Root (see fig. 5 in my original post) because this activates something like "full logging for all policies"? Or do we need to setup "filters for log messages we consider acceptable"?

 

Regards,
-Thomas

1938
0 Kudos
gfleming
Staff
Staff
In response to Yagoba_IT

Created on ‎12-13-2022 10:43 AM

Yes enabling security fabric enables logging of all traffic. Honestly though it sounds like something is wrong you should not have that much logs being sent for that low traffic/hit counts.

 

Can you go to FortiGate Cloud Analysis, FortiView, Traffic Analysis, Source and then sort the resulting table by Sessions count? Change from 60 minutes to 24 hours.

 

I would imagine there's going to be a very chatty device causing many log messages. We can try and narrow it down this way...

Cheers,
Graham
1935
0 Kudos
Yagoba_IT
New Contributor II
In response to gfleming

Created on ‎12-13-2022 12:46 PM

1. I don't really know how to go to "FortiGate Cloud Analysis, FortiView, Traffic Analysis, Source".

 

When I log in at https://login.forticloud.com/ I see this list:

Fig. 7Fig. 7

 

Is this the correct way for FortiGate Cloud Analysis?

If yes, I don't really know how to proceed. I cannot right-click the entry (row) and select something like "Analysis" or get via another way to any analysis view...

 

2. In the FortiGate 40F web interface I can select "Dashboard - FortiView Policies" and change to 24 hours. This is the result:

Fig. 8Fig. 8

 

Is the 87k session count suspicious?

 

3. "Dashboard - FortiView Sources" is not too helpful, because we have another firewall device from a different vendor before our actual internal network (the lower line is for the separate DMZ network):

Fig. 9Fig. 9

 

4. And "Dashboard - FortiView Sources" (sorted by column Sessions) looks like this:

Fig. 10Fig. 10

 

I'm a bit wondering why the sum of the sessions in this table does not nearly reach the 87/88k in the 2 pics above... Is the difference maybe caused by local sessions, i.e. sessions that originate downstream and are destined to the FortiGate?

 

Regards,
-Thomas

1928
0 Kudos
gfleming
Staff
Staff
In response to Yagoba_IT

Created on ‎12-14-2022 04:07 PM

I would dig into the host that had 80k sessions in a 24-hour period. It shouldnt account for hundreds of GB of logs but at least its a start. See if that traffic is legitimate.

Cheers,
Graham
1912
0 Kudos
Yagoba_IT
New Contributor II

Created on ‎05-15-2023 06:44 AM

When checking back on the situation last week, it seems that the issue has "self-healed" somehow:

 

fg40_11.png

 

It could have been a side effect of updating the FW from v7.2.3 to v7.2.4 some time ago...

 

BTW, it took me some time to find this chart agin in the new firmware, because it moved from Log & Report > Log Settings (in v7.2.3) to Security Fabric > Fabric Connectors > Logging & Analytiscs > Settings > Cloud Logging (in v7.2.4).

1690
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.