Yagoba_IT (New Contributor II)

Sending around 300GB (!) logs daily to the FortiGate Cloud, but I have no idea how to stop it

Hi!

Recently, we bought a FortiGate 40F after we had a 30E in use for some years.


For some time now, it seems that the unit sends around 300GB of logs to the FortiGate Cloud, which seems way too much from my point of view:

Fig. 1 (fg40_1.png)

For reference, the Log Settings are:

Fig. 2 (fg40_2.png)

What makes me wonder is that for all the policies under "Policy & Objects - Firewall Policy", it is shown that "All" gets logged:

Fig. 3 (fg40_3.png)

However, I never configured it like this and when I open the details of a specific policy, I don't see that log "All" is configured. See as an example the details for policy "ENTRY-NET Outgoing Traffic":

Fig. 4 (fg40_4.png)

So I'm not logging "All" allowed traffic but only if it triggers security events.


Furthermore, no matter what I set here, the "All" in the list of policies changes. So even if I DISABLE "Log Allowed Traffic" here, the list of policies still shows "all" in column "Log" for the policy "ENTRY-NET Outgoing Traffic".


Remark: I have the feeling that this "All"-logging started when I activated the "Security Fabric" under "Security Fabric - Fabric Connectors - Security Fabric Setup":

Fig. 5 (fg40_5.png)

So my questions are:
- Is 300 GB of daily logs ok? I guess, no.
- If no, what have I done wrong in the configuration? In other words, how can I fix it?
- Why is the value in the Log column of the list of policies different from the actual log setting of a specific policy?


Thanks and best regards,
-Thomas


6 Replies

gfleming (Staff)

You need to see the logs to understand what is causing the abundance of log messages.


You can also enable the "Hit Count" column in your Firewall Policy view to see which policies have the highest hit count. This would tell you most likely the culprit. I would assume it's an internal traffic policy and you have something very chatty inside your network.

Cheers,
Graham
Yagoba_IT (New Contributor II)

Hi Graham,

Thanks for your fast response and your help.


From my pic above showing the list of policies (fig. 3) you can see that policy "ENTRY-NET Outgoing Traffic" handles by far the highest amount of (outgoing) traffic. It is actually all the outgoing traffic of the desktops, laptops and servers in our office. So this should be the policy producing the highest amount of log messages. To be completely sure, see below the hit count you suggested:

Fig. 6

So the hit count also indicates that the policy "ENTRY-NET Outgoing Traffic" will by far cause the most log entries. Please note that the only internal policy we have so far is the policy "ENTRY-NET to DMZ-NET Bridging" and it only has 85 hits (currently).

So I still think the "All" value for all policies in column "Log" is a/the problem.

  • Why is this column permanently showing "All" no matter what I set in the Logging Options of a specific policy (as I described in my original post in fig. 4)?
  • Is it maybe wrong to set up the (only) FortiGate we have as a Security Fabric Root (see fig. 5 in my original post) because this activates something like "full logging for all policies"? Or do we need to set up "filters for log messages we consider acceptable"?

Regards,
-Thomas

gfleming (Staff)

Yes, enabling Security Fabric enables logging of all traffic. Honestly though, it sounds like something is wrong; you should not have that many logs being sent for such low traffic/hit counts.

Can you go to FortiGate Cloud Analysis, FortiView, Traffic Analysis, Source and then sort the resulting table by Sessions count? Change from 60 minutes to 24 hours.


I would imagine there's going to be a very chatty device causing many log messages. We can try and narrow it down this way...

Cheers,
Graham
Yagoba_IT (New Contributor II)

1. I don't really know how to go to "FortiGate Cloud Analysis, FortiView, Traffic Analysis, Source".


When I log in at https://login.forticloud.com/ I see this list:

Fig. 7

Is this the correct way for FortiGate Cloud Analysis?

If yes, I don't really know how to proceed. I cannot right-click the entry (row) and select something like "Analysis" or get via another way to any analysis view...


2. In the FortiGate 40F web interface I can select "Dashboard - FortiView Policies" and change to 24 hours. This is the result:

Fig. 8

Is the 87k session count suspicious?


3. "Dashboard - FortiView Sources" is not too helpful, because we have another firewall device from a different vendor in front of our actual internal network (the lower line is for the separate DMZ network):

Fig. 9

4. And "Dashboard - FortiView Sources" (sorted by column Sessions) looks like this:

Fig. 10

I'm wondering a bit why the sum of the sessions in this table does not come anywhere near the 87/88k in the 2 pics above... Is the difference maybe caused by local sessions, i.e. sessions that originate downstream and are destined to the FortiGate?

Regards,
-Thomas

gfleming (Staff)

I would dig into the host that had 80k sessions in a 24-hour period. It shouldn't account for hundreds of GB of logs, but at least it's a start. See if that traffic is legitimate.

Cheers,
Graham
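As an added example (not part of this thread and not a Fortinet tool), the script below shows the check a practitioner would run at this point: paste the output of `show firewall policy` from the FortiGate CLI into it and it reports each policy's effective `logtraffic` value (`all` logs every allowed session, `utm` only security events), so the CLI configuration can be compared with what the GUI "Log" column claims. It also turns a sessions-per-day figure into a rough upper bound on traffic-log volume, which is the sanity check behind Graham's remark that 80k sessions cannot explain hundreds of GB. The sample config text is constructed; the default applied when `set logtraffic` is absent and the bytes-per-record figure are assumptions and are labelled as such in the code.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of what `show firewall policy` prints on a FortiGate CLI.
# Policy names follow the thread; everything else is made up for illustration.
SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set name "ENTRY-NET Outgoing Traffic"
        set action accept
        set logtraffic all
    next
    edit 2
        set name "ENTRY-NET to DMZ-NET Bridging"
        set action accept
        set logtraffic utm
    next
    edit 3
        set name "DMZ-NET Outgoing Traffic"
        set action accept
    next
end
"""

# Assumption: when `set logtraffic` is absent, the running default applies.
# "utm" (log security events only) is the usual FortiOS default for accept
# policies; confirm it on your own build before relying on this.
ASSUMED_DEFAULT_LOGTRAFFIC = "utm"

# Assumption: rough size of one forward-traffic log record on the wire.
ASSUMED_BYTES_PER_RECORD = 1000


@dataclass
class Policy:
    policy_id: int
    name: str = ""
    action: str = "deny"
    logtraffic: Optional[str] = None  # None: key not present in the export


def parse_policies(config_text: str) -> List[Policy]:
    """Parse a `config firewall policy` block into Policy objects."""
    policies: List[Policy] = []
    current: Optional[Policy] = None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"^edit (\d+)$", line)
        if m:
            current = Policy(policy_id=int(m.group(1)))
            continue
        if line == "next" and current is not None:
            policies.append(current)
            current = None
            continue
        if current is None:
            continue
        m = re.match(r"^set (\S+) (.+)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip().strip('"')
        if key == "name":
            current.name = value
        elif key == "action":
            current.action = value
        elif key == "logtraffic":
            current.logtraffic = value
    return policies


def effective_logtraffic(policy: Policy) -> str:
    """The setting the unit actually applies, including the default case."""
    return policy.logtraffic if policy.logtraffic is not None else ASSUMED_DEFAULT_LOGTRAFFIC


def policies_logging_all(policies: List[Policy]) -> List[str]:
    """Names of policies that log every allowed session, not just security events."""
    return [p.name for p in policies if effective_logtraffic(p) == "all"]


def estimate_daily_log_bytes(sessions_per_day: int, bytes_per_record: int = ASSUMED_BYTES_PER_RECORD) -> int:
    """Upper-bound estimate of traffic-log volume if every session produced one record."""
    return sessions_per_day * bytes_per_record


def report(policies: List[Policy], sessions_per_day: int, observed_bytes_per_day: int) -> List[str]:
    """Summary lines comparing the configured log levels with the observed cloud volume."""
    lines = [f"policy {p.policy_id} {p.name!r}: logtraffic={effective_logtraffic(p)}" for p in policies]
    expected = estimate_daily_log_bytes(sessions_per_day)
    lines.append(f"policies logging all traffic: {policies_logging_all(policies)}")
    lines.append(f"expected from {sessions_per_day} sessions/day: ~{expected / 1e6:.0f} MB; "
                 f"observed: {observed_bytes_per_day / 1e9:.0f} GB "
                 f"({observed_bytes_per_day / expected:.0f}x higher)")
    return lines


if __name__ == "__main__":
    # 88k sessions/day and 300 GB/day are the figures discussed in the thread.
    for line in report(parse_policies(SAMPLE_CONFIG), 88_000, 300 * 10**9):
        print(line)
```

If the CLI shows `set logtraffic utm` on the busy policy while the cloud volume stays in the hundreds of GB, the policy log level is not the source and the next place to look is the cloud log filter itself (`show log fortiguard filter` on the CLI lists which log categories are forwarded); a gap of three orders of magnitude between the session-based estimate and the observed volume points to something other than ordinary forward-traffic records.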
Yagoba_IT (New Contributor II)

When checking back on the situation last week, it seems that the issue has "self-healed" somehow:

Fig. 11 (fg40_11.png)

It could have been a side effect of updating the FW from v7.2.3 to v7.2.4 some time ago...

BTW, it took me some time to find this chart again in the new firmware, because it moved from Log & Report > Log Settings (in v7.2.3) to Security Fabric > Fabric Connectors > Logging & Analytics > Settings > Cloud Logging (in v7.2.4).
