Hi!
Recently, we bought a FortiGate 40F after we had a 30E in use for some years.
Since some time, it seems that the unit sends around 300GB of logs to the FortiGate Cloud, which seems way too much in my point of view:
For reference, the Log Settings are:
What makes me wonder is that for all the policies under "Policy & Objects - Firewall Policy", it is shown that "All" gets logged:
However, I never configured it like this and when I open the details of a specific policy, I don't see that log "All" is configured. See as an example the details for policy "ENTRY-NET Outgoing Traffic":
So I'm not logging "All" allowed traffic but only if it triggers security events.
Furthermore, no matter what I set here, the "All" in the list of policies changes. So even if I DISABLE "Log Allowed Traffic" here, the list of policies still shows "all" in column "Log" for the policy "ENTRY-NET Outgoing Traffic".
Remark: I have the feeling that this "All"-logging started when I activated the "Security Fabric" under "Security Fabric - Fabric Connectors - Security Fabric Setup":
So my questions are:
- Is 300 GB of daily logs ok? I guess, no.
- If no, what have I done wrong in the configuration? In other words, how can I fix it?
- Why is the value in the Log column of the list of policies different from the actual log setting of a specific policy?
Thanks and best regards,
-Thomas
Solved! Go to Solution.
When checking back on the situation last week, it seems that the issue has "self-healed" somehow:
It could have been a side effect of updating the FW from v7.2.3 to v7.2.4 some time ago...
BTW, it took me some time to find this chart agin in the new firmware, because it moved from Log & Report > Log Settings (in v7.2.3) to Security Fabric > Fabric Connectors > Logging & Analytiscs > Settings > Cloud Logging (in v7.2.4).
You need to see the logs to understand what is causing the abundance of log messages.
You can also enable the "Hit Count" column in your Firewall Policy view to see which policies have the highest hit count. This would tell you most likely the culprit. I would assume it's an internal traffic policy and you have something very chatty inside your network.
Hi Graham,
thanks for your fast response and your help.
From my pic above showing the list of policies (fig. 3) you can see that policy "ENTRY-NET Outgoing Traffic" handles by far the highest amount of (outgoing) traffic. It is actually all the outgoing fraffic of the desktops, laptops and servers in our office. So this should be the policy producing the highest amount of log messages. To be completely sure, see below the hit count you suggested:
So also the hit count indicates that the policy "ENTRY-NET Outgoing Traffic" will by far cause the most log entries. Please note that only internal policy we have so far is the policy "ENTRY-NET to DMZ-NET Bridging" and it only has 85 hits (currently).
So I still think the "All" value for all policies in column "Log" is a/the problem.
Regards,
-Thomas
Yes enabling security fabric enables logging of all traffic. Honestly though it sounds like something is wrong you should not have that much logs being sent for that low traffic/hit counts.
Can you go to FortiGate Cloud Analysis, FortiView, Traffic Analysis, Source and then sort the resulting table by Sessions count? Change from 60 minutes to 24 hours.
I would imagine there's going to be a very chatty device causing many log messages. We can try and narrow it down this way...
1. I don't really know how to go to "FortiGate Cloud Analysis, FortiView, Traffic Analysis, Source".
When I log in at https://login.forticloud.com/ I see this list:
Is this the correct way for FortiGate Cloud Analysis?
If yes, I don't really know how to proceed. I cannot right-click the entry (row) and select something like "Analysis" or get via another way to any analysis view...
2. In the FortiGate 40F web interface I can select "Dashboard - FortiView Policies" and change to 24 hours. This is the result:
Is the 87k session count suspicious?
3. "Dashboard - FortiView Sources" is not too helpful, because we have another firewall device from a different vendor before our actual internal network (the lower line is for the separate DMZ network):
4. And "Dashboard - FortiView Sources" (sorted by column Sessions) looks like this:
I'm a bit wondering why the sum of the sessions in this table does not nearly reach the 87/88k in the 2 pics above... Is the difference maybe caused by local sessions, i.e. sessions that originate downstream and are destined to the FortiGate?
Regards,
-Thomas
I would dig into the host that had 80k sessions in a 24-hour period. It shouldnt account for hundreds of GB of logs but at least its a start. See if that traffic is legitimate.
When checking back on the situation last week, it seems that the issue has "self-healed" somehow:
It could have been a side effect of updating the FW from v7.2.3 to v7.2.4 some time ago...
BTW, it took me some time to find this chart agin in the new firmware, because it moved from Log & Report > Log Settings (in v7.2.3) to Security Fabric > Fabric Connectors > Logging & Analytiscs > Settings > Cloud Logging (in v7.2.4).
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.