I recently spun up a trial of the virtual FortiAnalyzer VM and it is working great. As a result, I have a few questions regarding changes I am not sure I should make:
- on my firewall policies, I set logging for all policies to ALL and am wondering if I am going to get a lot of useless information, let alone potentially bog down performance on the firewall; should I leave as is or change to UTM?
- under Log Settings, I also have Log to Memory and FortiCloud turned on; with the FortiAnalyzer in place, should I turn off one or both of those?
Happy to hear that the FortiAnalyzer is working great for you!
Regarding making some changes on your FortiGate for logging:
- if you set your policies to log all traffic, this means every bit of traffic via the policy (allowed and denied) will be logged. This provides the greatest visibility but also generates the greatest logging volume.
- if you set your policies to log UTM, this means that logs will only be generated for traffic that also triggers some kind of UTM inspection, like something blocked or monitored by webfilter for example. All other traffic will not be logged and thus not be visible in FortiAnalyzer. Less visibility, but less volume as well.
-> if you are not concerned about the logging volume, I would generally recommend logging all traffic, simply for the information it provides.
-> if you have issues with bandwidth or exceeding the logging volume on FortiAnalyzer, then switching to UTM logging (in at least a few policies) can help; the most important logs (those with UTM action) are still retained, but other logs are not generated.
- logging all traffic doesn't generally impact the performance of the FortiGate too badly - from experience, you can expect somewhere around 10-15% of memory to be used for that, and UTM logging would be somewhat below this, but would still eat some resources as well.
Regarding logging to memory and FortiCloud:
- If you are logging to FortiAnalyzer and/or FortiCloud, you can disable memory logging on the FortiGate
-> this reduces resource usage and means less of a strain on memory because logs do not need to be kept in it
-> it does mean no logs would be stored locally on FortiGate, so FortiGate would have to fetch logs from FortiAnalyzer or FortiCloud to display in GUI (or logs need to be viewed in FortiAnalyzer/FortiCloud)
- regarding logging to FortiCloud: you can keep that for redundancy (if FortiAnalyzer has issues, logs are still in FortiCloud, and vice versa)
-> disabling FortiCloud logging will not make much of a difference (the same daemon collects logs and sends to FortiAnalyzer and FortiCloud; essentially it just sends the same logs to two locations instead of one with minimal additional resources required)
-> it will eat into internet bandwidth a bit to log to FortiCloud (depending on firewall usage and logging settings, a few hundred MBs to a few GB may be sent per day)
I hope this helps :)
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
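The settings discussed in the answer above, written out as a FortiOS CLI fragment. This is an added example and not part of the original thread; the policy IDs, the FortiAnalyzer address and the choice of which policies keep full logging are assumptions for illustration.

```fortios
# Per-policy logging: "all" logs every session (accepted and denied),
# "utm" only logs sessions that also triggered a UTM event.
# Policy IDs and names below are assumed for this example.
config firewall policy
    edit 10
        set name "LAN-to-Internet"
        # High-volume user traffic: log only UTM-inspected sessions to
        # keep FortiAnalyzer volume and WAN bandwidth down.
        set logtraffic utm
    next
    edit 20
        set name "Inbound-to-DMZ"
        # Exposed services: keep full visibility, including denied sessions.
        set logtraffic all
    next
end

# Ship logs to FortiAnalyzer in real time.
# The server address is a placeholder.
config log fortianalyzer setting
    set status enable
    set server "192.0.2.10"
    set upload-option realtime
end

# Keep FortiCloud logging enabled as a second copy for redundancy;
# set status to disable here if WAN bandwidth is the concern.
config log fortiguard setting
    set status enable
    set upload-option realtime
end

# With a remote log destination in place, stop keeping logs in RAM.
# Log views in the FortiGate GUI will then be fetched from FortiAnalyzer.
config log memory setting
    set status disable
end
```

After applying this, `execute log fortianalyzer test-connectivity` confirms the FortiGate can reach and is registered with the FortiAnalyzer before memory logging is switched off, so there is no window with no log destination at all.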