Logging FortiGate traffic


In this example, you will enable logging to capture the details of the network traffic processed by your FortiGate unit. Capturing log details will provide you with detailed traffic information that you can use to assess any network issues.

 

 


1. Recording log messages and enabling event logging

 
Go to Log & Report > Log Config > Log Settings. Select where log messages will be recorded. You can save log messages to disk if it is supported by your FortiGate unit, to a FortiAnalyzer or FortiManager unit if you have one, or to FortiCloud if you have a subscription. Each of these options allows you to record and view log messages and to create reports based on them. In most cases, it is recommended to Send Logs to FortiCloud, as shown in the example.

Next, enable Event Logging. You can choose to Enable All types of logging, or specific types, such as WiFi activity events, depending on your needs.

Under GUI Preferences, ensure that Display Logs From is set to the same location where the log messages are recorded (in the example, FortiCloud).

2. Enabling logging in the security policies

 
Go to Policy & Objects > Policy > IPv4. Edit the policies controlling the traffic you wish to log. Under Logging Options, select All Sessions. In most cases, you should select Security Events, as All Sessions requires more system resources and storage space. For now, however, All Sessions will be used to verify that logging has been set up successfully.

3. Results

 
View traffic logs by going to Log & Report > Traffic Log > Forward Traffic. The logs display a variety of information about your traffic, including date/time, source, device, and destination. To change the information shown, right-click on any column title and select Column Settings to enable or disable different columns.
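The same check can be made outside the GUI. The following is an added example, not part of the original recipe or Fortinet's own code: it parses forward traffic log lines in FortiGate's key=value format, summarizes them per policy, and reports which policies you edited produced no logs. It assumes the logs are available as raw key=value text; the sample lines and the policy IDs 1 to 3 are constructed.

```python
import re
from collections import Counter

# key=value pairs; a value may be double-quoted and contain spaces.
PAIR = re.compile(r'([\w-]+)=(?:"([^"]*)"|(\S*))')

# Constructed sample lines in FortiGate key=value log format (not real traffic).
SAMPLE_LOGS = """\
date=2015-03-02 time=10:15:01 type=traffic subtype=forward level=notice srcip=192.168.1.10 srcintf="internal" dstip=203.0.113.5 dstintf="wan1" policyid=1 action=close service="HTTPS" sentbyte=1200 rcvdbyte=5400
date=2015-03-02 time=10:15:07 type=traffic subtype=forward level=notice srcip=192.168.1.11 srcintf="internal" dstip=198.51.100.7 dstintf="wan1" policyid=1 action=deny service="TELNET" sentbyte=0 rcvdbyte=0
date=2015-03-02 time=10:16:30 type=traffic subtype=forward level=notice srcip=192.168.1.10 srcintf="internal" dstip=203.0.113.9 dstintf="wan1" policyid=3 action=close service="Web Browsing" sentbyte=800 rcvdbyte=9100
date=2015-03-02 time=10:17:00 type=event subtype=system level=information msg="Admin login successful"
"""

def parse_line(line):
    """Turn one log line into a dict of field name -> value (quotes removed)."""
    return {key: quoted or bare for key, quoted, bare in PAIR.findall(line)}

def forward_traffic(text):
    """Yield parsed records for forward traffic logs only, skipping event logs."""
    for line in text.splitlines():
        rec = parse_line(line)
        if rec.get("type") == "traffic" and rec.get("subtype") == "forward":
            yield rec

def summarize_by_policy(records):
    """Per policy ID: session count, total bytes, and a count of each action."""
    summary = {}
    for rec in records:
        s = summary.setdefault(rec.get("policyid", "?"),
                               {"sessions": 0, "bytes": 0, "actions": Counter()})
        s["sessions"] += 1
        s["bytes"] += int(rec.get("sentbyte") or 0) + int(rec.get("rcvdbyte") or 0)
        s["actions"][rec.get("action", "unknown")] += 1
    return summary

def policies_without_logs(summary, expected_ids):
    """Policy IDs that were set to log but produced no forward traffic logs."""
    return sorted(set(expected_ids) - set(summary))

if __name__ == "__main__":
    summary = summarize_by_policy(forward_traffic(SAMPLE_LOGS))
    for pid, s in sorted(summary.items()):
        print(pid, s["sessions"], s["bytes"], dict(s["actions"]))
    # Policy IDs "1", "2", "3" are hypothetical: the policies edited in step 2.
    print("no logs seen for:", policies_without_logs(summary, ["1", "2", "3"]))
```

A policy that appears in the missing list either passed no traffic during the sample window or does not have logging enabled under Logging Options.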

For further reading, check out Logging and reporting overview in the FortiOS 5.2 Handbook.

Victoria Martin

Technical Writer & Head Cookbook Chef at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.
  • Marc Snelling

    Is there any place in the logs that will record when a session is torn down due to timeout? For instance if a firewall has rules between an application and a database zone – and the application side is losing connection because it thinks the connection is still up, but it has been torn down due to there being no traffic within the default one hour session-TTL. Setting the session-TTL value higher on an individual policy helps prevent this, but wondering if anything actually logs the tear-down?

  • Furqan

    Hello,
    1- Getting too many traffic logs on FA. The quota is set to 300 GB but it's getting overridden every 24 hours due to too many logs. The current version of FGT is 4.3.2 and I am planning to upgrade it to 5.2.11. Please let me know if we can optimize the logs on FortiGate policies, like in new versions I can see a few options:
    a) Security event or all sessions options
    b) Generate Logs when Session Starts and Capture Packets
    I want to enable all sessions under policy, and if I do not select the options specified in option b), then will it send less traffic? Or when I select option “Generate Logs when Session Starts”, then it will send less traffic?