Thursday, 31 October 2013

How-to: Enable disk logging on a FortiGate running FortiOS 5

By default disk logging has been disabled on FortiOS v5.0. One of the reasons this was done is because the flash memory on some devices are not designed for constant read/writes, so saving logs to it can degrade the disk (resulting in corrupted sectors). Having said that, we've got a few FortiGates that have been logging to disk for a few years now with no problems.

***UPDATE***
Disk logging is no longer available for any of the FortiGate SMB models that are running v5.2. This includes the FG90D, 80D, 70D, 60D/C, 40C, 30D, 20C etc. So if you have a FG60D that is running 5.0.7 with disk logging enabled and upgrade it to 5.2, your disk logging will be now be disabled and no longer available. Models 100D and higher will still have disk logging functionality available upon upgrading to 5.2.

Fortinet are pushing all the smaller devices to use FortiCloud or FortiAnalyzer for logging.
***UPDATE***

Below are the steps to re-enable disk logging:
  1. Confirm your device has a log disk
  2. Format the log disk
  3. Enable logging 
1. Confirm you device has a log disk

Firstly check that your FortiGate has the log disk available. Some units don't come with a log disk. To confirm use the get sys status command and ensure that the variable 'Log hard disk' shows 'Need format'.

fortigate # get sys status
Version: FortiGate-VM64 v5.0,build0228,130809 (GA Patch 4)
Virus-DB: 16.00560(2012-10-19 08:31)
Extended DB: 1.00000(2012-10-17 15:46)
IPS-DB: 4.00345(2013-05-23 00:39)
IPS-ETDB: 0.00000(2000-00-00 00:00)
Serial-Number: FGVMEV0000000000
Botnet DB: 1.00000(2012-05-28 22:51)
License Status: Valid
Evaluation License Expires: Fri Nov  1 06:24:58 2013
VM Resources: 1 CPU/1 allowed, 475 MB RAM/1024 MB allowed
BIOS version: 04000002
Log hard disk: Need format
Hostname: fortigate
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 1
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: standalone
Branch point: 228
Release Version Information: GA Patch 4
FortiOS x86-64: Yes
System time: Wed Oct 30 15:43:01 2013


If your FortiGate doesn't have a hard disk you'll get the following:

fortigate # get sys status
Version: FortiGate-VM64 v5.0,build0228,130809 (GA Patch 4)
Virus-DB: 16.00560(2012-10-19 08:31)
Extended DB: 1.00000(2012-10-17 15:46)
IPS-DB: 4.00345(2013-05-23 00:39)
IPS-ETDB: 0.00000(2000-00-00 00:00)
Serial-Number: FGVMEV0000000000
Botnet DB: 1.00000(2012-05-28 22:51)
License Status: Valid
Evaluation License Expires: Fri Nov  1 06:24:58 2013
VM Resources: 1 CPU/1 allowed, 475 MB RAM/1024 MB allowed
BIOS version: 04000002
Log hard disk: Not available
Hostname: fortigate
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 1
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: standalone
Branch point: 228
Release Version Information: GA Patch 4
FortiOS x86-64: Yes
System time: Wed Oct 30 15:43:01 2013


2. Format the log disk

Now enter the command execute formatlogdisk, then press y to confirm. This will format the disk then REBOOT the firewall.

fortigate # execute formatlogdisk
Log disk is /dev/sdb1.
Formatting this storage will erase all data on it, including
  logs, quarantine files;
and require the unit to reboot.
Do you want to continue? (y/n)y


3. Enable logging

When the device is back up login to the web GUI and navigate to Log & Report > Log Config > Log Settings. You should now see the 'Disk' option. Select this (and 'Enable local reports' if you want to run reports locally) then click apply. Ensure that 'Display logs from' says Disk.


If you don't have this option via the web GUI you can enable it via the CLI with the following commands:

fortigate # config log disk setting
fortigate (setting) # set status enable
fortigate (setting) # end

20 comments:

Love_Greece! said...

Really nice post! Thanks for sharing... definitely subscribing to this rss feed!

Anonymous said...

thanks..

Anonymous said...

Thanks!!!! ;)

Anonymous said...

Epic win. Thank you!

Anonymous said...

Firmware 5.2 this has been disabled on a lot of "low-end" models. :(

Allan Mouawad said...

Yup, unfortunately this is not available any-more for FG90Ds and below models that are running 5.2. All local logging has been disabled and you're now forced to use FortiCloud or a FortiAnalyzer. :`(

Anonymous said...

Yes that in 5.2 is bad. So i can give the harddisk in the trash or what... really stupid.

Anonymous said...

Well, you don't want to burn out the built in flash drive inside the FG by continuously writing log data to it.

Anonymous said...

Thanks! It helped.

Anonymous said...

i am unable to see disk option in GUI
and in cli it showing flash1

Anonymous said...

Allan, actually disk logging is disabled in 5.2 for all FG100D and below models.
B.t.w. when enabling disklogging using CLI a nice command to include is "set storage FLASH" or "DISK" so the command on most lowend models will be:

config log disk setting
set status enable
set storage FLASH
end

Allan Mouawad said...

Actually the above statement is only partially correct.

With 5.2 all models 90D and above support disk logging (if they have a disk); this means that the 80C/D models and below WILL NOT support disk logging.

The exception to this is the 100D FIRST GENERATION devices, These are the 100D's without the two SFP interfaces and you generally don't see them around. The other exceptions to this are the 200B without the FSM and the 300C (Gen1)

This means that your 90D will be able to support disk logging as well as your newer 100D models with the SFP interfaces.

The full list of devices where disk logging has been DISABLED can be found on the 5.2 release notes, but I've added them below to avoid further confusion.

• FG-100D (P09340-04 or earlier)
• FG-20C
• FG-20C_ADSL_A
• FG-200B/200B_POE (Without FSM)
• FG-300C_Gen1 (P09616-04 or earlier)
• FG-40C
• FG-60C
• FG-60C-POE
• FG-60C-SFP
• FG-70D
• FG-60D
• FG-80C/80CM (P05403-05, P05446-05)
• FW-20C
• FW-40C
• FW-20C_ADSL_A
• FW-60CX_A
• FW-60C
• FW-60CM (P08962-04 or later)
• FW-60CX_ADSL-A
• FW-60D
• FW-60D-POE
• FW-80CM (P05405-06 or later)

Anonymous said...

This is really crap from Fortinet - trying to get people to use their forticloud service. This seems to be the way forward from Fortinet. I have been a long time SMB user of fortigate's. However, it seems as each firmware comes up, they disable features that worked quite well with their lower end gear. Trying to get people to buy the more expensive gear. As of now, I'm looking for an alternative.

Anonymous said...

The good news is that FortiCloud is free. More correctly, there is a free version of FortiCloud. Simply register your FG and you can store your logs.

You can still log to memory...

Anonymous said...

For those of you who want to completely remove the FortiClound settings, you know just in case you figure they are aggregating your traffic logs for their own purposes.

CLI

config system fortiguard
unset service-account-id
end

Note that I don't have any other FortiGuard services available, so this doesn't affect me in any other way. I does reset the FortiCloud setting back to default, which puts the activate button back on the status page.

Anonymous said...

To enable logging to MEMORY not DISK. Works on all the 80CMs we use. (1500+)

#config log memory setting
#set status enable
#end

#config log gui
#set log-dev mem
#end

#diagnose log test

shafqat said...

i have a fortigate-60D i am facing a logging and reporting issue its local report option is not showing on GUI interface but cloud report option is still showing on fortigate how to enable the local report option in GUI .
current version of forti OS is 5.0.6

Unknown said...

log dis is not available in fortinet 100d model.

Anonymous said...

Thanks!!! works pefect.

Odd said...

Thanks for the info about the the SMB models! My mind was boiling before I read this.