Tuesday, May 20, 2014

[HOW] Enable disk logging on a FortiGate in FortiOS 5

By default, disk logging is disabled in FortiOS v5.0. One reason for this is that the flash memory on some devices is not designed for constant reads and writes, so saving logs to it can wear the disk out (resulting in corrupted sectors). Having said that, we've got a few FortiGates that have been logging to disk for a few years now with no problems.

Below are the steps to re-enable disk logging:
1. Confirm your device has a log disk
2. Format the log disk
3. Enable logging 

1. Confirm your device has a log disk

First, check that your FortiGate actually has a log disk, since some units don't come with one. To confirm, run the get sys status command and check that the 'Log hard disk' line shows 'Need format'.

fortigate # get sys status 
Version: FortiGate-VM64 v5.0,build0228,130809 (GA Patch 4)
Virus-DB: 16.00560(2012-10-19 08:31)
Extended DB: 1.00000(2012-10-17 15:46)
IPS-DB: 4.00345(2013-05-23 00:39)
IPS-ETDB: 0.00000(2000-00-00 00:00)
Serial-Number: FGVMEV0000000000
Botnet DB: 1.00000(2012-05-28 22:51)
License Status: Valid
Evaluation License Expires: Fri Nov  1 06:24:58 2013
VM Resources: 1 CPU/1 allowed, 475 MB RAM/1024 MB allowed
BIOS version: 04000002
Log hard disk: Need format
Hostname: fortigate
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 1
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: standalone
Branch point: 228
Release Version Information: GA Patch 4
FortiOS x86-64: Yes
System time: Wed Oct 30 15:43:01 2013

If your FortiGate doesn't have a hard disk you'll get the following:

fortigate # get sys status 
Version: FortiGate-VM64 v5.0,build0228,130809 (GA Patch 4)
Virus-DB: 16.00560(2012-10-19 08:31)
Extended DB: 1.00000(2012-10-17 15:46)
IPS-DB: 4.00345(2013-05-23 00:39)
IPS-ETDB: 0.00000(2000-00-00 00:00)
Serial-Number: FGVMEV0000000000
Botnet DB: 1.00000(2012-05-28 22:51)
License Status: Valid
Evaluation License Expires: Fri Nov  1 06:24:58 2013
VM Resources: 1 CPU/1 allowed, 475 MB RAM/1024 MB allowed
BIOS version: 04000002
Log hard disk: Not available
Hostname: fortigate
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 1
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: standalone
Branch point: 228
Release Version Information: GA Patch 4
FortiOS x86-64: Yes
System time: Wed Oct 30 15:43:01 2013

2. Format the log disk

Now enter the command execute formatlogdisk, then press y to confirm. This formats the disk (erasing any existing logs and quarantine files) and then REBOOTS the firewall.

fortigate # execute formatlogdisk 
Log disk is /dev/sdb1.
Formatting this storage will erase all data on it, including
  logs, quarantine files;
and require the unit to reboot.
Do you want to continue? (y/n)y

3. Enable logging

When the device is back up, log in to the web GUI and navigate to Log & Report > Log Config > Log Settings. You should now see the 'Disk' option. Select it (and 'Enable local reports' if you want to run reports locally), then click Apply. Ensure that 'Display logs from' says Disk.

If you don't have this option via the web GUI you can enable it via the CLI with the following commands:

fortigate # config log disk setting
fortigate (setting) # set status enable
fortigate (setting) # end
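If you look after more than one FortiGate, the three steps above are easy to script: capture the get sys status output over SSH, read the 'Log hard disk' line, and only send the format and enable commands that the unit still needs. The script below is an added example written for this post; it is not code from Fortinet or from the original article. It parses the plain "key: value" output shown above and returns the CLI commands from the post that remain. The samples are constructed from the two outputs above, and the value "Available" for an already-formatted disk is an assumption (the post only shows "Need format" and "Not available").

```python
"""Decide which of the post's disk-logging steps a FortiGate still needs.

Added example (not from the original post or Fortinet). It parses the
"key: value" output of `get sys status`, reads the 'Log hard disk' field and
returns the ordered CLI commands from the post that still have to be run.
"""
from typing import Dict, List

# Constructed samples, abridged from the two outputs shown in the post.
STATUS_NEED_FORMAT = """\
Version: FortiGate-VM64 v5.0,build0228,130809 (GA Patch 4)
Serial-Number: FGVMEV0000000000
Log hard disk: Need format
Hostname: fortigate
Operation Mode: NAT
System time: Wed Oct 30 15:43:01 2013
"""

STATUS_NO_DISK = STATUS_NEED_FORMAT.replace("Log hard disk: Need format",
                                            "Log hard disk: Not available")

# Assumed wording for a disk that has already been formatted (not shown in the post).
STATUS_READY = STATUS_NEED_FORMAT.replace("Log hard disk: Need format",
                                          "Log hard disk: Available")

# The enable commands exactly as given in the post's CLI snippet.
ENABLE_CMDS = ["config log disk setting", "set status enable", "end"]


def parse_sys_status(text: str) -> Dict[str, str]:
    """Split each 'Key: value' line on its first colon, so timestamps keep theirs."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            fields[key.strip()] = value.strip()
    return fields


def log_disk_state(fields: Dict[str, str]) -> str:
    """Normalise the 'Log hard disk' field to one of four states."""
    raw = fields.get("Log hard disk", "").strip().lower()
    return {
        "need format": "need_format",
        "not available": "not_available",
        "available": "available",  # assumed value for a formatted disk
    }.get(raw, "unknown")


def plan_disk_logging(status_text: str) -> Dict[str, object]:
    """Return the disk state plus the ordered CLI commands still to run."""
    state = log_disk_state(parse_sys_status(status_text))
    if state == "not_available":
        return {"state": state, "commands": [], "reboot": False,
                "note": "unit has no log disk; disk logging cannot be enabled"}
    if state == "unknown":
        return {"state": state, "commands": [], "reboot": False,
                "note": "unrecognised 'Log hard disk' value; inspect manually"}
    commands: List[str] = []
    reboot = False
    if state == "need_format":
        # Needs a 'y' at the prompt; erases logs and quarantine, then reboots.
        commands.append("execute formatlogdisk")
        reboot = True
    commands.extend(ENABLE_CMDS)
    note = ("format erases logs and quarantine files, unit will reboot"
            if reboot else "disk already formatted; only enabling logging")
    return {"state": state, "commands": commands, "reboot": reboot, "note": note}


if __name__ == "__main__":
    for name, sample in [("need format", STATUS_NEED_FORMAT),
                         ("no disk", STATUS_NO_DISK),
                         ("formatted", STATUS_READY)]:
        plan = plan_disk_logging(sample)
        print(f"{name}: state={plan['state']} reboot={plan['reboot']} ({plan['note']})")
        for cmd in plan["commands"]:
            print("    " + cmd)
```

Because formatlogdisk reboots the unit, the plan separates "reboot" from the command list so that a wrapper can schedule the format step in a maintenance window and push the enable commands afterwards; a unit reporting "Not available" gets no commands at all, as there is nothing to format.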

