Mantra Networking

FortiGate Firewall: Logging and Reporting

Created By: Lauren R. Garcia

Table of Contents

  • Overview
  • Log Message Types
  • Key Log Fields
  • Log Storage Options
  • Reporting Features
  • Troubleshooting Log & Reporting Issues
  • Useful CLI Commands
  • Conclusion

Overview: FortiGate Firewall Logging and Reporting

What Is FortiGate Logging and Reporting?

FortiGate Firewall Logging and Reporting refers to the suite of features within Fortinet’s FortiGate firewalls that capture, store, and analyze network activity and security events. These features provide detailed records of everything happening on your network—ranging from user logins and configuration changes to blocked threats and allowed traffic. Logging and reporting are core to the FortiGate platform, supporting both real-time monitoring and historical analysis.

Why Is It Important?

  • Visibility and Accountability: Logs offer a clear view into network traffic, user actions, and security events. This visibility helps administrators detect suspicious activity, investigate incidents, and maintain accountability for changes made on the firewall.
  • Threat Detection and Response: By analyzing logs, you can quickly identify potential threats such as malware, intrusion attempts, or policy violations, and respond before they escalate.
  • Compliance and Auditing: Many industries require organizations to maintain security logs for regulatory compliance (e.g., PCI DSS, HIPAA). FortiGate’s logging features help meet these requirements by providing reliable records and audit trails.
  • Troubleshooting and Optimization: Logs are invaluable for diagnosing network issues, understanding why certain traffic is blocked or allowed, and optimizing firewall rules for better performance and security.

How Does It Work?

  • Log Generation: FortiGate generates logs for a wide variety of events, including system actions, network traffic, security detections, and configuration changes.
  • Log Storage: Logs can be stored locally on the device, sent to centralized platforms like FortiAnalyzer, forwarded to external syslog servers, or uploaded to the cloud (FortiCloud). The storage method depends on your needs for retention, analysis, and compliance.
  • Reporting and Analysis: Built-in and custom reports transform raw log data into actionable insights. Features like scheduled reports, drill-down analysis, and interactive dashboards help you monitor trends, spot anomalies, and demonstrate compliance.
  • Integration: FortiGate logging integrates with Security Information and Event Management (SIEM) systems and other tools, enabling centralized monitoring across your security infrastructure.

In summary, FortiGate Firewall Logging and Reporting is essential for maintaining strong network security, ensuring compliance, and keeping your organization’s digital environment healthy and transparent. Understanding how it works empowers you to make informed decisions, respond to incidents efficiently, and continuously improve your security posture.

Log Message Types

FortiGate firewalls generate a variety of log messages to help administrators monitor, audit, and troubleshoot network activity. Understanding these log types is essential for effective security management and compliance.

  • Event Logs:
    Record system events such as administrator logins, configuration changes, and device status updates. Useful for tracking changes and auditing administrative actions.
  • Traffic Logs:
    Capture details about network traffic that is allowed or denied by firewall policies. These logs provide visibility into source/destination IPs, ports, protocols, and actions taken.
  • Security Logs:
    Log events detected by security modules like Intrusion Prevention System (IPS), antivirus, web filtering, and application control. They help identify threats and policy violations.
  • UTM Logs:
    Unified Threat Management logs cover advanced features such as Data Loss Prevention (DLP), spam filtering, and vulnerability scanning. They are crucial for compliance and advanced threat detection.
  • System Logs:
    Document hardware status, system resource usage, and service operations. These logs are essential for diagnosing device health and performance issues.

Log Type      | Description
--------------|-------------------------------------------------------------------------------------
Event Logs    | System events, admin logins, and configuration changes.
Traffic Logs  | Logs of network traffic allowed or denied by firewall policies.
Security Logs | Logs from IPS, antivirus, web filtering, and application control modules.
UTM Logs      | Unified Threat Management events like DLP, spam filtering, and vulnerability scans.
System Logs   | Logs related to system performance, hardware, and services.

Key Log Fields

FortiGate firewall logs contain a variety of fields that provide detailed information about each logged event. Understanding these key fields is crucial for effective monitoring, troubleshooting, and compliance.

  • Date/Time:
    Indicates when the log entry was recorded, including both the date and the time of the event.
  • Source IP (srcip):
    The IP address from which the traffic or event originated.
  • Destination IP (dstip):
    The IP address targeted by the traffic or event.
  • Source Port (srcport):
    The port number used by the source device.
  • Destination Port (dstport):
    The port number on the destination device.
  • Action (action):
    The result of the event, such as allow, deny, or close.
  • Policy ID (policyid):
    The identifier of the firewall policy that matched the traffic or event.
  • Service (service):
    The protocol or application involved (e.g., HTTPS, FTP).
  • Severity/Level (level):
    Indicates the importance or risk level of the event, such as notice, warning, or critical.
  • Session ID (sessionid):
    Unique identifier for the network session associated with the log entry.
  • Virtual Domain (vd):
    The name of the virtual domain (VDOM) where the log was generated, useful in multi-tenant environments.

Field Name                 | Description
---------------------------|------------------------------------------------------------------------
Date/Time                  | Timestamp of the log entry (date and time the event occurred).
Source IP (srcip)          | Originating IP address of the traffic or event.
Destination IP (dstip)     | Target IP address of the traffic or event.
Source Port (srcport)      | Port number used by the source device.
Destination Port (dstport) | Port number used by the destination device.
Action (action)            | Result of the event (e.g., allow, deny, close).
Policy ID (policyid)       | ID of the firewall policy that matched the traffic or event.
Service (service)          | Protocol or application involved in the event.
Severity/Level (level)     | Importance or risk level of the event (e.g., notice, warning, critical).
Session ID (sessionid)     | Unique identifier for the session associated with the log.
Virtual Domain (vd)        | Name of the VDOM where the log was generated.
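The fields above arrive as key=value pairs on each log line, which is also how they reach a syslog server or SIEM. The following Python is an added example written for this post (it is not Fortinet code and not part of the original article): it parses constructed FortiGate-style lines into dictionaries, converts the numeric fields, merges date and time into one timestamp, and then answers the two questions an analyst asks first: which connections were denied, and who logged in as an administrator. The sample lines, the device name "FGT-EDGE" and all addresses are made up for the example.

```python
import re
from datetime import datetime

# Constructed FortiGate-style log lines in the key=value syslog format; these are made-up
# samples for this example, not output captured from a real device.
SAMPLE_LOGS = [
    'date=2024-05-01 time=10:15:32 devname="FGT-EDGE" type="traffic" subtype="forward" '
    'level="notice" vd="root" srcip=10.1.1.25 srcport=51234 dstip=203.0.113.10 dstport=443 '
    'proto=6 service="HTTPS" action="accept" policyid=12 sessionid=884211 sentbyte=1200 rcvdbyte=9800',
    'date=2024-05-01 time=10:15:35 devname="FGT-EDGE" type="traffic" subtype="forward" '
    'level="warning" vd="root" srcip=198.51.100.7 srcport=40001 dstip=10.1.1.5 dstport=22 '
    'proto=6 service="SSH" action="deny" policyid=0 sessionid=884215',
    'date=2024-05-01 time=10:16:01 devname="FGT-EDGE" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Admin login successful" user="admin" '
    'action="login" status="success" msg="Administrator admin logged in successfully from https(10.1.1.50)"',
]

# One key=value pair: the value is either double-quoted (may contain spaces) or a bare token.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Fields that are numeric in FortiGate logs and are more useful as integers.
INT_FIELDS = {"srcport", "dstport", "policyid", "sessionid", "proto", "sentbyte", "rcvdbyte"}

# FortiOS severity levels, most severe first.
LEVELS = ["emergency", "alert", "critical", "error", "warning", "notice", "information", "debug"]


def parse_fortigate_log(line: str) -> dict:
    """Turn one key=value log line into a dict, converting numeric fields and
    combining the date and time fields into a datetime under the 'timestamp' key."""
    record = {}
    for match in _KV_RE.finditer(line):
        key, quoted, bare = match.groups()
        value = quoted if quoted is not None else bare
        record[key] = int(value) if key in INT_FIELDS else value
    if "date" in record and "time" in record:
        record["timestamp"] = datetime.strptime(
            f"{record['date']} {record['time']}", "%Y-%m-%d %H:%M:%S"
        )
    return record


def at_least(records, level: str):
    """Records whose severity is at or above the given level (e.g. 'warning')."""
    cutoff = LEVELS.index(level)
    return [r for r in records if r.get("level") in LEVELS and LEVELS.index(r["level"]) <= cutoff]


def denied_connections(records):
    """(srcip, dstip, dstport, policyid) for every traffic log whose action is deny."""
    return [
        (r["srcip"], r["dstip"], r["dstport"], r["policyid"])
        for r in records
        if r.get("type") == "traffic" and r.get("action") == "deny"
    ]


def admin_logins(records):
    """(user, status) for every event log that records an administrator login."""
    return [
        (r["user"], r["status"])
        for r in records
        if r.get("type") == "event" and r.get("action") == "login"
    ]


if __name__ == "__main__":
    parsed = [parse_fortigate_log(line) for line in SAMPLE_LOGS]
    for rec in parsed:
        print(rec["timestamp"], rec["type"], rec["vd"], rec.get("action"), rec.get("srcip", "-"))
    print("denied:", denied_connections(parsed))
    print("admin logins:", admin_logins(parsed))
    print("warning or worse:", len(at_least(parsed, "warning")))
```

The quoted-versus-bare distinction in the regular expression matters: fields such as msg and logdesc contain spaces, so splitting a line on whitespace would break them apart, while srcip and policyid are never quoted. Keeping the severity list in FortiOS order lets "warning or worse" be a single comparison instead of a hand-maintained set of level names.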

Log Storage Options

FortiGate firewalls offer several log storage options to suit different needs for retention, compliance, and analysis. Choosing the right storage method depends on your hardware, network size, and regulatory requirements.

  • Local Disk:
    Logs are stored directly on the FortiGate device, either in system memory, flash, or an onboard hard drive (if available). Local storage is limited by device capacity and is best for short-term retention or small deployments. Logs older than a set period (default: 7 days) are automatically deleted to free up space. Disk logging must be enabled, and constant rewrites can reduce flash memory lifespan. Not all models support disk logging[1][3][5].
  • FortiAnalyzer:
    A dedicated, centralized appliance or virtual machine for log collection, storage, and advanced analytics. FortiAnalyzer provides long-term retention, powerful search, reporting, and event correlation. It is ideal for organizations with multiple Fortinet devices or compliance needs[1][5][6].
  • Syslog Server:
    Logs can be sent to external syslog servers for aggregation, long-term storage, and integration with third-party SIEM solutions. Up to four syslog or FortiSIEM servers can be configured. Syslog supports multiple formats (CSV, CEF, RFC5424, JSON) for compatibility[1][5].
  • FortiCloud:
    Cloud-based log storage and analytics managed by Fortinet. The free tier stores logs for 7 days, while paid subscriptions extend retention up to 1 year. FortiCloud is easy to deploy, reduces on-premises storage needs, and allows access to logs from anywhere[1][10][13].

Storage Option | Description                                                                                              | Best Use Case
---------------|----------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------
Local Disk     | Stores logs on the FortiGate's internal memory, flash, or hard drive. Limited by device capacity and retention period. | Small deployments, short-term retention, or quick troubleshooting.
FortiAnalyzer  | Centralized appliance or VM for log collection, storage, analysis, and reporting across multiple devices. | Enterprise environments, compliance, and advanced analytics.
Syslog Server  | Sends logs to external syslog or SIEM servers in multiple formats for aggregation and long-term storage.  | Integration with third-party tools, custom log management, or regulatory storage requirements.
FortiCloud     | Cloud-based log storage managed by Fortinet. Free tier (7 days); paid tier (up to 1 year).                | Remote access, ease of management, and scalable retention without local hardware.

Reporting Features

FortiGate firewalls provide a variety of reporting features that help administrators analyze log data, monitor network activity, and ensure compliance with security policies.

  • Predefined Reports:
    Built-in report templates covering traffic patterns, security events, compliance checks, and usage statistics. These reports offer quick insights without the need for customization.
  • Custom Reports:
    Allows users to create tailored reports by selecting specific filters, data fields, and chart types to meet unique organizational requirements.
  • Scheduled Reports:
    Automates report generation and delivery via email or other methods on a set schedule, ensuring stakeholders receive timely updates.
  • Drill-down Analysis:
    Interactive reports that enable users to explore summarized data in detail, facilitating root cause analysis and deeper understanding of network events.

Feature             | Description
--------------------|---------------------------------------------------------------------------
Predefined Reports  | Built-in templates for traffic, security, compliance, and usage reporting.
Custom Reports      | User-defined filters, charts, and data fields for tailored reporting.
Scheduled Reports   | Automated report generation and email delivery on a set schedule.
Drill-down Analysis | Interactive exploration of log details from summary to detailed views.

Troubleshooting Log & Reporting Issues

Troubleshooting logging and reporting issues on FortiGate firewalls involves a systematic approach to identify and resolve common problems that prevent logs from being generated, stored, or displayed correctly.

  1. Verify Logging Is Enabled:
    Ensure logging is enabled both globally and within each relevant firewall policy or UTM profile. Without this, traffic and event logs will not be generated.
  2. Check Log Storage and Retention:
    Confirm there is sufficient disk space on the device or that external log storage (FortiAnalyzer, Syslog, FortiCloud) is reachable and configured correctly. Review log retention settings to avoid automatic deletion of important logs.
  3. Validate Connectivity to Log Devices:
    If using external log storage, use tools like execute ping to test connectivity. Ensure IP addresses, credentials, and ports are correct for FortiAnalyzer, Syslog, or FortiCloud destinations.
  4. Review Log Filters and Severity Levels:
    Make sure log filters and severity levels are set appropriately. Filtering out certain levels (e.g., only logging critical events) may hide important information needed for troubleshooting.
  5. Inspect Log Settings in the GUI:
    Go to Log & Report sections (e.g., Web Filter, Application Control) to confirm logs are being generated. If logs are missing from the GUI, check that the correct log source is selected under Log Settings.
  6. Restart Logging Daemon if Needed:
    If logs suddenly stop appearing, restart the logging daemon using CLI commands or reboot the device if necessary.
  7. Clear and Rebuild Log Databases:
    For GUI display issues, use commands like execute report flush-cache and execute report recreate-db to clear and rebuild reporting databases.
  8. Compare Logs to Baseline:
    Compare current logs to a known baseline of normal operation. This helps identify anomalies or missing log types.

Issue                                     | Possible Cause                                                                     | Resolution Steps
------------------------------------------|------------------------------------------------------------------------------------|----------------------------------------------------------------------------------
Logs not appearing in GUI                 | Logging not enabled in policy or global settings; incorrect log source selected    | Enable logging in policies and global settings; select correct log source in GUI
Logs missing from external device         | Connectivity issue; wrong IP/credentials; device offline                           | Test connectivity; verify settings; ensure log device is online
Rapid log deletion                        | Insufficient disk space; short retention settings                                  | Increase disk space; adjust retention period
Performance drop after enabling logging   | Disk logging impacting resources                                                   | Switch to external logging (FortiAnalyzer, Syslog, or FortiCloud)
Incomplete or delayed logs in SIEM        | Syslog format/size issues; high log volume                                         | Adjust syslog settings; review SIEM parsing configuration
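Steps 6 and 8 above (logs that suddenly stop, and comparing current logs to a known baseline) are the two checks that are easiest to automate on whatever the firewall has already exported to syslog or a SIEM. The Python below is an added example for this post, not Fortinet code and not part of the original article. It works on already-parsed records (dictionaries with a type and a timestamp, constructed inline here) rather than raw lines, counts each log type over a window, compares the counts with a baseline taken during normal operation, and measures the longest silence between consecutive entries. The baseline figures, the 20-minute window and the 300-second stall threshold are assumptions chosen for the example.

```python
from datetime import datetime

# Constructed records, in the shape a log parser would emit, covering one 20-minute window.
# Only the fields the checks need are included; nothing here comes from a real device.
OBSERVED = [
    {"type": "traffic", "timestamp": datetime(2024, 5, 1, 10, 0, 0)},
    {"type": "traffic", "timestamp": datetime(2024, 5, 1, 10, 0, 5)},
    {"type": "event",   "timestamp": datetime(2024, 5, 1, 10, 0, 9)},
    {"type": "traffic", "timestamp": datetime(2024, 5, 1, 10, 0, 12)},
    # nothing for almost 20 minutes: this is what "logs suddenly stop appearing" looks like
    {"type": "traffic", "timestamp": datetime(2024, 5, 1, 10, 19, 50)},
    {"type": "traffic", "timestamp": datetime(2024, 5, 1, 10, 20, 0)},
]

# Constructed baseline: expected entries per log type over the same window during normal
# operation. A type present in the baseline but absent now is the "missing log type" case.
BASELINE = {"traffic": 6, "event": 1, "utm": 2}


def count_by_type(records):
    """Number of records per log type (traffic, event, utm, ...)."""
    counts = {}
    for r in records:
        counts[r["type"]] = counts.get(r["type"], 0) + 1
    return counts


def compare_to_baseline(counts, baseline, tolerance=0.5):
    """Classify each baseline log type as missing, low, high or ok.
    tolerance is the allowed fractional deviation from the baseline count."""
    result = {}
    for log_type, expected in baseline.items():
        observed = counts.get(log_type, 0)
        if observed == 0:
            result[log_type] = "missing"
        elif observed < expected * (1 - tolerance):
            result[log_type] = "low"
        elif observed > expected * (1 + tolerance):
            result[log_type] = "high"
        else:
            result[log_type] = "ok"
    return result


def longest_gap(records):
    """Largest silence, in seconds, between consecutive log timestamps."""
    stamps = sorted(r["timestamp"] for r in records)
    if len(stamps) < 2:
        return 0.0
    return max((b - a).total_seconds() for a, b in zip(stamps, stamps[1:]))


def health_report(records, baseline, max_gap_seconds=300):
    """Combine both checks into one set of findings for a log-health review."""
    counts = count_by_type(records)
    status = compare_to_baseline(counts, baseline)
    gap = longest_gap(records)
    return {
        "counts": counts,
        "status": status,
        "missing_types": sorted(t for t, s in status.items() if s == "missing"),
        "deviating_types": sorted(t for t, s in status.items() if s in ("low", "high")),
        "longest_gap_seconds": gap,
        "stalled": gap > max_gap_seconds,
    }


if __name__ == "__main__":
    for key, value in health_report(OBSERVED, BASELINE).items():
        print(f"{key}: {value}")
```

A missing type usually points at step 1 or 4 (logging disabled in the relevant policy or profile, or filtered out by severity), whereas a long gap with all types present afterwards points at the logging daemon or the path to the log device (steps 3 and 6). Running the report on the SIEM side as well as on the FortiGate's own logs shows whether entries are being generated but lost in transit, which is the "incomplete or delayed logs in SIEM" row of the table.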

Useful CLI Commands for Troubleshooting:

# Check log device status
diagnose log device

# Test connectivity to external log device
execute ping <log_device_ip>

# View log filters and settings
show log

# Restart logging daemon (Miglogd)
diagnose sys kill 11 <PID_of_miglogd>

# Clear and rebuild reporting database
execute report flush-cache
execute report recreate-db

Useful CLI Commands

FortiGate firewalls provide a robust command-line interface (CLI) that enables administrators to perform advanced troubleshooting, configuration, and monitoring tasks related to logging and reporting. Below are some essential CLI commands commonly used to manage and diagnose log and reporting functions.

  • Check Log Device Status:
    diagnose log device
    Displays the status of log storage devices (local disk, FortiAnalyzer, etc.) and their available space.
  • Filter Logs by Criteria:
    execute log filter field <field> <value>
    Sets filters to narrow down logs based on specific fields like source IP, destination IP, or action.
  • Display Filtered Logs:
    execute log display
    Shows the logs that match the previously set filters.
  • Enable Debug Logging:
    diagnose debug enable
    Activates debug mode for troubleshooting log-related issues.
  • Debug Logging Application:
    diagnose debug application logd -1
    Enables detailed debugging for the logging daemon to help identify issues with log generation or forwarding.
  • Show Log Settings:
    show log
    Displays the current log configuration on the device.
  • Restart Logging Daemon:
    diagnose sys kill 11 <PID_of_miglogd>
    Restarts the logging process if logs are not being generated or forwarded.
  • Clear and Rebuild Reporting Database:
    execute report flush-cache
    execute report recreate-db
    Used if there are issues with report generation or log display in the GUI.

Command                                                   | Description
----------------------------------------------------------|---------------------------------------------------------------------
diagnose log device                                       | Show status and details of log storage devices.
execute log filter field <field> <value>                  | Filter logs by specific criteria (e.g., source IP, action).
execute log display                                       | Display logs that match set filters.
diagnose debug enable                                     | Enable debug mode for troubleshooting.
diagnose debug application logd -1                        | Enable detailed debugging for the logging daemon.
show log                                                  | Display current log configuration.
diagnose sys kill 11 <PID_of_miglogd>                     | Restart the logging process (Miglogd) if needed.
execute report flush-cache / execute report recreate-db   | Clear and rebuild the reporting database for GUI log/report issues.

Note: Use these commands with caution, especially on production systems. Always review official Fortinet documentation for your specific FortiOS version before making changes.

Conclusion

Throughout this blog post, we’ve explored the essential components of FortiGate Firewall logging and reporting, helping you gain a deeper understanding of how to monitor, analyze, and act on security events within your network. Here's a quick recap of what we've covered:

  • Log Message Types — We broke down the different types of logs FortiGate generates, including traffic, event, security, UTM, and system logs, each serving a unique purpose in your security ecosystem.
  • Key Log Fields — Understanding fields like source/destination IP, action, policy ID, and severity is critical for interpreting log data and identifying potential threats or misconfigurations.
  • Log Storage Options — Whether you're using local disk, FortiAnalyzer, Syslog, or FortiCloud, knowing where and how your logs are stored ensures better scalability, retention, and compliance.
  • Reporting Features — We explored how FortiGate’s reporting tools—predefined, custom, scheduled, and drill-down—can turn raw log data into actionable insights.
  • Troubleshooting Log & Reporting Issues — We outlined a step-by-step approach to resolving common logging issues, from verifying settings to restarting services and rebuilding log databases.
  • Useful CLI Commands — Equipped with a set of powerful CLI commands, you now have the tools to dig deeper into log diagnostics and configuration directly from the FortiGate console.

Logging and reporting are more than just compliance checkboxes—they are the eyes and ears of your firewall. By mastering these features, you're not only improving visibility but also strengthening your organization’s security posture.

Thanks for following along! We hope this guide helped demystify FortiGate logging and reporting for you. If you have any questions, feedback, or want to share your own tips, feel free to drop a comment or reach out.