By Manny Fernandez

May 25, 2026

Logging deep-dive on FortiGate Firewalls

1. Introduction and Scope

This deployment guide provides a complete technical reference for designing, configuring, and operating logging on Fortinet FortiGate next generation firewalls running FortiOS. It covers every log target supported by FortiOS (local memory, local disk, FortiAnalyzer, FortiAnalyzer Cloud, FortiGate Cloud, FortiGuard, and syslog), every standard log category and subtype, the full filter framework (severity, traffic flags, UTM toggles, and free style filters), and advanced features including reliable encrypted syslog, multi VDOM overrides, log forwarding, rate limiting, and CEF or JSON output for SIEM integration.

The intent is to serve both as a deployment blueprint for greenfield installations and as a tuning reference for production environments that need to reduce log volume, integrate with a SIEM, satisfy compliance retention, or troubleshoot why certain events are missing or duplicated.

1.1 Audience

Network and security engineers responsible for FortiGate deployment, SOC analysts who consume FortiGate telemetry, and compliance staff who validate logging coverage against regulatory requirements such as PCI DSS, HIPAA, ISO 27001, and SOC 2.

1.2 Prerequisites

– Administrative access to the FortiGate (GUI and CLI) with super_admin or an admin profile that includes Log & Report read and write.
– Reachable log destinations (FortiAnalyzer, syslog collector, or FortiGate Cloud account) with firewall paths permitted for the relevant ports.
– Accurate system time on the FortiGate, ideally via NTP, since log correlation depends on synchronized clocks.
– DNS resolution from the FortiGate for cloud destinations such as FortiGate Cloud and FortiAnalyzer Cloud.

1.3 Document Conventions

CLI commands appear in monospace inside a shaded block. Replace placeholders shown in angle brackets (for example, <syslog_ip>) with values for your environment. Configuration shown is for the global VDOM unless explicitly noted as per VDOM. Where behavior differs across FortiOS 7.2, 7.4, and 7.6, the relevant version is called out inline.

2. FortiGate Logging Architecture

FortiOS generates log messages from a number of subsystems (the kernel, the IPS engine, the antivirus engine, the web filter, application control, VPN daemons, the policy engine, and the management plane) and feeds them through a central logging pipeline. The pipeline applies per destination filters, enforces severity thresholds, optionally rate limits, and then writes or transmits the resulting log to one or more configured targets.

2.1 Generation and Flow

Every log message carries a small set of header fields used for routing: type, subtype, level (severity), logid, and category. The pipeline evaluates each destination independently, which means the same event can be written to disk, sent to FortiAnalyzer, and forwarded to a syslog SIEM with different filters and different formats.

2.2 Supported Log Targets

Target | Use Case | Notes
Memory | Volatile, short term local buffer | Lost on reboot. Useful on low end models without disk. View in GUI under Log & Report.
Disk | Local persistent storage | Available only on models with internal storage. Default retention is 7 days; configurable via CLI.
FortiAnalyzer | Centralized analytics, long term retention, reporting | Recommended primary target for production. Supports reliable TCP and TLS.
FortiAnalyzer Cloud | Cloud hosted FortiAnalyzer service | Subscription based. Removes the need to operate a FortiAnalyzer appliance.
FortiGate Cloud | Free tier basic logging and analytics | Included with FortiGate; limited retention on the free tier.
FortiGuard (legacy) | Reserved for specific service related logs | Rarely used as a primary target on modern FortiOS.
Syslog server | Third party SIEM (Splunk, QRadar, Sentinel, Elastic, FortiSIEM) | Up to four syslog targets are supported simultaneously. Multiple output formats available.

Important: Disk logging must be explicitly enabled on models that support it; on lower end models it is disabled by default. Memory logging is fine for ad hoc viewing but is never a substitute for an external target in production.

2.3 Log Categories

FortiOS classifies every log into one of three top level categories. Within each category, a subtype identifies the precise origin of the event.

Category | Subtypes | Description
Traffic | forward, local, multicast, sniffer, ztna | Per session records produced by the policy engine. The highest volume category; controlled at the firewall policy level.
Event | system, user, router, vpn, wad, endpoint, ha, wireless, switch controller, sdn connector, compliance, security rating, and others | Operational and administrative events generated by FortiOS subsystems.
Security (UTM) | virus, webfilter, ips, application, dlp, anomaly, dns, ssh, ssl, file filter, casb, voip, waf, gtp, icap | Generated by the unified threat management inspection engines when a profile triggers an action.

3. Log Severity Levels

FortiOS uses the standard syslog severity scale, where 0 is the most severe and 7 is the least. Every log destination has a severity threshold; the FortiGate writes a log to a destination only if the log is at least as severe as the configured threshold (its level number is at or below the threshold's). For example, setting severity to warning records warning, error, critical, alert, and emergency, while suppressing notice, information, and debug.

Level | Name | Typical Use
0 | emergency | System unusable. Reserved for catastrophic conditions.
1 | alert | Immediate action required. Examples: HA failover, hardware failure.
2 | critical | Critical condition. Examples: critical IPS attack, license expiry.
3 | error | Error condition. Examples: failed authentication, interface down.
4 | warning | Warning condition. Examples: link flapping, near quota threshold.
5 | notice | Normal but significant. Default for many destinations.
6 | information | Informational. Most traffic logs sit here.
7 | debug | Debug only. Generates very high volume; do not enable in production.

3.1 Recommended Thresholds by Target

Target | Recommended | Rationale
FortiAnalyzer | information | Full fidelity for analytics and reporting.
Syslog (SIEM) | information or notice | Information for security focused SIEMs; notice if syslog bandwidth is constrained.
Local disk | warning | Disk capacity is limited on most models; keep only meaningful events locally.
Memory | warning | Memory is constrained and volatile; keep the buffer focused on issues.
FortiGate Cloud (free tier) | warning or notice | Free tier retention favors a higher threshold.

Debug: Never set a production destination to debug. Debug level traffic from UTM and kernel modules can saturate even a well sized FortiAnalyzer.

4. Local Logging: Memory and Disk

4.1 Memory Logging

Memory logging is enabled out of the box on every FortiGate. It is intended for transient viewing and quick troubleshooting; the buffer is small and is cleared on reboot.

CLI Configuration

config log memory setting
    set status enable
    set diskfull overwrite
end

config log memory filter
    set severity warning
    set forward-traffic enable
    set local-traffic disable
    set multicast-traffic disable
    set sniffer-traffic disable
    set anomaly enable
    set voip disable
    set gtp disable
end

4.2 Disk Logging

Disk logging persists logs to the FortiGate’s internal storage. It is available only on platforms that ship with a disk and is generally disabled by default to protect the disk from write wear. By default, logs older than seven days are purged; this is adjustable in the CLI. Disk logging is appropriate for branch offices that lack a local log collector but should not replace centralized logging.

Enabling Disk Logging

config log disk setting
    set status enable
    set max-log-file-size 100
    set roll-schedule daily
    set roll-time "00:00"
    set upload disable
    set diskfull overwrite
    set log-quota 4096
    set dlp-archive-quota 0
    set report-quota 0
    set maximum-log-age 30
end

Notable parameters:

– max-log-file-size: size in megabytes at which a log file is rolled over.
– roll-schedule: controls when logs roll: daily, weekly, or by size only.
– log-quota: total megabytes allowed for logs on disk. Tune to your retention target.
– maximum-log-age: days before old logs are deleted (default 7).
– diskfull: behavior when the disk fills: overwrite (recommended) or nolog.

Disk Filter

config log disk filter
    set severity warning
    set forward-traffic enable
    set local-traffic disable
    set multicast-traffic disable
    set sniffer-traffic disable
    set anomaly enable
    set voip disable
    set gtp disable
    set dlp-archive enable
    set ztna-traffic enable
end

Tip: On models with eMMC storage, set max-log-file-size conservatively (50 to 100 MB) and consider a higher severity threshold (warning) to extend the life of the flash medium.

5. FortiAnalyzer and FortiAnalyzer Cloud

FortiAnalyzer (FAZ) is the recommended primary log target for any production deployment. It provides indexed storage, dashboards, reports, log forwarding, FortiView analytics, and incident management. FortiOS allows up to three FortiAnalyzer destinations to be configured simultaneously (referred to in CLI as fortianalyzer, fortianalyzer2, and fortianalyzer3), which supports both high availability and tiered deployments (for example, one local FAZ plus one regional FAZ).

5.1 Registering the FortiGate with FortiAnalyzer

config log fortianalyzer setting
    set status enable
    set server "10.10.20.40"
    set serial "FAZ-VMTM12345678"
    set upload-option realtime
    set reliable enable
    set enc-algorithm high
    set conn-timeout 10
    set monitor-keepalive-period 5
    set monitor-failure-retry-period 5
    set source-ip 10.10.10.1
    set hmac-algorithm sha256
end

Field notes:

– upload-option realtime: sends as logs are produced (recommended); store-and-upload buffers and uploads on a schedule (useful on metered WAN).
– reliable: enables TCP transport (port 514) instead of UDP, with retransmission on failure.
– enc-algorithm: sets TLS cipher strength (high, high-medium, low, disable). Requires reliable enable.
– source-ip: forces logs to leave from a known interface; helpful when an upstream firewall whitelists by source.

On the FortiAnalyzer side, the device shows up under Device Manager as unregistered and must be approved (Authorize action) before logs are accepted.

5.2 FortiAnalyzer Filter

The fortianalyzer filter mirrors the disk filter and controls what is offloaded. Information level is recommended unless bandwidth or storage is a constraint.

config log fortianalyzer filter
    set severity information
    set forward-traffic enable
    set local-traffic enable
    set multicast-traffic disable
    set sniffer-traffic enable
    set anomaly enable
    set voip enable
    set gtp disable
    set dns enable
    set ssh enable
    set ssl enable
    set ztna-traffic enable
    set dlp-archive enable
end

5.3 Multiple FortiAnalyzers

To configure additional FortiAnalyzers, repeat the configuration under fortianalyzer2 and fortianalyzer3. Each destination has its own setting and filter block.

config log fortianalyzer2 setting
    set status enable
    set server "10.20.20.40"
    set reliable enable
    set enc-algorithm high
    set upload-option realtime
end

config log fortianalyzer2 filter
    set severity warning
    set forward-traffic enable
end

5.4 FortiAnalyzer Cloud

FortiAnalyzer Cloud is configured similarly but uses a dedicated CLI block (config log fortianalyzer-cloud setting). It requires a valid subscription tied to the FortiGate serial number and outbound connectivity from the FortiGate to the FortiAnalyzer Cloud regional endpoint.

config log fortianalyzer-cloud setting
    set status enable
    set access-config enable
    set upload-option realtime
    set conn-timeout 10
end

config log fortianalyzer-cloud filter
    set severity information
    set forward-traffic enable
    set local-traffic enable
    set anomaly enable
end

Verification: Use diagnose log test to generate test logs and confirm receipt at the FortiAnalyzer. Use diagnose test application miglogd 1 through 4 for deeper diagnostics on the log daemon.

6. Syslog and SIEM Integration

FortiOS supports up to four syslog destinations (syslogd, syslogd2, syslogd3, syslogd4), each independently configured for transport, format, facility, and filter. This is the integration path for third party SIEMs including Splunk, IBM QRadar, Microsoft Sentinel, Elastic, Graylog, and FortiSIEM.

6.1 Transport Modes

Mode | Transport | Description
udp (default) | UDP/514 | Fire and forget. Fastest, but messages can be lost silently. Acceptable for low value telemetry.
legacy-reliable | TCP/514 | TCP based but uses the legacy framing. Maintained for backward compatibility.
reliable | TCP/6514 | RFC 5425 style framing. Required for TLS encryption. The recommended transport for SIEM integration.

6.2 Log Formats

Format | Description
default | FortiGate native key value pair format. Widely understood by Fortinet aware parsers.
csv | Comma separated values. Useful for ingest into spreadsheets and legacy parsers.
cef | ArcSight Common Event Format. Standard for many SIEMs.
rfc5424 | RFC 5424 syslog format with structured data. (Available in 7.4 and later for syslogd.)
json | JSON object per log message. The cleanest input for modern log pipelines.

6.3 Basic Syslog Over UDP

config log syslogd setting
    set status enable
    set server "10.30.30.50"
    set mode udp
    set port 514
    set facility local7
    set source-ip 10.10.10.1
    set format default
    set max-log-rate 0
end

config log syslogd filter
    set severity information
    set forward-traffic enable
    set local-traffic disable
    set multicast-traffic disable
    set sniffer-traffic disable
    set anomaly enable
    set voip disable
    set gtp disable
end

6.4 Reliable Syslog Over TCP With TLS

For production SIEM integration, use reliable mode with TLS to obtain delivery guarantees and confidentiality. The FortiGate validates the syslog server certificate against its trusted CA store; import the CA chain into Security Fabric > Certificates first.

config log syslogd setting
    set status enable
    set server "siem.example.com"
    set mode reliable
    set port 6514
    set facility local7
    set source-ip 10.10.10.1
    set format json
    set enc-algorithm high
    set ssl-min-proto-version TLSv1-2
    set certificate "fgt_syslog_client"
end

Common pitfalls:

– If the FortiGate cannot validate the server certificate (untrusted issuer, name mismatch, expired), the connection fails silently from the GUI; check diagnose debug application syslog for details.
– The enc-algorithm option only takes effect when mode is reliable. Attempting to set it in udp mode produces an error.
– Some SIEM platforms expect a specific facility; pick a free local facility (local0 through local7) that matches your collector configuration.
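To show what the collector at the other end of a reliable session has to handle, here is an added example in Python (not FortiOS or Fortinet code, and not part of the original guide): a decoder for the octet-counted framing ("MSG-LEN SP MSG") that the guide attributes to reliable mode, plus a PRI splitter that recovers facility and severity so the receiver can confirm the facility (local7 above) and severity it expects. The byte stream, host names and addresses are constructed. The decoder also shows the failure mode of pointing a udp or legacy-reliable sender at an octet-counting listener, which surfaces as a non-numeric length prefix.

```python
"""Receiver-side decoder for the octet-counted framing ('MSG-LEN SP MSG', RFC 5425 / RFC 6587)
that reliable mode sends over TCP. Added example, not FortiOS code; the stream is constructed."""

# Facility and severity names from the syslog PRI value (PRI = facility * 8 + severity).
_FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
               **{16 + i: f"local{i}" for i in range(8)}}
_SEVERITIES = ["emergency", "alert", "critical", "error", "warning", "notice", "information", "debug"]


class OctetCountedDecoder:
    """Reassembles complete syslog messages from a TCP byte stream, across read boundaries."""

    def __init__(self):
        self.buf = bytearray()

    def feed(self, data: bytes) -> list:
        """Append one chunk read from the socket; return every message completed by it."""
        self.buf.extend(data)
        messages = []
        while True:
            sp = self.buf.find(b" ")
            if sp < 0:
                break                                  # length prefix not fully received yet
            prefix = bytes(self.buf[:sp])
            if not prefix.isdigit():
                # A non-numeric prefix means the peer is not octet counting (for example a
                # udp or legacy-reliable sender pointed at this listener) or the stream desynced.
                raise ValueError(f"stream out of sync: bad length prefix {prefix[:16]!r}")
            end = sp + 1 + int(prefix)
            if len(self.buf) < end:
                break                                  # message body still incomplete
            messages.append(bytes(self.buf[sp + 1:end]))
            del self.buf[:end]
        return messages


def parse_pri(message: bytes):
    """Split '<PRI>body' into (facility_name, severity_name, body)."""
    if not message.startswith(b"<"):
        raise ValueError("message does not start with a PRI field")
    close = message.index(b">", 1, 5)                  # PRI is at most three digits
    pri = int(message[1:close])
    if pri > 191:
        raise ValueError(f"PRI {pri} out of range")
    facility, severity = divmod(pri, 8)
    return _FACILITIES.get(facility, str(facility)), _SEVERITIES[severity], message[close + 1:]


def frame(message: bytes) -> bytes:
    """Encode one message the way an octet-counting sender does."""
    return str(len(message)).encode() + b" " + message


def decode_chunks(chunks) -> list:
    """Run a sequence of socket reads through the decoder; return (facility, severity, body) tuples."""
    decoder = OctetCountedDecoder()
    out = []
    for chunk in chunks:
        out.extend(parse_pri(m) for m in decoder.feed(chunk))
    return out


# Constructed sample: facility local7 (23) with notice (5) -> PRI 189, and with error (3) -> PRI 187.
TRAFFIC_MSG = (b'<189>date=2026-05-25 time=10:00:00 devname="fgt-branch" type="traffic" '
               b'subtype="forward" level="notice" srcip=10.1.1.5 dstip=203.0.113.10 action="accept"')
EVENT_MSG = (b'<187>date=2026-05-25 time=10:00:01 devname="fgt-branch" type="event" '
             b'subtype="system" level="error" logdesc="Interface status changed"')
STREAM = frame(TRAFFIC_MSG) + frame(EVENT_MSG)
# Split the stream mid-frame to show that a message arriving across two reads is reassembled.
SPLIT = len(frame(TRAFFIC_MSG)) + 7
CHUNKS = [STREAM[:SPLIT], STREAM[SPLIT:]]

if __name__ == "__main__":
    for facility, severity, body in decode_chunks(CHUNKS):
        print(f"{facility}.{severity}: {body[:60].decode()}...")
```

A real listener wraps the same decoder around a TLS-accepting socket and keeps one decoder instance per connection, since the buffer state belongs to the stream, not to the message.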

6.5 CEF and JSON for SIEM Integration

CEF is the canonical format for ArcSight and is widely understood by other SIEMs. JSON is preferred where the SIEM pipeline does its own field extraction (Splunk with the Fortinet TA, Elastic, Sentinel). Both formats are configured at the per destination setting level.

config log syslogd2 setting
    set status enable
    set server "10.30.30.51"
    set mode reliable
    set port 6514
    set format cef
    set enc-algorithm high
end

config log syslogd2 custom-field-name
    edit 1
        set name "deviceCustomString1"
        set custom "vd"
    next
    edit 2
        set name "deviceCustomString2"
        set custom "policyname"
    next
end

CEF field mapping: Use custom-field-name to map FortiGate fields into the CEF deviceCustomStringN slots so the SIEM dashboards highlight VDOM, policy name, and other context.

6.6 Multiple Syslog Servers

Each of the four syslog endpoints can be configured with different formats, severities, and filters. A common design is to send full fidelity (information level, JSON) to a primary SIEM and a higher severity subset (warning level, CEF) to an archival or compliance system.

7. Filters in Depth

Filters are the single most important tuning surface in FortiOS logging. Every log target (memory, disk, FortiAnalyzer, FortiAnalyzer Cloud, syslogd, syslogd2, syslogd3, syslogd4, FortiGate Cloud) has its own filter block, and changes made to one do not affect the others. This means logging behavior can be tailored per destination: full fidelity to FortiAnalyzer, summary to SIEM, warnings only to disk.

7.1 The Filter Building Blocks

Setting | Effect
severity | Minimum severity threshold (emergency through debug). Logs at least as severe as the threshold pass.
forward-traffic | Inter zone or inter interface traffic logs (the bulk of traffic logging).
local-traffic | Traffic terminating on or originating from the FortiGate itself (management, VPN endpoints).
multicast-traffic | Multicast session logs (typically disabled to avoid noise).
sniffer-traffic | Logs from one armed sniffer policies.
ztna-traffic | Zero Trust Network Access traffic logs.
anomaly | DoS anomaly logs from DoS policies.
voip | SIP/SCCP voice logs.
gtp | GTP (mobile carrier) logs; only relevant on carrier grade platforms.
dns | DNS query/response logs from DNS filter.
ssh | SSH inspection logs.
ssl | SSL inspection logs.
dlp-archive | DLP message and file archives (high volume; disable unless required).

7.2 Free Style Filters

Beyond the toggles above, FortiOS supports free style filters that allow inclusion or exclusion of logs by category and arbitrary field expressions (log ID, source IP, destination port, user, and so on). Free style filters are the most powerful tool for trimming log volume without losing security relevant events.

Structure

config log <destination> filter
    config free-style
        edit <id>
            set category <traffic | event | virus | webfilter | ips | application | dlp | anomaly | dns | ssh | ssl | voip | waf | gtp | file-filter | ztna | casb>
            set filter "<field expression>"
            set filter-type <include | exclude>
        next
    end
end

Examples

Exclude DNS queries to an internal resolver from the syslog feed:

config log syslogd filter
    config free-style
        edit 1
            set category traffic
            set filter "dstip 10.10.10.53 and dstport 53"
            set filter-type exclude
        next
    end
end

Forward only two specific event log IDs to FortiAnalyzer2 from a particular pair of management workstations:

config log fortianalyzer2 filter
    config free-style
        edit 1
            set category event
            set filter "logid 0102043039 0102043040 and srcip 192.168.2.5 192.168.2.205"
            set filter-type include
        next
    end
end

Include only critical IPS events to a security focused syslog:

config log syslogd3 filter
    set severity information
    config free-style
        edit 1
            set category ips
            set filter "severity critical"
            set filter-type include
        next
    end
end

Operators: Free style filter expressions accept and, or, parentheses, and space separated value lists (a list matches any of its values, as in the log ID example above). Field names match those in the raw log entry (run execute log filter category 0 followed by execute log display to see a sample).

7.3 Policy Level Logging

Traffic logging is also gated at the firewall policy level by the per policy logtraffic setting. A policy with logtraffic disable produces no traffic log regardless of the destination filter. The settings are:

Setting | Behavior
logtraffic all | Logs both session start (if enabled) and session end for every session matching the policy. Highest volume.
logtraffic utm | Logs only sessions that trigger a UTM event (virus detected, URL blocked, IPS signature, and so on). Recommended default.
logtraffic disable | No traffic logs from this policy. Use sparingly; UTM logs still appear if a security profile is attached.

Pair logtraffic with logtraffic-start to also log session initiation:

config firewall policy
    edit 12
        set logtraffic all
        set logtraffic-start enable
    next
end

7.4 Filter Precedence

The effective filter for any single log is the intersection of three checks: (1) the policy level setting, (2) the destination’s severity threshold, and (3) the destination’s category toggles and free style rules. A log must pass all three to be emitted. When investigating missing logs, walk these three checks in order.
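The three checks above can be written out as a small model. This is an added example in Python, not FortiOS code and not from the guide's author: it implements the free style expression grammar of section 7.2 (and, or, parentheses, space separated value lists) as a parser and evaluator, then applies the three checks of section 7.4 in the order the text gives. The records, the destination definition, the utmevent flag that stands in for "the session triggered a UTM event", and the assumption that an include rule restricts its category to matching logs are all constructed for the example.

```python
"""Model of the three checks (sections 7.2 to 7.4) a log must pass before a destination emits it.
Added example, not FortiOS code: the free-style evaluator re-implements the grammar the guide
describes; how include rules combine is this model's assumption. Records are constructed."""
import re

SEVERITY = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
            "warning": 4, "notice": 5, "information": 6, "debug": 7}
_TOKEN = re.compile(r"\(|\)|[^\s()]+")   # parentheses, the keywords and/or, bare words


class _FreeStyleParser:
    """expr := term ('or' term)*; term := factor ('and' factor)*; factor := '(' expr ')' | FIELD VALUE+"""
    def __init__(self, expression):
        self.toks, self.pos = _TOKEN.findall(expression), 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok, self.pos = self.peek(), self.pos + 1
        return tok

    def expr(self):
        node = self.term()
        while self.peek() == "or":
            self.take()
            node = ("or", node, self.term())
        return node

    def term(self):
        node = self.factor()
        while self.peek() == "and":
            self.take()
            node = ("and", node, self.factor())
        return node

    def factor(self):
        if self.peek() == "(":
            self.take()
            node = self.expr()
            if self.take() != ")":
                raise ValueError("unbalanced parentheses")
            return node
        field = self.take()
        if field in (None, "and", "or", ")"):
            raise ValueError("expected a field name")
        values = []                                   # a value list matches any listed value
        while self.peek() not in (None, "and", "or", ")"):
            values.append(self.take())
        if not values:
            raise ValueError(f"no values given for field {field!r}")
        return ("match", field, values)

def _eval(node, log):
    kind, left, right = node                 # for "match": left = field name, right = value list
    if kind == "match":
        return str(log.get(left, "")) in right
    if kind == "and":
        return _eval(left, log) and _eval(right, log)
    return _eval(left, log) or _eval(right, log)

def free_style_matches(expression, log):
    """True when the free-style expression matches a log record given as a dict of raw fields."""
    parser = _FreeStyleParser(expression)
    tree = parser.expr()
    if parser.peek() is not None:
        raise ValueError(f"unexpected token {parser.peek()!r}")
    return _eval(tree, log)

def policy_allows(log, logtraffic):
    """Check 1: per-policy logtraffic gate (traffic logs only); 'utm' uses a constructed 'utmevent' flag."""
    if log["type"] != "traffic" or logtraffic == "all":
        return True
    return bool(log.get("utmevent")) if logtraffic == "utm" else False

def destination_emits(log, dest):
    """Checks 2 and 3: severity threshold, then the category toggle and the free-style rules."""
    if SEVERITY[log["level"]] > SEVERITY[dest["severity"]]:
        return False
    subtype = log.get("subtype", "")
    # The toggle is <subtype>-traffic for traffic logs and the subtype name itself for UTM logs.
    toggle = {"traffic": subtype + "-traffic", "utm": subtype}.get(log["type"])
    if toggle and not dest.get("toggles", {}).get(toggle, True):
        return False
    category = subtype if log["type"] == "utm" else log["type"]
    rules = [r for r in dest.get("free_style", []) if r["category"] == category]
    if any(r["filter_type"] == "exclude" and free_style_matches(r["filter"], log) for r in rules):
        return False
    includes = [r for r in rules if r["filter_type"] == "include"]
    # Model assumption: once an include rule exists for a category, only matching logs pass.
    return not includes or any(free_style_matches(r["filter"], log) for r in includes)

def log_is_emitted(log, logtraffic, dest):
    """A log reaches the destination only when all three checks pass, walked in this order."""
    return policy_allows(log, logtraffic) and destination_emits(log, dest)

# Constructed destination mirroring the guide's syslogd filter plus the internal-resolver exclude.
SYSLOGD = {"severity": "information",
           "toggles": {"forward-traffic": True, "local-traffic": False, "multicast-traffic": False},
           "free_style": [{"category": "traffic", "filter_type": "exclude",
                           "filter": "dstip 10.10.10.53 and dstport 53"}]}
DNS_TO_RESOLVER = {"type": "traffic", "subtype": "forward", "level": "notice",
                   "dstip": "10.10.10.53", "dstport": "53", "utmevent": False}
WEB_SESSION = {"type": "traffic", "subtype": "forward", "level": "notice",
               "dstip": "203.0.113.10", "dstport": "443", "utmevent": True}
```

Walking a missing log through log_is_emitted with the destination's real filter reproduces the troubleshooting order of section 7.4: the first check that returns False is the one to fix.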

8. Log Type and Subtype Reference

This section enumerates every log category emitted by FortiOS, with the typical subtypes, log id ranges, and tuning guidance. Subtype names are exactly those that appear in the raw log entry as type and subtype fields and as the category argument to free style filters.

8.1 Traffic Logs (type=traffic)

Subtype | Source | Typical Volume / Notes
forward | Inter interface policy traffic | Highest volume. Tune via per policy logtraffic and free style excludes for known noisy flows.
local | Sessions to or from the FortiGate itself | Useful for management plane auditing. Disable on syslog for SOC focus.
multicast | Multicast policies | Usually disabled.
sniffer | One armed sniffer policies | Only present when sniffer policies exist.
ztna | ZTNA proxy access | Enable for ZTNA deployments.

8.2 Event Logs (type=event)

Event logs cover everything that is not a session and not a UTM trigger. The major subtypes are:

Subtype | Examples of Logged Events
system | Reboots, configuration changes, firmware upgrades, license events, FortiGuard updates.
user | Authentication success and failure, RADIUS or LDAP events, FSSO events, captive portal logins.
router | BGP, OSPF, RIP neighbor and adjacency events.
vpn | IPsec phase 1 and phase 2 negotiation, SSL VPN logins, tunnel up and down.
wad | Explicit proxy and web cache daemon events.
endpoint | FortiClient registration and compliance events.
ha | High availability heartbeat, failover, member state changes.
wireless | Wireless controller events (AP up/down, rogue AP detection).
switch-controller | FortiLink and managed switch events.
sdn-connector | Public cloud and SDN fabric connector events.
compliance-check | Security Rating and PSIRT compliance results.
security-rating | Security Fabric Rating run results.
connector | Fabric connector and SSO connector events.

8.3 Security (UTM) Logs (type=utm)

UTM logs are produced by the inspection engines when a security profile matches traffic. Each subtype maps to a security profile.

Subtype | Description
virus | Antivirus engine detection of a virus, EICAR, or grayware.
webfilter | Web filter URL category match (block, warn, monitor, allow).
ips | IPS signature, anomaly, or rate based protection match.
application | Application control signature match.
dlp | Data Loss Prevention sensor match (file, fingerprint, or pattern).
anomaly | DoS policy anomaly trigger.
dns | DNS filter domain category or threat feed match.
ssh | SSH deep inspection event.
ssl | SSL deep inspection event (handshake failure, bypass).
file-filter | File filter profile match (block by extension or type).
casb | Inline CASB user or application access decision (FortiOS 7.2+).
voip | SIP/SCCP profile match.
waf | Web Application Firewall profile match.
gtp | GTP firewall match (carrier deployments).
icap | ICAP server response action.

8.4 Log ID Structure

Every log message carries a 10 digit logid that uniquely identifies the event template. The first four digits identify the category and subtype; the remaining six identify the specific event within that subtype. Free style filters can match log IDs precisely (set filter "logid 0102043039"), which is the cleanest way to include or exclude one specific event class without affecting siblings.

The FortiOS log message reference PDF, which lists every log ID, can be downloaded from the Fortinet Docs site.

9. Advanced Features

9.1 Reliable Syslog and Encryption

As covered in Section 6, mode reliable plus enc-algorithm high enables RFC 5425 style TLS framed syslog over TCP 6514. The FortiGate authenticates the server certificate by default; to add mutual authentication, install a client certificate on the FortiGate (Security Fabric > Certificates > Local Certificate) and reference it with set certificate. This is the configuration recommended for any deployment where the syslog path crosses an untrusted network.

9.2 VDOM Overrides

On multi VDOM systems, log configuration lives in the global VDOM by default and applies to every VDOM. To allow per VDOM customization (a different SIEM per tenant, a different severity per business unit), enable the override flag (syslog-override under config log setting) and configure override-setting plus override-filter inside the VDOM.

# The global config log syslogd setting (section 6.3) stays in place as the default every VDOM inherits.
# Inside the VDOM: raise the override flag under config log setting, then supply the override blocks.
config vdom
    edit Tenant-A
        config log setting
            set syslog-override enable
        end
        config log syslogd override-setting
            set status enable
            set server "10.40.40.50"
            set facility local1
        end
        config log syslogd override-filter
            set severity information
            set forward-traffic enable
            set local-traffic enable
        end
    next
end

The same pattern applies to fortianalyzer (faz-override) and fortianalyzer2/fortianalyzer3.

9.3 Rate Limiting

Some destinations support a maximum log rate to protect the receiver during log storms (for example, a misconfigured policy that logs every TCP retransmit). For syslog:

config log syslogd setting
    set max-log-rate 1000
end

A value of 0 means unlimited; any positive value is a cap in logs per second. Use rate limiting only as a safety net; the right long term answer is almost always a tighter filter.

9.4 Source IP Pinning

set source-ip forces the log daemon to use a specific local IP when connecting to a destination. This is essential when an upstream firewall whitelists the FortiGate by source IP, when the FortiGate has multiple egress interfaces, or when the destination expects logs from a loopback for routing stability.

9.5 Log Forwarding (FortiAnalyzer Feature)

FortiAnalyzer can receive logs from a fleet of FortiGates and then forward all or a subset of them to a downstream syslog server (a SIEM, an archival platform, or a managed SOC). This avoids opening the same syslog session from every FortiGate and provides a single tunable forwarding point. Forwarding can be configured in three modes: forwarding (real time), aggregation (batched), and disable. TLS is supported for the forwarded stream.

# On the FortiAnalyzer:
config system log-forward
    edit 1
        set mode forwarding
        set fwd-server-type syslog
        set server-name "primary-siem"
        set server-addr "10.50.50.60"
        set fwd-reliable enable
        set fwd-secure enable
    next
end

9.6 Custom Field Mapping for CEF

CEF reserves a small number of custom string and number slots (deviceCustomString1 through 6, deviceCustomNumber1 through 3). FortiOS exposes custom-field-name under each syslog destination so that any field from the raw log can be promoted to a CEF custom slot. This is how SIEM dashboards show, for example, the FortiGate VDOM, policy name, or application name as a first class field.
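As an added example of what the collector does with these slots (Python; not Fortinet code and not from the guide): a parser for the default key=value format of section 6.2, the logid split of section 8.4, and a CEF renderer that promotes fields into deviceCustomStringN slots with matching Label extensions, mirroring the custom-field-name entries of section 6.5. The sample line, the device id placeholder, the level-to-CEF-severity mapping and the choice of standard CEF keys (src, dst, spt, dpt, act, dvchost, deviceExternalId) are this example's own assumptions, not Fortinet's mapping.

```python
"""Collector-side example (added here; not Fortinet code): parse the FortiGate 'default'
key=value log format and re-emit it as CEF, promoting fields into deviceCustomStringN
slots the way custom-field-name does on the FortiGate. The sample log line is constructed."""
import re

# key=value pairs; quoted values may contain spaces and backslash-escaped quotes.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Standard CEF extension keys used for the common FortiGate fields (this example's choice).
_STANDARD_KEYS = {"srcip": "src", "dstip": "dst", "srcport": "spt", "dstport": "dpt",
                  "action": "act", "devname": "dvchost", "devid": "deviceExternalId"}

# Constructed mapping from FortiGate level names to the CEF 0..10 severity scale (an assumption).
CEF_SEVERITY = {"emergency": 10, "alert": 9, "critical": 8, "error": 6,
                "warning": 4, "notice": 2, "information": 1, "debug": 0}


def parse_default_log(line: str) -> dict:
    """Parse one line of the default format into a dict of raw fields, in log order."""
    fields = {}
    for key, raw in _KV.findall(line):
        if raw.startswith('"'):
            raw = re.sub(r"\\(.)", r"\1", raw[1:-1])   # strip quotes, unescape \" and \\
        fields[key] = raw
    return fields


def split_logid(logid: str):
    """A logid is 10 digits: the first four name the category/subtype, the last six the event."""
    if len(logid) != 10 or not logid.isdigit():
        raise ValueError(f"malformed logid {logid!r}")
    return logid[:4], logid[4:]


def _hdr(value: str) -> str:
    """CEF header fields escape backslash and the pipe delimiter."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def _ext(value: str) -> str:
    """CEF extension values escape backslash, '=' and newlines."""
    return value.replace("\\", "\\\\").replace("=", "\\=").replace("\r", "").replace("\n", "\\n")


def to_cef(fields: dict, custom_map: dict, device_version: str = "unknown") -> str:
    """Render parsed fields as one CEF line.

    custom_map mirrors 'config log syslogd custom-field-name', e.g. {'deviceCustomString1': 'vd'};
    each slot also gets a <slot>Label extension carrying the original FortiGate field name,
    which is what SIEM dashboards key on."""
    name = fields.get("logdesc") or f"{fields.get('type', '?')}/{fields.get('subtype', '?')}"
    header = "|".join(["CEF:0", "Fortinet", "FortiGate", _hdr(device_version),
                       _hdr(fields.get("logid", "")), _hdr(name),
                       str(CEF_SEVERITY.get(fields.get("level"), 0))])
    extensions, consumed = [], {"logid", "logdesc"}      # already carried in the header
    for slot, source in custom_map.items():
        if source in fields:
            extensions.append(f"{slot}={_ext(fields[source])}")
            extensions.append(f"{slot}Label={_ext(source)}")
            consumed.add(source)
    for key, value in fields.items():
        if key not in consumed:
            extensions.append(f"{_STANDARD_KEYS.get(key, key)}={_ext(value)}")
    return header + "|" + " ".join(extensions)


# Mirrors the custom-field-name entries shown in the guide.
CUSTOM_MAP = {"deviceCustomString1": "vd", "deviceCustomString2": "policyname"}

# Constructed sample in the default format (device id is a placeholder).
SAMPLE_LINE = ('date=2026-05-25 time=10:00:00 devname="fgt-dc1" devid="FGT-PLACEHOLDER-0001" '
               'logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" '
               'srcip=10.1.1.5 srcport=51514 dstip=203.0.113.10 dstport=443 proto=6 '
               'action="accept" policyid=12 policyname="Allow Web \\"prod\\"" service="HTTPS"')

if __name__ == "__main__":
    parsed = parse_default_log(SAMPLE_LINE)
    print(split_logid(parsed["logid"]))
    print(to_cef(parsed, CUSTOM_MAP, device_version="7.4"))
```

The renderer escapes pipes in header fields and equals signs in extension values; those two escapes are where home-grown CEF emitters most often break a SIEM parser.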

9.7 Log Cache and Buffering

When a destination is briefly unreachable, FortiOS buffers outgoing logs in memory (the miglogd cache). The cache size is finite; sustained outages will eventually result in dropped logs. Reliable transports (TCP, TLS) hold the cache until acknowledgment, while UDP simply transmits and forgets. For destinations that must not lose logs, use reliable transport and monitor the receiver’s health proactively.

9.8 Anonymization and Privacy

Some deployments must anonymize user identifiers (usernames, source IPs) before logs leave the device for compliance with GDPR or local privacy law. FortiOS supports user anonymization via report-related settings and via configurable log field masking on FortiAnalyzer. For full anonymity, the cleanest pattern is to forward through FortiAnalyzer with an anonymized log forward profile rather than attempting masking at the FortiGate.

9.9 Log Compression and Storage

Disk logs are written in plaintext but rolled files are compressed (.gz). FortiAnalyzer compresses received logs on its side. When estimating storage, plan for roughly 200 to 400 bytes per traffic log post compression and 1 KB to 4 KB per UTM log; multiply by your expected log rate and retention to size a FortiAnalyzer disk.

9.10 Local In Policy Logging

Traffic destined to the FortiGate itself (management, BGP, VPN endpoints) is governed by local-in policies. To log it, enable local-in-policy logging globally and ensure local-traffic is enabled in the destination filter.

# Local-in logging itself is switched on under config log setting;
# gui-local-in-policy only exposes the Local In Policy page in the GUI.
config log setting
    set local-in-allow enable
    set local-in-deny-unicast enable
end

config system settings
    set gui-local-in-policy enable
end

config firewall local-in-policy
    edit 0
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "HTTPS"
        set schedule "always"
    next
end

10. Verification, Testing, and Troubleshooting

10.1 Generating Test Logs

# Send a synthetic log to every enabled destination:
diagnose log test

This emits one log entry per type (traffic, event, utm) to every configured destination, which is the fastest way to confirm end to end delivery.

10.2 Inspecting the Log Daemon

# Inspect miglogd state:
diagnose test application miglogd 1
diagnose test application miglogd 6 # queue stats

# Realtime debug of syslog:
diagnose debug application syslogd -1
diagnose debug enable

# Realtime debug of FortiAnalyzer connection:
diagnose debug application fortianalyzerd -1
diagnose debug enable

10.3 Viewing Logs on the FortiGate

# Set the source and category:
execute log filter device disk # or memory, fortianalyzer
execute log filter category 0 # 0=traffic, 1=event, ...
execute log filter field srcip 10.1.1.5
execute log display

10.4 Common Issues

Symptom | Likely Cause and Resolution
No traffic logs from a specific policy. | Check the policy’s logtraffic setting and verify forward-traffic is enabled in the destination filter.
FortiAnalyzer shows the device as unauthorized. | Approve the device on FortiAnalyzer under Device Manager, and verify reliable and enc-algorithm match on both sides.
Syslog TLS connection fails to establish. | Validate the server certificate chain, confirm ssl-min-proto-version is supported by the server, and check NTP synchronization.
Logs arrive at the SIEM but fields are missing. | Verify format (default, json, cef) matches the SIEM parser, and review custom-field-name mappings.
Log volume is too high. | Switch policies to logtraffic utm where appropriate, raise the destination severity to notice or warning, and add free style excludes for known noisy categories (DNS to internal resolver, multicast).
Logs missing during peak load. | Move to reliable TCP or TLS transport, and confirm the destination is not rate limiting at the receiver.

10.5 Validation Checklist

1. Confirm NTP is synchronized: get system status shows the correct time.
2. Run diagnose log test and verify entries appear at each destination.
3. On FortiAnalyzer, verify the device is online with current logs (Device Manager > Logs).
4. On the SIEM, run a query for the last five minutes filtered by the FortiGate’s source IP.
5. Trigger a known UTM event (request a blocked URL, send EICAR) and confirm the event appears at every destination.
6. Inspect free style filters by submitting traffic that should match an include rule and traffic that should match an exclude rule.
7. Verify retention behavior by checking disk usage and oldest log entry after the configured maximum-log-age has elapsed.

11. Reference Designs

11.1 Small Branch (No Local Collector)

Single FortiGate at a branch office with limited bandwidth to headquarters. The goal is to ship security relevant events centrally while retaining a short window of traffic logs locally for on site troubleshooting.

– Disk: severity warning, forward and local traffic enabled, 7 day retention.
– FortiAnalyzer (over WAN): severity warning, UTM categories enabled, forward traffic enabled, reliable + TLS.
– No syslog destination; FortiAnalyzer feeds the central SIEM via FortiAnalyzer log forwarding.

11.2 Mid Size Enterprise (Centralized SOC)

FortiGate cluster fronting a data center; central SOC operates an enterprise SIEM.

– FortiAnalyzer: severity information, all categories enabled, reliable + TLS, real time upload. Primary store of record.
– Syslog (primary, SIEM): JSON format, reliable + TLS, severity information, free style exclude for known internal monitoring sources.
– Syslog (secondary, archival): CEF format, UDP acceptable, severity notice. Sent to a long term archival store for compliance.
– Disk: severity warning only, for on box forensics.

11.3 MSP / Multi Tenant

Single FortiGate cluster, multiple customer VDOMs, each with their own SIEM.

– Enable syslog-override and faz-override at the global scope.
– Per VDOM override-setting points at the tenant’s FortiAnalyzer or syslog endpoint, with the tenant’s certificate.
– Per VDOM override-filter applies the tenant’s preferred severity and category set.
– Global syslog destination remains in place for the MSP’s own NOC view.

11.4 Carrier / High Volume

Service provider edge with extremely high session counts.

– Policies set to logtraffic utm; logtraffic all only on a small set of high value policies.
– FortiAnalyzer: severity warning, free style include for IPS critical and DLP.
– Syslog: not used for flow telemetry; NetFlow style telemetry is handled separately via sFlow/NetFlow.
– max-log-rate set on every destination as a safety net (typically 10000 to 50000 logs per second).

12. Operational Guidance and Best Practices

12.1 Tuning to Reduce Volume

– Start with logtraffic utm on every policy; promote to logtraffic all only when warranted by an investigation or regulatory requirement.
– Exclude internal scanner and monitoring source IPs via free style filters; their traffic is high volume and rarely investigated.
– Disable multicast and sniffer logging on every destination unless those features are in use.
– Send DNS logs to FortiAnalyzer (where they aid investigation) but exclude them from a constrained SIEM feed.
– Avoid dlp-archive on any destination unless required for legal hold; archives carry full payload and dominate storage.
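Before committing a tuned filter to a destination, it is worth dry-running it against a sample of real records to see how much volume survives and which setting drops each record. The script below is an added example, not code from the guide or from Fortinet, and it uses a simplified model of FortiOS filter semantics (severity threshold, category toggles, then free-style rules, with include rules restricting a category to matching records and exclude rules dropping matches); that model, the mapping of records to free-style categories and toggle names, and the sample records are all assumptions or constructed data. The free-style expressions follow the "<field> <value> [<value> ...]" form used in the cheat sheet snippets.

```python
"""Dry-run a FortiGate destination filter (severity threshold, category toggles,
free-style include/exclude rules) against sample records to see what volume
survives and why each dropped record was dropped. Added example, not code from
the guide; it is a simplified model of FortiOS filter semantics (an assumption),
and the records below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# FortiOS severity levels, most severe first: a threshold of "notice" keeps index 0..5.
SEVERITY = ["emergency", "alert", "critical", "error", "warning",
            "notice", "information", "debug"]


@dataclass
class FreeStyleRule:
    category: str     # category the rule is bound to, as in 'set category traffic'
    expr: str         # "<field> <value> [<value> ...]", the form the guide's snippets use
    filter_type: str  # "include" or "exclude"

    def matches(self, rec: Dict[str, str]) -> bool:
        name, *values = self.expr.split()
        if name == "severity":  # the snippets filter on 'severity'; records carry 'level'
            name = "level"
        return rec.get(name) in values


@dataclass
class DestinationFilter:
    severity: str = "information"                            # 'set severity <level>'
    toggles: Dict[str, bool] = field(default_factory=dict)   # e.g. {"multicast-traffic": False}
    free_style: List[FreeStyleRule] = field(default_factory=list)


def log_category(rec: Dict[str, str]) -> str:
    """Free-style category of a record: type for traffic/event, subtype for utm (assumption)."""
    return rec["subtype"] if rec["type"] == "utm" else rec["type"]


def toggle_name(rec: Dict[str, str]) -> str:
    """Toggle governing a record: '<subtype>-traffic' for traffic logs, subtype otherwise."""
    return f"{rec['subtype']}-traffic" if rec["type"] == "traffic" else rec["subtype"]


def drop_reason(rec: Dict[str, str], flt: DestinationFilter) -> Optional[str]:
    """Return why the destination would drop the record, or None if it is logged."""
    if SEVERITY.index(rec["level"]) > SEVERITY.index(flt.severity):
        return "severity"
    name = toggle_name(rec)
    if not flt.toggles.get(name, True):  # toggles default to enabled when not listed
        return f"toggle:{name}"
    rules = [r for r in flt.free_style if r.category == log_category(rec)]
    includes = [r for r in rules if r.filter_type == "include"]
    if includes and not any(r.matches(rec) for r in includes):
        return "free-style include"  # include rules present, record matched none
    if any(r.matches(rec) for r in rules if r.filter_type == "exclude"):
        return "free-style exclude"
    return None


def apply_filter(records: List[Dict[str, str]], flt: DestinationFilter) -> List[Dict[str, str]]:
    """Records the destination would actually receive under the filter."""
    return [r for r in records if drop_reason(r, flt) is None]


def volume_report(records: List[Dict[str, str]], flt: DestinationFilter) -> Dict[str, int]:
    """Kept versus dropped counts for a sample of records."""
    kept = len(apply_filter(records, flt))
    return {"total": len(records), "kept": kept, "dropped": len(records) - kept}


def _rec(type_: str, subtype: str, level: str, **extra: str) -> Dict[str, str]:
    return {"type": type_, "subtype": subtype, "level": level, **extra}


# Constructed sample records, already parsed into fields.
SAMPLE_RECORDS = [
    _rec("traffic", "forward", "notice", srcip="10.0.1.25", dstport="443"),
    _rec("traffic", "forward", "notice", srcip="10.99.0.50", dstport="22"),   # internal scanner
    _rec("traffic", "forward", "notice", srcip="10.99.0.50", dstport="445"),  # internal scanner
    _rec("traffic", "local", "information", srcip="10.0.1.30", dstport="53"),
    _rec("traffic", "multicast", "notice", srcip="10.0.1.40", dstport="5353"),
    _rec("utm", "dns", "information", srcip="10.0.1.25", dstport="53"),
    _rec("utm", "ips", "critical", srcip="203.0.113.7", dstport="443"),
    _rec("utm", "ips", "warning", srcip="198.51.100.9", dstport="80"),
    _rec("event", "system", "notice", user="admin"),
]

# The tuning advice above expressed as one destination filter.
PRODUCTION_FILTER = DestinationFilter(
    severity="notice",
    toggles={"multicast-traffic": False, "sniffer-traffic": False},
    free_style=[
        FreeStyleRule("traffic", "srcip 10.99.0.50", "exclude"),
        FreeStyleRule("ips", "severity critical alert", "include"),
    ],
)

if __name__ == "__main__":
    print("baseline  :", volume_report(SAMPLE_RECORDS, DestinationFilter()))
    print("production:", volume_report(SAMPLE_RECORDS, PRODUCTION_FILTER))
    for r in SAMPLE_RECORDS:
        print(f"{r['type']:8s}{r['subtype']:10s}{r['level']:12s}",
              drop_reason(r, PRODUCTION_FILTER) or "logged")
```

The per-record reason is the useful part for checklist step 6: when an event you expected at a destination is absent, the model tells you whether the severity threshold, a category toggle, or a free-style rule is the setting to revisit, before you start a packet capture.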

12.2 Retention Planning

Match retention to the destination. Disk typically retains 7 to 30 days. FortiAnalyzer retention is sized by license and disk capacity (90 days hot, 1 year archived is a common baseline). SIEM retention is set by the SIEM’s own policy; the FortiGate should not assume the SIEM retains anything specific.

12.3 High Availability

In an HA cluster, each member generates logs independently. Configure log destinations on the primary and synchronize to the secondary via standard HA configuration synchronization. The secondary’s logs are typically lower volume (passive member events only) but should still be ingested for failover analysis.

12.4 Change Management

– All log configuration changes should be made in a maintenance window and validated immediately with diagnose log test.
– Document the severity threshold and category toggles for every destination in a logging design document.
– Use config revisions (execute backup config) before and after any filter change.

12.5 Compliance Considerations

– PCI DSS: log administrative actions (event/system) and security events (utm/ips, utm/virus) with at least one year retention and 90 days hot.
– HIPAA: log authentication events (event/user), VPN sessions (event/vpn), and any DLP triggers (utm/dlp) with six year retention.
– ISO 27001 / SOC 2: log all administrative changes and authentication outcomes; retain consistent with the organization’s policy, typically one year hot.
– GDPR: minimize personal data in logs forwarded outside the EU; consider anonymization at the FortiAnalyzer forwarding stage.

13. Quick Reference: CLI Cheat Sheet

Enable all key destinations at once

config log disk setting
   set status enable
end
config log fortianalyzer setting
   set status enable
   set server "<faz_ip>"
   set reliable enable
   set enc-algorithm high
end
config log syslogd setting
   set status enable
   set server "<siem_ip>"
   set mode reliable
   set port 6514
   set format json
   set enc-algorithm high
end

Standard production filter (apply to disk, fortianalyzer, syslogd)

config log <dest> filter
   set severity information
   set forward-traffic enable
   set local-traffic enable
   set multicast-traffic disable
   set sniffer-traffic disable
   set anomaly enable
   set voip disable
   set gtp disable
end

Diagnostics

diagnose log test
diagnose test application miglogd 1
diagnose debug application syslogd -1
diagnose debug enable
execute log filter device fortianalyzer
execute log filter category 1
execute log display

Common free style filter snippets

Exclude noisy internal scanner:

config free-style
   edit 1
      set category traffic
      set filter "srcip 10.99.0.50"
      set filter-type exclude
   next
end

Include only critical and alert UTM events:

config free-style
   edit 2
      set category ips
      set filter "severity critical alert"
      set filter-type include
   next
end
