Tuesday, January 24, 2012

Log uploads in realtime (FortiOS 4.0 MR3)

After upgrading several firewalls to 4.0 MR3 I noticed that by default the logs are no longer sent to my FortiAnalyzer unit in realtime. Instead they are scheduled to upload to the FAZ once per day.
If, like me, you are relying on these logs to provide realtime visibility into your network here is how to turn realtime logging back on.

On the CLI (really, Fortinet??):
config log fortianalyzer setting
set upload-option realtime

This is only available on smaller units, such as the FG60C and FWF60C.
On units such as the FG200B and FG310B the "set upload-option realtime" switch does not exist, thus defaulting to realtime logging to FAZ or Syslog.


David said...

Even the Fortigate 80C doesn't have the option.

Ben Boysza said...

AND they took away the Web Opt./Caching from the GUI - VERY annoying.

I'm having trouble with high-memory utilization on a FWF60C, NO UTM functions enabled. I was hoping it was log-store related, but it hasn't helped me in that area. Was a problem in MR3P2-4 but should've fixed by MR3P5. Perplexing since this FW replaced a 100A and still have memory issues with 323 sessions.

Firewall Support said...

very informative post..