Memory logging enabled for Fortinet

Vendor

Fortinet

Description

Indeni will alert if logging to the system memory is enabled.

Remediation Steps

Turn off memory logging as soon as possible.

1. Log in via SSH to the Fortinet firewall and run the FortiOS command "get log memory setting" to review the memory logging status. If the FortiGate unit has a hard disk, disk logging is enabled by default to store logs; if the unit has only flash memory, disk logging is disabled by default.

2. Log in via HTTPS to the Fortinet firewall and go to the menu System > Dashboard > Status. Look at the System Resources widget to review the Memory utilization graph. If memory utilization is high, it is recommended to disable the logging-to-memory setting. Use the FortiOS commands "execute log filter device X", "execute log filter category Y" and "execute log delete" to clear the logs.

3. Run the FortiOS command "execute log filter device" to get a list of the supported log devices. Consider storing logs to Syslog, FortiAnalyzer or FortiCloud instead of memory or hard disk.

4. If logging to memory is the only option, it is good practice to manually set the warning thresholds and the maximum memory log buffer size under the "config log memory global-setting" FortiOS CLI context.

5. For more information review the Fortinet Handbook: https://docs.fortinet.com/uploaded/files/3421/logging-reporting-54.pdf

How does this work?

This script logs into the FortiGate over SSH and retrieves the memory logging status from the output of the FortiOS command "get log memory setting". The "get log disk setting" command provides detailed information about the configured logging memory settings.
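The check the remediation steps and the paragraph above describe, as an added example (not Indeni's own script or Fortinet code): it parses the "key : value" output of "get log memory setting" and "get log memory global-setting" and reports whether memory logging is enabled plus the buffer size and warning thresholds to review. The output layout and the sample values are constructed assumptions; a real run would feed in the text captured over SSH.

```python
import re
from typing import Dict, List

# Constructed sample output of "get log memory setting", laid out in the
# "key : value" form FortiOS uses for "get" commands (format is an assumption).
SAMPLE_MEMORY_SETTING = """\
status              : enable
diskfull            : overwrite
"""

# Constructed sample output of "get log memory global-setting" (assumption).
SAMPLE_GLOBAL_SETTING = """\
max-size            : 98304
full-first-warning-threshold: 75
full-second-warning-threshold: 90
full-final-warning-threshold: 95
"""


def parse_fortios_get(output: str) -> Dict[str, str]:
    """Parse 'key : value' lines of a FortiOS 'get' command into a dict."""
    settings: Dict[str, str] = {}
    for line in output.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9_.-]+)\s*:\s*(.*?)\s*$", line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def memory_logging_enabled(setting_output: str) -> bool:
    """True when logging to system memory is enabled (the condition alerted on)."""
    return parse_fortios_get(setting_output).get("status", "").lower() == "enable"


def memory_log_findings(setting_output: str, global_output: str) -> List[str]:
    """Findings an operator can act on, mirroring the remediation steps above."""
    findings: List[str] = []
    if not memory_logging_enabled(setting_output):
        return findings
    findings.append("logging to memory is enabled; prefer Syslog, FortiAnalyzer or FortiCloud")
    g = parse_fortios_get(global_output)
    if "max-size" in g:
        findings.append(f"memory log buffer max-size is {g['max-size']}; review it")
    thresholds = [k for k in g if k.endswith("-warning-threshold")]
    if thresholds:
        levels = ", ".join(f"{k}={g[k]}%" for k in thresholds)
        findings.append(f"memory-full warning thresholds: {levels}")
    return findings


if __name__ == "__main__":
    for finding in memory_log_findings(SAMPLE_MEMORY_SETTING, SAMPLE_GLOBAL_SETTING):
        print("WARNING:", finding)
```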

Without Indeni how would you find this?

The user would have to log in to the device and run the "get log memory setting" command to identify whether memory logging is enabled on the device.
