Mastering FortiGate Log Management: A Comprehensive Guide to CLI and GUI Log Checking
In the complex ecosystem of network security, FortiGate firewalls serve as the primary sentinels, processing millions of packets and enforcing security policies across enterprise perimeters. The ability to effectively check, filter, and analyze FortiGate logs is not merely an administrative task—it is a core security competency. Whether responding to an active breach, troubleshooting connectivity issues, or establishing performance baselines, security professionals must master both graphical and command-line log inspection methods.
This investigative report synthesizes official Fortinet documentation, community expertise, and practitioner insights to deliver a definitive guide on checking FortiGate firewall logs. From foundational GUI configuration to advanced CLI filtering techniques spanning two decades of FortiOS evolution, this article provides actionable intelligence for network administrators at all skill levels.
Foundational Concepts – Understanding FortiGate Log Architecture
The Anatomy of a Log Message
Before examining logs, one must understand their structure. As documented in Fortinet GURU’s detailed analysis, every FortiGate log message consists of two primary components:
The Log Header contains universal metadata:
- date/time: Timestamp in YYYY-MM-DD HH:MM:SS format
- log_id: A unique 5-10 digit identifier specific to the event type
- type: High-level category (traffic, event, UTM)
- subtype: Specific feature generating the log (webfilter, ips, admin)
- level: Priority indicator ranging from Emergency (0) to Debug (7)
- vd: Virtual domain context (typically "root")
The Log Body contains variable fields unique to each event:
- Policy and session identifiers (policyid, sessionid)
- Network transaction details (srcip, dstip, srcport, dstport, service)
- Security action outcomes (allow, block, monitor)
- Feature-specific context (URL categories, virus names, application IDs)
Understanding this architecture enables precise filtering and rapid threat identification.
Log Severity and Priority Levels
FortiGate employs six standard priority levels, with Debug as a rarely-used seventh level:
| Level | Value | Description | Action Implication |
|---|---|---|---|
| Emergency | 0 | System unstable | Immediate intervention required |
| Alert | 1 | Immediate action needed | Critical security event |
| Critical | 2 | Functionality affected | Service degradation |
| Error | 3 | Error condition | Functionality could be affected |
| Warning | 4 | Functionality could be affected | Investigate proactively |
| Notification | 5 | Normal but significant events | Baseline operations |
| Information | 6 | General operational info | Routine logging |
| Debug | 7 | Firmware/feature status | Troubleshooting only |
As noted in the Fortinet Administration Guide, establishing a baseline of normal operations at the Information level is essential before attempting to identify anomalous patterns.
GUI-Based Log Checking – The Enterprise Standard
Configuring Log Settings via Web Interface
The FortiOS Administration Guide (7.6.6) specifies that initial log configuration should maximize data collection. Navigate to Log & Report > Log Settings to:
- Enable logging categories: Traffic, event, UTM, and local traffic
- Set severity thresholds: Information level recommended for baselining
- Configure storage locations: Memory (volatile), Disk (persistent), FortiAnalyzer
- Establish quota alerts: Critical for preventing storage exhaustion during high-volume logging
Effective GUI Log Analysis Techniques
The Administration Guide emphasizes that logs illuminate problems but do not solve them. Efficient GUI analysis requires:
Strategic Filtering: Rather than reviewing all 50,000 log entries, apply multi-field filters combining:
- Time ranges (last hour, custom date ranges)
- IP addresses (source, destination, or both)
- Policy IDs (to isolate specific rule impacts)
- Action types (blocked vs. accepted connections)
Pattern Recognition: Sort by frequency of blocked ports or repeated source IPs to identify scanning activity or misconfigured applications.
Raw Log Export: When deeper analysis is required, use the Download Raw Log function. Files are named in the format: <log_type>-<location>-<timestamp>.log, containing complete field-level data suitable for import into SIEM or analytical tools.
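The following is an added example, not code from the page or from Fortinet: a small parser for the key=value log format described in the anatomy section, with the severity map from the table above, applied to a downloaded raw log to produce the blocked-port and repeated-source counts that the pattern-recognition step calls for. The sample lines are constructed; their logid values are placeholders, and denied traffic is assumed to carry action="deny".

```python
import re
from collections import Counter

# A raw FortiGate log line is a run of key=value pairs; values containing spaces are
# double-quoted (msg="..."). Group 2 holds a quoted value, group 3 an unquoted one.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Numeric priority per the severity table above. The level field in the log itself
# spells level 5 "notice", so both spellings map to 5.
SEVERITY = {"emergency": 0, "alert": 1, "critical": 2, "error": 3, "warning": 4,
            "notification": 5, "notice": 5, "information": 6, "debug": 7}
HEADER = ("date", "time", "logid", "type", "subtype", "level", "vd")

def parse_log(line):
    """Split one raw line into (header, body) dicts, following the anatomy above."""
    fields = {m[1]: m[2] if m[2] is not None else m[3] for m in _KV.finditer(line)}
    header = {k: fields.pop(k) for k in HEADER if k in fields}
    return header, fields

def at_most(entries, level):
    """Entries at the given severity or worse (a lower number is more severe)."""
    cut = SEVERITY[level]
    return [e for e in entries if SEVERITY.get(e[0].get("level", "debug"), 7) <= cut]

def blocked_port_counts(entries):
    """Destination ports of denied traffic, most frequent first (scan indicator)."""
    c = Counter(b["dstport"] for h, b in entries
                if h.get("type") == "traffic" and b.get("action") == "deny")
    return c.most_common()

def repeated_sources(entries, min_hits):
    """Source IPs denied at least min_hits times (repeated-source indicator)."""
    c = Counter(b["srcip"] for _, b in entries if b.get("action") == "deny")
    return {ip: n for ip, n in c.items() if n >= min_hits}

# Constructed sample export (not real device output); logid values are placeholders
# and denied traffic is marked action="deny".
SAMPLE = """\
date=2024-11-15 time=10:01:02 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=198.51.100.7 dstip=203.0.113.45 srcport=51000 dstport=22 action="deny" policyid=0
date=2024-11-15 time=10:01:03 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=198.51.100.7 dstip=203.0.113.45 srcport=51001 dstport=23 action="deny" policyid=0
date=2024-11-15 time=10:01:04 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=198.51.100.7 dstip=203.0.113.45 srcport=51002 dstport=22 action="deny" policyid=0
date=2024-11-15 time=10:02:00 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.0.2.10 dstip=203.0.113.45 srcport=40000 dstport=443 action="accept" policyid=5
date=2024-11-15 time=10:03:00 logid="0100000001" type="event" subtype="system" level="critical" vd="root" msg="Disk logging quota exceeded"
"""
ENTRIES = [parse_log(line) for line in SAMPLE.splitlines()]

if __name__ == "__main__":
    print(at_most(ENTRIES, "warning"), blocked_port_counts(ENTRIES), repeated_sources(ENTRIES, 3))
```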
CLI Log Checking – Precision and Control
The execute log display Command Ecosystem
When GUI access is unavailable due to network latency, blocked ports, or high CPU utilization, the CLI provides complete log access. According to the Fortinet Community Technical Tip, the primary command structure follows this workflow:
```
execute log filter reset                  # Clear existing filters
execute log filter device [0-3]           # Select source (0=memory, 1=disk, 2=FortiAnalyzer)
execute log filter category [n]           # Select log type
execute log filter field [key] [value]    # Apply specific match conditions
execute log filter view-lines [5-1000]    # Set results per page
execute log display                       # Execute and display results
```
Comprehensive Category Reference (FortiOS 5.4 – 7.6)
The CLI category system has expanded significantly across versions. Current FortiOS 7.6 offers 26 categories including:
| ID | Category | Use Case |
|---|---|---|
| 0 | traffic | Forward, local, multicast, sniffer traffic |
| 1 | event | System, admin, HA, user events |
| 2 | utm-virus | Antivirus detection and blocking |
| 3 | utm-webfilter | URL categorization and filtering |
| 4 | utm-ips | Intrusion prevention alerts |
| 5 | utm-emailfilter | Spam and email policy |
| 7 | utm-anomaly | DoS and flood protection |
| 10 | utm-app-ctrl | Application control identifications |
| 15 | utm-dns | DNS query logging |
| 19 | utm-file-filter | File type blocking |
| 24 | utm-virtual-patch | IPS virtual patching |
| 25 | utm-casb | Cloud application security |
| 26 | debug | Development and deep troubleshooting |
Critical Implementation Note: The Fortinet Community KB confirms that categories 6, 11, 13, 14, 18, and 21 are intentionally unused in current versions—do not attempt to reference them.
Advanced Filtering Techniques
Single Field Filtering:
```
execute log filter category 3
execute log filter field dstip 203.0.113.45
execute log display
```
Multi-Value Field Filtering (for subtypes):
```
execute log filter category 1
execute log filter field subtype system ha    # Shows both system AND HA events
execute log filter view-lines 500
execute log display
```
Free-Style Logical Expressions:
```
execute log filter free-style "(srcip 192.168.1.1) or (dstip 192.168.1.2)"
execute log filter free-style "((srcip 10.0.0.1) and (dstport 80 443)) or (level emergency)"
execute log filter free-style "(date 2024-11-15 not) and (dstip 198.51.100.10)"
```
The free-style parser supports parentheses, and/or operators, and value ranges using hyphen notation (e.g., dstport 8000-8999).
Session Persistence and Pagination
Unlike GUI sessions, CLI log displays are session-persistent. Once configured, filters remain active until explicitly reset with execute log filter reset. This allows:
- Setting complex filters once at session start
- Repeatedly executing execute log display to page through results
- The start-line value automatically increments by view-lines each display
- Maximum of 1000 lines per execution, unlimited total results
This enables complete log extraction even over low-bandwidth connections by capturing terminal output to local files.
Log Storage and Device Selection
Available Log Devices by FortiOS Version
The Fortinet Community Technical Tip documents significant evolution in storage options:
Pre-6.2 Devices:
- 0: memory
- 1: disk
- 2: fortianalyzer
- 3: forticloud
6.2 and Later Devices:
- 0: memory
- 1: disk
- 2: fortianalyzer
- 3: fortianalyzer-cloud
- 4: forticloud
Selection Command:
```
execute log filter device 1    # Query disk logs
execute log filter device 2    # Query FortiAnalyzer (on-device cache)
```
Important: Selecting a device does not pull logs directly from external servers; it queries the FortiGate’s locally cached index of those logs.
Memory vs. Disk Logging
| Attribute | Memory Logs | Disk Logs |
|---|---|---|
| Volatility | Lost on reboot | Persistent |
| Capacity | Limited (typically last 500-2000 events) | Large (GBs) |
| Speed | Fastest retrieval | Moderate |
| Use Case | Immediate troubleshooting | Compliance, forensics |
| CLI Access | device 0 | device 1 |
Expert Workflows – From Raw Data to Actionable Intelligence
Establishing Operational Baselines
The Fortinet Administration Guide stresses that effective troubleshooting requires knowing "what logs result from normal operation." Recommended baseline procedure:
- Configure logging: Enable Information severity on traffic and event categories
- Collect 7-day sample: Export weekly raw logs during known-good operations
- Document patterns: Average session counts, peak CPU/memory, common allowed applications
- Store securely: Maintain baseline files for comparison during incidents
Incident Response Workflow
When investigating suspected security events:
Phase 1 – Broad Reconnaissance:
```
execute log filter reset
execute log filter device 1
execute log filter free-style "(level alert) or (level critical) or (level emergency)"
execute log filter view-lines 1000
execute log display
```
Phase 2 – Targeted Investigation:
```
execute log filter reset
execute log filter category 0
execute log filter free-style "(dstip [suspicious IP]) and (action blocked)"
execute log display
```
Phase 3 – Contextual Enrichment:
```
execute log filter reset
execute log filter category 1
execute log filter field subtype system
execute log filter free-style "time [incident_time-1h]-[incident_time+1h]"
execute log display    # Identifies configuration changes near incident
```
Performance Troubleshooting
When investigating slow throughput or high CPU:
```
execute log filter category 1
execute log filter field subtype his-performance    # Historical performance stats
execute log filter view-lines 500
execute log display
```
This reveals cpu=, mem=, and total_session= metrics over time to establish degradation patterns.
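As an added example (not from the page or from Fortinet), this script turns his-performance lines captured through SSH terminal logging into the degradation check described above: the first samples serve as the known-good baseline from the baseline procedure, and a sustained excursion of cpu=, mem= or total_session= beyond that baseline is flagged. The sample lines are constructed and their field layout is an assumption.

```python
import re
from statistics import median

# Unquoted key=value pairs are all the numeric metrics need; quoted text fields in the
# same line are simply ignored.
_KV = re.compile(r'(\w+)=(\S+)')

def parse_perf(text):
    """Return [(timestamp, cpu, mem, total_session), ...] from his-performance lines."""
    out = []
    for line in text.splitlines():
        f = dict(_KV.findall(line))
        if {"date", "time", "cpu", "mem", "total_session"} <= f.keys():
            out.append((f"{f['date']} {f['time']}", int(f["cpu"]),
                        int(f["mem"]), int(f["total_session"])))
    return out

def degradation_runs(samples, metric, baseline_n, margin, run):
    """Flag the start of every run of `run` consecutive samples in which `metric`
    (1=cpu, 2=mem, 3=total_session) exceeds the known-good median by more than
    `margin`. The first baseline_n samples are taken as the baseline."""
    threshold = median(s[metric] for s in samples[:baseline_n]) + margin
    flagged, streak = [], 0
    for i in range(baseline_n, len(samples)):
        streak = streak + 1 if samples[i][metric] > threshold else 0
        if streak == run:
            flagged.append(samples[i - run + 1][0])
    return threshold, flagged

# Constructed sample (not real device output); the last line has no metrics and is skipped.
SAMPLE = """\
date=2024-11-15 time=08:00:00 type="event" subtype="his-performance" level="information" vd="root" cpu=10 mem=40 total_session=1500
date=2024-11-15 time=09:00:00 type="event" subtype="his-performance" level="information" vd="root" cpu=12 mem=41 total_session=1600
date=2024-11-15 time=10:00:00 type="event" subtype="his-performance" level="information" vd="root" cpu=11 mem=40 total_session=1550
date=2024-11-15 time=11:00:00 type="event" subtype="his-performance" level="information" vd="root" cpu=13 mem=42 total_session=1620
date=2024-11-15 time=12:00:00 type="event" subtype="his-performance" level="information" vd="root" cpu=15 mem=43 total_session=1700
date=2024-11-15 time=13:00:00 type="event" subtype="his-performance" level="information" vd="root" cpu=40 mem=70 total_session=9000
date=2024-11-15 time=14:00:00 type="event" subtype="his-performance" level="information" vd="root" cpu=45 mem=72 total_session=9500
date=2024-11-15 time=15:00:00 type="event" subtype="his-performance" level="information" vd="root" cpu=50 mem=75 total_session=9800
date=2024-11-15 time=16:00:00 type="event" subtype="system" level="information" vd="root" msg="Admin login"
"""

if __name__ == "__main__":
    print(degradation_runs(parse_perf(SAMPLE), 1, 4, 20, 2))
```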
Common Pitfalls and Expert Solutions
"No Logs Found" – Diagnosis and Resolution
Symptom: execute log display returns "0 logs found."
Investigation:
- Check filter settings: execute log filter dump
- Verify device selection matches log storage location
- Confirm category selection is appropriate for available logs
- Reset filters: execute log filter reset
Root Causes: Overly restrictive filters, selecting disk on units without HDD/SSD, category mismatch.
Incomplete Log Display
Symptom: Only 10 lines appear despite thousands of logs.
Solution: Increase view-lines up to the 1000 maximum:
```
execute log filter view-lines 1000
```
GUI Unavailability Workaround
When HTTPS management is non-responsive:
- SSH to FortiGate management IP
- Execute CLI log commands as documented above
- Enable terminal logging in the SSH client (PuTTY, SecureCRT) to capture output
- Process raw logs locally using text editors or analysis tools
Frequently Asked Questions (FAQ)
What is the difference between "execute log display" and "diagnose debug application"?
execute log display queries recorded, indexed logs from storage (memory/disk/FortiAnalyzer). diagnose debug captures real-time events as they occur and is used for active troubleshooting of specific features (IPsec, routing, FSSO). They serve complementary purposes—historical analysis vs. live debugging.
Can I view FortiAnalyzer logs directly from the FortiGate CLI?
Yes, using execute log filter device 2 (or 3 for FortiAnalyzer Cloud). However, this queries logs cached on the FortiGate, not the full FortiAnalyzer database. For complete FortiAnalyzer queries, use the FortiAnalyzer CLI or GUI.
How long are logs retained in memory?
Memory logs follow a circular buffer—oldest entries are overwritten when capacity is reached. Retention time varies by log volume but typically spans hours to a few days. Disk logs persist until manually deleted or rotated per retention policies.
Why does my execute log filter free-style command fail with "invalid expression"?
Common syntax errors include:
- Missing parentheses around compound conditions
- Using quotes inconsistently
- Incorrect field names (use dstip, not destination-ip)
- Value ranges without hyphen (correct: srcport 1000-2000, incorrect: srcport 1000 2000)
Can I export CLI log output to a file?
Direct file export from FortiGate CLI is not supported. Use terminal logging features in your SSH client, or enable logging of all CLI commands and output using FortiGate's config log cli-command settings.
How do I view historical VPN tunnel logs?
Filter for category 1 (event) with subtype ipsec:
```
execute log filter category 1
execute log filter field subtype ipsec
execute log display
```
What log categories should I monitor for security threats?
Essential categories: 2 (virus), 3 (webfilter), 4 (ips), 7 (anomaly), 10 (app-ctrl). For compliance monitoring, include 0 (traffic) and 1 (event, especially admin and system events).
Conclusion: The Imperative of Log Proficiency
FortiGate logging proficiency separates reactive administrators from proactive security engineers. As this comprehensive review demonstrates, the platform offers unparalleled flexibility through both GUI simplicity and CLI granularity. The documented methods—from baseline establishment in the Administration Guide to the intricate free-style filtering documented by the Fortinet Community—provide a complete toolkit for any operational scenario.
Modern network defense requires practitioners who can seamlessly transition between high-level GUI analysis and precision CLI interrogation. By mastering the commands, categories, and workflows detailed in this report, security professionals ensure they remain effective regardless of network conditions, interface availability, or incident complexity. The logs contain the truth of your network—knowing how to extract it is not optional; it is essential.