Memory logging enabled-fortinet-FortiOS

Memory logging enabled-fortinet-FortiOS
0

Memory logging enabled-fortinet-FortiOS

Vendor: fortinet

OS: FortiOS

Description:
Indeni will alert if logging to the system memory is enabled.

Remediation Steps:
Turn off memory logging as soon as possible.
|1. Login via ssh to the Fortinet firewall and run the FortiOS command “get log memory setting” to review the logging memory status. If the FortiGate unit has a hard disk, it is enabled by default to store logs. If the FortiGate unit has only flash memory, disk logging is disabled by default.
|2. Login via https to the Fortinet firewall and go to the menu System > Dashboard > Status. Look at the system resources widget to review the Memory utilization graph. If the memory utilization is high then it is recommended to disable the logging to memory setting. Use the FortiOS commands “execute filter log device X”, “execute log filter category Y” and “execute log delete” to clear the logs.
|3. Run the FortiOS command “execute log filter device“ to get a list of the supported log devices. Consider storing logs to Syslog, FortiAnalyzer or FortiCloud instead of memory or hard disk.
|4. If logging to memory is the only option then it is a good practice to manually set the warning thresholds and the max memory log buffer size under the “config log memory global-setting” FortiOS CLI.
|5. For more information review the Fortinet Handbook: https://docs.fortinet.com/uploaded/files/3421/logging-reporting-54.pdf

How does this work?
This script retrieves the log system memory setting by using the REST API

Why is this important?
This metric is used to identify if logging to the system memory is enabled. Enabling logging to the system memory is not recommended because this may affect the performance of the device. In addition, logs stored in the memory are cleared when the FortiGate device is restated. Based on the network security best practice is recommended to store logs to a remote device. Fortinet recommends uploading the logs for analysis to a remote device such as FortiAnalyzer or FortiGuard Analysis server. Check the link below for more information: https://docs.fortinet.com/uploaded/files/3421/logging-reporting-54.pdf

Without Indeni how would you find this?
The user would have to login to the device and use the “get log memory setting” command to identify if the logging memory is enabled on the device.

fortios-get-log-memory-setting

name: fortios-get-log-memory-setting
description: FortiGate check memory logging status
type: monitoring
monitoring_interval: 10 minutes
requires:
    vendor: fortinet
    os.name: FortiOS
    product: firewall
comments:
    fortios-memory-logging:
        why: |
            This metric is used to identify if logging to the system memory is enabled. Enabling logging to the system
            memory is not recommended because this may affect the performance of the device. In addition, logs stored in
            the memory are cleared when the FortiGate device is restated. Based on the network security best practice is
            recommended to store logs to a remote device. Fortinet recommends uploading the logs for analysis to a remote
            device such as FortiAnalyzer or FortiGuard Analysis server. Check the link below for more information:
            https://docs.fortinet.com/uploaded/files/3421/logging-reporting-54.pdf
        how: |
            This script retrieves the log system memory setting by using the REST API
        can-with-snmp: false
        can-with-syslog: false
steps:
-   run:
        type: HTTP
        command: /api/v2/cmdb/log.memory/setting?global=1
    parse:
        type: JSON
        file: get_log_memory_setting.parser.1.json.yaml

FortinetMemoryLogging

Failed to fetch the data: https://bitbucket.org/indeni/indeni-knowledge/src/master/rules/templatebased/fortinet/FortinetMemoryLogging.scala