
Enable Traffic Logging

Traffic logging records every session that hits the firewall — source, destination, ports, action, bytes. Without it, you have no visibility into what's actually flowing. With it, you can answer "did this traffic happen?" and "who accessed that?" — critical for troubleshooting and compliance.

Logging Levels

Per firewall policy:

  • Disable — no logging (don't use except for high-volume LAN-internal flows).
  • Log Security Events — only sessions where a security profile (AV/IPS/Web Filter) hit something.
  • Log All Sessions — every accepted session (and denied sessions, if logging of denied traffic is enabled).

The cost of "Log All Sessions" is disk and CPU. On a busy box, you may need to be selective. On a normal SMB box, log everything.

Steps

Per-policy traffic logging

  1. Policy & Objects → Firewall Policy → open the policy.
  2. Scroll to Logging Options.
  3. Log Allowed Traffic → All Sessions (recommended for most policies).
  4. Log Violation Traffic → Enable (logs sessions hitting deny policies).
  5. Capture Packets → Enable if you want to keep PCAP for matched sessions (disk-heavy).
  6. OK.

Global default

To log denied traffic that doesn't match any policy (implicit deny):

  1. Log & Report → Log Settings.
  2. Local Log → Event Logging → Enable for the events you care about.
  3. Log Allowed Traffic in Local Log section.
  4. Apply.

CLI Equivalent

config firewall policy
edit <id>
    set logtraffic all      # Or: utm (security events only), disable
    set logtraffic-start enable    # log session-start, not just session-end
next
end

# Global denied-traffic logging:
config log setting
    set local-in-allow enable
    set local-in-deny-broadcast enable
    set local-in-deny-unicast enable
end

Where Logs Go

By default, logs go to the FortiGate's internal disk. For long-term storage:

Configure these in Log & Report → Log Settings.

Verify

After enabling, generate test traffic from a LAN client. Check:

# Recent traffic logs:
execute log filter category 0     # Traffic = 0
execute log filter device disk
execute log display

Or GUI: Log & Report → Forward Traffic — should show your test session.

Common Issues

  • Logs missing for some traffic. Policy has Log Security Events (only AV/IPS hits logged). Change to All Sessions.
  • Disk fills. Log All Sessions on a busy firewall produces GB/day. Forward to FortiAnalyzer or reduce retention.
  • Logs delayed. FortiGate batches log writes; minor delay normal.
  • Forward Traffic page empty in GUI. Disk logging disabled — check config log disk setting; show; end.
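
To find every policy affected by the "logs missing" issue at once, you can audit a saved configuration backup for policies whose logtraffic is not all. This is an added example, not part of the original page or any Fortinet tooling: the sample config is constructed, audit_logtraffic is a hypothetical helper, and treating a policy with no "set logtraffic" line as utm is an assumption about the default (a single-VDOM backup is also assumed).

```python
import re

# Constructed sample in FortiGate config-backup layout (not from a real device).
SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set name "LAN-to-WAN"
        set logtraffic all
    next
    edit 2
        set name "Guest-to-WAN"
        set logtraffic utm
    next
    edit 3
        set name "Backup-LAN"
        set logtraffic disable
    next
    edit 4
        set name "DMZ-to-LAN"
    next
end
config log setting
    set local-in-allow enable
end
"""

def audit_logtraffic(config_text, default="utm"):  # default: assumed mode when unset
    """Return {policy_id: (name, mode)} for policies not set to log all sessions."""
    findings, in_table, policy_id, depth, settings = {}, False, None, 0, {}
    for line in map(str.strip, config_text.splitlines()):
        if not in_table:
            in_table = line == "config firewall policy"
        elif depth:  # inside a nested config block of a policy: skip, track nesting
            depth += line.startswith("config ") - (line == "end")
        elif policy_id is None:
            if line == "end":  # end of the policy table
                in_table = False
            elif m := re.fullmatch(r"edit (\d+)", line):
                policy_id, settings = int(m.group(1)), {}
        elif line.startswith("config "):
            depth = 1
        elif line == "next":  # policy entry complete: evaluate it
            mode = settings.get("logtraffic", default)
            if mode != "all":
                findings[policy_id] = (settings.get("name", ""), mode)
            policy_id = None
        elif m := re.fullmatch(r'set (\S+) "?(.*?)"?', line):
            settings[m.group(1)] = m.group(2)
    return findings
```

Run it against the text of a backup file and review each reported policy: utm means only security-profile hits are logged, disable means nothing is.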