Enable IPS packet logging
Packet logging saves the network packets containing the traffic matching an IPS signature to the attack log. The FortiGate unit will save the logged packets to wherever the logs are configured to be stored, whether memory, internal hard drive, a FortiAnalyzer unit, or the FortiGuard Analysis and Management Service.
You can enable packet logging in the filters. Use caution in enabling packet logging in a filter. Filters configured with few restrictions can contain thousands of signatures, potentially resulting in a flood of saved packets. This would take up a great deal of space, require time to sort through, and consume considerable system resources to process. Packet logging is designed as a focused diagnostic tool and is best used with a narrow scope.
|Although logging to multiple FortiAnalyzer units is supported, packet logs are not sent to the secondary and tertiary FortiAnalyzer units. Only the primary unit receives packet logs.|
To enable packet logging for a filter
- Create a filter in an IPS sensor.
- Before saving the filter, check the box next to Packet Logging just under the filter action options.
- Select the IPS sensor in the security policy that allows the network traffic the FortiGate unit will examine for the signature.
For information on viewing and saving logged packets, see "Configuring packet logging options".