
Logging and Reporting

New logging and reporting features include:

Traffic and UTM Logging Improvements

Traffic and UTM Logging has been simplified in FortiOS 5.2 by making the following changes:

  • Removing all overlapping fields between the UTM Logs and Traffic Logs, with the exception of the common fields sessionid, vd, user, and group, as well as critical application control information, which will be present in both the Traffic Log and the Application log.
  • Fields have been renamed so that they are the same in all logs.
  • Some rarely used fields were removed; for example, profiletype.
  • The action field reflects the Firewall action (accept or deny). This will allow you to see from the traffic logs if the session was allowed or blocked and whether it was allowed or blocked by the firewall or by a security feature. If it was a security feature, you will need to look at the UTM logs to determine which feature blocked the traffic.
  • The field utmaction is set to the most severe actions across all security features. The severity from highest to lowest is: Block, Reset, Traffic Shape, Allow.
  • You can now drill-down from a traffic log to its corresponding UTM logs.
  • extended-utm-log and log options for security profiles have been removed.
  • Log roll logic has been rewritten so that a traffic log file and its related UTM log files are rolled together. The uploadd process packs these files together to send to a FortiAnalyzer unit.
  • An anomaly log category has been added to separate anomaly logs from IPS logs.
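As an added example (not from the FortiOS documentation), the following Python correlates constructed traffic and UTM log lines by the shared sessionid and applies the utmaction severity rule above to tell whether a session was stopped by the firewall policy or by a security feature; the key=value line format and the per-feature action names are assumptions.

```python
import re
# Constructed sample log lines in FortiOS key=value style (not captured from a real unit).
SAMPLE_LOGS = [
    'type="traffic" sessionid=1001 vd="root" user="alice" action="accept" utmaction="block"',
    'type="utm" subtype="webfilter" sessionid=1001 vd="root" user="alice" action="blocked"',
    'type="utm" subtype="app-ctrl" sessionid=1001 vd="root" user="alice" action="pass"',
    'type="traffic" sessionid=1002 vd="root" user="bob" action="deny"',
    'type="traffic" sessionid=1003 vd="root" user="carol" action="accept" utmaction="allow"',
]

# utmaction severity as stated on the page, highest first; ACTION_ALIASES is an assumed
# mapping of per-feature action names onto that vocabulary.
UTM_SEVERITY = ["block", "reset", "traffic shape", "allow"]
ACTION_ALIASES = {"blocked": "block", "pass": "allow"}
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_log(line):
    """Parse one key=value log line into a dict (values may be quoted or bare)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}

def most_severe(actions):
    """Apply the page's rule: utmaction is the most severe action across all features."""
    norm = {ACTION_ALIASES.get(a, a) for a in actions}
    return next((level for level in UTM_SEVERITY if level in norm), "allow")

def index_logs(lines):
    """Traffic logs keyed by sessionid, plus the UTM logs sharing each sessionid (the drill-down key)."""
    traffic, utm = {}, {}
    for rec in map(parse_log, lines):
        if rec.get("type") == "traffic":
            traffic[rec["sessionid"]] = rec
        elif rec.get("type") == "utm":
            utm.setdefault(rec["sessionid"], []).append(rec)
    return traffic, utm

def triage(sessionid, traffic, utm):
    """Return (verdict, blocking_features): who decided the session's fate."""
    rec = traffic[sessionid]
    if rec["action"] == "deny":          # the firewall policy itself denied the session
        return "firewall", []
    related = utm.get(sessionid, [])
    expected = most_severe(u["action"] for u in related)
    if rec.get("utmaction", "allow") != expected:   # summary field disagrees with the UTM logs
        raise ValueError(f"utmaction mismatch for session {sessionid}")
    if expected in ("block", "reset"):   # accepted by the firewall, stopped by a security feature
        return "utm", [u["subtype"] for u in related if most_severe([u["action"]]) in ("block", "reset")]
    return "allowed", []
```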

FortiGate Daily Security Report

The FortiGate UTM Security Analysis Report has been renamed the FortiGate Daily Security Report.

A variety of other changes have also occurred to the report:

  • A new cover page has been added that contains the report name, date, date range, and device name.
  • A table of contents page has been added.
  • The VPN usage information now shows all usage rather than just a top 10 list, so the complete list includes all tunnels for site-to-site IPsec VPNs and all users for dial-up IPsec VPN tunnels, SSL VPN tunnels, and SSL VPN web mode. Information on connection time has also been added.
  • Entries are not displayed when bandwidth or connection time is zero.

GTP Logging Improvements

Several changes have been made concerning GPRS Tunneling Protocol (GTP) and logging.

GTP-U Logging

FortiOS 5.2 supports GPRS Tunnelling Protocol User Plane (GTP-U) logging for both forwarded and dropped packets at the kernel level. FortiGate log entries now contain International Mobile Subscriber Identity (IMSI), Mobile Subscriber Integrated Services Digital Network-Number (MSISDN), Access Point Name (APN), and header Tunnel Endpoint Identifier (TEID) if available/applicable.

Three new CLI options have been added to the GTP profile for GTP-U logging:

  • gtpu-forwarded-log: Enable/disable logging of forwarded GTP-U packets.
  • gtpu-denied-log: Enable/disable logging of denied GTP-U packets.
  • gtpu-log-freq: Sets the logging frequency of GTP-U packets.

Syntax

config firewall gtp
    edit gtp_profile
        set gtpu-forwarded-log enable
        set gtpu-denied-log enable
        set gtpu-log-freq 10
    end
end

The log frequency value is a number of packets; for example, set gtpu-log-freq 10 means the FortiGate unit creates one log entry per 10 GTP-U packets.

GTP Event Log

A new GTP event log has been added, which can be found by going to Logging & Reports > Event Log > GTP. This log will show GTP activity status and a Deny Cause for any traffic that was blocked or dropped.

In order to see this log, it must be enabled either in the Log Settings or in the CLI.

Syntax

config log eventfilter
    set gtp enable
end

Flash-based Logging Disabled on Some Models

On some FortiGate models, flash-based logging is not available in FortiOS 5.2. For these platforms, Fortinet recommends the free FortiCloud central logging & reporting service, as it offers higher capacity and extends the features available to the FortiGate.

For a full list of affected models, please refer to the Release Notes.

Accessing Policy-specific Logs from the Policy List

In FortiOS 5.2, the log viewer can be opened directly from the policy table, with filters applied automatically to show only the logs relating to that policy. To view these logs, right-click on the Seq.# column for the policy and select Show Matching Logs.

The log viewer will filter using the Policy UUID if it is enabled. If not, the Policy ID will be used.

IPS Event Context Data in Log Messages

Attack context logging can now be enabled for an IPS sensor, which will add two new fields, attackcontext and attackcontextid, into an attack log.

The atkctx field in the log contains a Base64-encoded string of the following:

<PATTERNS> trigger patterns separated by ';' </PATTERNS> <URI> uri buffer </URI> <HEADER> header buffer </HEADER> <BODY> body buffer </BODY> <PACKET> packet buffer </PACKET>


Attackcontext entries longer than 1KB are split into multiple log entries, which share the same incidentserialno. Attackcontextid identifies each segment's position in the sequence; for example, <1/3> means this log is the first segment of a log message containing three segments in total.
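As an added example (not from the FortiOS documentation), this Python reassembles constructed attack log segments by incidentserialno and attackcontextid, decodes the Base64 context and splits it into the tagged sections listed above; that each segment carries a slice of the Base64 text is an assumption.

```python
import base64
import re

# Constructed attack log records (not from a real unit). One incident is split into three
# segments; it is assumed here that each segment carries a slice of the Base64 text, so the
# slices are concatenated before decoding.
_CONTEXT = ("<PATTERNS>trigger.one;trigger.two</PATTERNS>"
            "<URI>/index.html?q=sample</URI>"
            "<HEADER>Host: example.invalid</HEADER>"
            "<BODY></BODY><PACKET>raw-packet-bytes</PACKET>")
_B64 = base64.b64encode(_CONTEXT.encode()).decode()
_N = (len(_B64) + 2) // 3
SAMPLE_ATTACK_LOGS = [   # deliberately out of order: attackcontextid, not arrival, decides sequence
    {"incidentserialno": "12345", "attackcontextid": "<2/3>", "attackcontext": _B64[_N:2 * _N]},
    {"incidentserialno": "12345", "attackcontextid": "<1/3>", "attackcontext": _B64[:_N]},
    {"incidentserialno": "99999", "attackcontextid": "<1/1>",
     "attackcontext": base64.b64encode(b"<PATTERNS>single</PATTERNS>").decode()},
    {"incidentserialno": "12345", "attackcontextid": "<3/3>", "attackcontext": _B64[2 * _N:]},
]

ID_RE = re.compile(r"<(\d+)/(\d+)>")
TAG_RE = re.compile(r"<(PATTERNS|URI|HEADER|BODY|PACKET)>(.*?)</\1>", re.S)

def reassemble(records):
    """Group segments by incidentserialno, order them by attackcontextid, and decode each
    complete incident; returns {incidentserialno: decoded bytes}. Incomplete sets are skipped."""
    groups = {}
    for rec in records:
        m = ID_RE.fullmatch(rec["attackcontextid"])
        if not m:
            raise ValueError(f"bad attackcontextid {rec['attackcontextid']!r}")
        idx, total = int(m.group(1)), int(m.group(2))
        parts, expected = groups.setdefault(rec["incidentserialno"], ({}, total))
        if expected != total or idx in parts or not 1 <= idx <= total:
            raise ValueError(f"inconsistent segment {idx}/{total} for {rec['incidentserialno']}")
        parts[idx] = rec["attackcontext"]
    return {serial: base64.b64decode("".join(parts[i] for i in range(1, total + 1)))
            for serial, (parts, total) in groups.items() if len(parts) == total}

def parse_context(decoded):
    """Split the decoded context into its tagged sections; PATTERNS becomes a list."""
    sections = dict(TAG_RE.findall(decoded.decode("utf-8", "replace")))
    if "PATTERNS" in sections:
        sections["PATTERNS"] = [p for p in sections["PATTERNS"].split(";") if p]
    return sections
```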

Sniffer Traffic Log

Forward traffic from a FortiGate unit that is in one-arm sniffer mode can now be logged on that FortiGate unit. To log this traffic, the appropriate logging option must be selected for the sniffer interface.

Logging information can be viewed in the new sniffer log, which can be found by going to Log & Report > Forward Traffic > Sniffer Traffic.

Selecting Sources for Reports

The source for reports can now be configured to be either forward traffic, sniffer traffic, or both.

Syntax

config report setting
    set status enable
    set report-source {forward-traffic | sniffer-traffic | both}
end

Threat Weight

The FortiOS 5.0 client reputation feature has been renamed Threat Weight in FortiOS 5.2 and has been moved from Security Profiles to Log & Report > Log Config > Threat Weight. It can now be configured in the CLI using the command config log threat-weight.

Disk Usage Information in System Event Logs

Disk usage information will now be included in system event logs for FortiGate models that have a hard disk.

Event Log Generated When a Crash Occurs

An event log entry containing brief information about the crash is now generated when a crash occurs.

Displaying FortiFlow Names

Object name data will now be pulled from FortiFlow in applicable locations, including the Forward Traffic log and the Top Destinations widget.