Thursday, August 28, 2014

This is why the forticloud is not a viable logging solution in a big enterprises networks.

A heavy usage firewall with tons of events,  can easily exhaust the quota set by forticloud logging services.  Granted you could increase the  quota by paying  for a quota subscription.

Here's the logging error you will see on the dashboard if logging stops or is in accessible;

Here a means for looking at the number events  logged ( fds = the events logged to the cloud  mem = the events logged to memory )

note: to reset statistics  kill off the miglod process and let it restart;



diag sys  kill 1  <PID>   YMMV with the latter.

Next, it's easy to  fill your quota and exhaust your disk usage.

NOTE: You can always keep deleting logs to make space available, but that can get boring very quick.

Forticloud is great for SOHO and a low usage SMB firewall, but it's not intended to replace enterprise level logging systems. This is where the Cisco Meraki wins at imho.

I will post about the Meraki cloud management and logging next month. But with the cisco meraki approach you get this via an activation license that you must buy for the meraki appliance.  This includes all appliances and not just firewalls, which is what the forticloud solution only supports.

Nothing is free from cisco btw ;)

The forticloud is a good try, see, and then buy if it meets your needs. Or you can always go with the localize fortianalyzer approach.

key points about forticloud;
  • is not a best-fit model for all setups
  • requires internet access for logging
  • expose your logging data in somebody else hands
  • is a quota based
  • requires internet access for retrieval ( so if your down and trying to get logging info, your Shit out of luck unless you have memory logging enabled )

Ken Felix
NSE ( Network Security Expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
   ^      ^
=(  $  $ )=
      /  \

No comments:

Post a Comment