What's the difference between Local Traffic logs and Forward Traffic logs on FortiGates?
Comparing some similar terms in logging
💡 This is part of an ongoing series in cybersecurity foundations. Check the cyber 101 article tag index from time to time for more content.
There are a lot of different types of FortiGate logs that admins can review, but the most popular/common are probably "Local Traffic" and "Forward Traffic" logs. Both are essential for troubleshooting, but it's important to understand their differences.
Here's the quick breakdown:
- Local Traffic logs record communication where the FortiGate itself is either the source or the destination.
  - This means the traffic is not simply passing through; it's terminating at (or originating from) the FortiGate's control plane or services.
  - These logs help admins track communication attempts for a variety of components including (but not limited to):
    - Authentication (RADIUS, LDAP, TACACS+)
    - Routing protocol updates (e.g. OSPF, BGP, etc.)
    - FortiGuard Service updates (firmware, antivirus definitions, IP signatures, etc.)
    - Administrative access
- Forward Traffic logs record traffic that passes through the firewall from one interface to another.
  - This captures traffic records for user or data-plane traffic.
  - Forward Traffic logs are the most common type of traffic log and are crucial for:
    - Security policy enforcement (showing which policies allowed or denied specific traffic flows)
    - Network visibility (understanding user activity)
    - Compliance and auditing (providing a record of network activity for regulatory requirements)
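To make the distinction concrete, here is an added Python example (not from the original article or from Fortinet) that splits FortiOS key=value traffic logs by their `subtype` field, then summarizes denied attempts aimed at the firewall itself and forward flows per policy. The sample log lines are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines in FortiOS key=value style; all values are made up.
SAMPLE_LOGS = [
    'date=2024-05-01 time=10:00:01 type="traffic" subtype="forward" srcip=10.0.1.20 srcintf="lan" dstip=192.0.2.80 dstintf="wan1" dstport=443 policyid=5 action="close" service="HTTPS"',
    'date=2024-05-01 time=10:00:03 type="traffic" subtype="local" srcip=203.0.113.7 srcintf="wan1" dstip=198.51.100.1 dstintf="root" dstport=22 policyid=0 action="deny" service="SSH"',
    'date=2024-05-01 time=10:00:04 type="traffic" subtype="local" srcip=203.0.113.7 srcintf="wan1" dstip=198.51.100.1 dstintf="root" dstport=22 policyid=0 action="deny" service="SSH"',
    'date=2024-05-01 time=10:00:09 type="traffic" subtype="local" srcip=198.51.100.1 srcintf="root" dstip=192.0.2.53 dstintf="wan1" dstport=53 policyid=0 action="accept" service="DNS"',
    'date=2024-05-01 time=10:00:12 type="traffic" subtype="forward" srcip=10.0.1.33 srcintf="lan" dstip=192.0.2.99 dstintf="wan1" dstport=23 policyid=0 action="deny" service="TELNET"',
    'date=2024-05-01 time=10:00:15 type="event" subtype="system" msg="Admin login successful"',
]

# key=value pairs; a value is either "quoted, may contain spaces" or a bare token.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Turn one key=value log line into a dict, unquoting quoted values."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}

def split_traffic(lines):
    """Group traffic records by subtype: 'local' (to/from the FortiGate)
    versus 'forward' (through it). Non-traffic records are ignored."""
    buckets = {"local": [], "forward": []}
    for line in lines:
        rec = parse_line(line)
        if rec.get("type") == "traffic" and rec.get("subtype") in buckets:
            buckets[rec["subtype"]].append(rec)
    return buckets

def denied_local_sources(local_recs):
    """Count denied attempts against the FortiGate itself per (srcip, service)."""
    return Counter((r.get("srcip"), r.get("service", "?"))
                   for r in local_recs if r.get("action") == "deny")

def forward_by_policy(forward_recs):
    """Count forward records per (policyid, action) to see which policy handled them."""
    return Counter((r.get("policyid"), r.get("action")) for r in forward_recs)

if __name__ == "__main__":
    traffic = split_traffic(SAMPLE_LOGS)
    print("denied local-in attempts:", dict(denied_local_sources(traffic["local"])))
    print("forward flows by policy:", dict(forward_by_policy(traffic["forward"])))
```
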
For more information, check out these resources:
Log settings and targets | Administration Guide

Local-in policy | Administration Guide
