Disk log quota issue

Baboda · ‎08-16-2017

Hello,

cannot understand why I can't increase log quota for FG800C3913801256 while I have 1650.8GB total available on my FAZ300D (5.4). I've also tryied to decrease FG800C3913801910 quota from 800GB to 10GB but cannot increase for FG800C3913801256. 800GB are missed somewhere :( see below please any help.

FAZ300D # execute log device disk-quota FG800C3913801256 900000 The input value is too large. Valid range is between 100 and 401 (MB).

FAZ300D # diagnose log device Device Name Device ID Used Space(logs / quarantine / content / IPS) Allocated Space Used% FG800C3913801256 FG800C3913801256 125.3GB( 125.3GB/ 0.0KB/ 0.0KB/ 1.4MB) 800.0GB 15.7% FG800C3913801910 FG800C3913801910 27.7MB( 27.7MB/ 0.0KB/ 0.0KB/ 0.0KB) 9.8GB 0.3% Total: 2 log devices, used=125.4GB quota=809.8GB

AdomName AdomOID Type Logs Database [Retention Quota UsedSpace(logs / quarantine / content / IPS) Used%] [Retention Quota Used Used%] root 3 FGT 30days 625.0GB 125.4GB( 125.4GB/ 0.0KB/ 0.0KB/ 1.4MB) 20.1% 30days 937.5GB 281.9GB 30.1% FortiMail 142 FML 365days 400.0MB 0.0KB( 0.0KB/ 0.0KB/ 0.0KB/ 0.0KB) 0.0% 365days 600.0MB 2.8MB 0.5% FortiCache 144 FCH 365days 400.0MB 0.0KB( 0.0KB/ 0.0KB/ 0.0KB/ 0.0KB) 0.0% 365days 600.0MB 2.8MB 0.5% FortiWeb 145 FWB 365days 400.0MB 0.0KB( 0.0KB/ 0.0KB/ 0.0KB/ 0.0KB) 0.0% 365days 600.0MB 2.8MB 0.5% Syslog 147 SYS 365days 400.0MB 0.0KB( 0.0KB/ 0.0KB/ 0.0KB/ 0.0KB) 0.0% 365days 600.0MB 2.8MB 0.5% FortiClient 148 FCT 365days 400.0MB 0.0KB( 0.0KB/ 0.0KB/ 0.0KB/ 0.0KB) 0.0% 365days 600.0MB 2.8MB 0.5% FortiAnalyzer 149 FAZ 365days 400.0MB 0.0KB( 0.0KB/ 0.0KB/ 0.0KB/ 0.0KB) 0.0% 365days 600.0MB 2.8MB 0.5% FortiSandbox 151 FSA 365days 400.0MB 0.0KB( 0.0KB/ 0.0KB/ 0.0KB/ 0.0KB) 0.0% 365days 600.0MB 2.8MB 0.5% FortiCarrier 153 FGT 365days 400.0MB 0.0KB( 0.0KB/ 0.0KB/ 0.0KB/ 0.0KB) 0.0% 365days 600.0MB 2.8MB 0.5% FortiManager 288 FMG 365days 400.0MB 0.0KB( 0.0KB/ 0.0KB/ 0.0KB/ 0.0KB) 0.0% 365days 600.0MB 2.8MB 0.5% FortiDDoS 291 FDD 365days 400.0MB 0.0KB( 0.0KB/ 0.0KB/ 0.0KB/ 0.0KB) 0.0% 365days 600.0MB 2.8MB 0.5% Total usage: 11 ADOMs, logs=125.4GB database=283.2GB(ADOMs usage:281.9GB + Internal Usage:1.2GB)

Total Quota Summary: Total Quota Allocated Available Allocate% 1650.8GB 1572.3GB 78.5GB 95.2%

System Storage Summary: Total Used Available Use% 1833.8GB 510.5GB 1323.3GB 27.8%

Reserved space: 183.0GB (10.0% of total space).

scao_FTNT · ‎08-16-2017

what is the FAZ version? "execute log device disk-quota" output seems not correct based on "diagnose log device" output

but from 5.4, FAZ has changed quota design and added new ADOM level quota, so you can remove (set device to 0 = unlimited) device quota config and let ADOM quota to take control (you can config on GUI when edit ADOM)

Thanks

Simon

Baboda · ‎08-18-2017

Thanks Simon,

also because upgrading to FAZ 5.4 was created the root adom but with FGTs version still at 5.0 while in the meantime we upgraded FGTs to 5.2 I've created new adom named FGT800C and migrated FGTs from root to this new one. Then I moved most space from root (which is empty right now) to FGT800C adom. I've also removed device log quota as by your advice:

FAZ300D # diagnose log device Device Name Device ID Used Space(logs / quarantine / content / IPS) Allocated Space Used% FG800C3913801256 FG800C3913801256 30.1GB( 30.1GB/ 0.0KB/ 0.0KB/ 2.4MB) unlimited n/a FG800C3913801910 FG800C3913801910 19.9MB( 19.9MB/ 0.0KB/ 0.0KB/ 0.0KB) unlimited n/a Total: 2 log devices, used=30.2GB quota=unlimited

AdomName AdomOID Type Logs Database [Retention Quota UsedSpace(logs / quarantine / content / IPS) Used%] [Retention Quota Used Used%] root 3 FGT 365days 9.8GB 0.0KB( 0.0KB/ 0.0KB/ 0.0KB/ 0.0KB) 0.0% 90days 39.1GB 715.4MB 1.8% FortiMail 142 FML 365days 400.0MB 0.0KB( 0.0KB/ 0.0KB/ 0.0KB/ 0.0KB) 0.0% 365days 600.0MB 2.8MB 0.5% FortiCache 144 FCH 365days 400.0MB 0.0KB( 0.0KB/ 0.0KB/ 0.0KB/ 0.0KB) 0.0% 365days 600.0MB 2.8MB 0.5% FortiWeb 145 FWB 365days 400.0MB 0.0KB( 0.0KB/ 0.0KB/ 0.0KB/ 0.0KB) 0.0% 365days 600.0MB 2.8MB 0.5% Syslog 147 SYS 365days 400.0MB 0.0KB( 0.0KB/ 0.0KB/ 0.0KB/ 0.0KB) 0.0% 365days 600.0MB 2.8MB 0.5% FortiClient 148 FCT 365days 400.0MB 0.0KB( 0.0KB/ 0.0KB/ 0.0KB/ 0.0KB) 0.0% 365days 600.0MB 2.8MB 0.5% FortiAnalyzer 149 FAZ 365days 400.0MB 0.0KB( 0.0KB/ 0.0KB/ 0.0KB/ 0.0KB) 0.0% 365days 600.0MB 2.8MB 0.5% FortiSandbox 151 FSA 365days 400.0MB 0.0KB( 0.0KB/ 0.0KB/ 0.0KB/ 0.0KB) 0.0% 365days 600.0MB 2.8MB 0.5% FortiCarrier 153 FGT 365days 400.0MB 0.0KB( 0.0KB/ 0.0KB/ 0.0KB/ 0.0KB) 0.0% 365days 600.0MB 2.8MB 0.5% FortiManager 288 FMG 365days 400.0MB 0.0KB( 0.0KB/ 0.0KB/ 0.0KB/ 0.0KB) 0.0% 365days 600.0MB 2.8MB 0.5% FortiDDoS 291 FDD 365days 400.0MB 0.0KB( 0.0KB/ 0.0KB/ 0.0KB/ 0.0KB) 0.0% 365days 600.0MB 2.8MB 0.5% FGT800C 326 FGT 365days 454.1GB 30.2GB( 30.1GB/ 0.0KB/ 0.0KB/ 2.4MB) 6.6% 60days 1059.6GB 272.8GB 25.7% Total usage: 12 ADOMs, logs=30.2GB database=274.8GB(ADOMs usage:273.5GB + Internal Usage:1.2GB)

Total Quota Summary: Total Quota Allocated Available Allocate% 1650.8GB 1572.3GB 78.5GB 95.2%

System Storage Summary: Total Used Available Use% 1833.8GB 406.5GB 1427.3GB 22.2%

Reserved space: 183.0GB (10.0% of total space).

My question is .. is root adom necessary even though it is empty ? I can't delete it or at least if possible I'd like to make availbale its 50 GB to use for the new adom.

Last question is what's the difference between analytics and archive logs ? I see there is a quota each with default value 70%/30% and 60 days/365 days retention each.

scao_FTNT · ‎08-18-2017

is root adom necessary even though it is empty ? I can't delete it or at least if possible I'd like to make availbale its 50 GB to use for the new adom. -- root ADOM is the default ADOM (similar as FGT root VDOM), you can not delete this default ADOM, but you can change its quota to maybe 1000MB as other default ADOMs Last question is what's the difference between analytics and archive logs ? I see there is a quota each with default value 70%/30% and 60 days/365 days retention each. -- analytics is for SQL db after log inserted into SQL table and archive is for raw log (and IPS, antivirus file, email attachment etc if your FGT enabled this) and FAZ has 2 controls here, quota based, so when quota reach FAZ will start to delete oldest log table and log files, or policy based, so when xx days you configured reached first, FAZ start to delete. But for quota triggered delete, FAZ will popup a warning since FAZ can not keep user configured policy day (for example, you configured to keep 1 month SQL but FAZ only can keep 1 week since quota is too small) to ask user to increase quota config

Thanks

Simon

Baboda · ‎08-21-2017

Thanks a lot Simon!

really the last question is how file management (see the attached image) interacts with adom quota and policy. I mean if adom archive is 365 days but file management is 90 days does it means that anyway I have three month logs even though adom archive is 365 days ? Right now I've configured adom 90 days for analytics and 365 days for archive .. 90 days automatically delete in file management is it ok ?

scao_FTNT · ‎08-21-2017

file management, about raw log file auto delete, also functions here, so depends on which day reached first and then which function triggered

file management is a global settings so will work for all ADOMs/all device log files and new 5.4 ADOM policy config is a per ADOM control. here, if you config file management to auto delete raw log file (and archive files) for 90 days, then you can not keep 365 day archives as your ADOM policy config so yes for "have three month logs even though adom archive is 365 days"

Thanks

Simon