The FortiGate device must generate log records for a locally developed list of auditable events.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-234194 | FGFW-ND-000175 | SV-234194r879887_rule | CCI-000169 | medium |

Description

Auditing and logging are key components of any security architecture. Logging the actions of specific events provides a means to investigate an attack; to recognize resource utilization or capacity thresholds; or to identify an improperly configured network device. If auditing is not comprehensive, it will not be useful for intrusion monitoring, security investigations, and forensic analysis.

| STIG | Date |
|---|---|
| Fortinet FortiGate Firewall NDM Security Technical Implementation Guide | 2023-06-01 |
Details
Check Text (C-234194r879887_chk)
Log in to the FortiGate GUI with Super-Admin privilege.
1. Open a CLI console, via SSH or available from the GUI.
2. Run the following command:
# show full-configuration log setting
Compare the output to the locally developed list to ensure the enabled events match the local list. (`show full-configuration`, unlike plain `show`, prints every option including those still at their default value, so no option required by the list is hidden from the comparison.)
3. Run the following command:
# show full-configuration log eventfilter
Compare the output to the locally developed list to ensure enabled events match the local list.
If the FortiGate device does not generate log records for a locally developed list of auditable events, this is a finding.
Fix Text (F-37344r611770_fix)
Obtain the local audit list and enable event logging to match the requirements in the list.
Log in to the FortiGate GUI with Super-Admin privilege.
1. Open a CLI console, via SSH or available from the GUI.
2. Run the following commands and set to enable every event that matches a requirement in the local policy:
# config log setting
# set resolve-ip {enable | disable}
# set resolve-port {enable | disable}
# set log-user-in-upper {enable | disable}
# set fwpolicy-implicit-log {enable | disable}
# set fwpolicy6-implicit-log {enable | disable}
# set log-invalid-packet {enable | disable}
# set local-in-allow {enable | disable}
# set local-in-deny-unicast {enable | disable}
# set local-in-deny-broadcast {enable | disable}
# set local-out {enable | disable}
# set daemon-log {enable | disable}
# set neighbor-event {enable | disable}
# set brief-traffic-format {enable | disable}
# set user-anonymize {enable | disable}
# set expolicy-implicit-log {enable | disable}
# set log-policy-comment {enable | disable}
# set log-policy-name {enable | disable}
# end
# config log eventfilter
# set event {enable | disable}
# set system {enable | disable}
# set vpn {enable | disable}
# set user {enable | disable}
# set router {enable | disable}
# set wireless-activity {enable | disable}
# set wan-opt {enable | disable}
# set endpoint {enable | disable}
# set ha {enable | disable}
# set compliance-check {enable | disable}
# set security-rating {enable | disable}
# set fortiextender {enable | disable}
# set connector {enable | disable}
# end
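The check above compares the two `show full-configuration` blocks against the locally developed list by eye, and the fix re-enters the matching `set` lines. As an added example (not part of the STIG and not FortiOS code), the following Python script automates both steps: it parses the text returned by `show full-configuration log setting` and `show full-configuration log eventfilter`, reports every option the local list requires that is not set to `enable`, and prints the FortiOS CLI needed to remediate. The sample device output and the local audit list (`LOCAL_AUDIT_LIST`) are constructed for illustration; a real list is site-specific and real output would be captured over SSH rather than embedded.

```python
"""Compare FortiGate log settings against a locally developed audit list.

Added example for STIG V-234194; parses `show full-configuration log setting`
and `show full-configuration log eventfilter` output and emits remediation CLI.
"""
import re

# Constructed sample output in the shape FortiOS prints for
# `show full-configuration log setting` (values are illustrative only).
SAMPLE_LOG_SETTING = """\
config log setting
    set resolve-ip disable
    set resolve-port enable
    set log-user-in-upper disable
    set fwpolicy-implicit-log disable
    set fwpolicy6-implicit-log disable
    set log-invalid-packet disable
    set local-in-allow disable
    set local-in-deny-unicast enable
    set local-in-deny-broadcast disable
    set local-out disable
    set daemon-log disable
    set neighbor-event disable
    set brief-traffic-format disable
    set user-anonymize disable
    set expolicy-implicit-log disable
    set log-policy-comment disable
    set log-policy-name disable
end
"""

# Constructed sample output for `show full-configuration log eventfilter`.
SAMPLE_EVENTFILTER = """\
config log eventfilter
    set event enable
    set system enable
    set vpn enable
    set user enable
    set router disable
    set wireless-activity disable
    set wan-opt disable
    set endpoint enable
    set ha enable
    set compliance-check enable
    set security-rating enable
    set fortiextender disable
    set connector enable
end
"""

# Hypothetical locally developed audit list: options the local policy requires
# to be enabled, keyed by the config section they live in. Site-specific; an assumption.
LOCAL_AUDIT_LIST = {
    "log setting": {"fwpolicy-implicit-log", "log-invalid-packet", "local-in-allow",
                    "local-in-deny-unicast", "local-in-deny-broadcast", "local-out",
                    "daemon-log"},
    "log eventfilter": {"event", "system", "vpn", "user", "router", "ha"},
}

# Matches "    set <option> <value>"; "unset" lines deliberately do not match.
SET_RE = re.compile(r"^\s*set\s+(\S+)\s+(.*?)\s*$")


def parse_show_output(text):
    """Return {option: value} from one `config ... end` block of CLI output."""
    settings = {}
    for line in text.splitlines():
        m = SET_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2).strip('"')
    return settings


def find_gaps(section, output):
    """Sorted list of options the local list requires that are not 'enable'.

    An option missing from the output is reported too: with full-configuration
    every supported option prints, so absence means the build lacks it and the
    local list needs review rather than a silent pass.
    """
    actual = parse_show_output(output)
    return sorted(opt for opt in LOCAL_AUDIT_LIST[section] if actual.get(opt) != "enable")


def remediation_cli(section, gaps):
    """FortiOS CLI that enables the missing options (the Fix Text procedure)."""
    if not gaps:
        return ""
    lines = [f"config {section}"] + [f"    set {opt} enable" for opt in gaps] + ["end"]
    return "\n".join(lines)


def audit(outputs):
    """Map section -> missing options for each captured block; {} means no finding."""
    result = {}
    for section, output in outputs.items():
        gaps = find_gaps(section, output)
        if gaps:
            result[section] = gaps
    return result


if __name__ == "__main__":
    findings = audit({"log setting": SAMPLE_LOG_SETTING,
                      "log eventfilter": SAMPLE_EVENTFILTER})
    if not findings:
        print("Not a finding: every locally required event is logged.")
    for section, gaps in findings.items():
        print(f"FINDING in '{section}': not enabled -> {', '.join(gaps)}")
        print(remediation_cli(section, gaps))
```

Run it against output captured from the device (for example, the saved text of an SSH session) in place of the constructed samples; an empty result from `audit()` is "not a finding", and anything else is the exact `config`/`set`/`end` sequence to paste back into the CLI.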