The FortiGate device must off-load audit records on to a different system or media than the system being audited.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-234181 | FGFW-ND-000110 | SV-234181r879886_rule | CCI-001851 | medium |

Description

Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Offloading is a common process in information systems with limited audit storage capacity.

| STIG | Date |
|---|---|
| Fortinet FortiGate Firewall NDM Security Technical Implementation Guide | 2023-06-01 |
Related Frameworks

- NIST 800-53 mapping: AU-4(1) (DISA XCCDF, related; DISA CCI list of 2025-01-23, equivalent)
- CCI mapping: CCI-001851 (DISA XCCDF, related)
Details
Check Text (C-234181r879886_chk)
Verify that remote logging is configured.
Via the GUI:
Log in to the FortiGate GUI with super-admin privileges.
- Navigate to Log and Report.
- Navigate to Log Settings.
- Verify the Remote Logging and Archiving settings.
or
Via the CLI:
Open a CLI console via SSH or from the "CLI Console" button in the GUI.
Run the following commands to verify which logging settings are enabled:
# show full-configuration log fortianalyzer setting | grep -i 'status\|server'
# show full-configuration log fortianalyzer2 setting | grep -i 'status\|server'
# show full-configuration log fortianalyzer3 setting | grep -i 'status\|server'
# show full-configuration log syslogd setting | grep -i 'status\|server'
# show full-configuration log syslogd2 setting | grep -i 'status\|server'
# show full-configuration log syslogd3 setting | grep -i 'status\|server'
# show full-configuration log syslogd4 setting | grep -i 'status\|server'
- For at least one of these targets the output should show "set status enable" together with a server address (an IP address, or an FQDN if one was configured). A target that is enabled but has an empty server value ("set server ''") is not sending logs anywhere and does not satisfy this requirement.
If the FortiGate is not logging to a FortiAnalyzer or a syslog server, this is a finding.
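The CLI check above can be automated against captured output. The script below is an added example and is not part of the STIG text or of Fortinet's documentation. It parses the output of the "show full-configuration log <target> setting" commands (captured without the grep filter, so each block's status and server lines are both visible), and applies the STIG's rule: at least one FortiAnalyzer or syslog target must be enabled with a non-empty server address. The sample output embedded in the script is constructed for illustration; the seven target names are those listed in the check text, and the field names ("status", "server") are the ones the check grep filters on.

```python
"""Offline compliance check for FGFW-ND-000110 (audit record off-load).

Added example, not part of the STIG. It parses text captured from
  show full-configuration log <target> setting
for each remote log target and reports whether at least one target is
both enabled and pointed at a server, which is what the check requires.
"""
import re
from typing import Dict, List

# The remote log targets enumerated in the STIG check text.
TARGETS = [
    "fortianalyzer", "fortianalyzer2", "fortianalyzer3",
    "syslogd", "syslogd2", "syslogd3", "syslogd4",
]

# Constructed sample output (not captured from a real device): FortiAnalyzer
# enabled with a server, syslogd disabled, syslogd2 enabled but with no server.
SAMPLE_OUTPUT = """\
config log fortianalyzer setting
    set status enable
    set server "10.0.0.50"
    set upload-option realtime
end
config log fortianalyzer2 setting
    set status disable
    set server ''
end
config log syslogd setting
    set status disable
    set server ''
    set mode udp
    set port 514
end
config log syslogd2 setting
    set status enable
    set server ''
end
"""

# A block runs from "config log <target> setting" to the first "end" at
# column 0; indented "end" lines belonging to nested sub-tables are skipped.
BLOCK_RE = re.compile(r"^config log (\S+) setting\n(.*?)^end",
                      re.MULTILINE | re.DOTALL)
SET_RE = re.compile(r"^\s*set (\S+) (.*)$", re.MULTILINE)


def parse_log_settings(text: str) -> Dict[str, Dict[str, str]]:
    """Return {target: {key: value}} for every 'config log X setting' block."""
    settings: Dict[str, Dict[str, str]] = {}
    for target, body in BLOCK_RE.findall(text):
        kv: Dict[str, str] = {}
        for key, value in SET_RE.findall(body):
            # FortiOS prints string values quoted; an empty server is ''.
            kv[key] = value.strip().strip("\"'")
        settings[target] = kv
    return settings


def active_targets(settings: Dict[str, Dict[str, str]]) -> List[str]:
    """Targets that are enabled AND have a server address set."""
    return [t for t in TARGETS
            if settings.get(t, {}).get("status") == "enable"
            and settings.get(t, {}).get("server")]


def is_finding(settings: Dict[str, Dict[str, str]]) -> bool:
    """STIG verdict: a finding if no FortiAnalyzer or syslog target is active."""
    return not active_targets(settings)


def report(text: str) -> str:
    """Human-readable per-target summary followed by the verdict line."""
    settings = parse_log_settings(text)
    lines = []
    for t in TARGETS:
        kv = settings.get(t)
        if kv is None:
            lines.append(f"{t:15} (not present in captured output)")
            continue
        lines.append(f"{t:15} status={kv.get('status', '?'):8} "
                     f"server={kv.get('server') or '<none>'}")
    active = active_targets(settings)
    if active:
        lines.append("OK: remote logging active via " + ", ".join(active))
    else:
        lines.append("FINDING: no remote log target is enabled with a server")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_OUTPUT))
```

To use it against a real device, capture the seven "show full-configuration" commands over SSH into one file and pass its contents to report(). The script deliberately treats "enabled with an empty server" as non-compliant, which a plain grep for "enable" would miss.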
Fix Text (F-37331r863253_fix)
Log in to the GUI with super-admin privileges.
1. Click Log and Report.
2. Click Log Settings.
To add a FortiAnalyzer:
- In the Remote Logging and Archiving section, enable logging to FortiAnalyzer and provide the IP address of the FortiAnalyzer.
To add a Syslog server:
- In the Remote Logging and Archiving section, enable Send logs to Syslog and provide the IP address of the syslog server.
3. Apply changes.
or
1. Open a CLI console via SSH or from the "CLI Console" button in the GUI.
2. Configure a FortiAnalyzer or a syslog server with the following commands:
FortiAnalyzer:
# config log fortianalyzer setting
# set status enable
# set server {IP Address}
# set upload-option realtime
# end
Syslog:
# config log syslogd setting
# set status enable
# set server {IP Address}
# set mode reliable
# end
Note: "set mode reliable" sends syslog over TCP with RFC 6587 framing rather than the default udp mode, so the receiving syslog server must accept TCP on the port configured with "set port"; confirm the collector is actually receiving events before closing the finding.