Detections
Analytics

FGFW-ND-000175 - The FortiGate device must generate log records for a locally developed list of auditable events. - eventfilter

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Auditing and logging are key components of any security architecture. Logging the actions of specific events provides a means to investigate an attack; to recognize resource utilization or capacity thresholds; or to identify an improperly configured network device. If auditing is not comprehensive, it will not be useful for intrusion monitoring, security investigations, and forensic analysis.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Obtain local audit list and enable event logging to match requirements within the list.
Log in to the FortiGate GUI with Super-Admin privilege.

1. Open a CLI console, via SSH or available from the GUI.
2. Run the following command and set to enable any events that match a requirement in the local policy:
 # config log setting
 # set resolve-ip {enable | disable}
 # set resolve-port {enable | disable}
 # set log-user-in-upper {enable | disable}
 # set fwpolicy-implicit-log {enable | disable}
 # set fwpolicy6-implicit-log {enable | disable}
 # set log-invalid-packet {enable | disable}
 # set local-in-allow {enable | disable}
 # set local-in-deny-unicast {enable | disable}
 # set local-in-deny-broadcast {enable | disable}
 # set local-out {enable | disable}
 # set daemon-log {enable | disable}
 # set neighbor-event {enable | disable}
 # set brief-traffic-format {enable | disable}
 # set user-anonymize {enable | disable}
 # set expolicy-implicit-log {enable | disable}
 # set log-policy-comment {enable | disable}
 # set log-policy-name {enable | disable}
 # end
 # config log eventfilter
 # set event {enable | disable}
 # set system {enable | disable}
 # set vpn {enable | disable}
 # set user {enable | disable}
 # set router {enable | disable}
 # set wireless-activity {enable | disable}
 # set wan-opt {enable | disable}
 # set endpoint {enable | disable}
 # set ha {enable | disable}
 # set compliance-check {enable | disable}
 # set security-rating {enable | disable}
 # set fortiextender {enable | disable}
 # set connector {enable | disable}
 # end

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_FN_FortiGate_Firewall_STIG.zip

Item Details

References: CAT|II, CCI|CCI-000169, CCI|CCI-000366, Rule-ID|SV-234194r628777_rule, STIG-ID|FGFW-ND-000175, Vuln-ID|V-234194

Plugin: FortiGate

Control ID: 111ae36ba03c40feae24e2458ceb61d126ade41c07bb31e0e51a866c87f18150