Detections
Analytics
FGFW-ND-000295 - The FortiGate device must be configured to send log data to a central log server for the purpose of forwarding alerts to the administrators and the ISSO.
Information
The aggregation of log data kept on a syslog server can be used to detect attacks and trigger an alert to the appropriate security personnel. The stored log data can be used to detect weaknesses in security that enable the network IA team to find and address these weaknesses before breaches can occur. Reviewing these logs, whether before or after a security breach, is important in showing whether someone is an internal employee or an outside threat.NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
Log in via the GUI with super-admin privileges.1. Click Log and Report.
2. Click Log Settings.
3. Locate the Remote Logging and Archiving section.
4. Configure FortiGate to log to a FortiAnalyzer or syslog server.
- Enable logging to FortiAnalyzer and provide the IP address. Additional FortiAnalyzer logging destinations can be configured in the CLI.
- Enable the 'Send logs to syslog' toggle and provide the IP address. Additional syslog logging destinations can be configured in the CLI.
5. Apply changes.
or
1. Open a CLI console via SSH or from the 'CLI Console' button in the GUI.
2. Configure a FortiAnalyzer or syslog server with the following commands:
FortiAnalyzer Logging:
config log fortianalyzer setting
set status enable
set server {IP Address}
set upload-option realtime
end
syslog Logging:
config log syslogd setting
set status enable
set server {IP Address}
set mode reliable
end
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_FN_FortiGate_Firewall_Y23M07_STIG.zip
Item Details
Audit Name: DISA Fortigate Firewall NDM STIG v1r4
Category: SYSTEM AND INFORMATION INTEGRITY
References: 800-53|SI-2c., CAT|I, CCI|CCI-002605, Rule-ID|SV-234218r917639_rule, STIG-ID|FGFW-ND-000295, Vuln-ID|V-234218
Plugin: FortiGate
Control ID: e0270e8a5e5e1549824353194f3d90c0a749b47ab45b11833532c5791390ab18