FGFW-ND-000115 - The FortiGate device must generate an immediate real-time alert of all audit failure events requiring real-time alerts.

Information

It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected.

Alerts provide organizations with urgent messages. Real-time alerts provide these messages immediately (i.e., the time from event detection to alert occurs in seconds or less).

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Log in to the FortiGate GUI with Super-Admin privilege.

1. Click Security Fabric.
2. Click Automation.
3. Click +Create New (Automation Stitch).
4. Assign a meaningful name.
5. For Trigger, select FortiOS Event Log.
6. For the Event field, click + and choose a specific event type.
7. For Action, select Email, then specify the recipients and an email subject.
8. Click OK.

Note: The following are all relevant Event Log entries. For the most complete coverage, configure a separate Automation Stitch for each of the Event Log entries below:

Disk Full
Disk Log access failed
Disk log directory deleted
Disk log file deleted
Disk log full over first warning
Disk logs failed to back up
Disk logs failed to back up to USB
Disk partitioning or formatting Error
Disk unavailable
FortiAnalyzer connection down
FortiAnalyzer connection failed
FortiAnalyzer is not configured for Security Fabric service
FortiAnalyzer log access failed
Log disk failure imminent
Log disk full
Log disk unavailable
Memory log access failed
Memory log full over final warning level
Memory log full over first warning level
Memory log full over second warning level
Memory logs failed to back up

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_FN_FortiGate_Firewall_Y23M07_STIG.zip

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-5(2), CAT|II, CCI|CCI-001858, Rule-ID|SV-234182r879733_rule, STIG-ID|FGFW-ND-000115, Vuln-ID|V-234182

Plugin: FortiGate

Control ID: fd727463e2aaf408e670c36a44e5b6bdef9785674423bbe7b807c56e17a1e798