FNFG-FW-000165 - The FortiGate firewall must generate traffic log records when attempts are made to send packets between security zones that are not authorized to communicate.


Without generating log records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

Access for different security levels maintains separation between resources (particularly stored data) of different security domains.

The firewall can be configured to use security zones configured with different security policies based on risk and trust levels. These zones can be leveraged to prevent traffic from one zone from sending packets to another zone. For example, information from certain IP sources will be rejected if the destination matches specified security zones that are not authorized.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.


Log in to the FortiGate GUI with Super-Admin privilege.

1. Click Log and Report.
2. Click Log Settings.
3. Configure the Log Settings for Local Traffic Log to ALL.
4. Click Apply.

In addition to these log settings, configure individual firewall policies with the most suitable Logging Options.

1. Click Policy and Objects.
2. Click IPv4 or IPv6 Policy.
3. Click +Create New to configure organization specific policies, with Action set to DENY.
4. Configure Logging Options to log All Sessions (for most verbose logging).
5. Ensure Enable this policy is toggled to right.
6. Click Implicit Deny Policy.
7. Click Edit.
8. Select Log Violation Traffic.
9. Click OK.

See Also


Item Details


References: 800-53|AU-12c., CAT|II, CCI|CCI-000172, Rule-ID|SV-234161r628776_rule, STIG-ID|FNFG-FW-000165, Vuln-ID|V-234161

Plugin: FortiGate

Control ID: 5622f5ae0587f0d622c798480e81f3c2e7f7abf4b4702c5980b9441fee063fb6