FNFG-FW-000045 - In the event that communication with the central audit server is lost, the FortiGate firewall must continue to queue traffic log records locally. - fortianalyzer|syslogd server

Information

It is critical that when the network element is at risk of failing to process traffic logs as required, it takes action to mitigate the failure. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Responses to audit failure depend on the nature of the failure mode.

In accordance with DoD policy, the traffic log must be sent to a central audit server. When logging functions are lost, system processing cannot be shut down because firewall availability is an overriding concern given the role of the firewall in the enterprise. The system should either be configured to log events to an alternative server or queue log records locally. Upon restoration of the connection to the central audit server, action should be taken to synchronize the local log data with the central audit server.

If the central audit server uses User Datagram Protocol (UDP) communications instead of a connection-oriented protocol such as TCP, a method for detecting a lost connection must be implemented.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

For audit log resilience, it is recommended to log to the local FortiGate disk, and two central audit servers. To do this, log in to the FortiGate GUI with Super-Admin privilege.

1. Click Log and Report.
2. Click Log Settings.
3. For Local Log setting options, toggle the Disk setting to right.

To add a FortiAnalyzer:
4. For Remote Logging and Archiving, toggle the Send logs to the FortiAnalyzer/FortiManager setting and enter the appropriate IP address.

To add a syslog server:
5. For Remote Logging and Archiving, toggle the Send logs to syslog setting and enter the appropriate IP address.
6. Click Apply to save the settings.

or

1. Open a CLI console, via SSH or available from the GUI.
2. Run the following command:
# config log disk setting
# set status enable
# set diskfull overwrite
# end
# config log fortianalyzer setting
# set status enable
# set server {IP Address}
# set upload-option realtime
# end
# config log syslogd setting
# set status enable
# set server {IP Address}
# set mode reliable
# end

Note: The central audit server can be a FortiAnalyzer, a syslog server, or one of each.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_FN_FortiGate_Firewall_STIG.zip

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-5b., CAT|II, CCI|CCI-000140, Rule-ID|SV-234140r628776_rule, STIG-ID|FNFG-FW-000045, Vuln-ID|V-234140

Plugin: FortiGate

Control ID: 544352d7d76bdfc28abc0775181383e29510f5e664a421598da24f145af07e3a