FNFG-FW-000155 - The FortiGate firewall must allow authorized users to record a packet-capture-based IP, traffic type (TCP, UDP, or ICMP), or protocol.

Information

Without the ability to capture, record, and log content related to a user session, investigations into suspicious user activity would be hampered.

This configuration ensures the ability to select specific sessions to capture in order to support general auditing/incident investigation or to validate suspected misuse.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Log in to the FortiGate GUI with Super-Admin privilege.

Create a Packet Capture Filter
1. Click Network.
2. Click Packet Capture.
3. Click +Create New.
4. Select an interface from the drop-down menu.
5. Specify the maximum number of packets to capture.
6. Enable Filters to configure filtering based upon Host (addresses), Port, VLAN, or Protocol.
7. Click OK.

Then,
1. Select a packet filter from the list of packet capture filters.
2. Right-click on the selected filter.
3. Click Start.
4. Click OK.
The packet capture continues until either the configured number of packets is reached or the administrator stops the capture. The administrator must download the packet capture and view it with an external application such as Wireshark or tcpdump.
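Once a capture has been downloaded, the reviewer will usually want to confirm that it contains only the traffic the filter was meant to select. The Python below is an added example, not part of the STIG or of Fortinet's tooling: it builds a small constructed pcap, parses it, classifies each packet by host and traffic type (TCP, UDP, ICMP), and lists packets that fall outside a filter equivalent to the GUI's Host/Port/Protocol fields. It assumes a classic little-endian Ethernet pcap, the format Wireshark and tcpdump read.

```python
import struct
from collections import Counter
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

def build_frame(src, dst, proto, sport=0, dport=0):
    """Construct an Ethernet II + IPv4 frame with a minimal L4 header (sample data only)."""
    if proto == 1:   # ICMP echo request: type 8, code 0, checksum, id, seq
        l4 = struct.pack("!BBHHH", 8, 0, 0, 0, 0)
    else:            # TCP/UDP: only the port fields are inspected below
        l4 = struct.pack("!HH", sport, dport) + b"\x00" * 16
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip_hdr + l4   # zeroed MACs, EtherType IPv4

def build_pcap(frames):
    """Wrap frames in a little-endian classic pcap file (LINKTYPE_ETHERNET = 1)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out

def parse_pcap(data):
    """Yield one record per IPv4 packet: addresses, traffic type and ports."""
    assert struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4, "expected little-endian pcap"
    off = 24
    while off + 16 <= len(data):
        incl = struct.unpack("<IIII", data[off:off + 16])[2]
        frame, off = data[off + 16:off + 16 + incl], off + 16 + incl
        if frame[12:14] != b"\x08\x00":
            continue                                  # non-IPv4 frame, skip it
        ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
        l4 = frame[14 + ihl:]
        sport, dport = struct.unpack("!HH", l4[:4]) if proto in (6, 17) else (None, None)
        yield {"src": ".".join(map(str, frame[26:30])), "dst": ".".join(map(str, frame[30:34])),
               "proto": PROTO_NAMES.get(proto, str(proto)), "sport": sport, "dport": dport}

def matches(rec, host=None, port=None, proto=None):
    """Mirror of the GUI filter fields Host / Port / Protocol; unset fields are wildcards."""
    return ((host is None or host in (rec["src"], rec["dst"]))
            and (port is None or port in (rec["sport"], rec["dport"]))
            and (proto is None or rec["proto"] == proto))

def audit_capture(data, **filt):
    """Return per-traffic-type counts and the packets that fall outside the filter."""
    recs = list(parse_pcap(data))
    return Counter(r["proto"] for r in recs), [r for r in recs if not matches(r, **filt)]

# Constructed sample capture: three packets involving 10.0.0.5 plus one stray ICMP packet.
SAMPLE = build_pcap([build_frame("10.0.0.5", "192.0.2.10", 6, 51234, 443),
                     build_frame("192.0.2.10", "10.0.0.5", 6, 443, 51234),
                     build_frame("10.0.0.5", "192.0.2.53", 17, 40000, 53),
                     build_frame("10.0.0.7", "192.0.2.10", 1)])
```

Run `audit_capture(open("capture.pcap", "rb").read(), host="10.0.0.5")` against a real download to get the same counts and the list of packets the filter should not have admitted.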

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_FN_FortiGate_Firewall_Y22M10_STIG.zip

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-14(2), CAT|II, CCI|CCI-001462, Rule-ID|SV-234159r611477_rule, STIG-ID|FNFG-FW-000155, Vuln-ID|V-234159

Plugin: FortiGate

Control ID: f8537d3a99b79a27450aaae998f01b3c5321702a130459bba8d650757c653e8b