The FortiGate firewall must allow authorized users to record a packet-capture-based IP, traffic type (TCP, UDP, or ICMP), or protocol.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-234159	FNFG-FW-000155	SV-234159r628776_rule		Medium

Description
Without the ability to capture, record, and log content related to a user session, investigations into suspicious user activity would be hampered. This configuration ensures the ability to select specific sessions to capture in order to support general auditing/incident investigation or to validate suspected misuse.

STIG	Date
Fortinet FortiGate Firewall Security Technical Implementation Guide	2021-01-29

Details

Check Text ( C-37344r611475_chk )
Log in to the FortiGate GUI with Super-Admin privilege. 1. Click Network. 2. Click Packet Capture. 3. Verify different Packet Capture Filters are configured and that capture packets based on interface, host, VLAN, or protocol. If FortiGate does not allow an authorized administrator to capture packets based on interface, host, VLAN, or protocol, this is a finding.

Fix Text (F-37309r611476_fix)
Log in to the FortiGate GUI with Super-Admin privilege. Create a Packet Capture Filter 1. Click Network. 2. Click Packet Capture. 3. Click +Create New. 4. Select an interface from the drop down menu. 5. Specify the maximum number of packets to capture. 6. Enable Filters to configure filtering based upon Host (addresses), Port, VLAN, or Protocol. 7. Click OK. Then, 1. Select a packet filter from the list of packet capture filters. 2. Right-click on the selected filter. 3. Click Start. 4. Click OK. The packet capture continues until either the configured number of packets is reached, or the administrator stops the packet capture. The administrator must download the packet capture for viewing with an external application, like Wireshark or tcpdump.

Fix Text (F-37309r611476_fix)

Log in to the FortiGate GUI with Super-Admin privilege.

Create a Packet Capture Filter
1. Click Network.
2. Click Packet Capture.
3. Click +Create New.
4. Select an interface from the drop down menu.
5. Specify the maximum number of packets to capture.
6. Enable Filters to configure filtering based upon Host (addresses), Port, VLAN, or Protocol.
7. Click OK.

Then,
1. Select a packet filter from the list of packet capture filters.
2. Right-click on the selected filter.
3. Click Start.
4. Click OK.
The packet capture continues until either the configured number of packets is reached, or the administrator stops the packet capture. The administrator must download the packet capture for viewing with an external application, like Wireshark or tcpdump.