UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The FortiGate device must generate log records for a locally developed list of auditable events.


Overview

Finding ID Version Rule ID IA Controls Severity
V-234194 FGFW-ND-000175 SV-234194r628777_rule Medium
Description
Auditing and logging are key components of any security architecture. Logging the actions of specific events provides a means to investigate an attack; to recognize resource utilization or capacity thresholds; or to identify an improperly configured network device. If auditing is not comprehensive, it will not be useful for intrusion monitoring, security investigations, and forensic analysis.
STIG Date
Fortinet FortiGate Firewall NDM Security Technical Implementation Guide 2021-01-29

Details

Check Text ( C-37379r611769_chk )
Log in to the FortiGate GUI with Super-Admin privilege.

1. Open a CLI console, via SSH or available from the GUI.
2. Run the following command:
# show full-configuration log setting

Compare the output to the locally developed list to ensure enabled events match the local list.

3. Run the following command:
# show full-configuration log eventfilter

Compare the output to the locally developed list to ensure enabled events match the local list.

If the FortiGate device does not generate log records for a locally developed list of auditable events, this is a finding.
Fix Text (F-37344r611770_fix)
Obtain local audit list and enable event logging to match requirements within the list.
Log in to the FortiGate GUI with Super-Admin privilege.

1. Open a CLI console, via SSH or available from the GUI.
2. Run the following command and set to enable any events that match a requirement in the local policy:
# config log setting
# set resolve-ip {enable | disable}
# set resolve-port {enable | disable}
# set log-user-in-upper {enable | disable}
# set fwpolicy-implicit-log {enable | disable}
# set fwpolicy6-implicit-log {enable | disable}
# set log-invalid-packet {enable | disable}
# set local-in-allow {enable | disable}
# set local-in-deny-unicast {enable | disable}
# set local-in-deny-broadcast {enable | disable}
# set local-out {enable | disable}
# set daemon-log {enable | disable}
# set neighbor-event {enable | disable}
# set brief-traffic-format {enable | disable}
# set user-anonymize {enable | disable}
# set expolicy-implicit-log {enable | disable}
# set log-policy-comment {enable | disable}
# set log-policy-name {enable | disable}
# end
# config log eventfilter
# set event {enable | disable}
# set system {enable | disable}
# set vpn {enable | disable}
# set user {enable | disable}
# set router {enable | disable}
# set wireless-activity {enable | disable}
# set wan-opt {enable | disable}
# set endpoint {enable | disable}
# set ha {enable | disable}
# set compliance-check {enable | disable}
# set security-rating {enable | disable}
# set fortiextender {enable | disable}
# set connector {enable | disable}
# end