Track which Administrator made changes to Policy

Author
pkgh
2018/08/29 23:17:35 (permalink) 5.6

Hi all, going through all the event logs and posts, I am still unsure: how do I track which of our admins made changes to the policy?
 
This is one basic requirement to track changes and find a culprit, as once the changes are caught, no one will accept without proof.
We have multiple administrators with their own user IDs.
FortiGate 1000D in HA running OS 6.0
FortiAnalyzer running 5.6
 
Any help ?
#1

    ede_pfau
    Re: Track which Administrator made changes to Policy 2018/08/30 00:30:16 (permalink)
    config system global
    ...
        set revision-backup-on-logout enable
        set revision-image-auto-backup enable
    end

    This will save the config (and the firmware) after changes to the internal flash disk. Revisions are stored along with the username, and you can use the built-in 'diff' tool to see which changes were made.

    Ede

    " Kernel panic: Aiee, killing interrupt handler!"
    #2
    live89
    Re: Track which Administrator made changes to Policy 2018/08/30 01:32:26 (permalink)
    Hi
     
    You can do it this way:
     
    FGT notification (Log&Report > Alert E-mail > enable Configuration changes)
    * you need to enable the mail server on your FGT first at: config system email-server
     
    Then you'll get this kind of message:
    Message meets Alert condition
    date=2018-08-29 time=13:43:18 devname=FGT1 devid=FG800D1234567890 logid="0100044545" type="event" subtype="system" level="information" vd="root" eventtime=1535539398 logdesc="Object configured" user="blablauser" ui="GUI(1.2.3.4)" action="Delete" cfgtid=10552034 cfgpath="firewall.policy" cfgobj="696" msg="Delete firewall.policy 696
     
    And of course you can always see at Log&Report > System Events what has been changed in the fw settings.
    post edited by ac89live - 2018/08/30 01:36:12
    #3
    emnoc
    Re: Track which Administrator made changes to Policy 2018/08/30 11:22:54 (permalink)
    You can do this easily from the CLI and use the log and firewall.policy.xxx for the message value.
     
    Ken
     

    PCNSE 
    NSE 
    StrongSwan  
    #4
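
Added example, not part of any post in this thread and not Fortinet code: a short Python script that parses event lines in the key=value format of the alert quoted in reply #3 and lists firewall.policy changes per administrator, which is also the filter reply #4 describes. The function names are hypothetical, and the second and third sample lines (including admin2 and srv-web) are constructed.

```python
import re
from collections import defaultdict

# key=value pairs; a value is double-quoted or a bare token. The closing quote
# is optional so a line cut off mid-message still yields its last field.
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"?|(\S+))')

def parse_event(line):
    """Turn one FortiGate key=value log line into a dict of fields."""
    return {key: quoted or bare for key, quoted, bare in PAIR.findall(line.strip())}

def policy_changes(lines, path_prefix="firewall.policy"):
    """Return config-change events whose cfgpath starts with path_prefix."""
    changes = []
    for line in lines:
        ev = parse_event(line)
        if not ev.get("cfgpath", "").startswith(path_prefix):
            continue
        changes.append({
            "when": f'{ev.get("date", "?")} {ev.get("time", "?")}',
            "user": ev.get("user", "unknown"),
            "ui": ev.get("ui", "unknown"),  # session type and source IP
            "action": ev.get("action", "?"),
            "object": f'{ev["cfgpath"]} {ev.get("cfgobj", "?")}',
        })
    return changes

def by_admin(changes):
    """Group the change records per administrator account."""
    grouped = defaultdict(list)
    for c in changes:
        grouped[c["user"]].append(f'{c["when"]} {c["action"]} {c["object"]} via {c["ui"]}')
    return dict(grouped)

# First line is the alert quoted in the thread (its msg field is cut off there);
# the other two are constructed sample lines in the same format.
SAMPLE = [
    'date=2018-08-29 time=13:43:18 devname=FGT1 devid=FG800D1234567890 logid="0100044545" type="event" subtype="system" level="information" vd="root" eventtime=1535539398 logdesc="Object configured" user="blablauser" ui="GUI(1.2.3.4)" action="Delete" cfgtid=10552034 cfgpath="firewall.policy" cfgobj="696" msg="Delete firewall.policy 696',
    'date=2018-08-29 time=14:02:51 devname=FGT1 logdesc="Object configured" user="admin2" ui="GUI(10.0.0.5)" action="Add" cfgpath="firewall.policy" cfgobj="701" msg="Add firewall.policy 701"',
    'date=2018-08-29 time=14:10:07 devname=FGT1 logdesc="Object configured" user="admin2" ui="GUI(10.0.0.5)" action="Add" cfgpath="firewall.address" cfgobj="srv-web" msg="Add firewall.address srv-web"',
]

if __name__ == "__main__":
    for admin, entries in by_admin(policy_changes(SAMPLE)).items():
        print(admin)
        for entry in entries:
            print("   ", entry)
```

Passing `path_prefix="firewall."` widens the report to address and service objects as well as policies.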