IrbkOrrum
Explorer III
October 24, 2024
Solved

Personal logging of FortiGate Changes

  • October 24, 2024
  • 2 replies
  • 4401 views

I've recently migrated our primary firewall from an ASA to a FortiGate 600. Don't get me wrong, I love Cisco, but the FortiGate firewall has been a HUGE improvement and I don't regret the change for a moment! However, there was one thing about the ASA that I loved and that has saved my butt more than once. With every "commit" I made, I had the ASA spit out a CLI of what change I just made. So, like, if I made some new service ports in the ASDM, when I hit "apply" I'd get an output like so:
object service TCP-7046
 service tcp destination eq 7046
 description Nav Client Services
object service TCP-7047
 service tcp destination eq 7047
 description Nav SOAP Services

Then I would copy that info and place it into my own personal change log with a little note of what I was doing, so I've got my own personal change log of every change made.  An example entry:

4/30/2024
1. Create the NAV ports on the ASA
object service TCP-7046
 service tcp destination eq 7046
 description Nav Client Services
object service TCP-7047
 service tcp destination eq 7047
 description Nav SOAP Services

So now the question is, how do I log changes like this in the FortiGate? I know there are settings within the FortiGate itself to do some logging, but I like my own little log. I've got kind of a "basic" skeleton of logging that I could use, like so:
Name:, Source:, Destination:, Schedule:always, Service:, Action:, NAT:, Security Profile:, Log:UTM
and I just manually fill out the info, but that is a bit time consuming... but it may be my only option. Anyone have thoughts?

Best answer by mpeddalla

Hello @IrbkOrrum,

Thank you for contacting the Fortinet Forum portal.

Please refer to the article below, which shows how changes made in the GUI are shown as CLI configuration: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Verify-applied-configuration-change-in-CLI/ta-p/196389

diagnose debug reset
diagnose debug cli 8
diagnose debug enable

Additionally, you could get the script if you are managing the FortiGate using FortiManager.

Best regards,

Manasa.

If you feel the above steps helped resolve the issue, mark the reply as solved so that other customers can get it easily while searching for similar scenarios.

2 replies

kumarh
Staff
October 24, 2024

Hello,

FortiGate does not have a built-in feature that provides CLI output of every change like Cisco ASA does with its "commit" commands. However, you can enable admin activity logging to capture configuration changes in FortiGate’s logs. This will allow you to track who made changes and what they were, though it won’t give you CLI-style output.


While FortiGate does not offer the same "commit" style output, you can use FortiManager to manage changes across FortiGates, which can log changes in a more structured way.
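One way to turn the admin activity event logs mentioned above into the CLI-style change-log entries the poster keeps, as an added example that is not from this thread or from Fortinet: it parses constructed FortiGate key=value log lines and rebuilds config/edit/set/next/end blocks from the cfgpath, cfgobj and cfgattr fields. The field names are FortiGate's, but the name[old->new] shape of cfgattr and every timestamp, object name and value in the sample are assumptions made for this example.

```python
import re
from collections import OrderedDict

# Constructed sample: FortiGate event-log lines of the kind admin activity logging writes
# when service objects are built in the GUI, plus one login record that must be ignored.
# Field names follow FortiGate's key=value log format; timestamps, names and values are invented.
SAMPLE_LOG = '''\
date=2024-04-30 time=09:12:41 type="event" subtype="system" vd="root" logdesc="Object configured" user="admin" ui="GUI(192.0.2.10)" action="Add" cfgpath="firewall.service.custom" cfgobj="TCP-7046" msg="Add firewall.service.custom TCP-7046"
date=2024-04-30 time=09:12:41 type="event" subtype="system" vd="root" logdesc="Object attribute configured" user="admin" ui="GUI(192.0.2.10)" action="Edit" cfgpath="firewall.service.custom" cfgobj="TCP-7046" cfgattr="tcp-portrange[->7046]" msg="Edit firewall.service.custom TCP-7046"
date=2024-04-30 time=09:12:42 type="event" subtype="system" vd="root" logdesc="Object attribute configured" user="admin" ui="GUI(192.0.2.10)" action="Edit" cfgpath="firewall.service.custom" cfgobj="TCP-7046" cfgattr="comment[->Nav Client Services]" msg="Edit firewall.service.custom TCP-7046"
date=2024-04-30 time=09:13:05 type="event" subtype="system" vd="root" logdesc="Object attribute configured" user="admin" ui="GUI(192.0.2.10)" action="Edit" cfgpath="firewall.service.custom" cfgobj="TCP-7047" cfgattr="tcp-portrange[->7047]" msg="Edit firewall.service.custom TCP-7047"
date=2024-04-30 time=09:20:00 type="event" subtype="system" vd="root" logdesc="Admin login successful" user="admin" ui="GUI(192.0.2.10)" action="login" msg="Administrator admin logged in successfully from GUI(192.0.2.10)"
'''
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')    # key="quoted value" or key=bare
ATTR_RE = re.compile(r'(\S+?)\[([^\]]*?)->([^\]]*)\]')   # cfgattr items look like name[old->new]

def parse_fields(line):
    """Split one key=value log line into a dict, keeping quoted values whole."""
    return {k: q or u for k, q, u in FIELD_RE.findall(line)}

def quote(value):
    """Quote a CLI value the way FortiOS does when it is empty or contains spaces."""
    return f'"{value}"' if (' ' in value or not value) else value

def changes_to_cli(log_text):
    """Rebuild CLI-style config blocks (config/edit/set/next/end) from change records."""
    blocks = OrderedDict()          # cfgpath -> OrderedDict(cfgobj -> [set lines])
    for line in log_text.splitlines():
        rec = parse_fields(line)
        if rec.get('subtype') != 'system' or 'cfgpath' not in rec:
            continue                # logins, UTM events etc. are not config changes
        sets = blocks.setdefault(rec['cfgpath'], OrderedDict()).setdefault(rec.get('cfgobj', ''), [])
        for name, _old, new in ATTR_RE.findall(rec.get('cfgattr', '')):
            sets.append(f'set {name} {quote(new)}')
    out = []
    for path, objs in blocks.items():
        out.append('config ' + path.replace('.', ' '))
        for obj, sets in objs.items():
            out.append(f'    edit "{obj}"')
            out.extend('        ' + s for s in sets)
            out.append('    next')
        out.append('end')
    return '\n'.join(out)

def changelog_entry(date, note, log_text):
    """One personal change-log entry in the poster's format: date, note, CLI block."""
    return f'{date}\n{note}\n{changes_to_cli(log_text)}\n'

if __name__ == '__main__':
    print(changelog_entry('4/30/2024', '1. Create the NAV ports on the FortiGate', SAMPLE_LOG))
```

Feed it the event log exported from the FortiGate (or forwarded to syslog) and each run yields a block that can be pasted straight into the personal change log, with no debug toggling per change.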


IrbkOrrum (Author)
Explorer III
October 24, 2024

Not as easy to use as the ASA was, however pretty much exactly what I want. Kind of a pain to turn that on and off for every change you're going to make, but it definitely gives you a good CLI log of exactly what you did.