Description | This article describes how to set event handlers for generic object modification such as 'ALL' / 'always'. |
Solution |
It is a common admin error that a default service object with the widest possible scope is narrowed down to a very limited scope, resulting in a massive outage for customers. It also takes time to find out what happened and to recover from this state.
For example, the service object ALL normally covers any IP protocol and any port range for TCP / UDP. If an admin mistakenly modifies service object ALL to a specific value, all traffic processed by the rules that contain service object 'ALL' will be affected. (Similar problems can occur with the address object 'all' or even with the schedule 'always'.) |
Configuration |
With the help of an event handler, it is possible to generate an alert when such pre-defined important objects are modified:
The raw log of such an event would look like this:
date=2022-11-29 time=15:37:19 logid=0100044547 type=event subtype=system level=information slot=1 action=Edit msg=Edit firewall.service.custom ALL logdesc=Object attribute configured user=admin ui=GUI(172.26.137.87) cfgtid=16777501 cfgpath=firewall.service.custom cfgobj=ALL cfgattr=protocol-number[0->111] devid=FG76XXXXXYYYY vd=YYY-XXX dtime=2022-11-29 15:37:19
With the help of the above event handler, an admin is quickly notified that the default 'ALL' object has been changed, which could cause serious issues. The corresponding raw logs for the schedule 'always' and the address object 'all' look like this:
date=2022-12-06 itime=2022-12-06 09:23:40logid=0100044547 type=event subtype=system level=information slot=1 action=Edit msg=Edit firewall.schedule.recurring always logdesc=Object attribute configured user=admin ui=GUI(172.26.153.91) cfgtid=16777652 cfgpath=firewall.schedule.recurring cfgobj=always cfgattr=day[sunday monday tuesday wednesday thursday friday saturday->sunday tuesday wednesday thursday friday saturday] tz=+0300 devid=FG7KXXXXXYYYY vd=XXX-YYY dtime=2022-12-06 12:26:53 itime_t=1670318620
date=2022-12-06 time=12:27:10 logid=0100044547 type=event subtype=system level=information slot=1 action=Edit msg=Edit firewall.address all logdesc=Object attribute configured user=admin ui=GUI(172.26.153.91) cfgtid=16777653 cfgpath=firewall.address cfgobj=all cfgattr=subnet[0.0.0.0 0.0.0.0->3.3.3.3 255.255.255.255] devid=FG76XXXXYYYY vd=XXX-YYY dtime=2022-12-06 12:27:10 itime_t=1670318635
Again, the critical conditions are marked in bold.
- The event handler only applies within the FortiAnalyzer ADOM in which it exists. If there are multiple ADOMs, it must be created in every ADOM to which a FortiGate sends event logs.
- The criteria must be combined with 'and', not 'or': all three conditions must be met to trigger an alert; otherwise the handler would generate an alert at every configuration change. |
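As an added example (not part of the Fortinet article and not FortiAnalyzer's own code), the following Python script replays the article's three log lines plus two constructed ones through the same three-condition match described above. It assumes the handler's three conditions are action=Edit, a watched cfgpath and a watched cfgobj (the article shows the conditions only in bold in a screenshot), and it demonstrates the 'and' versus 'or' point: with 'or', an ordinary edit of a custom service object also raises an alert.

```python
"""Added example (not from the Fortinet article): replay FortiGate event logs
through the three-condition match that the article's FortiAnalyzer event
handler uses, and show why the conditions must be combined with 'and'.

Assumption (not stated verbatim by the article): the three handler
conditions are action=Edit, a watched cfgpath and a watched cfgobj.
"""
import re
from typing import Callable, Dict, Iterable, List, Tuple

# Default objects whose modification should raise an alert:
# (cfgpath = object table, cfgobj = object name), taken from the article's logs.
WATCHED_OBJECTS = {
    ("firewall.service.custom", "ALL"),
    ("firewall.address", "all"),
    ("firewall.schedule.recurring", "always"),
}
WATCHED_PATHS = {path for path, _ in WATCHED_OBJECTS}
WATCHED_NAMES = {name for _, name in WATCHED_OBJECTS}

# key=value tokenizer. FortiGate quotes values that contain spaces; the
# article's copies of the logs lost those quotes, so a bracketed attribute
# change such as  cfgattr=day[sunday monday->sunday]  is also taken whole.
# Keys must start with a letter so that the glued token "09:23:40logid=..."
# in one of the article's lines is not misread as a key named "40logid".
_KV = re.compile(r'\b([A-Za-z_]\w*)=("[^"]*"|[^\s\[]*\[[^\]]*\]|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one FortiGate key=value event log line into a dict."""
    return {key: value.strip('"') for key, value in _KV.findall(line)}


def handler_conditions(event: Dict[str, str]) -> Tuple[bool, bool, bool]:
    """The three per-event conditions the handler combines (assumed set)."""
    is_edit = event.get("action") == "Edit"
    watched_path = event.get("cfgpath") in WATCHED_PATHS
    watched_name = event.get("cfgobj") in WATCHED_NAMES
    return is_edit, watched_path, watched_name


def scan(lines: Iterable[str],
         combine: Callable[[Iterable[bool]], bool] = all) -> List[str]:
    """Return 'cfgpath cfgobj' for every line the handler would alert on.

    combine=all reproduces the correct 'and' handler; combine=any reproduces
    the 'or' mistake the article warns about.
    """
    hits = []
    for line in lines:
        event = parse_event(line)
        if combine(handler_conditions(event)):
            hits.append(f"{event.get('cfgpath')} {event.get('cfgobj')}")
    return hits


# The first three lines are the article's own logs, copied as printed there
# (including the glued "09:23:40logid" token). The last two are constructed
# here, with placeholder devid/logid values, to stand in for everyday changes.
SAMPLE_LOGS = [
    "date=2022-11-29 time=15:37:19 logid=0100044547 type=event subtype=system level=information slot=1 action=Edit msg=Edit firewall.service.custom ALL logdesc=Object attribute configured user=admin ui=GUI(172.26.137.87) cfgtid=16777501 cfgpath=firewall.service.custom cfgobj=ALL cfgattr=protocol-number[0->111] devid=FG76XXXXXYYYY vd=YYY-XXX dtime=2022-11-29 15:37:19",
    "date=2022-12-06 itime=2022-12-06 09:23:40logid=0100044547 type=event subtype=system level=information slot=1 action=Edit msg=Edit firewall.schedule.recurring always logdesc=Object attribute configured user=admin ui=GUI(172.26.153.91) cfgtid=16777652 cfgpath=firewall.schedule.recurring cfgobj=always cfgattr=day[sunday monday tuesday wednesday thursday friday saturday->sunday tuesday wednesday thursday friday saturday] tz=+0300 devid=FG7KXXXXXYYYY vd=XXX-YYY dtime=2022-12-06 12:26:53 itime_t=1670318620",
    "date=2022-12-06 time=12:27:10 logid=0100044547 type=event subtype=system level=information slot=1 action=Edit msg=Edit firewall.address all logdesc=Object attribute configured user=admin ui=GUI(172.26.153.91) cfgtid=16777653 cfgpath=firewall.address cfgobj=all cfgattr=subnet[0.0.0.0 0.0.0.0->3.3.3.3 255.255.255.255] devid=FG76XXXXYYYY vd=XXX-YYY dtime=2022-12-06 12:27:10 itime_t=1670318635",
    # constructed: harmless edit of a custom service object
    'date=2022-12-06 time=12:30:00 logid=0100044547 type=event subtype=system level=information action=Edit msg="Edit firewall.service.custom WEB-8080" logdesc="Object attribute configured" user=admin ui=GUI(172.26.153.91) cfgpath=firewall.service.custom cfgobj=WEB-8080 cfgattr="tcp-portrange[8080->8081]" devid=FG-PLACEHOLDER vd=root',
    # constructed: non-edit system event (logid is a placeholder, not a real FortiGate log ID)
    'date=2022-12-06 time=12:31:00 logid=0100099999 type=event subtype=system level=information action=login msg="Administrator admin logged in successfully" user=admin ui=GUI(172.26.153.91) devid=FG-PLACEHOLDER vd=root',
]


if __name__ == "__main__":
    print("with 'and':", scan(SAMPLE_LOGS))
    print("with 'or': ", scan(SAMPLE_LOGS, combine=any))
```

Running the script with the default `combine=all` lists exactly the three default-object edits; `combine=any` additionally reports the edit of the custom object WEB-8080, which is the "alert at every config change" behaviour the note above warns about. The same parser can be pointed at a log export to confirm which fields a real handler should key on before it is created in each ADOM.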
Copyright 2024 Fortinet, Inc. All Rights Reserved.