FortiGate
ssener
Staff
Article Id 232353
Description
This article describes how to set up FortiAnalyzer event handlers that raise an alert when a generic default object such as the service 'ALL', the address 'all' or the schedule 'always' is modified.
Solution

It is a common admin error that a default object with the widest possible scope is narrowed down to a very limited scope, resulting in a massive outage for the customers.

It also takes time to find the cause and to recover from this state.

 

For example, the default service object 'ALL' normally covers any IP protocol and, for TCP/UDP, any port range.

If an admin mistakenly changes service object 'ALL' to a specific protocol or port, all traffic processed by the policies that reference service object 'ALL' is affected. (Similar problems can happen with address object 'all' or even with schedule 'always'.)

Configuration

With the help of an event handler, it is possible to generate an alert when such pre-defined, important objects are modified:

 

The raw log of such an event would look like this:

 

 date=2022-11-29 time=15:37:19 logid=0100044547 type=event subtype=system level=information slot=1 action=Edit msg=Edit firewall.service.custom ALL logdesc=Object attribute configured user=admin ui=GUI(172.26.137.87) cfgtid=16777501 cfgpath=firewall.service.custom cfgobj=ALL cfgattr=protocol-number[0->111] devid=FG76XXXXXYYYY vd=YYY-XXX dtime=2022-11-29 15:37:19

 


 

With the help of such an event handler, an admin is quickly notified that the default 'ALL' object has been changed, before it causes serious issues.


Example log for the default schedule object 'always' being modified:

date=2022-12-06 itime=2022-12-06 09:23:40 logid=0100044547 type=event subtype=system level=information slot=1 action=Edit msg=Edit firewall.schedule.recurring always logdesc=Object attribute configured user=admin ui=GUI(172.26.153.91) cfgtid=16777652 cfgpath=firewall.schedule.recurring cfgobj=always cfgattr=day[sunday monday tuesday wednesday thursday friday saturday->sunday tuesday wednesday thursday friday saturday] tz=+0300 devid=FG7KXXXXXYYYY vd=XXX-YYY dtime=2022-12-06 12:26:53 itime_t=1670318620


The key fields that identify the critical event for schedule object 'always' in the raw log above are cfgpath=firewall.schedule.recurring and cfgobj=always, combined with the object-edit log ID logid=0100044547; the cfgattr field shows the old and new value (here, 'monday' was removed from the schedule).


Sample raw log for address object 'all' being modified:

 

date=2022-12-06 time=12:27:10 logid=0100044547 type=event subtype=system level=information slot=1 action=Edit msg=Edit firewall.address all logdesc=Object attribute configured user=admin ui=GUI(172.26.153.91) cfgtid=16777653 cfgpath=firewall.address cfgobj=all cfgattr=subnet[0.0.0.0 0.0.0.0->3.3.3.3 255.255.255.255] devid=FG76XXXXYYYY vd=XXX-YYY dtime=2022-12-06 12:27:10 itime_t=1670318635

 

Again, the critical conditions are cfgpath=firewall.address and cfgobj=all together with logid=0100044547; cfgattr shows the subnet changing from 0.0.0.0/0.0.0.0 to a single host.


Remarks:

 

- The event handler only applies within the FortiAnalyzer ADOM in which it is created. If there are multiple ADOMs, it must be created in every ADOM to which a FortiGate sends event logs.

 

- The criteria selection must be 'and', not 'or': all three conditions must be met to trigger an alert. With 'or', the handler would generate an alert on every configuration change, because every object edit carries the same log ID.
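The filter logic described above, as an added example that is not part of the original article or of FortiAnalyzer itself: a small Python script that parses FortiGate key=value event logs (including bracketed old->new values that contain spaces) and evaluates the three handler conditions (log ID, cfgpath, cfgobj) per watched object. The sample log lines are constructed for this example (device names, IPs and the benign edits are hypothetical); running the same lines with the conditions combined by 'or' shows why every config change would then alert.

```python
import re

# Constructed sample FortiGate event logs (hypothetical device, IPs and object
# names); the three object-edit lines mirror the raw logs shown in the article.
SAMPLE_LOGS = [
    'date=2022-11-29 time=15:37:19 logid=0100044547 type=event subtype=system level=information action=Edit msg="Edit firewall.service.custom ALL" logdesc="Object attribute configured" user=admin ui=GUI(192.0.2.10) cfgtid=16777501 cfgpath=firewall.service.custom cfgobj=ALL cfgattr=protocol-number[0->111] devid=FGT-EXAMPLE vd=root',
    'date=2022-12-06 time=12:27:10 logid=0100044547 type=event subtype=system level=information action=Edit msg="Edit firewall.address all" logdesc="Object attribute configured" user=admin ui=GUI(192.0.2.10) cfgtid=16777653 cfgpath=firewall.address cfgobj=all cfgattr=subnet[0.0.0.0 0.0.0.0->3.3.3.3 255.255.255.255] devid=FGT-EXAMPLE vd=root',
    'date=2022-12-06 time=09:23:40 logid=0100044547 type=event subtype=system level=information action=Edit msg="Edit firewall.schedule.recurring always" logdesc="Object attribute configured" user=admin ui=GUI(192.0.2.10) cfgtid=16777652 cfgpath=firewall.schedule.recurring cfgobj=always cfgattr=day[sunday monday tuesday wednesday thursday friday saturday->sunday tuesday wednesday thursday friday saturday] devid=FGT-EXAMPLE vd=root',
    # Benign: a user-defined service under the same cfgpath as 'ALL'
    'date=2022-12-06 time=12:30:00 logid=0100044547 type=event subtype=system level=information action=Edit msg="Edit firewall.service.custom WEB-8080" logdesc="Object attribute configured" user=admin ui=GUI(192.0.2.10) cfgtid=16777660 cfgpath=firewall.service.custom cfgobj=WEB-8080 cfgattr=tcp-portrange[8080->8080-8081] devid=FGT-EXAMPLE vd=root',
    # Benign: a routine policy edit carrying the same log ID
    'date=2022-12-06 time=12:31:00 logid=0100044547 type=event subtype=system level=information action=Edit msg="Edit firewall.policy 12" logdesc="Object attribute configured" user=admin ui=GUI(192.0.2.10) cfgtid=16777661 cfgpath=firewall.policy cfgobj=12 cfgattr=comments[->reviewed] devid=FGT-EXAMPLE vd=root',
]

# key=value tokens: a quoted value, a value with a bracketed old->new change
# (which may contain spaces), or a plain non-space value.
_TOKEN = re.compile(r'(\w+)=("[^"]*"|[^\s\[]*\[[^\]]*\]|\S+)')


def parse_fortigate_log(line):
    """Parse one FortiGate key=value log line into a dict (quotes stripped)."""
    return {key: value.strip('"') for key, value in _TOKEN.findall(line)}


# Default objects whose modification should raise an alert (from the article).
WATCHED_OBJECTS = {
    ("firewall.service.custom", "ALL"),
    ("firewall.address", "all"),
    ("firewall.schedule.recurring", "always"),
}
# Log ID of 'Object attribute configured' as seen in the raw logs above.
OBJECT_ATTR_CONFIGURED = "0100044547"


def evaluate_handler(fields, cfgpath, cfgobj, combine=all):
    """Evaluate the three handler conditions for one watched object.

    combine=all models the 'and' criteria selection; combine=any models 'or'.
    """
    conditions = (
        fields.get("logid") == OBJECT_ATTR_CONFIGURED,
        fields.get("cfgpath") == cfgpath,
        fields.get("cfgobj") == cfgobj,
    )
    return combine(conditions)


def run_handlers(lines, combine=all):
    """Run the watched-object handlers over log lines; return (cfgpath, cfgobj, cfgattr) per alert."""
    alerts = []
    for line in lines:
        fields = parse_fortigate_log(line)
        for cfgpath, cfgobj in WATCHED_OBJECTS:
            if evaluate_handler(fields, cfgpath, cfgobj, combine):
                alerts.append((fields.get("cfgpath"), fields.get("cfgobj"), fields.get("cfgattr")))
                break  # at most one alert per log line
    return alerts


if __name__ == "__main__":
    print("criteria 'and':")
    for path, obj, attr in run_handlers(SAMPLE_LOGS):
        print(f"  ALERT default object modified: {path} {obj} ({attr})")
    print(f"criteria 'or': {len(run_handlers(SAMPLE_LOGS, combine=any))} alerts "
          f"out of {len(SAMPLE_LOGS)} config changes")
```

With the conditions combined by 'and', only the three edits of 'ALL', 'all' and 'always' alert; the edits of WEB-8080 and of policy 12 are ignored. With 'or', all five lines alert because the log ID condition alone is satisfied by every object edit.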
