Lovepreet_Dhillon
Article Id 239127
Description

This article describes how to configure and use the new 'Policy change summary' and 'audit trail' features.

Scope

FortiOS 7.2 and above.

Solution

Policy change summary: each time a firewall policy is created or edited, the administrator is prompted to write a summary as a record of the changes.

To configure the firewall policy change summary feature in the GUI:

  1. Go to System -> Feature Visibility.
  2. Enable Workflow Management.
  3. Select Apply.
  4. Go to System -> Settings.
  5. Enable Policy change summary.

To configure the firewall policy change summary feature in the CLI:

config system settings
    set gui-enforce-change-summary {disable | require | optional}
end

  • disable: no prompt to add a summary is given.
  • require: a summary is mandatory; the administrator must add one.
  • optional: the administrator is prompted to add a summary, but it is not mandatory.

Enabling the Policy change summary adds a new field named 'Config Comments' to the General System Event logs.

Note:

The default value of the policy summary option is 'require'. However, it is not applied until the feature has been enabled as in the instructions above.

In a multiple-VDOM environment, the policy summary option can be enabled on a per-VDOM basis: under Global -> System -> VDOM, select the VDOM and enable the feature with the preferred option.

The Audit Trail feature can be used to review the policy change summaries, along with the date and time of each change and which administrator committed it.

To review the audit trail in the GUI:

  • Go to Policy & Objects -> Firewall Policy.
  • Select the desired policy.
  • Select Audit Trail to open the summary list for that policy.
  • From the list of entries, select the desired item.
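The same record that the GUI shows under Audit Trail is also present in the system event logs once the 'Config Comments' field is populated, so the trail can be rebuilt offline from exported logs (for example when reviewing changes across many devices or after a device has been replaced). The following Python script is an added example, not part of this article and not Fortinet code: it parses the FortiOS key=value log format, keeps only firewall policy configuration changes, and lists who changed which policy, when, from where, and with what summary. The log lines are constructed samples, and the raw log key `cfgcomment` used for the 'Config Comments' column is an assumption (the article only gives the GUI name), so adjust `SUMMARY_KEY` to match what your device actually emits.

```python
"""Rebuild a per-policy audit trail from exported FortiOS system event logs.

Added example, not Fortinet code. The log lines below are constructed samples.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Raw log key holding the 'Config Comments' summary. ASSUMPTION: the article
# gives only the GUI column name, so set this to the key your device emits.
SUMMARY_KEY = "cfgcomment"

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_log_line(line: str) -> Dict[str, str]:
    """Parse one FortiOS key=value log line into a dict with quotes stripped."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        if raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


@dataclass
class AuditEntry:
    when: str      # "date time" taken from the log line
    vdom: str      # VDOM the policy belongs to
    admin: str     # administrator account that committed the change
    ui: str        # origin of the change (GUI/CLI and source address)
    action: str    # Add / Edit / Delete
    attrs: str     # attribute changes as logged by the device
    summary: str   # the policy change summary (empty if none was given)


def audit_trail(lines: Iterable[str]) -> Dict[str, List[AuditEntry]]:
    """Return {policy_id: [entries in log order]} for firewall policy changes only."""
    trail: Dict[str, List[AuditEntry]] = defaultdict(list)
    for line in lines:
        f = parse_log_line(line)
        # Only system event logs describe configuration changes.
        if f.get("type") != "event" or f.get("subtype") != "system":
            continue
        # cfgpath names the configuration table; cfgobj is the policy ID.
        if f.get("cfgpath") != "firewall.policy":
            continue
        trail[f.get("cfgobj", "?")].append(AuditEntry(
            when=f"{f.get('date', '')} {f.get('time', '')}".strip(),
            vdom=f.get("vd", ""),
            admin=f.get("user", ""),
            ui=f.get("ui", ""),
            action=f.get("action", ""),
            attrs=f.get("cfgattr", ""),
            summary=f.get(SUMMARY_KEY, ""),
        ))
    return dict(trail)


def missing_summaries(trail: Dict[str, List[AuditEntry]]) -> List[Tuple[str, AuditEntry]]:
    """Changes committed without a summary (possible when the setting is 'optional')."""
    return [(pid, e) for pid, entries in trail.items() for e in entries if not e.summary]


# Constructed sample log lines (not captured from a real device).
SAMPLE_LOGS = [
    'date=2022-12-07 time=10:15:02 devname="FGT-LAB" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Object configured" user="admin" '
    'ui="GUI(192.0.2.10)" action="Add" cfgpath="firewall.policy" cfgobj="1" '
    'cfgattr="srcintf[port2]dstintf[port1]" '
    'cfgcomment="Allow HR subnet to reach intranet" msg="Add firewall.policy 1"',
    'date=2022-12-07 time=10:42:19 devname="FGT-LAB" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Object attribute configured" user="netops" '
    'ui="GUI(192.0.2.11)" action="Edit" cfgpath="firewall.policy" cfgobj="1" '
    'cfgattr="logtraffic[utm->all]" msg="Edit firewall.policy 1"',
    'date=2022-12-08 time=09:03:55 devname="FGT-LAB" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Object configured" user="admin" '
    'ui="ssh(192.0.2.10)" action="Add" cfgpath="firewall.policy" cfgobj="7" '
    'cfgattr="srcintf[port1]dstintf[port3]" '
    'cfgcomment="Temporary vendor access, review next week" msg="Add firewall.policy 7"',
    'date=2022-12-08 time=09:10:12 devname="FGT-LAB" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Object attribute configured" user="admin" '
    'ui="GUI(192.0.2.10)" action="Edit" cfgpath="system.interface" cfgobj="port3" '
    'cfgattr="alias[->vendor]" msg="Edit system.interface port3"',
    'date=2022-12-08 time=09:11:00 devname="FGT-LAB" type="traffic" subtype="forward" '
    'srcip=10.1.1.5 dstip=198.51.100.20 action="accept" policyid=7',
]


def print_trail(lines: Iterable[str]) -> None:
    """Print the trail in the same shape as the GUI list: one block per policy."""
    for policy_id, entries in sorted(audit_trail(lines).items()):
        print(f"policy {policy_id}")
        for e in entries:
            print(f"  {e.when}  {e.action:<5} {e.admin:<8} {e.ui:<18} {e.summary or '(no summary)'}")


if __name__ == "__main__":
    print_trail(SAMPLE_LOGS)
    for pid, e in missing_summaries(audit_trail(SAMPLE_LOGS)):
        print(f"no summary: policy {pid} changed by {e.admin} at {e.when}")
```

Feed it the lines of an exported event log (one FortiOS log record per line) in place of `SAMPLE_LOGS`; `missing_summaries` is the check worth scheduling when the setting is left at 'optional', since it surfaces policy changes that were saved without any justification.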

Note:

  • The 'Policy change summary' option was first added in FortiOS 7.2.0, so it is unavailable in FortiOS 7.0 and earlier (see also: Add Policy change summary and Policy expiration to Workflow Management).
  • The Audit Trail feature requires the FortiGate to have one of the following configured and available:
    • Local disk logging (e.g. models with local disk storage such as the FortiGate-61F, 101F, etc.)
    • FortiAnalyzer or FortiAnalyzer Cloud (supported in FortiOS 7.2.1 and later)
      • Note: FortiGate Cloud does not currently support Audit Trail features on the FortiGate.
  • If the FortiGate has none of the logging options above, the Audit Trail option will either be absent from the GUI (e.g. in the Firewall Policy section) or the GUI will show a warning.

To confirm whether the device has a hard disk, check the data sheet of the device or run the following commands on the FortiGate:

get system status         <- check for 'Log hard disk'
get hardware status       <- check for 'Hard disk'

If the device is confirmed to have a log disk, check whether disk logging is enabled. Enable disk logging to activate the Audit Trail feature:

config log disk setting
    set status enable
end

To check the status of FortiAnalyzer/FortiAnalyzer Cloud connectivity, go to Security Fabric -> Fabric Connectors -> Logging & Analytics.

After confirming that disk and/or FortiAnalyzer logging is enabled, refresh the GUI or log out of and back in to the FortiGate web GUI. The Audit Trail feature should then be available on the Firewall Policy page.
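When the same check has to be repeated across many firewalls, it is easier to capture the CLI output and evaluate it in a script than to click through each GUI. The following Python code is an added example, not part of this article and not Fortinet code: it applies the prerequisite rules above to captured output (a usable log disk with disk logging enabled, or a FortiAnalyzer / FortiAnalyzer Cloud connection; FortiGate Cloud alone does not qualify) and returns a verdict with the remediation implied by the article. The sample output text is constructed, the exact line formats of `get system status`, `get hardware status` and `get log disk setting` that the regular expressions expect are assumptions to verify against your firmware, and FortiAnalyzer connectivity is passed in as a flag because the article checks it in the GUI.

```python
"""Apply the Audit Trail logging prerequisite to captured FortiGate CLI output.

Added example, not Fortinet code. The sample CLI text below is constructed.
"""
import re
from typing import Optional

# 'get system status' prints "Log hard disk: Available" or "Not available";
# 'get hardware status' prints a "Hard disk:" line. ASSUMPTION: exact wording.
DISK_RE = re.compile(r"^(?:log )?hard disk:\s*(.+?)\s*$", re.I | re.M)

# Accepts both 'get log disk setting' ("status : enable") and
# 'show full-configuration log disk setting' ("set status enable").
STATUS_RE = re.compile(r"^\s*(?:set\s+)?status\s*:?\s*(enable|disable)\b", re.I | re.M)


def log_disk_available(cli_output: str) -> Optional[bool]:
    """True if a usable log disk is reported, False if 'Not available',
    None if no disk line is present in the captured output."""
    m = DISK_RE.search(cli_output)
    if m is None:
        return None
    return m.group(1).lower() == "available"


def disk_logging_enabled(disk_setting_output: str) -> Optional[bool]:
    """True/False from the log disk 'status' line, None if it is not found."""
    m = STATUS_RE.search(disk_setting_output)
    if m is None:
        return None
    return m.group(1).lower() == "enable"


def audit_trail_prerequisite(system_status: str, disk_setting: str,
                             fortianalyzer_connected: bool) -> str:
    """Verdict following the article's rules: ok-disk-logging, ok-fortianalyzer,
    enable-disk-logging, no-supported-logging or unknown-no-disk-line."""
    disk = log_disk_available(system_status)
    if disk and disk_logging_enabled(disk_setting):
        return "ok-disk-logging"
    if fortianalyzer_connected:          # FortiAnalyzer / FortiAnalyzer Cloud qualify
        return "ok-fortianalyzer"
    if disk:                             # disk present, logging disabled or unparsed:
        return "enable-disk-logging"     # config log disk setting / set status enable
    if disk is None:
        return "unknown-no-disk-line"    # capture did not include the disk line
    return "no-supported-logging"        # FortiGate Cloud alone does not qualify


# Constructed samples of captured CLI output.
STATUS_WITH_DISK = (
    "Hostname: FGT-LAB-101F\n"
    "Log hard disk: Available\n"
    "Operation Mode: NAT\n"
)
STATUS_NO_DISK = (
    "Hostname: FGT-LAB-40F\n"
    "Log hard disk: Not available\n"
    "Operation Mode: NAT\n"
)
DISK_SETTING_ENABLED = "status              : enable\nroll-schedule       : daily\n"
DISK_SETTING_DISABLED = "config log disk setting\n    set status disable\nend\n"

if __name__ == "__main__":
    for label, status, setting, faz in [
        ("101F, disk logging on", STATUS_WITH_DISK, DISK_SETTING_ENABLED, False),
        ("101F, disk logging off", STATUS_WITH_DISK, DISK_SETTING_DISABLED, False),
        ("40F with FortiAnalyzer", STATUS_NO_DISK, "", True),
        ("40F, FortiGate Cloud only", STATUS_NO_DISK, "", False),
    ]:
        print(f"{label}: {audit_trail_prerequisite(status, setting, faz)}")
```

The verdict order matters: a device with a disk but disk logging disabled is still fine if FortiAnalyzer is connected, which is why the FortiAnalyzer flag is tested before the "enable disk logging" remediation is suggested.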

To collect debug output from httpsd (the web GUI daemon) for troubleshooting:

diagnose debug reset
diagnose debug application httpsd -1
diagnose debug console time enable
diagnose debug enable

To disable the debugging:

diagnose debug disable
diagnose debug reset

Related documents: