FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
jcamacho1
Staff
Staff
Article Id 193067

Description

 

This article describes the support of FortiGate for TACACS+ Accounting starting from v7.0.2.


Solution


This feature allows customers to send FortiGate system log entries to an external TACACS+ accounting server. Up to three external TACACS+ servers can be configured, each with a different filter for log events. These filters include TACACS+ accounting for login events, config change events, and CLI commands audit.

 

To configure the TACACS+ Accounting settings:

 

config log tacacs+accounting setting

    set status enable

    set server "10.0.0.100"

    set server-key ************

end

 

To configure the filter for the TACACS+ Accounting:

 

config log tacacs+accounting filter

    set login-audit enable

    set config-change-audit enable

    set cli-cmd-audit enable

end

 

Note: Additional TACACS+ Accounting servers and filters can be configured with 'tacacs+accounting2' and 'tacacs+accounting3'.

 

To troubleshoot the TACACS+ Accounting settings:

 

diag debug enable
diag debug app syslogd -1 <- This helps to display the errors if any.

 

diag test app syslogd 4 <- Statistics on TACACS+ Logging.

 

FortiOS prior to v7.0.2 is capable of working with TACACS+ Authentication and Authorization, but not with Accounting. TACACS+ Accounting messages can lead to the following error message (diag debug application fnbamd):

 

2016-10-28 11:26:01 message_loop: checking timeouts

2016-10-28 11:26:09 fnbamd_fsm.c[2194] handle_req-Rcvd 8 req
2016-10-28 11:26:09 fnbamd_acct.c[301] fnbamd_acct_start_STOP-tac_plus accounting not supported
2016-10-28 11:26:09 fnbamd_fsm.c[1251] create_acct_session-Nothing to do for acct type 8
2016-10-28 11:26:09 fnbamd_fsm.c[2206] handle_req-Error creating acct session 8
 
Depending on the type of TACACS+ application the server can close the connection due to this 'rejection' from FortiGates.
 

For FortiOS prior to v7.0.2, it is recommended to disable accounting messages between the FortiGate units and TACACS+ servers.