FortiNAC-F
FortiNAC-F is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks. For legacy FortiNAC articles prior to FortiNAC-F 7.2, see FortiNAC.
Sheikh
Staff
Article Id 389314
Description: This article explains how admins can keep the network secure and compliant by monitoring configuration changes as they happen in the FortiNAC environment.
Scope: FortiNAC or FortiNAC-F (any version).
Solution

In business-critical environments, it is essential to receive timely alerts when modifications are made to FortiNAC configurations. Unauthorized or incorrect changes - whether intentional or accidental - can lead to network disruptions or restricted access to production systems. To mitigate such risks, it is important to monitor and be notified of changes related to model configurations, port settings, policies, and the FortiNAC system.

 

There are no predefined events in FortiNAC that directly provide these details; however, by leveraging a combination of related events, administrators can configure email alerts to receive notifications on relevant changes.

 

Note:

Administrators can further customize the setup by adding or removing events as needed. This technical guide serves as a baseline, outlining commonly useful events that can aid both administrators and auditors.


Basically, the whole process is divided into three steps:

 

  1. Identify relevant events.
  2. Configure Alarms to trigger on these events.
  3. Set up Email notification systems.

 

Step 1: Identify relevant Events.

Open the FortiNAC GUI console and log in. Expand Logs, select Events & Alarms, and then select Events. After selecting Events, a row is added above, and a list of events is shown. For more information, see Events - FortiNAC-F administration guide.

 

FNAC Events.png

 

FNAC Events 2.png

 

These are a few events related to 'Model Configurations' and 'Ports' changes on the devices that were added to the FortiNAC inventory. 

 

| Event Name | Event Description |
|---|---|
| Access Configuration Modified | Generated whenever an access configuration is modified. |
| Administrative Status Success | The user has gone into port properties for an individual port and successfully turned the admin status on or off. |
| Port Uplink Configuration Modified | An administrator modified the uplink setting of a port. The switch name, port, and administrator are included in the event. |
| Port CLI Task Success, Port CLI Task Failure | Indicates whether a CLI configuration applied to a port ran and failed or succeeded. |

 

These are a few events related to 'policies and profile modifications' in FortiNAC.

 

| Event Name | Event Description |
|---|---|
| Access Policy Modified | Generated whenever an access policy is modified. |
| Endpoint Compliance Configuration Modified | Generated whenever an endpoint compliance configuration is modified. |
| Endpoint Compliance Configuration Platform Setting Modified | Generated whenever an endpoint compliance configuration platform setting is modified. |
| Endpoint Compliance Modified | Generated whenever an endpoint's compliance is modified. |
| Authentication Configuration Modified | Generated whenever an authentication configuration is modified. |
| Profile Modified | Generated when a user modifies a user/host profile. Event message contains user information for the user who made the change, whether the change was an add, remove, or replace, and the complete profile after the changes. |
| Authentication Policy Modified | Generated whenever an authentication policy is modified. |


These are a few events related to 'System and admin accounts' in FortiNAC.

 

| Event Name | Event Description |
|---|---|
| Admin Profile Modified | Generated when the admin profile has been changed. Reports the user and the change made to the profile. |
| Admin User Created | Administrative user created. User types are not included in the event message. |
| Admin User Destroyed | Administrative user deleted from the database. |
| System Power Off | Indicates that the user specified in the event message powered off the FortiNAC server. See Power management. |
| System Reboot | Indicates that the user specified in the event message rebooted the FortiNAC server. See Power management. |
| Container Destroyed | The container has been deleted from the database. Deleting a container deletes all of the devices it contains. |

 

Step 2: Configure alarms to trigger on these events: FortiNAC events and alarms list.

To configure alarms to trigger based on the events, go to Logs, select Events & Alarms, and on the right-hand side, select Mappings. Then add a new alarm or modify an existing one.

 

Map events to alarms - FortiNAC-F administration guide

 

FNAC Events mapping to Alarm.png

 

Step 3: Set up an email notification system.

After the mapping is complete and a 'Send Email' option is chosen, ensure that SMTP configurations are enabled in FortiNAC. Configure the relevant settings as required for the mail server, and select 'Test Email Settings' to verify them.

 

See Email settings - FortiNAC-F administration guide.

 

FNAC - SMTP.png

 

Note:

It is recommended to configure an event mapping for 'Email Failure'. Even though administrators will not be able to receive emails if the mail server is unavailable or the connection to the mail server is lost, they can see when FortiNAC was unable to send emails and take the appropriate action when email communication is resumed.
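
One way to confirm that the baseline from this article has been applied, as an added example that is not Fortinet code: the script compares the event names listed above against a list of configured alarm mappings and reports events that are unmapped, disabled, or missing a Send Email action. The CSV layout (`event`, `enabled`, `send_email`) and the sample rows are constructed assumptions, not a FortiNAC export format.

```python
import csv
import io

# Baseline events named in this article, grouped as the article groups them.
BASELINE = {
    "Model configuration and ports": [
        "Access Configuration Modified", "Administrative Status Success",
        "Port Uplink Configuration Modified", "Port CLI Task Success",
        "Port CLI Task Failure",
    ],
    "Policies and profiles": [
        "Access Policy Modified", "Endpoint Compliance Configuration Modified",
        "Endpoint Compliance Configuration Platform Setting Modified",
        "Endpoint Compliance Modified", "Authentication Configuration Modified",
        "Profile Modified", "Authentication Policy Modified",
    ],
    "System and admin accounts": [
        "Admin Profile Modified", "Admin User Created", "Admin User Destroyed",
        "System Power Off", "System Reboot", "Container Destroyed",
    ],
    "Notification health": ["Email Failure"],  # from the note in Step 3
}

# Constructed sample; the column names are assumptions, not a FortiNAC format.
SAMPLE_MAPPINGS = """event,enabled,send_email
Access Policy Modified,yes,yes
Profile Modified,yes,no
Admin User Created,no,yes
"""

def audit_mappings(csv_text):
    """Return {category: {event: problem}} for baseline events without a working alarm."""
    rows = {r["event"].strip().lower(): r for r in csv.DictReader(io.StringIO(csv_text))}
    findings = {}
    for category, events in BASELINE.items():
        for event in events:
            row = rows.get(event.lower())
            if row is None:
                problem = "no alarm mapping"
            elif row["enabled"].strip().lower() != "yes":
                problem = "mapping disabled"
            # 'Email Failure' cannot rely on email delivery, so only its mapping is checked.
            elif event != "Email Failure" and row["send_email"].strip().lower() != "yes":
                problem = "no Send Email action"
            else:
                continue
            findings.setdefault(category, {})[event] = problem
    return findings
```

Calling `audit_mappings(SAMPLE_MAPPINGS)` returns the gaps per category; an empty result means every baseline event has an enabled mapping with email notification.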

  

Related documents:

Technical Tip: Troubleshooting alarm emails 

FortiNAC Admin guide

Technical Tip: FortiNAC Hardening 

FortiNAC events and alarms list