Fortinet Forum
pkgh
New Contributor

Track which Administrator made changes to Policy

Hi all, going through all the event logs and posts, I am still unsure: how do I track which of our admins made changes to the policy?

 

This is one basic requirement to track changes and find a culprit, as once the changes are caught, no one will accept without proof.

We have multiple administrators with their own user IDs

FortiGate 1000D in HA running OS 6.0

FortiAnalyzer running 5.6

 

Any help?

3 REPLIES
ede_pfau
Esteemed Contributor III

config system global
    ...
    set revision-backup-on-logout enable
    set revision-image-auto-backup enable
end

This will save the config (and the firmware) after changes to the internal flash disk. Revisions are stored along with the username, and you can use the built-in 'diff' tool to see which changes were made.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
live89

Hi

 

You can do it this way:

 

FGT notification (Log&Report > Alert E-mail > enable Configuration changes)

* you need to enable the mail server on your FGT first at: config system email-server

 

Then you'll get this kind of message:

Message meets Alert condition

date=2018-08-29 time=13:43:18 devname=FGT1 devid=FG800D1234567890 logid="0100044545" type="event" subtype="system" level="information" vd="root" eventtime=1535539398 logdesc="Object configured" user="blablauser" ui="GUI(1.2.3.4)" action="Delete" cfgtid=10552034 cfgpath="firewall.policy" cfgobj="696" msg="Delete firewall.policy 696

 

And of course you can always see at Log&Report > System Events what has been changed in the fw settings.

Thanks
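
As an added example (not part of the original post, and not Fortinet code): a short Python script that parses event log lines in the key=value format of the alert shown above and reports which administrator changed which firewall policy. The function names and the second and third sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# key=value or key="value"; the closing quote is optional so a line cut off
# mid-field (like the msg field in the alert e-mail above) still parses.
FIELD_RE = re.compile(r'([\w-]+)=(?:"([^"]*)"?|(\S*))')

def parse_line(line):
    """Return the key/value fields of one FortiGate log line as a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}

def policy_changes(lines, cfgpath="firewall.policy"):
    """Yield one record per configuration change under the given cfgpath."""
    for line in lines:
        f = parse_line(line)
        if f.get("type") != "event" or f.get("cfgpath") != cfgpath:
            continue
        yield {
            "when": f"{f.get('date', '?')} {f.get('time', '?')}",
            "admin": f.get("user", "?"),
            "source": f.get("ui", "?"),      # GUI/CLI session and client address
            "action": f.get("action", "?"),
            "policy": f.get("cfgobj", "?"),
        }

def changes_by_admin(lines):
    """Group policy changes by administrator account."""
    grouped = defaultdict(list)
    for rec in policy_changes(lines):
        grouped[rec["admin"]].append(rec)
    return dict(grouped)

# Sample input: the first line is the alert quoted in the post above (with its
# truncated msg field); the other two lines are constructed for illustration.
SAMPLE = [
    'date=2018-08-29 time=13:43:18 devname=FGT1 devid=FG800D1234567890 logid="0100044545" type="event" subtype="system" level="information" vd="root" eventtime=1535539398 logdesc="Object configured" user="blablauser" ui="GUI(1.2.3.4)" action="Delete" cfgtid=10552034 cfgpath="firewall.policy" cfgobj="696" msg="Delete firewall.policy 696',
    'date=2018-08-29 time=14:02:51 devname=FGT1 type="event" subtype="system" user="admin2" ui="ssh(10.0.0.5)" action="Edit" cfgpath="firewall.policy" cfgobj="12" msg="Edit firewall.policy 12"',
    'date=2018-08-29 time=14:05:10 devname=FGT1 type="event" subtype="system" user="admin2" ui="GUI(10.0.0.5)" action="Add" cfgpath="firewall.address" cfgobj="srv1" msg="Add firewall.address srv1"',
]

if __name__ == "__main__":
    for admin, recs in changes_by_admin(SAMPLE).items():
        for r in recs:
            print(f"{r['when']} {admin} via {r['source']}: {r['action']} policy {r['policy']}")
```
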

emnoc
Esteemed Contributor III

You can do this easily from the CLI and use the log and firewall.policy.xxx for the message value.

 

Ken

 

PCNSE 

NSE 

StrongSwan