Fortinet Forum
giuliab
New Contributor

prevent cancellation of logs - Fortigate 60E

Hello,

Is it possible to prevent anyone from deleting logs on a Fortigate 60E? If not, what would be the closest solution?

Thank You and kind regards

jhussain_FTNT

Hi,

Kindly let us know whether the device has a disk; if not, memory logging will display only the current logs and it will not be possible to store the logs.

Regards

Jamal

giuliab

At the moment I don't know, but in any case the goal will be to prevent someone from going onto the firewall and erasing the logs manually.
Thank You

Regards

ntaneja
Staff

Hi,

Another way to store logs is to use an external location like FortiCloud or FortiAnalyzer.

In FortiCloud you get both a free and a licensed service for log storage.

Thanks

pminarik
Staff

If this is about the ability to delete logs via "execute log delete" or "[...] delete-all" command, then the permissions to use it are controlled by the "Log & Report" permission in admin access profiles (loggrp in CLI). If you set it to "none" or "read", an admin with this access profile will not be able to delete the logs.

"execute formatlogdisk" is also controlled by the Log & Report permission.

I'm not aware of any other commands to delete logs. If anybody knows, let me know and I can test those as well.

[ test signature, please ignore ]
seshuganesh
Staff

Hi Team,

The only way is to restrict the profile for them and give read-only access in that admin profile.

System >> Admin Profiles >> create an admin profile with Log & Report read-only access

Then assign that profile to the one who you want to restrict.

Please check and keep us posted

Debbie_FTNT
Staff

Hey giuliab,

To compile the answers above:

- there is no way to completely prevent logs from being deleted on the FortiGate

-> if it does not have a disk and thus logs to memory, then a reboot will wipe those logs

-> if the unit does have a disk there are several CLI commands that can delete the logs, but these are controlled by specific admin permissions; anyone logging into the FortiGate WITHOUT those permissions can't delete logs

-> there is no fine-tuning; either all logs or no logs get deleted (so there is no option of removing only specific logs to hide some activity without being obvious)

- to be safe, it is always a good idea to also store logs at a secondary location (have FortiGate send logs to syslog or FortiAnalyzer, for example)

-> even if logs are deleted on FortiGate, they would still exist somewhere else and could be checked there

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
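As an added example (not code from this thread or from Fortinet), a small Python check that reads a FortiGate configuration backup and lists the admins whose access profile still grants Log & Report read-write, i.e. who can run the deletion commands discussed above; the configuration excerpt and the admin and profile names are constructed.

```python
import shlex

# Constructed excerpt of a FortiGate "show full-configuration" backup (not a real device).
SAMPLE_CONFIG = """\
config system accprofile
    edit "log-readonly"
        set loggrp read
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "auditor"
        set accprofile "log-readonly"
    next
end
"""

def parse_fortios(text):
    """Return {config path: {edit entry or None: {setting: value}}}."""
    tree, stack = {}, []  # stack of [config name, current edit entry]
    for raw in text.splitlines():
        word, _, rest = raw.strip().partition(" ")
        if word == "config":
            stack.append([rest, None])
        elif word == "edit":
            stack[-1][1] = shlex.split(rest)[0]
        elif word == "set":
            key, _, val = rest.partition(" ")
            path = tuple(name for name, _ in stack)
            tree.setdefault(path, {}).setdefault(stack[-1][1], {})[key] = " ".join(shlex.split(val))
        elif word == "next":
            stack[-1][1] = None
        elif word == "end":
            stack.pop()
    return tree

def admins_who_can_delete_logs(tree):
    """Map admin -> (profile, loggrp) where loggrp still permits log deletion."""
    profiles = tree.get(("system accprofile",), {})
    flagged = {}
    for admin, settings in tree.get(("system admin",), {}).items():
        prof = settings.get("accprofile", "")
        # Built-in super_admin is absent from backups but has full rights; "custom" may
        # include write access, so it is flagged for review. New profiles default to none.
        loggrp = "read-write" if prof == "super_admin" else profiles.get(prof, {}).get("loggrp", "none")
        if loggrp in ("read-write", "custom"):
            flagged[admin] = (prof, loggrp)
    return flagged
```

Run it against a backup taken before and after tightening the profiles to confirm only the intended accounts keep the right to wipe logs.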