mec313
New Contributor II

Finding firewall policy by Policy ID

I often see policy references pointing to the Policy ID, which is fine, however I can't find a user friendly way to locate whatever policy is being referred to.

 

The biggest culprit I've run into is the system log. If I'm trying to monitor policy changes, it lets me know the policy id of the rule that was changed. Policy ID 254 means nothing to me and depending on what was changed, the context of the message may not shed any additional light on what rule it is.

 

Preferably, I would love to be able to pull the policy name into my reports instead of the ID, but I imagine looking up a policy ID might be easier/possible. Any assistance or direction would be appreciated.

 

Thanks,

ME

emnoc
Esteemed Contributor III

Preferably, I would love to be able to pull the policy name into my reports instead of the ID

 

That's your first problem: there's no policy name. This is not a Palo Alto, where you have named policies.

 

What you might find easier is to manage the fw policies by using tags, and then you can filter/validate by tags. The only problem with this approach is I believe there's a max value for tags of 4K tags per VDOM.

 

 

e.g. (tag use)

    FWSEC01 (CUSTB2B) $ diag sys check system.object-tag.name CITRIX
    entry used by child table tags:name 'CITRIX' of table firewall.policy:policyid '3333'
    entry used by child table tags:name 'CITRIX' of table firewall.policy:policyid '3353'
    entry used by child table tags:name 'CITRIX' of table firewall.policy:policyid '3367'

    config firewall policy
        edit 3333
            set uuid 14fb21ee-35d2-31e7-a60d-121bad1d87d4
            set srcintf "NCTRIXSERVE"
            set dstintf "VNET01"
            set srcaddr "CTXAPPLSREVERS"
            set dstaddr "STOREFRONT"
            set action accept
            set schedule "always"
            set service "CTXGROUP"
            set tags "CITRIX" "NCTXCHI"
        next
    end

 

Hope that helps

Ken

PCNSE 

NSE 

StrongSwan  

mec313
New Contributor II

Actually you can name your policies. You can even make the policy name a required field within the Feature Select section. 

System -> Feature Select -> Additional Features -> Allow Unnamed Policies

 

I'll take a look in the reports to see if I am able to display the tags. I don't recall seeing it listed as an available log field, but since I wasn't specifically looking for it, I may have overlooked it.

 

Thank you for your post.

emnoc
Esteemed Contributor III

True, that's a new feature in v5.4 or higher. I don't think that will help him with what he wants, but he can give it a try.

 

 

Ken

tanr
Valued Contributor II

@mec313, what version of FortiOS are you running?  Are you only asking about CLI commands or are you using the GUI?  And are you using a FortiAnalyzer?

 

If running 5.4.x and looking at Forward/Local Traffic Logs in the FGT GUI, you can see the policy ID with its name in parentheses if you've added the "Policy" column. Clicking on the name jumps you to that policy. Without the Policy column, right-click on the log entry and choose "Show Policy in Policy List" to jump to the policy.

 

I'm not aware of a way to do that from the FortiAnalyzer view of the logs, though maybe it would allow it if I felt safe putting an admin username and password into the FAZ for the FGT, which I don't.  If anyone knows how to get the FAZ to display the policy name or the policy tags let us know!

 

mec313
New Contributor II

We are running on version 5.4 and are using FortiAnalyzer version 5.4.3. I've seen the policy name listed in the forward traffic and FortiView, however in the event.system logs it doesn't list anything. I created a custom report in FortiAnalyzer to list config changes so that we can log all firewall config changes for compliance reasons. The issue however is that the only reference to which policy got changed is the policy ID number (That I could find anyway). For example, it lists that firewall.policy object 254 had services change from HTTP->HTTP, HTTPS. Given that data, it could be referring to a good number of policies. I've about given up on getting the name of the policy into my report. I would however at least like to have a way to search for the policy in question within the FortiGate.

 

Hopefully that wasn't too long-winded.

 

Thanks

tanr
Valued Contributor II

I just looked at the fields in the system event log coming from the FGT to the FAZ when a policy is changed.  You're correct that it doesn't include the policy name; it doesn't even include the uuid for the policy (which you would think would be the most useful on the FAZ side).

 

However, along with the msg, which includes the policy id, the event does include the comments field.  So one messy way to generate your reports would be to have a unique section in your policies' comments which equals the policy name, then use that to generate reports.  Not very pretty or enforceable, though.

 

This really seems like a bad oversight.  Such events should include the policy uuid at a minimum, and including the policy name just seems like an obvious thing to do.

 

Can anybody with a FGT on 5.6.x confirm if security policy UUIDs or names are coming through to the FAZ in system events?
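As an added example (not code from this thread, and not a Fortinet tool), the Python script below does what mec313 asks for and what tanr's comments-field workaround relies on: it parses `show firewall policy` CLI output into an index keyed by policy ID, describes a policy by name, tags and comments, finds policies by tag, and rewrites a config-change event so the bare ID in `msg` is followed by the policy name. The config text and the event line are constructed for the example (the policy 254 and its UUID are invented), and the event field names `cfgpath`, `cfgobj`, `cfgattr` and `msg` are assumed; only the `msg` text, which the thread confirms carries the policy ID, is used for the lookup.

```python
import re

# Constructed sample of `show firewall policy` output (not from the thread).
# Policy 254 is invented; 3333 mirrors the tagged policy emnoc posted.
CONFIG = """\
config firewall policy
    edit 254
        set name "Web-Out"
        set uuid 3b6e5c7a-9a2d-51e7-8f10-0123456789ab
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "LAN"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set comments "RPT:Web-Out"
        set tags "WEB"
    next
    edit 3333
        set uuid 14fb21ee-35d2-31e7-a60d-121bad1d87d4
        set srcintf "NCTRIXSERVE"
        set dstintf "VNET01"
        set srcaddr "CTXAPPLSREVERS"
        set dstaddr "STOREFRONT"
        set action accept
        set schedule "always"
        set service "CTXGROUP"
        set tags "CITRIX" "NCTXCHI"
    next
end
"""

# Constructed config-change event in FortiOS key=value form; field names other
# than msg are assumptions, and only msg is relied on below.
SAMPLE_EVENT = (
    'date=2017-09-20 time=10:15:32 type="event" subtype="system" level="information" '
    'vd="root" logdesc="Object attribute configured" user="admin" ui="GUI(10.0.0.5)" '
    'action="Edit" cfgpath="firewall.policy" cfgobj="254" '
    'cfgattr="service[HTTP->HTTP HTTPS]" msg="Edit firewall.policy 254"'
)

_SET_RE = re.compile(r'^\s*set\s+(\S+)\s+(.*)$')
_VAL_RE = re.compile(r'"([^"]*)"|(\S+)')        # quoted values or bare tokens
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
_POLICY_IN_MSG = re.compile(r'firewall\.policy\s+(\d+)')


def parse_policies(text):
    """Return {policyid: {attribute: [values]}} from `show firewall policy` text."""
    policies, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("edit "):
            current = int(stripped.split()[1])
            policies[current] = {}
        elif stripped == "next":
            current = None
        elif current is not None:
            m = _SET_RE.match(line)
            if m:
                key, rest = m.groups()
                policies[current][key] = [q or bare for q, bare in _VAL_RE.findall(rest)]
    return policies


def describe(policies, pid):
    """Human-readable label for a policy ID: name, tags and comment if present."""
    p = policies.get(pid)
    if p is None:
        return f"{pid} (not found in running config)"
    parts = [p.get("name", [None])[0] or "unnamed"]
    if "tags" in p:
        parts.append("tags " + ",".join(p["tags"]))
    if "comments" in p:
        parts.append("comment " + p["comments"][0])
    return f"{pid} ({'; '.join(parts)})"


def find_by_tag(policies, tag):
    """Sorted policy IDs carrying the given tag (same answer as `diag sys check`)."""
    return sorted(pid for pid, p in policies.items() if tag in p.get("tags", []))


def parse_kv(line):
    """Split a key=value log line into a dict, dropping the surrounding quotes."""
    return {k: v.strip('"') for k, v in _KV_RE.findall(line)}


def enrich_event(line, policies):
    """Replace 'firewall.policy <id>' in msg with the described policy; else unchanged."""
    m = _POLICY_IN_MSG.search(parse_kv(line).get("msg", ""))
    if not m:
        return line
    pid = int(m.group(1))
    return line.replace(f"firewall.policy {pid}", f"firewall.policy {describe(policies, pid)}", 1)


POLICIES = parse_policies(CONFIG)

if __name__ == "__main__":
    print(describe(POLICIES, 254))
    print(find_by_tag(POLICIES, "CITRIX"))
    print(enrich_event(SAMPLE_EVENT, POLICIES))
```

Feed it a fresh `show firewall policy` capture and the FAZ export of the config-change events and the report shows "254 (Web-Out; ...)" instead of a bare ID; because the lookup is keyed on the ID at report time, a policy deleted after the change still shows as "not found in running config" rather than silently mapping to whatever policy later reuses that ID.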

emnoc
Esteemed Contributor III

Do you have UUID enabled for log output?

Reference one of my older threads here:

https://forum.fortinet.com/tm.aspx?m=142604

 

You probably have it disabled ;)

 

tanr
Valued Contributor II

What I had (in 5.4.x) was:

 

    config sys global
        set log-uuid policy-only
    end

 

But changing log-uuid to extended (options are {disable | policy-only | extended}) still doesn't show a uuid at the FAZ for events that edit policies. I'm not doing disk logging at the FGT itself right now, so if the FAZ doesn't have it I don't have it.  

 

I haven't checked what gets passed out through syslog yet, maybe I'll see the UUID there...

mec313
New Contributor II

You mentioned seeing the comments in FAZ. I looked through all of the available fields, but didn't notice comments anywhere. If the comment was altered, it shows up, but not otherwise. Am I missing something somewhere, or was that what you were referring to? It sounds like a start to a solution though, even if a little clumsy. Hopefully they will put a better solution in soon. Thanks