Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
anhdungle
New Contributor

Local log encrypted ?

Hello everybody,

I would like to know if the log stored locally on the FG is encrypted ?

I know that there's an option to encrypte logs sending to the FortiAnalyzer but how about the local logs ?

 

Thank you for your inputs.

Have a great day all.

6 REPLIES 6
emnoc
Esteemed Contributor III

None that I know of encrypt logs locally.

 

The logs are stored in a local file such as tlog and are simple text-fles. If you need encryption you need to export the logs and encrypt at rest but seriously for traffic/config/system/vpn logs nothing should be sensitive by nature of those logs types if basic logs are used. When you start logging details of user/filename/usernames/dpi etc....maybe a small case could be made but that the information shadows the border line of sensitive.

 

I haven't read the release notes for fortios 7 but maybe a anonymizer is coming within fortios ( i hope ) . A lot of gov agency are mandating random ip/user/file details in logs that are export for analysis or support assistance.

 

Ken Felix

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
anhdungle

Hi Ken,

Thanks for replying me. Any logs could be sensitive, especially web filtering log where you have the user and his/her browsing data.

I don't think the local log is encrypted either but is the hard-drive encrypted by default ? the idea is if the device or the hard-drive get lost, the thief/attacker will not able to extract any information because the drive is encrypted.

 

Have a good day!

emnoc
Esteemed Contributor III

No the  drive is not encrypted. And yes that is why you export the logs from the device and do not log locally unless it memory and even then I rather not waste mem on log messages & surely for historical.

 

I would  be also just equally worried if the device was stolen|lost that your configuration is on the drive.That would could give details about your accounts, psk|password, and topology.

 

The traffic logs with no user details is not as sensitive but we should always be thinking about Snowden and his many campaigns telling us the big biz, gov, NSO, and such are doing this at all level. 

 

Example,  google know all of your traffic and search history and even your shopping history :)

 

Ken Felix

 

 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Yurisk

As Ken already said - no, logs are not encrypted locally. To be honest I know of no firewall/vendor that has local logs encrypted - Checkpoint, Palo Alto, Cisco ASA. So not much you can do about this except not to store logs locally but forward them away. 

 

If you are concerned with the physical security of the Fortigate, have a look here for some recommendations:  https://docs.fortinet.com/document/fortigate/6.4.0/hardening-your-fortigate/995103/building-security... 

like disabling maintainer account etc. 

Additionally, if it is relevant to you, Fortigate is FIPS compliant but you have to enable this mode and have custom image. Ken's blog describes this in detail: http://socpuppet.blogspot.com/2014/09/hardening-your-fortigate-firewall-by.html

 

Yuri https://yurisk.info/  blog: All things Fortinet, no ads.
Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
anhdungle

Thank you guys for your inputs.

Why don't they just encrypt the hard-drive by default or at least as an option ?

emnoc
Esteemed Contributor III

Put a new feature request in thru your sales team. I do not know of any vendor that does that, maybe forcepoint  now I think about it. Log files are binary to some degree and cfg details are limited. So on their NGFW you can't get too much of anything from the appliance if it was stolen or lost in shipping.

 

The ( fw vendors )  need a if  electronic  tampered with "erase my drive" or as in the classic MI movies series where the message delivery device catches on fire after Tom Cruise reads the message...aka self destructed  mechanism  ;)

 

I can't think of any military or gov agency that are worried about extracting information since they normally do not ship devices with configuration and if to be deposed off the shred or do some type of local erase.

 

Ken Felix

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors