FClient_User
New Contributor

Need help identifying if my system was accessed by intruders through forticlient

Hi,
I connect my home computer, running Windows 8 Pro, with FortiClient to a network and then work on the computer there. Could someone please guide me on whether there is a possibility of my home computer getting accessed and files read or uploaded out? Can someone with my own FortiClient password or the administrator password gain access to my home computer? If yes, is there a log where I can find it? I can upload the logs if you want. Much thanks!
Thanks,

FCUser

ede_pfau
Esteemed Contributor III

hi,
There is no way to establish the tunnel from remote. But, if the tunnel is already up while you're working, you've essentially got a direct connection between your PC and the remote LAN.

FC has a built-in firewall, and maybe you've got other security software on your PC, like Kaspersky, which features one. If that is active you can control access from remote.

If access from remote to your PC is allowed then one could create a connection to a local share ('net use x: \\myPC\share') and copy files from and to. That is independent of the VPN though.

Logging: there is no valuable log info from the FC regarding file copies. You may find these in the Windows logs if configured (file or folder monitoring).


Ede

"Kernel panic: Aiee, killing interrupt handler!"
emnoc
Esteemed Contributor III

Why do you ask? What drove you to this speculation? As far as logs, are you logging anything on the FortiGate? What's the fw.policy for the remote-access? What network/server resources do you allow for the "remote users" (SMB/CIFS, RDP, FTP, etc...)? I would be more inclined to review the logs on the server resource, if any, than the firewall, since the logs at the firewall will just show you traffic and not failed logins, logins, etc....
YMMV

PCNSE 

NSE 

StrongSwan  
FClient_User

ede_pfau wrote:

hi,
There is no way to establish the tunnel from remote. But, if the tunnel is already up while you're working, you've essentially got a direct connection between your PC and the remote LAN.

FC has a built-in firewall, and maybe you've got other security software on your PC, like Kaspersky, which features one. If that is active you can control access from remote.

If access from remote to your PC is allowed then one could create a connection to a local share ('net use x: \\myPC\share') and copy files from and to. That is independent of the VPN though.

Logging: there is no valuable log info from the FC regarding file copies. You may find these in the Windows logs if configured (file or folder monitoring).

Hi ede,

I don't have any other security software. So will the FC's built-in firewall prevent anyone in the remote LAN from accessing the files on my PC? I just checked, my PC has "Don't allow remote connections to this computer" checked.

Where are these Windows logs for file and folder monitoring?
emnoc wrote:

Why do you ask? What drove you to this speculation? As far as logs, are you logging anything on the FortiGate? What's the fw.policy for the remote-access? What network/server resources do you allow for the "remote users" (SMB/CIFS, RDP, FTP, etc...)? I would be more inclined to review the logs on the server resource, if any, than the firewall, since the logs at the firewall will just show you traffic and not failed logins, logins, etc....
YMMV

I have a strong suspicion someone in the remote LAN, or someone connected to the remote LAN, was spying on me. I think it's a group effort of 2 or more people, with one having admin access. Can this admin delete the logs on the FortiGate, or will the logs be secure? Can they tamper with the server-side logs?

Where can I view the firewall logs?

I've been trying desperately to find out what really happened. I really need help on this, please!

FClient_User

Anyone...?

emnoc
Esteemed Contributor III

Can this admin delete the logs on the FortiGate, or will the logs be secure? Can they tamper with the server-side logs? Where can I view the firewall logs?

To answer the questions:

YES

YES

and

execute log filter category 1
execute log display

 

The real question tho: if they have access they could delete, tamper with, or remove files, and do you even have logging enabled? And yes, was it memory/disk, or did you enable remote syslog?
This is why it's 100% preferable to have off-appliance logging (FortiCloud, FAZ, Syslog).
Ken
PCNSE 

NSE 

StrongSwan  
FClient_User

emnoc wrote:

To answer the questions:

YES

YES

Not good.
The real question tho: if they have access they could delete, tamper with, or remove files, and do you even have logging enabled? And yes, was it memory/disk, or did you enable remote syslog?
This is why it's 100% preferable to have off-appliance logging (FortiCloud, FAZ, Syslog).
Ken

I have no idea. Basically I want to resolve this without going to the admin and asking for the server logs. I want to resolve this with some logs within my PC itself, because the worst-case scenario is that the admin himself is compromised and will not co-operate, or will have tampered with the logs. If my PC does not have those logs, then I guess I'll go and ask them about the off-appliance logging you have mentioned.

So, does my PC contain any worthwhile logs I should be looking at?

execute log filter category 1
execute log display

This is on the server side? Like I mentioned, I do not have access to the server. Will the FortiClient on my PC have these logs? If yes, then how do I execute those commands?
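An added example, not from any poster in this thread, of the PC-side check the last question asks about: whether this Windows machine audits inbound share access at all, and what its Security log already holds. It assumes an elevated PowerShell on the Windows 8 Pro host; the event IDs and auditpol subcategories are Microsoft's standard ones.

```powershell
# Added example (not from the thread). Run as Administrator on the PC that
# holds the files. Note: "Don't allow remote connections to this computer"
# only governs Remote Desktop; SMB file sharing is controlled separately.

# 1. Is share/logon auditing even enabled? Without it the Security log will
#    not contain the events queried below (matches ede's "if configured").
auditpol /get /subcategory:"Logon","File Share","Detailed File Share"

# To enable them (success and failure) for future monitoring, uncomment:
# auditpol /set /subcategory:"Logon" /success:enable /failure:enable
# auditpol /set /subcategory:"File Share" /success:enable /failure:enable
# auditpol /set /subcategory:"Detailed File Share" /success:enable /failure:enable

# 2. Network logons (4624, logon type 3) to this PC: who authenticated, from where.
#    Property indices follow the standard 4624 event layout.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 500 |
    Where-Object { $_.Properties[8].Value -eq 3 } |
    Select-Object TimeCreated,
        @{ n = 'Account';  e = { "$($_.Properties[6].Value)\$($_.Properties[5].Value)" } },
        @{ n = 'SourceIP'; e = { $_.Properties[18].Value } } |
    Format-Table -AutoSize

# 3. Share access: 5140 = a share was accessed, 5145 = a file/folder inside a
#    share was checked for the requested access. Both carry account, source IP
#    and share name at the same property positions.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5140, 5145 } -MaxEvents 500 |
    Select-Object TimeCreated, Id,
        @{ n = 'Account';   e = { $_.Properties[1].Value } },
        @{ n = 'SourceIP';  e = { $_.Properties[5].Value } },
        @{ n = 'ShareName'; e = { $_.Properties[7].Value } } |
    Format-Table -AutoSize
```

If Get-WinEvent reports "No events were found", auditing was not on when the suspected access happened; the auditpol lines only help going forward.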
