I've recently migrated our primary firewall from an ASA to a FortiGate 600. Don't get me wrong, I love Cisco but the FortiGate firewall has been a HUGE improvement and I don't regret the change for a moment! However, there was one thing about the ASA that I loved and that has saved my butt more than once. With every "commit" I made, I had the ASA spit out the CLI of what change I had just made. So, like, if I made some new service ports in the ASDM, when I hit "apply" I'd get an output like so:
object service TCP-7046
service tcp destination eq 7046
description Nav Client Services
object service TCP-7047
service tcp destination eq 7047
description Nav SOAP Services
Then I would copy that info and place it into my own personal change log with a little note of what I was doing, so I've got my own personal change log of every change made. An example entry:
4/30/2024
1. Create the NAV ports on the ASA
object service TCP-7046
service tcp destination eq 7046
description Nav Client Services
object service TCP-7047
service tcp destination eq 7047
description Nav SOAP Services
So now the question is: how do I log changes like this in the FortiGate? I know there are settings within the FortiGate itself to do some logging, but I like my own little log. I've got kind of a "basic" skeleton of logging that I could use, like so:
Name:, Source:, Destination:, Schedule:always, Service:, Action:, NAT:, Security Profile:, Log:UTM
and I just manually fill out the info, but that is a bit time consuming... but may be my only option. Anyone have thoughts?
Hello @IrbkOrrum ,
Thank you for contacting the Fortinet Forum portal.
Please refer to the article below, which shows how changes made in the GUI are displayed as CLI configuration: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Verify-applied-configuration-change-in-CLI...
diagnose debug reset
diagnose debug cli 8
diagnose debug enable
Additionally, you could get the script if you are managing the FortiGate using FortiManager.
Best regards,
Manasa.
If you feel the above steps helped resolve the issue, mark the reply as solved so that other customers can get it easily while searching for similar scenarios.
Hello,
FortiGate does not have a built-in feature that provides CLI output of every change like Cisco ASA does with its "commit" commands. However, you can enable admin activity logging to capture configuration changes in FortiGate’s logs. This will allow you to track who made changes and what they were, though it won’t give you CLI-style output.
While FortiGate does not offer the same "commit" style output, you can use FortiManager to manage changes across FortiGates, which can log changes in a more structured way.
Not as easy to use as the ASA was, however pretty much exactly what I want. Kind of a pain to turn that on and off for every change you're going to make, but it definitely gives you a good CLI log of exactly what you did.
Is there a way to keep stuff like
cidc276-da2-fwc0 # 0: config firewall policy
0: move 761 after 766
0: end
but not have the background stuff like this
0: get system status
0: diagnose ip address list
0: config system admin
0: show full-configuration
0: end
0: config system global
0: show full-configuration
0: end
0: get system csf
0: get system sdwan
0: diagnose autoupdate versions
0: get system fortiguard
0: get system ha
Created on 10-24-2024 07:32 AM Edited on 10-24-2024 07:33 AM
The command that I provided earlier will record all the configuration changes made in the GUI, but unfortunately it doesn't give any option to cut the text; we just have to remove the extra information we don't need after downloading the console log. Article: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-download-or-save-FortiGate-CLI-GUI-...
The data which you provided might be recorded if anyone in the GUI creates any script to run.
You can play with the debug levels, try maybe "7" or "6" instead of "8", you might find a level that is less verbose and more aligned with what you're looking for.
Yeah, 7 is a little bit better than 8. If I go much lower than 7, then it's not recording the changes I made (I was testing by just moving 1 rule above the other), but even without anyone making changes I'm getting these
0: get system status
0: diagnose ip address list
0: config system admin
0: show full-configuration
0: end
0: config system global
0: show full-configuration
0: end
0: get system csf
0: get system sdwan
0: diagnose autoupdate versions
0: get system fortiguard
0: get system ha
messages, so I'm guessing that's some kind of 'background' stuff that's going on. Not the end of the world, but I figured I'd float the question.
Yep, various status checks, "background noise".
Anything starting with "get", "diagnose", "show" you can safely ignore, those don't perform any changes to the configuration.
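One way to automate the clean-up the thread arrives at (keep the `config ... end` blocks that actually change something, drop the `get`/`diagnose`/`show` background noise) is a small post-processing script run over the downloaded console log. The script below is an added example, not something from this thread or from Fortinet; it assumes the `N: command` line format shown in the captures above (optionally preceded by a `hostname # ` prompt), treats `get`, `diagnose` and `show` as read-only per the last reply, and uses a constructed sample log that mixes a rule move, a service definition and the background status checks.

```python
import re
import sys

# Constructed sample of a console log captured with `diagnose debug cli 8`.
# Built for this example; not a real capture from the thread.
SAMPLE_LOG = """\
cidc276-da2-fwc0 # 0: config firewall policy
0: move 761 after 766
0: end
0: get system status
0: diagnose ip address list
0: config system admin
0: show full-configuration
0: end
0: config system global
0: show full-configuration
0: end
0: get system csf
0: config firewall service custom
0: edit "TCP-7046"
0: set tcp-portrange 7046
0: set comment "Nav Client Services"
0: next
0: end
0: get system ha
"""

# Prefixes of commands that only read state (per the reply above).
READ_ONLY = ("get ", "diagnose ", "show ")
# Lines that open/close blocks or entries without themselves being a change.
STRUCTURAL = ("end", "next", "abort")
# 'host # 0: cmd' or '0: cmd' -> capture 'cmd'
LINE_RE = re.compile(r"^(?:\S+ # )?\d+: (.*)$")


def parse_commands(text):
    """Strip the prompt and 'N: ' prefix from each line; return bare CLI commands."""
    cmds = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            cmds.append(m.group(1).strip())
    return cmds


def is_mutating(cmd):
    """True for commands that can alter configuration (set, unset, edit, move, delete...)."""
    return not (cmd.startswith(READ_ONLY) or cmd.startswith("config ") or cmd in STRUCTURAL)


def extract_changes(text):
    """Return the 'config ... end' blocks that contain at least one mutating command.

    Top-level get/diagnose/show lines are dropped, nested config/end pairs are
    tracked by depth, and a block closed with 'abort' is discarded because the
    FortiOS CLI throws away uncommitted changes on abort.
    """
    blocks, current, depth = [], None, 0
    for cmd in parse_commands(text):
        if current is None:
            if cmd.startswith("config "):
                current, depth = [cmd], 1
            continue  # anything outside a block (status checks) is noise
        current.append(cmd)
        if cmd.startswith("config "):
            depth += 1
        elif cmd in ("end", "abort"):
            depth -= 1
            if depth == 0:
                if cmd == "end" and any(is_mutating(c) for c in current):
                    blocks.append(current)
                current = None
    return blocks


def format_changelog(blocks, date, note):
    """Render blocks in the ASA-style personal change-log layout used in the question."""
    lines = [date, note]
    for block in blocks:
        lines.extend(block)
        lines.append("")
    return "\n".join(lines).rstrip() + "\n"


if __name__ == "__main__":
    # Usage: python fgt_changelog.py console.log "1. Create the NAV ports"
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    note = sys.argv[2] if len(sys.argv) > 2 else "1. Change description"
    print(format_changelog(extract_changes(text), "YYYY-MM-DD", note))
```

Run against the sample, the two `config system ... show full-configuration ... end` blocks and every top-level `get`/`diagnose` line are dropped, leaving only the policy move and the service definition ready to paste into the change log; point it at a saved console log instead to process a real session.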