Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevice
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiSASE Sovereign
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- RE: Report of config changes
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Report of config changes
Hi,
we have an FortiAnalyzer 400B running FortiOS 5.0.7 and want to create reports off configuration changes on our FortiGates (e.g. add/delete/edit firewall rules).
The problem I have is that I can' t select events with subtype ' config' on the Analyzer. In general: I can' t see any events of subtype ' config' on the FortiAnalyzer. And yes, we have activated the Event Logging of " Configuration change event" on the FortiGate and see those events in the event log of the FortiGate.
Any ideas on how to resolve this problem?
Regards,
Olav
FCNSP, FCESP
AirITSystems
FCNSP, FCESP AirITSystems
- « Previous
-
- 1
- 2
- Next »
15 REPLIES 15
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
please run code CLI screen
execute sql-query-dataset root event-Config-Changes_3 All_FortiGates faz " 2014-08-01 00:00:00" " 2014-08-30 23:59:59"
I think the error will be written to the screen
Tuncay BAS
RZK Muhendislik Turkey
FCA,FCP,FCF,FCSS
RZK Muhendislik Turkey
FCA,FCP,FCF,FCSS
Tuncay BASRZK Muhendislik TurkeyFCA,FCP,FCF,FCSS
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
will test it on monday. Have to leave now for weekend :-)
Thanks and nice weekend!!!
FCNSP, FCESP
AirITSystems
FCNSP, FCESP AirITSystems
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ok. nice weekend
Tuncay BAS
RZK Muhendislik Turkey
FCA,FCP,FCF,FCSS
RZK Muhendislik Turkey
FCA,FCP,FCF,FCSS
Tuncay BASRZK Muhendislik TurkeyFCA,FCP,FCF,FCSS
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Olav,
As you are not able to see config logs in the files under Log browse I suggest the following:
Using Putty or SecureCRT etc. connect to the FAZ and log all the outputs from CLI to a file and try to log the log packets like:
FortiAnalyzer-VM # diagnose sniffer packet any ' host FG-IP-address'
<verbose> 1: print header of packets
2: print header and data from IP of packets
3: print header and data from Ethernet of packets
choose 2:
1) diagnose sniffer packet any ' host FG-IP-address' 2
2) do some changes for example on the fireall policy
3) stop the sniffer with CTRL+C
4) logout from FAZ CLI
5) search config messages in the file like this:
73.224726 193.86.250.182.2474 -> 193.85.199.90.514: psh 3083017352 ack 1113124487
0x0000 4500 0124 ffcd 4000 3d06 f848 c156 fab6 E..$..@.=..H.V..
0x0010 c155 c75a 09aa 0202 b7c3 1c88 4258 ee87 .U.Z........BX..
0x0020 8018 1f68 f868 0000 0101 080a 0a45 09c6 ...h.h.......E..
0x0030 1179 024b 1700 0100 000d 65a1 0000 00f0 .y.K......e.....
0x0040 0700 0000 0000 00e4 ef07 00dc 000a c446 ...............F
0x0050 4754 3830 4333 3931 3036 3135 3639 3201 GT80C39106xxxxx.
0x0060 4c41 425f 4c55 5804 726f 6f74 0454 0425 LAB_LUX.root.T.%
0x0070 4a00 b301 0006 0000 0000 ae03 0100 7573 J.............us
0x0080 6572 3d22 746f 7468 6122 2075 693d 2247 er=" totha" .ui=" G
0x0090 5549 2836 322e 3136 382e 3330 2e34 3329 UI(x.x.x.x)
0x00a0 2220 6163 7469 6f6e 3d45 6469 7420 6366 " .action=Edit.cf
0x00b0 6774 6964 3d32 3033 3138 3637 2063 6667 gtid=2031867.cfg
0x00c0 7061 7468 3d22 6669 7265 7761 6c6c 2e70 path=" firewall.p
0x00d0 6f6c 6963 7922 2063 6667 6f62 6a3d 2233 olicy" .cfgobj=" 3
0x00e0 3322 2063 6667 6174 7472 3d22 6170 706c 3" .cfgattr=" appl
0x00f0 6963 6174 696f 6e2d 6c69 7374 5b41 432d ication-list[AC-
0x0100 3e4e 4153 5d22 206d 7367 3d22 4564 6974 >NAS]" .msg=" Edit
0x0110 2066 6972 6577 616c 6c2e 706f 6c69 6379 .firewall.policy
0x0120 2033 3322 .33"
This way cou can check whether the config messages are sent to FAZ or not.
Probably there is a better way to check it.
AtiT
AtiT
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Tuncay, I' ve tested the sql-query-dataset on the CLI and there was no data as well.
Hello AtiT,
I have also tested with sniffing the trsffic FGT --> FAZ
I can' t find anything in the log from my config change, which I made while sniffing.
Will reboot my Fortigate as soon as possible...
I will post the result here when done.
FCNSP, FCESP
AirITSystems
FCNSP, FCESP AirITSystems
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After rebooting the cluster the behaviour is the same as before - no log entries about config changes on the FAZ.
Now I have opened a support ticket at Fortinet...
FCNSP, FCESP
AirITSystems
FCNSP, FCESP AirITSystems
- « Previous
-
- 1
- 2
- Next »
Labels
-
FortiGate
10,794 -
FortiClient
2,213 -
FortiManager
905 -
FortiAnalyzer
690 -
5.2
687 -
5.4
638 -
FortiSwitch
597 -
FortiClient EMS
582 -
FortiAP
568 -
IPsec
445 -
6.0
416 -
SSL-VPN
393 -
FortiMail
380 -
5.6
362 -
FortiNAC
297 -
FortiWeb
257 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SD-WAN
205 -
FortiAuthenticator
185 -
FortiGuard
161 -
5.0
152 -
Firewall policy
150 -
FortiGate-VM
141 -
6.4
128 -
FortiCloud Products
118 -
FortiToken
115 -
FortiSIEM
113 -
FortiGateCloud
112 -
Wireless Controller
96 -
High Availability
93 -
Customer Service
88 -
FortiProxy
79 -
ZTNA
79 -
SAML
78 -
Routing
77 -
Fortivoice
73 -
BGP
73 -
DNS
73 -
VLAN
73 -
FortiEDR
71 -
Authentication
71 -
FortiADC
69 -
Certificate
69 -
LDAP
64 -
RADIUS
63 -
FortiLink
59 -
SSO
57 -
NAT
56 -
FortiSandbox
55 -
FortiExtender
52 -
Interface
50 -
VDOM
50 -
4.0MR3
49 -
Application control
48 -
Virtual IP
45 -
FortiDNS
43 -
Logging
42 -
SSL SSH inspection
39 -
FortiGate v5.4
38 -
FortiSwitch v6.4
38 -
FortiPAM
37 -
Web profile
36 -
FortiConnect
35 -
Automation
35 -
FortiWAN
31 -
FortiConverter
31 -
API
29 -
FortiGate v5.2
28 -
Fortigate Cloud
26 -
Traffic shaping
26 -
Static route
26 -
SNMP
25 -
SSID
25 -
FortiSwitch v6.2
23 -
FortiPortal
23 -
System settings
22 -
WAN optimization
22 -
FortiMonitor
21 -
OSPF
21 -
Security profile
19 -
Web application firewall profile
19 -
Web rating
19 -
IP address management - IPAM
19 -
FortiSOAR
18 -
FortiAP profile
17 -
FortiGate v5.0
16 -
FortiDDoS
16 -
Explicit proxy
16 -
Admin
15 -
IPS signature
15 -
Proxy policy
15 -
Intrusion prevention
15 -
FortiManager v4.0
14 -
FortiCASB
14 -
NAC policy
14 -
DNS filter
13 -
Users
13 -
FortiManager v5.0
12 -
FortiDeceptor
12 -
Traffic shaping policy
12 -
Fabric connector
12 -
Port policy
12 -
FortiBridge
11 -
FortiRecorder
11 -
Trunk
11 -
Authentication rule and scheme
11 -
FortiAnalyzer v5.0
10 -
FortiWeb v5.0
10 -
Traffic shaping profile
10 -
Fortinet Engage Partner Program
10 -
FortiGate v4.0 MR3
9 -
RMA Information and Announcements
9 -
Antivirus profile
9 -
FortiCache
8 -
FortiToken Cloud
8 -
Application signature
8 -
4.0
7 -
4.0MR2
7 -
Packet capture
7 -
VoIP profile
7 -
Vulnerability Management
7 -
FortiScan
6 -
FortiNDR
6 -
DoS policy
6 -
FortiCarrier
5 -
FortiTester
5 -
DLP profile
5 -
DLP sensor
5 -
Email filter profile
5 -
Protocol option
5 -
TACACS
5 -
Cloud Management Security
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
DLP Dictionary
4 -
Netflow
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
Multicast routing
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiAI
3 -
Kerberos
3 -
File filter
3 -
Multicast policy
3 -
FortiEdge Cloud
3 -
FortiInsight
2 -
Video Filter
2 -
Schedule
2 -
ICAP profile
2 -
Zone
2 -
Lacework
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
FortiSASE
1 -
Virtual wire pair
1 -
FortiEdge
1 -
FortiAIOps
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2712 | |
| 1416 | |
| 810 | |
| 732 | |
| 455 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.