Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Report of config changes
Hi,
we have an FortiAnalyzer 400B running FortiOS 5.0.7 and want to create reports off configuration changes on our FortiGates (e.g. add/delete/edit firewall rules).
The problem I have is that I can' t select events with subtype ' config' on the Analyzer. In general: I can' t see any events of subtype ' config' on the FortiAnalyzer. And yes, we have activated the Event Logging of " Configuration change event" on the FortiGate and see those events in the event log of the FortiGate.
Any ideas on how to resolve this problem?
Regards,
Olav
FCNSP, FCESP
AirITSystems
FCNSP, FCESP AirITSystems
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
- « Previous
-
- 1
- 2
- Next »
15 REPLIES 15
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
please run code CLI screen
execute sql-query-dataset root event-Config-Changes_3 All_FortiGates faz " 2014-08-01 00:00:00" " 2014-08-30 23:59:59"
I think the error will be written to the screen
Tuncay BAS
RZK Muhendislik Turkey
FCA,FCP,FCF,FCSS
RZK Muhendislik Turkey
FCA,FCP,FCF,FCSS
Tuncay BASRZK Muhendislik TurkeyFCA,FCP,FCF,FCSS
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
will test it on monday. Have to leave now for weekend :-)
Thanks and nice weekend!!!
FCNSP, FCESP
AirITSystems
FCNSP, FCESP AirITSystems
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ok. nice weekend
Tuncay BAS
RZK Muhendislik Turkey
FCA,FCP,FCF,FCSS
RZK Muhendislik Turkey
FCA,FCP,FCF,FCSS
Tuncay BASRZK Muhendislik TurkeyFCA,FCP,FCF,FCSS
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Olav,
As you are not able to see config logs in the files under Log browse I suggest the following:
Using Putty or SecureCRT etc. connect to the FAZ and log all the outputs from CLI to a file and try to log the log packets like:
FortiAnalyzer-VM # diagnose sniffer packet any ' host FG-IP-address'
<verbose> 1: print header of packets
2: print header and data from IP of packets
3: print header and data from Ethernet of packets
choose 2:
1) diagnose sniffer packet any ' host FG-IP-address' 2
2) do some changes for example on the fireall policy
3) stop the sniffer with CTRL+C
4) logout from FAZ CLI
5) search config messages in the file like this:
73.224726 193.86.250.182.2474 -> 193.85.199.90.514: psh 3083017352 ack 1113124487
0x0000 4500 0124 ffcd 4000 3d06 f848 c156 fab6 E..$..@.=..H.V..
0x0010 c155 c75a 09aa 0202 b7c3 1c88 4258 ee87 .U.Z........BX..
0x0020 8018 1f68 f868 0000 0101 080a 0a45 09c6 ...h.h.......E..
0x0030 1179 024b 1700 0100 000d 65a1 0000 00f0 .y.K......e.....
0x0040 0700 0000 0000 00e4 ef07 00dc 000a c446 ...............F
0x0050 4754 3830 4333 3931 3036 3135 3639 3201 GT80C39106xxxxx.
0x0060 4c41 425f 4c55 5804 726f 6f74 0454 0425 LAB_LUX.root.T.%
0x0070 4a00 b301 0006 0000 0000 ae03 0100 7573 J.............us
0x0080 6572 3d22 746f 7468 6122 2075 693d 2247 er=" totha" .ui=" G
0x0090 5549 2836 322e 3136 382e 3330 2e34 3329 UI(x.x.x.x)
0x00a0 2220 6163 7469 6f6e 3d45 6469 7420 6366 " .action=Edit.cf
0x00b0 6774 6964 3d32 3033 3138 3637 2063 6667 gtid=2031867.cfg
0x00c0 7061 7468 3d22 6669 7265 7761 6c6c 2e70 path=" firewall.p
0x00d0 6f6c 6963 7922 2063 6667 6f62 6a3d 2233 olicy" .cfgobj=" 3
0x00e0 3322 2063 6667 6174 7472 3d22 6170 706c 3" .cfgattr=" appl
0x00f0 6963 6174 696f 6e2d 6c69 7374 5b41 432d ication-list[AC-
0x0100 3e4e 4153 5d22 206d 7367 3d22 4564 6974 >NAS]" .msg=" Edit
0x0110 2066 6972 6577 616c 6c2e 706f 6c69 6379 .firewall.policy
0x0120 2033 3322 .33"
This way cou can check whether the config messages are sent to FAZ or not.
Probably there is a better way to check it.
AtiT
AtiT
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Tuncay, I' ve tested the sql-query-dataset on the CLI and there was no data as well.
Hello AtiT,
I have also tested with sniffing the trsffic FGT --> FAZ
I can' t find anything in the log from my config change, which I made while sniffing.
Will reboot my Fortigate as soon as possible...
I will post the result here when done.
FCNSP, FCESP
AirITSystems
FCNSP, FCESP AirITSystems
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After rebooting the cluster the behaviour is the same as before - no log entries about config changes on the FAZ.
Now I have opened a support ticket at Fortinet...
FCNSP, FCESP
AirITSystems
FCNSP, FCESP AirITSystems
- « Previous
-
- 1
- 2
- Next »