Support Forum
l_fiorini
New Contributor

Strange alert at strange time

Yesterday evening I got a strange alert from a Fortigate 50B I manage. Below there are some lines from the log.

What is strange is that at that time nobody (I am aware of) was accessing the Fortigate from http(192.168.5.6).


Any idea?


best regards,

LF


2014-10-30 21:19:01 log_id=0104032400 type=event subtype=admin pri=alert vd=root user="admin" ui=http(192.168.5.6) msg="Configuration is changed in the admin session"
2014-10-30 21:19:01 log_id=0104032003 type=event subtype=admin pri=information vd=root user="admin" ui=http(192.168.5.6) action=logout status=success reason=timeout msg="Administrator admin timed out on http(192.168.5.6)"
2014-10-30 21:18:59 log_id=0100020202 type=event subtype=system pri=information vd=root action=daemon-startup daemon=authd pid=811 msg="Daemon authd started"
2014-10-30 21:18:58 log_id=0100020203 type=event subtype=system pri=information vd=root action=daemon-shutdown daemon=authd pid=808 msg="Daemon authd shut down"
2014-10-30 21:18:57 log_id=0100020202 type=event subtype=system pri=information vd=root action=daemon-startup daemon=authd pid=808 msg="Daemon authd started"
2014-10-30 21:18:56 log_id=0104032301 type=event subtype=admin pri=notice vd=root user="daemon_admin" ui=init action=add-vdom msg="Virtual domain root is added"
2014-10-30 21:18:56 log_id=0100020203 type=event subtype=system pri=information vd=root action=daemon-shutdown daemon=authd pid=805 msg="Daemon authd shut down"
2014-10-30 21:18:18 log_id=0100020202 type=event subtype=system pri=information vd=root action=daemon-startup daemon=authd pid=805 msg="Daemon authd started"
2014-10-30 21:18:17 log_id=0100020203 type=event subtype=system pri=information vd=root action=daemon-shutdown daemon=authd pid=270 msg="Daemon authd shut down"
2014-10-30 21:18:09 log_id=0100020202 type=event subtype=system pri=information vd=root action=daemon-startup daemon=fdsmgmtd pid=802 msg="Daemon fdsmgmtd started"
2014-10-30 21:18:08 log_id=0100020203 type=event subtype=system pri=information vd=root action=daemon-shutdown daemon=fdsmgmtd pid=56 msg="Daemon fdsmgmtd shut down"
2014-10-30 21:18:08 log_id=0100020202 type=event subtype=system pri=information vd=root action=daemon-startup daemon=cmdbsvr pid=799 msg="Daemon cmdbsvr started"
2014-10-30 21:18:07 log_id=0100020203 type=event subtype=system pri=information vd=root action=daemon-shutdown daemon=cmdbsvr pid=22 msg="Daemon cmdbsvr shut down"


Jeff_FTNT
Staff

FGT enables "set revision-backup-on-logout enable" by default, with CLI: config sys global / set revision-backup-on-logout enable / end


So if a login session changes a setting but did not back it up to flash, when this admin session logs out or times out, FGT will automatically save the revised setting to flash, and you will see that event log (logid=0100032400) for it.
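A way to check this pattern in an exported event log, as an added example that is not part of the reply above or of any Fortinet tooling: it parses the key=value event format shown in the thread and marks each "Configuration is changed" alert as consistent with the auto-save on logout/timeout when a timeout logout for the same admin and UI sits within a few seconds of it, and as unexplained otherwise. The sample lines are constructed (the third one is invented to show the unexplained case); a match only says the save was triggered by a timeout, the edit itself was made earlier in that session.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the FortiGate key=value event format from the thread.
SAMPLE_LOG = """\
2014-10-30 21:19:01 log_id=0104032400 type=event subtype=admin pri=alert vd=root user="admin" ui=http(192.168.5.6) msg="Configuration is changed in the admin session"
2014-10-30 21:19:01 log_id=0104032003 type=event subtype=admin pri=information vd=root user="admin" ui=http(192.168.5.6) action=logout status=success reason=timeout msg="Administrator admin timed out on http(192.168.5.6)"
2014-10-31 03:02:10 log_id=0104032400 type=event subtype=admin pri=alert vd=root user="admin" ui=ssh(192.168.5.7) msg="Configuration is changed in the admin session"
"""

# key=value pairs; values are either a quoted string or a run of non-space chars
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Split one FortiGate event line into a dict of fields plus a datetime 'ts'."""
    date, time, rest = line.split(" ", 2)
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    fields["ts"] = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    return fields

def classify_config_changes(log_text, window=timedelta(seconds=5)):
    """Return (ts, user, ui, verdict) for every log_id=0104032400 alert.

    verdict is 'autosave-on-timeout' when a logout with reason=timeout for the
    same user and ui occurs within `window` of the alert, else 'unexplained'.
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    timeouts = [e for e in events
                if e.get("action") == "logout" and e.get("reason") == "timeout"]
    results = []
    for e in events:
        if e.get("log_id") != "0104032400":
            continue
        matched = any(t["user"] == e["user"] and t["ui"] == e["ui"]
                      and abs(t["ts"] - e["ts"]) <= window for t in timeouts)
        results.append((e["ts"], e["user"], e["ui"],
                        "autosave-on-timeout" if matched else "unexplained"))
    return results

if __name__ == "__main__":
    for ts, user, ui, verdict in classify_config_changes(SAMPLE_LOG):
        print(ts, user, ui, verdict)
```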

Dave_Hall
Honored Contributor

I see this myself when I am working on some FGTs -- I forget to actually log out, and simply close the browser window, so the session is still running. (I have several other browser windows open as well.)


I was trying to figure out all the other "Daemon...shutdown/start up" events, but it dawned on me that the Fortigate would have to shut down those daemons if it's going to back up the config.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

l_fiorini

Jeff_FTNT wrote:

FGT enables "set revision-backup-on-logout enable" by default, with CLI: config sys global / set revision-backup-on-logout enable / end


So if a login session changes a setting but did not back it up to flash, when this admin session logs out or times out, FGT will automatically save the revised setting to flash, and you will see that event log (logid=0100032400) for it.

Many thanks for your answer.

Indeed, yesterday morning I started a CLI session from a remote site to change a firewall rule, but afterwards I moved to an HTTP session using an SSH tunnel, so probably one of the two sessions was left open by mistake.

Since the message came several hours later, I didn't think it was related to the early morning change.

best regards, LF
