Hello,
Is it possible to prevent anyone from deleting logs on a FortiGate 60E? If not, what would be the most similar solution?
Thank You and kind regards
Hi,
Kindly let us know if the device has a disk. If not, memory logging will display only the current logs; it will not be possible to store the logs.
Regards
Jamal
At the moment I don't know, but in any case the goal will be to prevent someone from going onto the firewall and erasing the logs manually.
Thank You
Regards
Hi,
Another way to store logs is to use an external location like FortiCloud or FortiAnalyzer.
In FortiCloud you get free and licensed services for log storage.
Thanks
If this is about the ability to delete logs via "execute log delete" or "[...] delete-all" command, then the permissions to use it are controlled by the "Log & Report" permission in admin access profiles (loggrp in CLI). If you set it to "none" or "read", an admin with this access profile will not be able to delete the logs.
"execute formatlogdisk" is also controlled by the Log & Report permission.
I'm not aware of any other commands to delete logs. If anybody knows, let me know and I can test those as well.
Hi Team
The only way is to restrict the profile for them and give read-only access for that admin profile.
System >> Admin Profiles >> create an admin profile with Log & Report read-only access
Then assign that profile to the one you want to restrict.
Please check and keep us posted
Hey giuliab,
to compile the answers above:
- there is no way to completely prevent logs being deleted on the FortiGate
-> if it does not have a disk and thus logs to memory, then a reboot will wipe those logs
-> if the unit does have a disk there are several CLI commands that can delete the logs, but these are controlled by specific admin permissions; anyone logging into the FortiGate WITHOUT those permissions can't delete logs
-> there is no fine-tuning; either all logs or no logs get deleted (so there is no option of removing only specific logs to hide some activity without being obvious)
- to be safe, it is always a good idea to also store logs at a secondary location (have FortiGate send logs to syslog or FortiAnalyzer, for example)
-> even if logs are deleted on FortiGate, they would still exist somewhere else and could be checked there
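
The two measures summarised in this thread, written out as FortiOS CLI configuration. This is an added example, not taken from any of the posts; the profile name, the administrator name and the syslog server address are placeholders, and the profile's other permission groups still need to be set as the role requires.

```fortios
# Added example: names and addresses below are placeholders.

# 1) Access profile whose Log & Report permission (loggrp) is read-only,
#    so "execute log delete", "execute log delete-all" and
#    "execute formatlogdisk" are refused for admins using it.
config system accprofile
    edit "log-readonly"
        set loggrp read
    next
end

# 2) Assign that profile to an existing administrator account.
config system admin
    edit "operator1"
        set accprofile "log-readonly"
    next
end

# 3) Keep a second copy of the logs off the unit by sending them to syslog.
config log syslogd setting
    set status enable
    set server "192.0.2.10"
end
```

Administrators on any profile that still has Log & Report set to read-write keep the ability to delete local logs, which is why the off-box copy in step 3 matters.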