This article explains that TACACS+ accounting is supported from version 7.0.2. System log entries for login events, configuration change events, and CLI command audits can be forwarded to the external TACACS+ server.
FortiGate.
Configuration:
config log tacacs+accounting setting
    set status enable
    set server <server IP>
    set server-key ************
end
config log tacacs+accounting filter
    set login-audit enable
    set config-change-audit enable
    set cli-cmd-audit enable
end
Refer to this link to view the sample server logs obtained:
Support TACACS+ accounting 7.0.2
Consider an example of a config change event received by the Aruba ClearPass server.
System event logs:
Config Path firewall.policy
Config Object 3
Config Attributes status[enable->disable]
User Interface GUI(10.100.5.25)
Message Edit firewall.policy 3
Accounting message received by the Aruba ClearPass TACACS+ server:
event sys_acct
reason "Edit firewall.policy 3"
service fortigate
stop_time 1693551643920131101
Changes made to the 'Config Attributes' status can only be viewed in the System event logs on FortiGate and are not received by the TACACS+ server.
In this example, the TACACS+ server receives only the reason 'Edit firewall.policy 3'.
Verify by taking a packet capture as shown below:
diag sniffer packet any 'host x.x.x.x and port 49' 6 0 l <----- Here x.x.x.x is the server IP.
The secret key (server-key) is required to decode and view the accounting message sent from FortiGate.
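The decoding step above, as an added example (not Fortinet code and not from the original article): a Python decoder that applies the RFC 8907 MD5 pseudo-pad to a captured TACACS+ accounting REQUEST and extracts its attribute-value pairs, rejecting the result when the key is wrong. The packet is constructed inside the example; the user name, port, session ID, key and the attribute=value layout of the fields shown above are assumptions.

```python
import hashlib
import struct

def tacacs_xor(body, session_id, key, version, seq_no):
    """RFC 8907 body obfuscation: XOR with an MD5 pseudo-pad (same call both ways)."""
    seed = session_id + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < len(body):
        block = hashlib.md5(seed + block).digest()  # MD5_n chains in MD5_{n-1}
        pad += block
    return bytes(b ^ p for b, p in zip(body, pad))

def decode_acct_request(packet, key):
    """Decode one TACACS+ accounting REQUEST; raise ValueError if it does not parse."""
    version, ptype, seq_no, hflags, session_id, length = struct.unpack("!BBBB4sI", packet[:12])
    if ptype != 0x03:  # TAC_PLUS_ACCT
        raise ValueError("not an accounting packet")
    body = packet[12:12 + length]
    if not hflags & 0x01:  # TAC_PLUS_UNENCRYPTED_FLAG not set: body is obfuscated
        body = tacacs_xor(body, session_id, key, version, seq_no)
    if len(body) < 9:
        raise ValueError("truncated body")
    flags, _, _, _, _, user_len, port_len, rem_len, arg_cnt = body[:9]
    arg_lens = body[9:9 + arg_cnt]
    if 9 + arg_cnt + user_len + port_len + rem_len + sum(arg_lens) != len(body):
        raise ValueError("length fields inconsistent: wrong key or corrupt capture")
    pos = 9 + arg_cnt
    fields = []
    for n in (user_len, port_len, rem_len, *arg_lens):
        fields.append(body[pos:pos + n].decode("ascii", "replace"))
        pos += n
    args = dict(f.split("=", 1) for f in fields[3:] if "=" in f)
    return {"stop": bool(flags & 0x04), "user": fields[0], "port": fields[1], "rem_addr": fields[2], "args": args}

def build_sample(key):
    """Constructed packet for this example (not a real capture); values mirror the article."""
    args = [b"service=fortigate", b"event=sys_acct",
            b"reason=Edit firewall.policy 3", b"stop_time=1693551643920131101"]
    user, port, rem = b"admin", b"GUI", b"10.100.5.25"  # assumed field contents
    body = bytes([0x04, 0x06, 0x0F, 0x01, 0x01, len(user), len(port), len(rem), len(args)])
    body += bytes(map(len, args)) + user + port + rem + b"".join(args)
    sid = bytes.fromhex("1a2b3c4d")
    return struct.pack("!BBBB4sI", 0xC0, 0x03, 1, 0, sid, len(body)) + tacacs_xor(body, sid, key, 0xC0, 1)

if __name__ == "__main__":
    key = b"example-server-key"  # placeholder, stands in for the configured server-key
    print(decode_acct_request(build_sample(key), key))
```

The length-consistency check is what signals a mismatched server-key: a wrong key still produces bytes, but the length fields no longer add up to the body size.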