Fortinet FortiGate Firewall NDM STIG Version Comparison
Fortinet FortiGate Firewall NDM Security Technical Implementation Guide Comparison
There are 4 differences between versions v1 r2 (July 27, 2022) (the "left" version) and v1 r4 (July 26, 2023) (the "right" version).
Check FGFW-ND-000110 was changed between these two versions. Green, underlined text was added, red, struck-out text was removed.
Text Differences
Title
The FortiGate device must off-load audit records on to a different system or media than the system being audited.
Check Content
Left version (v1 r2):
Log in to the FortiGate GUI with Super-Admin privilege.
1. Click Log and Report.
2. Click Log Settings.
3. Verify the Remote Logging and Archiving settings.

or

Open a CLI console, via SSH or available from the GUI.
1. Run the following commands to verify which logging settings are enabled:
# show full-configuration log fortianalyzer setting | grep server
# show full-configuration log fortianalyzer2 setting | grep server
# show full-configuration log fortianalyzer3 setting | grep server
# show full-configuration log syslogd setting | grep server
# show full-configuration log syslogd2 setting | grep server
# show full-configuration log syslogd3 setting | grep server
# show full-configuration log syslogd4 setting | grep server

If the FortiGate is not logging to a fortianalyzer or syslog server, this is a finding.

Right version (v1 r4):
Verify remote logging is configured.

Via the GUI:
Login via the FortiGate GUI with super-admin privileges.
1. Navigate to Log and Report.
2. Navigate to Log Settings.
3. Scroll down to Remote Logging and Archiving.
4. Verify FortiAnalyzer/FortiManager is configured with appropriate IP address.
5. Verify Send logs to syslog is configured with appropriate IP address.

If FortiGate is not logging to disk and at least two central audit servers, this is a finding.

or

Via the CLI:
Open a CLI console via SSH or available from the "CLI Console" button in the GUI.
Run the following commands to verify which logging settings are enabled:
# show full-configuration log fortianalyzer setting | grep -i 'status\|server'
# show full-configuration log fortianalyzer2 setting | grep -i 'status\|server'
# show full-configuration log fortianalyzer3 setting | grep -i 'status\|server'
# show full-configuration log syslogd setting | grep -i 'status\|server'
# show full-configuration log syslogd2 setting | grep -i 'status\|server'
# show full-configuration log syslogd3 setting | grep -i 'status\|server'
# show full-configuration log syslogd4 setting | grep -i 'status\|server'
- The output should indicate enabled and an IP address.

If the FortiGate is not logging to disk and at least two central audit servers, this is a finding.
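As an added example (not part of the STIG or of this comparison page), the following Python applies the v1 r4 rule to the concatenated output of the check's show commands: it parses each "config log <section> setting" block, counts only fortianalyzer*/syslogd* sections that are both enabled and have a server address (the reason the right version greps for status as well as server), and requires disk logging plus at least two central audit servers. It assumes local disk logging is read from the "log disk setting" block, which the check text does not list, and the sample output and IP addresses are constructed.

```python
import re

# Constructed sample (not from a real device): the STIG's "show full-configuration
# log <section> setting" blocks, plus "log disk setting" (assumption: the check does
# not list it, but the v1 r4 rule also requires logging to the local disk).
SAMPLE_OUTPUT = """\
config log disk setting
    set status enable
end
config log fortianalyzer setting
    set status enable
    set server "192.0.2.10"
    set upload-option realtime
end
config log syslogd setting
    set status enable
    set server "192.0.2.20"
    set mode reliable
end
config log syslogd2 setting
    set status enable
    set server ''
end
"""

BLOCK_RE = re.compile(r"^config log (\S+) setting\n(.*?)^end", re.M | re.S)
SET_RE = re.compile(r"^\s*set (\S+) (.*)$", re.M)

def parse_log_settings(text):
    """Map each 'config log <section> setting' block to its 'set' key/values."""
    sections = {}
    for name, body in BLOCK_RE.findall(text):
        sections[name] = {k: v.strip().strip("\"'") for k, v in SET_RE.findall(body)}
    return sections

def active_central_servers(sections):
    """fortianalyzer*/syslogd* sections that are enabled AND have a server set
    (enabled with an empty server, like syslogd2 above, does not count)."""
    return sorted(
        name for name, kv in sections.items()
        if name.startswith(("fortianalyzer", "syslogd"))
        and kv.get("status", "").lower() == "enable" and kv.get("server")
    )

def evaluate_check(text):
    """Apply the v1 r4 rule: local disk logging plus at least two central audit servers."""
    sections = parse_log_settings(text)
    disk = sections.get("disk", {}).get("status", "").lower() == "enable"
    servers = active_central_servers(sections)
    return {"disk_logging": disk, "central_servers": servers,
            "finding": not (disk and len(servers) >= 2)}
```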
Discussion
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Offloading is a common process in information systems with limited audit storage capacity.
Fix
Left version (v1 r2):
Login via the FortiGate GUI with Super-Admin privilege.
1. Click Log and Report.
2. Click Log Settings.
To add a FortiAnalyzer server:
3. Scroll to Remote Logging and Archiving, enable logging to FortiAnalyzer and provide the appropriate IP address.
To add a syslog server:
4. Scroll to Remote Logging and Archiving, enable Send logs to syslog and provide the appropriate IP address.
5. Click Apply changes.

or

1. Open a CLI console, via SSH or available from the GUI.
2. Run the following command:
# config log fortianalyzer setting
# set status enable
# set server {IP Address}
# set upload-option realtime
# end
# config log syslogd setting
# set status enable
# set server {IP Address}
# set mode reliable
# end

Right version (v1 r4):
For audit log resilience, it is recommended to log to the local FortiGate disk, and two central audit servers. To configure this, log in to the FortiGate GUI with super-admin privileges.
1. Click Log and Report.
2. Click Log Settings.
To add a FortiAnalyzer:
- In the Remote Logging and Archiving, toggle the Send logs to FortiAnalyzer/FortiManager setting and enter the appropriate IP address.
To add a Syslog server:
- In the Remote Logging and Archiving, toggle the Send logs to Syslog setting, and enter the appropriate IP address.
3. Click Apply to save the settings.

or

1. Open a CLI console via SSH or available from the "CLI Console" button in the GUI.
2. Configure a fortianalyzer or syslog server with the following commands:
FortiAnalyzer:
# config log fortianalyzer setting
# set status enable
# set server {IP Address}
# set upload-option realtime
# end
Syslog:
# config log syslogd setting
# set status enable
# set server {IP Address}
# set mode reliable
# end

Note: The central audit server can be a FortiAnalyzer, a syslog server, or one of each.