Find who did something on a FortiGate firewall

You know how it is when you work in IT. Suddenly, something goes wrong and nobody has touched anything on any piece of equipment.
Sometimes it really is a bug, an equipment failure or heavy load causing issues on the network.

But usually, someone did something wrong somewhere.
I will focus only on the FortiGate box, showing how you can find who did what on it.

We will start with the GUI of the FortiGate. Go to the Log & Report -> Events section. You have to apply a filter if you want to see only the config changes.
If you click on an event, you get the detailed modification made to the rule.

I also have a FortiAnalyzer, which makes it much easier to find something. The logs already seem to be indexed, so when you are looking for something it is much faster than on the FGT itself.
Go to SOC -> FortiView, then System -> Admin Logins.
Here you can find logins and configuration changes sorted by admin login. That's useful if you know who was changing something on the firewall.

[Screenshot: User events]

You can also find what you are looking for in the Log View section. Go to the Event -> System menu and search for Edit* in the search field.
All the config changes for the configured time slot are listed.

[Screenshot: Searching for config changes in FAZ]

By default, you don't have the username and the config change columns; add them, that's really useful.
Funny thing: you can see that a line is created for each modification done to the second firewall in the high-availability cluster. The user is still the same, but the user interface changes from GUI to ha_daemon.
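As an added example (not from the original post), here is a small Python script that does the same Edit* search offline on exported FortiGate event logs in key=value syslog format: it keeps the config change events, groups them by admin, and can drop the HA-synced duplicate lines whose ui is ha_daemon. The log lines are constructed, and the device names, IPs and cfgpath values are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample FortiGate event-log lines in the key=value syslog style.
# Device names, IPs, users and cfgpath values are made up for this example.
SAMPLE_LOGS = """\
date=2024-03-01 time=10:15:02 devname="FGT-A" type="event" subtype="system" level="information" logdesc="Object attribute configured" user="alice" ui="GUI(10.0.0.5)" action="Edit" cfgpath="firewall.policy" cfgobj="12" cfgattr="action[deny->accept]" msg="Edit firewall.policy 12"
date=2024-03-01 time=10:15:02 devname="FGT-B" type="event" subtype="system" level="information" logdesc="Object attribute configured" user="alice" ui="ha_daemon" action="Edit" cfgpath="firewall.policy" cfgobj="12" cfgattr="action[deny->accept]" msg="Edit firewall.policy 12"
date=2024-03-01 time=10:20:41 devname="FGT-A" type="event" subtype="system" level="information" logdesc="Admin login successful" user="bob" ui="ssh(10.0.0.9)" action="login" msg="Administrator bob logged in successfully from ssh(10.0.0.9)"
date=2024-03-01 time=10:22:10 devname="FGT-A" type="event" subtype="system" level="information" logdesc="Object attribute configured" user="bob" ui="ssh(10.0.0.9)" action="Edit" cfgpath="system.interface" cfgobj="port1" cfgattr="ip[10.0.0.1 255.255.255.0->10.0.0.2 255.255.255.0]" msg="Edit system.interface port1"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Split one key=value log line into a dict (quoted values keep their spaces)."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}


def config_changes(text):
    """Return only config-change events, i.e. the Edit* search from the post."""
    events = [parse_line(l) for l in text.splitlines() if l.strip()]
    return [e for e in events if e.get("action", "").startswith("Edit")]


def changes_by_user(text, ignore_ha_sync=True):
    """Group changes per admin; optionally drop the HA-synced copy (ui=ha_daemon)."""
    grouped = defaultdict(list)
    for e in config_changes(text):
        if ignore_ha_sync and e.get("ui") == "ha_daemon":
            continue  # same change replayed on the second cluster member
        grouped[e["user"]].append(
            f'{e["date"]} {e["time"]} {e["ui"]}: {e["msg"]} ({e.get("cfgattr", "")})')
    return dict(grouped)


if __name__ == "__main__":
    for user, lines in changes_by_user(SAMPLE_LOGS).items():
        print(user)
        for entry in lines:
            print("  ", entry)
```

Set ignore_ha_sync=False to see the duplicate ha_daemon line for each change, as described above.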

You can also create a custom view to keep your personalised search and view:

[Screenshot: Custom view in FAZ]

Author: Kévin SAS

I am Kévin SAS and live in France. I am an engineer in network and security. I have worked for a lot of customers in these domains: wireless, LAN, datacenter, VoIP, with several brands like Cisco, HPE, Aruba, Palo Alto amongst others. I previously worked for a service provider. I currently work for an integrator, which gives me lots of opportunities to learn. This blog stores some technical notes I wanted to share.
