You know how it is when you work in IT. Suddenly something goes wrong, and nobody has touched anything on any equipment.
Sometimes it really is a bug, an equipment failure or heavy load causing issues on the network.
But usually, someone did something wrong somewhere.
I will focus only on the FortiGate box, showing how you can find out who did what on it.
We will start with the FortiGate GUI. Go to Log & Report -> Events. Apply a filter if you want to see only the configuration changes.
If you click on an event, you get the detailed modification that was made to the rule.
I also have a FortiAnalyzer, which makes it much easier to find something. The logs are already indexed, so when you are looking for something it is much faster than searching on the FGT itself.
Go to SOC -> FortiView, then System -> Admin Logins.
Here you find the logins and the configuration changes sorted by admin account. That's useful if you already know who was changing something on the firewall.
You can also find what you are looking for in the Log View section. Go to Event -> System and search for Edit* in the search field.
You get all the configuration changes logged for the configured time slot.
By default the username and config change columns are not displayed; add them, they are really useful.
Funny thing: a line is also created for each modification replicated to the second firewall of a high-availability cluster. The user is still the same, but the user interface changes from GUI to ha_daemon.
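The same search can be done offline over exported logs (a FortiAnalyzer export or the syslog feed of the firewall). The script below is an added example, not code from the original post or from Fortinet: it parses FortiGate key=value event lines, keeps only the configuration changes, groups them by the admin account and prints the fields you would add as columns (user, ui, cfgpath/cfgobj and the cfgattr old->new value). It goes a bit beyond the Edit* search by also keeping Add and Delete actions, so a deleted rule is not missed, and it drops the ha_daemon replay lines so each human action is counted once. The log lines are constructed for the example and the field names are assumed to match the FortiGate log format; the reference to a second cluster member is only in the sample data.

```python
"""Pull configuration changes out of FortiGate event logs and attribute them to an admin."""
import re
from collections import defaultdict

# Constructed sample lines in the FortiGate key=value log format (not captured from a real device).
# Line 2 is the replay of line 1 on the HA peer (ui="ha_daemon"); lines 3 and 4 are not config changes.
SAMPLE_LOGS = """\
date=2023-05-02 time=10:15:01 devname="FGT-A" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="jdoe" ui="GUI(192.0.2.10)" action="Edit" cfgpath="firewall.policy" cfgobj="12" cfgattr="dstaddr[all->DMZ_servers]" msg="Edit firewall.policy 12"
date=2023-05-02 time=10:15:01 devname="FGT-B" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="jdoe" ui="ha_daemon" action="Edit" cfgpath="firewall.policy" cfgobj="12" cfgattr="dstaddr[all->DMZ_servers]" msg="Edit firewall.policy 12"
date=2023-05-02 time=10:16:30 devname="FGT-A" type="event" subtype="system" level="notice" vd="root" logdesc="Admin login successful" user="admin" ui="ssh(198.51.100.7)" action="login" status="success" msg="Administrator admin logged in successfully from ssh(198.51.100.7)"
date=2023-05-02 time=10:17:02 devname="FGT-A" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.0.0.5 dstip=203.0.113.9 action="accept" policyid=12 msg="traffic, not a config change"
date=2023-05-02 time=10:20:45 devname="FGT-A" type="event" subtype="system" level="information" vd="root" logdesc="Object configured" user="admin" ui="ssh(198.51.100.7)" action="Add" cfgpath="firewall.address" cfgobj="Test_host" cfgattr="subnet[198.51.100.7 255.255.255.255]" msg="Add firewall.address Test_host"
date=2023-05-02 time=10:21:10 devname="FGT-A" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="ssh(198.51.100.7)" action="Edit" cfgpath="firewall.policy" cfgobj="12" cfgattr="action[accept->deny]" msg="Edit firewall.policy 12"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or a bare token
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Actions that change configuration. The GUI/FortiAnalyzer search for Edit* only covers the first.
CONFIG_ACTIONS = ("Edit", "Add", "Delete")


def parse_fortigate_log(line):
    """Turn one key=value log line into a dict (findall yields '' for the unmatched group)."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def config_changes(lines, actions=CONFIG_ACTIONS):
    """Keep only system event records whose action is a configuration change."""
    out = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_fortigate_log(line)
        if rec.get("type") == "event" and rec.get("subtype") == "system" and rec.get("action") in actions:
            out.append(rec)
    return out


def changes_by_user(changes, skip_ha_replay=True):
    """Group changes by admin account (the 'username' column).

    A change made on the primary unit is logged again on the HA peer with ui="ha_daemon";
    those lines are skipped by default so each human action is counted once.
    """
    grouped = defaultdict(list)
    for rec in changes:
        if skip_ha_replay and rec.get("ui") == "ha_daemon":
            continue
        grouped[rec.get("user", "<unknown>")].append(rec)
    return dict(grouped)


def describe(rec):
    """One-line summary: when, who, from which interface, and what changed (cfgattr holds old->new)."""
    fields = ("date", "time", "user", "ui", "action", "cfgpath", "cfgobj", "cfgattr")
    return "{date} {time} {user} via {ui}: {action} {cfgpath} {cfgobj} {cfgattr}".format(
        **{k: rec.get(k, "-") for k in fields})


if __name__ == "__main__":
    for user, recs in changes_by_user(config_changes(SAMPLE_LOGS.splitlines())).items():
        print(f"== {user}: {len(recs)} change(s)")
        for rec in recs:
            print("  " + describe(rec))
```

Run it as-is to see the grouped output for the sample, or replace SAMPLE_LOGS with the content of an exported log file. Pass skip_ha_replay=False if you want to check that the secondary unit really received every change.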
You can also create a custom view to keep your personalised search and column layout: