Fortinet black logo

New Features

7.0.0
7.4.0
7.2.0
7.0.0
6.4.0
6.2.0

Support TACACS+ accounting 7.0.2

Support TACACS+ accounting 7.0.2

Customers can send system log entries to external TACACS+ accounting servers. Up to three external TACACS+ servers can be configured with different filters for log events. These filters include TACACS+ accounting for login events, configuration change events, and CLI command audits.

In the following example, one remote TACACS+ accounting server is configured and administrators log in to the FortiGate with SSH and HTTPS sessions to modify existing configurations. All events are sent to the TACACS+ accounting server.

To configure remote TACACS+ accounting:
  1. Enable TACACS+ accounting and enter the server access information:
    config log tacacs+accounting setting
    set status enable
    set server "10.1.100.34"
    set server-key ************
end
  2. Configure the log message filters:
    config log tacacs+accounting filter
    set login-audit enable
    set config-change-audit enable
    set cli-cmd-audit enable
end
  3. Log in to the FortiGate with SSH and HTTPS sessions, and rename a local user.
  4. Log off from the FortiGate and check the logs on the remote TACACS+ server:

    • System events logs for SSH administrator session:

      <102> 2021-09-10 08:35:52 [10.1.100.9:20537] 09/10/2021 08:35:52 NAS_IP=10.1.100.9 Port=ssh rem_addr=172.16.200.254 User=test1 Flags=Start service=fortigate event=sys_acct start_time=1631288152644311549 reason="Administrator test1 logged in successfully from ssh(172.16.200.254)" task_id=1631288152
<102> 2021-09-10 08:36:27 [10.1.100.9:20573] 09/10/2021 08:36:27 NAS_IP=10.1.100.9 Port= User=test1 Flags=Stop service=fortigate event=sys_acct stop_time=1631288186895709341 reason="Rename user.local local-101 to local-102"
<102> 2021-09-10 08:37:09 [10.1.100.9:20625] 09/10/2021 08:37:09 NAS_IP=10.1.100.9 Port=ssh rem_addr=172.16.200.254 User=test1 Flags=Stop service=fortigate event=sys_acct stop_time=1631288229650641602 reason="Administrator test1 logged out from ssh(172.16.200.254)" task_id=1631288152

    • System events logs for HTTPS administrator session:

      <102> 2021-09-10 08:43:54 [10.1.100.9:20871] 09/10/2021 08:43:54 NAS_IP=10.1.100.9 Port=https rem_addr=172.16.200.254 User=admin Flags=Start service=fortigate event=sys_acct start_time=1631288634531042178 reason="Administrator admin logged in successfully from https(172.16.200.254)" task_id=1631288634
<102> 2021-09-10 08:44:21 [10.1.100.9:21020] 09/10/2021 08:44:21 NAS_IP=10.1.100.9 Port= User=admin Flags=Stop service=fortigate event=sys_acct stop_time=1631288661938560301 reason="Rename user.local local-new to local-new-1"
<102> 2021-09-10 08:45:49 [10.1.100.9:21093] 09/10/2021 08:45:49 NAS_IP=10.1.100.9 Port=https rem_addr=172.16.200.254 User=admin Flags=Stop service=fortigate event=sys_acct stop_time=1631288749504281964 reason="Administrator admin logged out from https(172.16.200.254)" task_id=1631288634

By default, the system event logs sent to the TACACS+ server contain configuration modifications. To include execute, show, get, and diagnose commands in the system event logs, enable cli-audit-log.

To enable the CLI audit log option:
config system global 
    set cli-audit-log enable 
end
Sample TACACS+ server logs for diagnose and execute commands:
<102> 2021-09-27 14:19:11 [10.1.100.5:5568] 09/27/2021 14:19:11 NAS_IP=10.1.100.5 Port= User=admin Flags=Stop service=fortigate event=cmd_acct stop_time=1632777550865151332 reason="dia sniffer packet any icmp" cmd=Diagnose
<102> 2021-09-27 14:19:33 [10.1.100.5:5583] 09/27/2021 14:19:33 NAS_IP=10.1.100.5 Port= User=admin Flags=Stop service=fortigate event=cmd_acct stop_time=1632777572609260119 reason="dia test authserver ldap FORTINET-FSSO test2 test2" cmd=Diagnose
<102> 2021-09-27 14:19:38 [10.1.100.5:5587] 09/27/2021 14:19:38 NAS_IP=10.1.100.5 Port= User=admin Flags=Stop service=fortigate event=cmd_acct stop_time=1632777577591769970 reason="exec log display" cmd=Execute
<102> 2021-09-27 14:20:22 [10.1.100.5:5615] 09/27/2021 14:20:22 NAS_IP=10.1.100.5 Port= User=admin Flags=Stop service=fortigate event=cmd_acct stop_time=1632777621524026363 reason="exec log delete-all" cmd=Execute
<102> 2021-09-27 14:20:38 [10.1.100.5:5627] 09/27/2021 14:20:38 NAS_IP=10.1.100.5 Port= User=admin Flags=Stop service=fortigate event=cmd_acct stop_time=1632777637777273617 reason="exec log filter category event" cmd=Execute
<102> 2021-09-27 14:20:42 [10.1.100.5:5633] 09/27/2021 14:20:42 NAS_IP=10.1.100.5 Port= User=admin Flags=Stop service=fortigate event=cmd_acct stop_time=1632777641616751047 reason="exec log display" cmd=Execute
<102> 2021-09-27 14:20:53 [10.1.100.5:5639] 09/27/2021 14:20:53 NAS_IP=10.1.100.5 Port= User=admin Flags=Stop service=fortigate event=cmd_acct stop_time=1632777652516689886 reason="dia test authserver ldap FORTINET-FSSO test2 test2" cmd=Diagnose
<102> 2021-09-27 14:20:56 [10.1.100.5:5642] 09/27/2021 14:20:56 NAS_IP=10.1.100.5 Port= User=admin Flags=Stop service=fortigate event=cmd_acct stop_time=1632777656330649349 reason="exec log display" cmd=Execute
Previous
Next

Support TACACS+ accounting 7.0.2

Customers can send system log entries to external TACACS+ accounting servers. Up to three external TACACS+ servers can be configured with different filters for log events. These filters include TACACS+ accounting for login events, configuration change events, and CLI command audits.

In the following example, one remote TACACS+ accounting server is configured and administrators log in to the FortiGate with SSH and HTTPS sessions to modify existing configurations. All events are sent to the TACACS+ accounting server.

To configure remote TACACS+ accounting:
  1. Enable TACACS+ accounting and enter the server access information:
    config log tacacs+accounting setting
    set status enable
    set server "10.1.100.34"
    set server-key ************
end
  2. Configure the log message filters:
    config log tacacs+accounting filter
    set login-audit enable
    set config-change-audit enable
    set cli-cmd-audit enable
end
  3. Log in to the FortiGate with SSH and HTTPS sessions, and rename a local user.
  4. Log off from the FortiGate and check the logs on the remote TACACS+ server:

    • System events logs for SSH administrator session:

      <102> 2021-09-10 08:35:52 [10.1.100.9:20537] 09/10/2021 08:35:52 NAS_IP=10.1.100.9 Port=ssh rem_addr=172.16.200.254 User=test1 Flags=Start service=fortigate event=sys_acct start_time=1631288152644311549 reason="Administrator test1 logged in successfully from ssh(172.16.200.254)" task_id=1631288152
<102> 2021-09-10 08:36:27 [10.1.100.9:20573] 09/10/2021 08:36:27 NAS_IP=10.1.100.9 Port= User=test1 Flags=Stop service=fortigate event=sys_acct stop_time=1631288186895709341 reason="Rename user.local local-101 to local-102"
<102> 2021-09-10 08:37:09 [10.1.100.9:20625] 09/10/2021 08:37:09 NAS_IP=10.1.100.9 Port=ssh rem_addr=172.16.200.254 User=test1 Flags=Stop service=fortigate event=sys_acct stop_time=1631288229650641602 reason="Administrator test1 logged out from ssh(172.16.200.254)" task_id=1631288152

    • System events logs for HTTPS administrator session:

      <102> 2021-09-10 08:43:54 [10.1.100.9:20871] 09/10/2021 08:43:54 NAS_IP=10.1.100.9 Port=https rem_addr=172.16.200.254 User=admin Flags=Start service=fortigate event=sys_acct start_time=1631288634531042178 reason="Administrator admin logged in successfully from https(172.16.200.254)" task_id=1631288634
<102> 2021-09-10 08:44:21 [10.1.100.9:21020] 09/10/2021 08:44:21 NAS_IP=10.1.100.9 Port= User=admin Flags=Stop service=fortigate event=sys_acct stop_time=1631288661938560301 reason="Rename user.local local-new to local-new-1"
<102> 2021-09-10 08:45:49 [10.1.100.9:21093] 09/10/2021 08:45:49 NAS_IP=10.1.100.9 Port=https rem_addr=172.16.200.254 User=admin Flags=Stop service=fortigate event=sys_acct stop_time=1631288749504281964 reason="Administrator admin logged out from https(172.16.200.254)" task_id=1631288634

By default, the system event logs sent to the TACACS+ server contain configuration modifications. To include execute, show, get, and diagnose commands in the system event logs, enable cli-audit-log.

To enable the CLI audit log option:
config system global 
    set cli-audit-log enable 
end
Sample TACACS+ server logs for diagnose and execute commands:
<102> 2021-09-27 14:19:11 [10.1.100.5:5568] 09/27/2021 14:19:11 NAS_IP=10.1.100.5 Port= User=admin Flags=Stop service=fortigate event=cmd_acct stop_time=1632777550865151332 reason="dia sniffer packet any icmp" cmd=Diagnose
<102> 2021-09-27 14:19:33 [10.1.100.5:5583] 09/27/2021 14:19:33 NAS_IP=10.1.100.5 Port= User=admin Flags=Stop service=fortigate event=cmd_acct stop_time=1632777572609260119 reason="dia test authserver ldap FORTINET-FSSO test2 test2" cmd=Diagnose
<102> 2021-09-27 14:19:38 [10.1.100.5:5587] 09/27/2021 14:19:38 NAS_IP=10.1.100.5 Port= User=admin Flags=Stop service=fortigate event=cmd_acct stop_time=1632777577591769970 reason="exec log display" cmd=Execute
<102> 2021-09-27 14:20:22 [10.1.100.5:5615] 09/27/2021 14:20:22 NAS_IP=10.1.100.5 Port= User=admin Flags=Stop service=fortigate event=cmd_acct stop_time=1632777621524026363 reason="exec log delete-all" cmd=Execute
<102> 2021-09-27 14:20:38 [10.1.100.5:5627] 09/27/2021 14:20:38 NAS_IP=10.1.100.5 Port= User=admin Flags=Stop service=fortigate event=cmd_acct stop_time=1632777637777273617 reason="exec log filter category event" cmd=Execute
<102> 2021-09-27 14:20:42 [10.1.100.5:5633] 09/27/2021 14:20:42 NAS_IP=10.1.100.5 Port= User=admin Flags=Stop service=fortigate event=cmd_acct stop_time=1632777641616751047 reason="exec log display" cmd=Execute
<102> 2021-09-27 14:20:53 [10.1.100.5:5639] 09/27/2021 14:20:53 NAS_IP=10.1.100.5 Port= User=admin Flags=Stop service=fortigate event=cmd_acct stop_time=1632777652516689886 reason="dia test authserver ldap FORTINET-FSSO test2 test2" cmd=Diagnose
<102> 2021-09-27 14:20:56 [10.1.100.5:5642] 09/27/2021 14:20:56 NAS_IP=10.1.100.5 Port= User=admin Flags=Stop service=fortigate event=cmd_acct stop_time=1632777656330649349 reason="exec log display" cmd=Execute
Previous
Next