
New Features

Enhanced TACACS+ accounting log detail


TACACS+ accounting logs now include full CLI change details in the reason field, providing more complete event log entries for external audit systems.

To test the new logs:
  1. Configure the FortiGate and TACACS+ accounting server.

  2. Verify that audit logging is enabled:

    config system global
        set cli-audit-log enable
    end
    config log tacacs+accounting filter
        set login-audit enable
        set config-change-audit enable
        set cli-cmd-audit enable
    end

  3. Log on to the FortiGate using remote TACACS+ authentication.

  4. Execute some tasks, such as adding a local user and changing port settings, then compare the information from the FortiGate log files with the information collected in a PCAP file and from the external TACACS+ accounting server.

    Adding a local user:

    • FortiOS log:

      # execute log display
      14 logs found.
      10 logs returned.
      
      1: date=2026-01-16 time=07:04:38 eventtime=1768575878906101594 tz="-0800" logid="0100032102" type="event" subtype="system" level="alert" vd="vdom1" logdesc="Configuration changed" user="tac1" ui="https(172.16.200.254)" msg="Configuration is changed in the admin session"
      ...
      9: date=2026-01-16 time=07:03:01 eventtime=1768575781267058847 tz="-0800" logid="0100032132" type="event" subtype="system" level="notice" vd="vdom1" logdesc="Local user added" user="tac1" ui="https(172.16.200.254)" name="test101" status="enable" msg="User tac1 added local user test101 from https(172.16.200.254)"
    • Message extracted from PCAP file:

      Frame 195: 210 bytes on wire (1680 bits), 210 bytes captured (1680 bits)
      Ethernet II, Src: Fortinet_a3:50:f3 (80:80:2c:a3:50:f3), Dst: VMware_e2:b1:02 (00:0c:29:e2:b1:02)
      Internet Protocol Version 4, Src: 10.1.100.8, Dst: 10.1.100.142
      Transmission Control Protocol, Src Port: 6188, Dst Port: 49, Seq: 1, Ack: 1, Len: 144
      TACACS+
          Major version: TACACS+
          Minor version: 0
          Type: Accounting (3)
          Sequence number: 1
          Flags: 0x00 (Encrypted payload, Multiple Connections)
          Session ID: 3656374799
          Packet length: 132
          Encrypted Request
          Decrypted Request
              Flags: 0x04
              Auth Method: NOT_SET (0x00)
              Privilege Level: 0
              Authentication type: Unknown (0)
              Service: Login (1)
              User len: 4
              User: tac1
              Port len: 0
              Remaddr len: 0
              Arg count: 4
              Arg[0] length: 17
              Arg[0] value: service=fortigate
              Arg[1] length: 14
              Arg[1] value: event=sys_acct
              Arg[2] length: 29
              Arg[2] value: stop_time=1768575783514241967
              Arg[3] length: 55
              Arg[3] value: reason="Add user.local test101 type[password]passwd[*]"

    Changing port settings:

    • Old message sent to TACACS+ accounting server:

      Frame 28: 192 bytes on wire (1536 bits), 192 bytes captured (1536 bits)
      ...
              Arg count: 4
              Arg[0] length: 17
              Arg[0] value: service=fortigate
              Arg[1] length: 14
              Arg[1] value: event=sys_acct
              Arg[2] length: 29
              Arg[2] value: stop_time=1768578897378248400
              Arg[3] length: 36
              Arg[3] value: reason="Edit system.interface port5"
    • New message sent to TACACS+ accounting server:

      Frame 4: 300 bytes on wire (2400 bits), 300 bytes captured (2400 bits)
      ...
              Arg count: 4
              Arg[0] length: 17
              Arg[0] value: service=fortigate
              Arg[1] length: 14
              Arg[1] value: event=sys_acct
              Arg[2] length: 29
              Arg[2] value: stop_time=1768579536565487819
              Arg[3] length: 144
              Arg[3] value: reason="Edit system.interface port10 allowaccess[ping https ssh snmp http telnet radius-acct->ping https ssh snmp http telnet radius-acct scim]"
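
For an external audit system that consumes these records, the following added example (not Fortinet code) parses the reason argument and reports which tokens a change added or removed, such as the `scim` entry added to `allowaccess` above. The `key[old->new]` layout is an assumption inferred from the sample messages on this page, and the function names are hypothetical.

```python
import re

# Constructed input: the three Arg[3] values shown in the captures above.
SAMPLES = [
    'reason="Add user.local test101 type[password]passwd[*]"',
    'reason="Edit system.interface port5"',
    'reason="Edit system.interface port10 allowaccess[ping https ssh snmp http '
    'telnet radius-acct->ping https ssh snmp http telnet radius-acct scim]"',
]

# Assumed layout, inferred from those samples: <action> <path> <name> key[value]...
HEAD = re.compile(r'^(?P<action>\S+)\s+(?P<path>\S+)\s+(?P<name>[^\s\[]+)\s*(?P<rest>.*)$')
ATTR = re.compile(r'(?P<key>[\w.-]+)\[(?P<val>[^\]]*)\]')

def parse_reason(arg):
    """Split one reason="..." argument into action, object and attribute changes."""
    key, _, value = arg.partition("=")
    if key != "reason":
        raise ValueError("not a reason argument: %r" % arg)
    m = HEAD.match(value.strip().strip('"'))
    if m is None:
        raise ValueError("unrecognised reason layout: %r" % arg)
    changes = {}
    for a in ATTR.finditer(m["rest"]):
        old, arrow, new = a["val"].partition("->")
        if not arrow:  # no "->": value set when the object was created
            old, new = None, old
        changes[a["key"]] = (old, new)
    return {"action": m["action"], "path": m["path"], "name": m["name"], "changes": changes}

def token_diff(old, new):
    """Return (added, removed) tokens of a space-separated list value."""
    before, after = set((old or "").split()), set(new.split())
    return sorted(after - before), sorted(before - after)

def describe(arg):
    """One audit line per attribute; flag records that carry no detail."""
    r = parse_reason(arg)
    target = "%s %s %s" % (r["action"], r["path"], r["name"])
    if not r["changes"]:
        return [target + ": no attribute detail"]
    lines = []
    for key, (old, new) in r["changes"].items():
        added, removed = token_diff(old, new)
        lines.append("%s: %s added=%s removed=%s" % (target, key, added, removed))
    return lines

if __name__ == "__main__":
    print("\n".join(line for s in SAMPLES for line in describe(s)))
```

Records reported with no attribute detail match the old message format shown above, which names the edited object but not what changed.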
