The FortiGate device must off-load audit records on to a different system or media than the system being audited.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-234181	SRG-APP-000515-NDM-000325	FGFW-ND-000110	SV-234181r879886_rule	2023-06-01	1

Description
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Offloading is a common process in information systems with limited audit storage capacity.

ℹ️ Check
Verify remote logging is configured. Via the GUI: Login via the FortiGate GUI with super-admin privileges. - Navigate to Log and Report. - Navigate to Log Settings. - Verify the Remote and Archiving settings. or Via the CLI: Open a CLI console via SSH or from the "CLI Console" button in the GUI. Run the following commands to verify which logging settings are enabled: # show full-configuration log fortianalyzer setting \| grep -i 'status\\|server' # show full-configuration log fortianalyzer2 setting \| grep -i 'status\\|server' # show full-configuration log fortianalyzer3 setting \| grep -i 'status\\|server' # show full-configuration log syslogd setting \| grep -i 'status\\|server' # show full-configuration log syslogd2 setting \| grep -i 'status\\|server' # show full-configuration log syslogd3 setting \| grep -i 'status\\|server' # show full-configuration log syslogd4 setting \| grep -i 'status\\|server' - The output should indicate enabled and an IP address. If the FortiGate is not logging to a fortianalyzer or syslog server, this is a finding.

ℹ️ Check

Verify remote logging is configured. Via the GUI: Login via the FortiGate GUI with super-admin privileges. - Navigate to Log and Report. - Navigate to Log Settings. - Verify the Remote and Archiving settings. or Via the CLI: Open a CLI console via SSH or from the "CLI Console" button in the GUI. Run the following commands to verify which logging settings are enabled: # show full-configuration log fortianalyzer setting | grep -i 'status\|server' # show full-configuration log fortianalyzer2 setting | grep -i 'status\|server' # show full-configuration log fortianalyzer3 setting | grep -i 'status\|server' # show full-configuration log syslogd setting | grep -i 'status\|server' # show full-configuration log syslogd2 setting | grep -i 'status\|server' # show full-configuration log syslogd3 setting | grep -i 'status\|server' # show full-configuration log syslogd4 setting | grep -i 'status\|server' - The output should indicate enabled and an IP address. If the FortiGate is not logging to a fortianalyzer or syslog server, this is a finding.

✔️ Fix
Login via the GUI with super-admin privileges. 1. Click Log and Report. 2. Click Log Settings. To add a FortiAnalyzer: - In the Remote Logging and Archiving, enable logging to FortiAnalyzer and provide the IP address. To add a Syslog server: - In the Remote Logging and Archiving, enable Send logs to Syslog and provide the IP address. 3. Apply changes. or 1. Open a CLI console via SSH or from the "CLI Console" button in the GUI. 2. Configure a fortianalyzer or syslog server with the following commands: FortiAnalyzer: # config log fortianalyzer setting # set status enable # set server {IP Address} # set upload-option realtime # end Syslog: # config log syslogd setting # set status enable # set server {IP Address} # set mode reliable # end

✔️ Fix

Login via the GUI with super-admin privileges. 1. Click Log and Report. 2. Click Log Settings. To add a FortiAnalyzer: - In the Remote Logging and Archiving, enable logging to FortiAnalyzer and provide the IP address. To add a Syslog server: - In the Remote Logging and Archiving, enable Send logs to Syslog and provide the IP address. 3. Apply changes. or 1. Open a CLI console via SSH or from the "CLI Console" button in the GUI. 2. Configure a fortianalyzer or syslog server with the following commands: FortiAnalyzer: # config log fortianalyzer setting # set status enable # set server {IP Address} # set upload-option realtime # end Syslog: # config log syslogd setting # set status enable # set server {IP Address} # set mode reliable # end