FortiManager
KenYap
Staff
Article Id 267874
Description This article describes how to read the FortiManager Event Logs for Address Group (device mapping modification).
Scope FortiManager.
Solution

In this example, the following configuration is used:

  1. Firewall Address: dummyIP_1, dummyIP_2, dummyIP_3, dummyIP_4.
  2. Firewall Address Group: dummyGroup.
  3. dummyGroup has per-device mapping configured as below:
  • FGT_A: device mapping with members dummyIP_1, dummyIP_2.
  • FGT_B: device mapping with members dummyIP_3, dummyIP_4.


FMG_Elog_AddrGroup_DeviceMap_01.PNG


FMG_Elog_AddrGroup_DeviceMap_02.PNG


The FortiManager Event Logs record the creation of the firewall addresses and of the firewall address group.


FMG_Elog_AddrGroup_DeviceMap_03.PNG


After downloading the FortiManager Event Logs in normal format, the log entries show the details below.

Note: It is possible to filter FortiManager Event Logs by description: cdb event log for object changed.


Information:

  1. For newly created firewall objects (address, address group, and so on), the downloaded log shows the following fields:
  • user = admin, which means the admin user created it.
  • operation = add, which means it is created as a new object.
  • type = fw_addr, which means it is a firewall address.
  • name = the firewall object's name. E.g.: dummyIP_1.
  • subnet = 1.2.3.4 255.255.255.255, the address value. E.g.: dummyIP_1 is created with the IP address 1.2.3.4/32.

FMG_Elog_AddrGroup_DeviceMap_03a.PNG


For the device mapping inside the address group, the downloaded log shows the following fields:

  • user = admin, which means the admin user created it.
  • operation = add, which means it is created as a new object.
  • type = fw_addrgrp, which means it is a firewall address group.
  • name = the firewall object's name. E.g.: dummyGroup.
  • performed_on = "dev=FGT_A,vdom=root", which means the device mapping applies to the 'FGT_A' FortiGate.
  • changes = "type=fw_addrgrp_dynamic_mapping", which means the address group carries device mapping information.
  • member = dummyIP_2 dummyIP_1, which means dummyIP_2 and dummyIP_1 are mapped to the 'FGT_A' FortiGate.

FMG_Elog_AddrGroup_DeviceMap_03b.PNG


Now a modification is performed on this address group:

  1. One member (dummyIP_2) is removed from the device mapping for the 'FGT_A' FortiGate.
  2. All members are deleted from the device mapping for the 'FGT_B' FortiGate.

FMG_Elog_AddrGroup_DeviceMap_04.PNG


The FortiManager Event Logs record the changes to the firewall address group. Download the FortiManager Event Logs in normal format for more detailed information.


FMG_Elog_AddrGroup_DeviceMap_05.PNG


After downloading the FortiManager Event Logs in normal format, the entries below show the detailed information.

Note: It is possible to filter FortiManager Event Logs by description: cdb event log for object changed.


  • user = admin.
  • operation = delete.
  • performed_on = "dev=FGT_B,vdom=root".
  • type = fw_addrgrp_dynamic_mapping.
  • key = dummyGroup(dynamic).
  • member = (dummyIP_4 dummyIP_3).

The user admin has deleted the 'FGT_B' FortiGate device mapping from dummyGroup.
Previously, the 'FGT_B' FortiGate had a device mapping in dummyGroup with members dummyIP_3 and dummyIP_4; the member field shows the current (empty) value first and the previous members in parentheses.


  • user = admin.
  • operation = delete.
  • performed_on = "dev=FGT_A,vdom=root".
  • type = fw_addrgrp_dynamic_mapping.
  • key = dummyGroup(dynamic).
  • member = dummyIP_1(dummyIP_2 dummyIP_1).

The user admin has removed a member (dummyIP_2) from the 'FGT_A' FortiGate device mapping in dummyGroup. The only remaining member is dummyIP_1.
Previously, the 'FGT_A' FortiGate had a device mapping in dummyGroup with members dummyIP_1 and dummyIP_2; again the current value comes first and the previous members follow in parentheses.
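The field layout above (operation, performed_on, type, key, and member as current(previous)) is enough to reconstruct what each device mapping lost. The parser below is an added example, not part of this article or of FortiManager; the exact raw line syntax of the normal-format download is an assumption (key=value pairs with quoted values), while the field names and values are the ones shown above.

```python
import re
import shlex

# Constructed sample lines approximating the normal-format download.
# The key=value line syntax is an assumption; field names and values
# are the ones shown in the article (the third line is the original add).
SAMPLE_LOG = '''\
user=admin operation=delete performed_on="dev=FGT_B,vdom=root" type=fw_addrgrp_dynamic_mapping key="dummyGroup(dynamic)" member="(dummyIP_4 dummyIP_3)"
user=admin operation=delete performed_on="dev=FGT_A,vdom=root" type=fw_addrgrp_dynamic_mapping key="dummyGroup(dynamic)" member="dummyIP_1(dummyIP_2 dummyIP_1)"
user=admin operation=add performed_on="dev=FGT_A,vdom=root" type=fw_addrgrp key=dummyGroup changes="type=fw_addrgrp_dynamic_mapping" member="dummyIP_2 dummyIP_1"
'''

# member = current(previous); the parenthesised previous value is optional.
MEMBER_RE = re.compile(r'^(?P<current>[^()]*)(?:\((?P<previous>[^)]*)\))?$')


def parse_line(line):
    """Split one key=value log line into a dict; shlex keeps quoted values whole."""
    fields = {}
    for token in shlex.split(line):
        key, _, value = token.partition('=')
        fields[key] = value
    return fields


def split_member(value):
    """Return (current members, previous members or None) from a member field."""
    m = MEMBER_RE.match(value)
    current = set(m.group('current').split())
    prev = m.group('previous')
    previous = set(prev.split()) if prev is not None else None
    return current, previous


def device_mapping_changes(log_text):
    """List which members each address-group device mapping lost in delete events."""
    results = []
    for line in log_text.splitlines():
        f = parse_line(line) if line.strip() else {}
        if f.get('type') != 'fw_addrgrp_dynamic_mapping' or f.get('operation') != 'delete':
            continue  # only dynamic-mapping deletes carry a current(previous) member field
        device = dict(p.split('=', 1) for p in f['performed_on'].split(','))['dev']
        group = f['key'].split('(')[0]           # "dummyGroup(dynamic)" -> "dummyGroup"
        current, previous = split_member(f['member'])
        results.append({'user': f['user'], 'group': group, 'device': device,
                        'removed': sorted((previous or set()) - current),
                        'remaining': sorted(current),
                        'mapping_deleted': not current})
    return results
```

Running `device_mapping_changes(SAMPLE_LOG)` on the constructed lines reports that FGT_B lost dummyIP_3 and dummyIP_4 (mapping deleted) and FGT_A lost dummyIP_2 with dummyIP_1 remaining, which is the information needed to restore the mapping.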


FMG_Elog_AddrGroup_DeviceMap_06.PNG


FortiManager Event Logs are important for tracing modifications to an address group's device mapping, so that the lost configuration can be identified and restored.