The FortiGate firewall must allow authorized users to record a packet-capture-based IP, traffic type (TCP, UDP, or ICMP), or protocol.

An XCCDF Rule

Description

<VulnDiscussion>Without the ability to capture, record, and log content related to a user session, investigations into suspicious user activity would be hampered. This configuration ensures the ability to select specific sessions to capture in order to support general auditing/incident investigation or to validate suspected misuse.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-234159r611477_rule
Severity: Medium
References: CCI-001462
Updated: about 1 year ago

Log in to the FortiGate GUI with Super-Admin privilege.

Create a Packet Capture Filter 
1. Click Network.
2. Click Packet Capture.
3. Click +Create New.4. Select an interface from the drop down menu.
5. Specify the maximum number of packets to capture.
6. Enable Filters to configure filtering based upon Host (addresses), Port, VLAN, or Protocol.
7. Click OK.

Then, 
1. Select a packet filter from the list of packet capture filters.
2. Right-click on the selected filter.
3. Click Start.
4. Click OK.
The packet capture continues until either the configured number of packets is reached, or the administrator stops the packet capture. The administrator must download the packet capture for viewing with an external application, like Wireshark or tcpdump.

The FortiGate firewall must allow authorized users to record a packet-capture-based IP, traffic type (TCP, UDP, or ICMP), or protocol.

Description

Remediation - Manual Procedure