Auditing logon events with FortiGate


How to enable auditing on Active Directory. One of my customers was implementing web filtering using Active Directory with FortiGate firewall appliances. The solution requires a couple of Event IDs to be generated on the Domain Controllers (4768, 4769 and 4776).

Solution


One of my customers is enabling FortiGate for web filtering using integration with Active Directory, and the request to the Active Directory Team was to enable the Event IDs 4768, 4769 and 4776 on all Domain Controllers.

The first step was to look up each requested Event ID in the Microsoft documentation and find out which policy settings had to change.

My next step was to change the Default Domain Controllers Policy to enable the proper audit setting. Based on the documentation, we need to work on the item Audit logon events. To find it, expand the policy settings until you reach that item.

On the first page of the policy setting, the administrator can define which actions will be logged.

It seems that FortiGate also requires Kerberos authentication logging information, and for that reason we are going to enable these items as well.


The second tab (Explain) describes the default values for servers and workstations, and the administrator can use it to check whether the setting enables what the third-party application requires.

In this tutorial, we went over the process of enabling auditing on the Domain Controllers. The specific audit settings covered here can be used with FortiGate to enable web filtering based on Active Directory integration.
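To confirm that the policy change took effect, the following PowerShell check (an added example, not part of the original tutorial) reads the effective audit setting for the subcategories that produce events 4768, 4769 and 4776 and looks for a recent instance of each in the Security log. It assumes an elevated session on a domain controller running an English-language OS; the one-hour look-back window is an arbitrary choice.

```powershell
# Added example: run elevated on a domain controller after the GPO has applied.
# Assumption: English-language OS (auditpol subcategory names are localized).

# Event IDs from the article, mapped to the audit subcategory that generates each.
$required = @(
    @{ Id = 4768; Subcategory = 'Kerberos Authentication Service' }     # TGT requested
    @{ Id = 4769; Subcategory = 'Kerberos Service Ticket Operations' }  # service ticket requested
    @{ Id = 4776; Subcategory = 'Credential Validation' }               # NTLM credential validation
)
$since = (Get-Date).AddHours(-1)   # assumed look-back window

$report = foreach ($item in $required) {
    # auditpol /r emits CSV; drop blank lines before parsing it.
    $policy = auditpol /get /subcategory:"$($item.Subcategory)" /r |
        Where-Object { $_.Trim() } | ConvertFrom-Csv

    # Most recent matching event in the Security log, if any.
    $latest = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = $item.Id; StartTime = $since
    } -MaxEvents 1 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        EventId     = $item.Id
        Subcategory = $item.Subcategory
        Effective   = $policy.'Inclusion Setting'   # e.g. "Success and Failure"
        LastSeen    = if ($latest) { $latest.TimeCreated } else { $null }
    }
}
$report | Format-Table -AutoSize

# Flag subcategories that are not audited or produced no event in the window.
$gaps = $report | Where-Object { $_.Effective -eq 'No Auditing' -or -not $_.LastSeen }
foreach ($gap in $gaps) {
    Write-Warning ("Event {0} ({1}): setting '{2}', no event since {3:u}" -f `
        $gap.EventId, $gap.Subcategory, $gap.Effective, $since)
}
```

A subcategory that reports an audit setting but shows no recent event may simply have seen no matching authentication on that domain controller within the window, so repeat the check on each DC before concluding the policy did not apply.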

Written by Anderson Patricio
