Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Verified Answer
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 4 replies
  • Subscribers 41 subscribers
  • Views 1670 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Where are Firewall Configuration changes documented in Central?

errollm

Hello,

I'm trying to find where in Central I can report on Changes made to XG firewalls over a period of time.  I found this post where the response is "if you have a CFR-A subscription, then the logs can be found in Central ":
View XG Firewall configuration changes

But, they don't indicate 'where' in Central I can find this information. I do have a CFR-A subscription and have data that goes back 90 days, but the Audit logs only show changes being made in Central Services and not Firewall changes.  It shows if I have added a firewall to Central but the actual changes made to a firewall, like policy changes, Firewall rule changes, interface changes, etc are not there.

If I go into "Manage Firewalls" and try to run a report for changes made to the firewall in the Report Generator, that log doesn't seem to be available to report on.  If I go to the firewall itself, I can see config changes in the Log viewer under the "Admin" log, but that log doesn't seem to be represented in the Central Report Generator.  for example, I added a firewall rule called "Allow from MGMT" on my firewall and I can see that change documented on the firewall in the Admin log under log comp 'GUI'.  When I go into the Report Generator, there is no "Admin" log in the list of Report templates.  I see most every other log, but not that one.  If I select "Log viewer and search" report template and click in the Query box, I'm offered all sorts of options, but none of them are "Gui" or 'CLI" or any other log component that is represented in the Admin log from the firewall.

I verified in the Log settings on the firewall that all "Admin Events" are being sent to Central reporting... at least the check box is selected.  So I have every expectation that anything showing in the Admin log, should be available to report on in the Report Generator, but I simply can not find the report that represents this data.  I have a client who needs a quarterly report on all changes made to the firewalls in their tenant, and since I am unable to generate a report in Central with this data, it is making it very difficult to fulfill this requirement.

What am I missing???  or does this report simply not exist?  I'd be happy with a table in Central that would show this data across all the firewalls that I could export to Excel, but I'm not seeing that either.  



This thread was automatically locked due to age.
Parents
  • +1

    You can try this: 

    Then add the column: Message 

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    Thanks for this.  This does indeed seem to be where they have hidden the GUI change log.  In my case, it appears to be empty or there is some sort of a bug with the log search because no matter what firewalls I choose or what time frame I specify, I never get more than 100, basically blank records that show so it seems my next stop will be support to figure out what is happening. 

    Thanks very much for the reply!!

  • +1 in reply to errollm

    Click the option on the right corner to add / remove columns. So you can add the Message. 

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    Thanks, that was the last piece of the pie I needed to get me there.

    After exploring this a bit, I found that the Query I needed to just see admin access and change events is 'Log Subtype' 'Admin', then only showing the Date, Component, Message and Firewall Device columns gave me a very concise log of exactly what I needed to see.

Reply
  • 0 in reply to LuCar Toni

    Thanks, that was the last piece of the pie I needed to get me there.

    After exploring this a bit, I found that the Query I needed to just see admin access and change events is 'Log Subtype' 'Admin', then only showing the Date, Component, Message and Firewall Device columns gave me a very concise log of exactly what I needed to see.

Children
No Data
Unfiltered HTML