FortiGate vs FortiAnalyzer User Anonymize

The Fortinet products "FortiGate" (firewall) and "FortiAnalyzer" (log management system) both have an option to anonymize user names in their logs. However, the two options do not do the same thing.

FortiGate

config log setting 
  set user-anonymize enable
end


This results in all usernames being changed to "anonymous".


FortiAnalyzer

Using "Privacy masking" in the FortiAnalyzer will change the username as follows:

Using "Obfuscate User" in the Advanced Settings of a report will hide user information in the report.

Syslog

When "user-anonymize" is enabled, the FortiGate also sends the username as "anonymous" to all syslog destinations and FortiAnalyzers. "Privacy masking" on the FortiAnalyzer might therefore no longer be necessary when "user-anonymize" is already enabled on the FortiGate (FGT).
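
A check that can be run on the syslog receiver to confirm this, as an added example that is not part of the original post: it parses key=value log lines and counts, per devname, how many lines carry a user value other than "anonymous". The sample lines and device names are constructed, and only the `user` field is checked.

```python
import re

# key=value pairs; a value is either double-quoted or a bare token
KV = re.compile(r'([\w-]+)=(?:"([^"]*)"|(\S+))')

# Constructed sample lines in FortiGate key=value style (not real logs).
SAMPLE = [
    '<189>date=2021-03-01 time=10:15:02 devname="fgt-a" type="traffic" '
    'srcip=10.0.0.5 user="anonymous" msg="session for user=test closed"',
    '<189>date=2021-03-01 time=10:15:04 devname="fgt-a" type="traffic" '
    'srcip=10.0.0.6 action="deny"',
    '<189>date=2021-03-01 time=10:15:07 devname="fgt-b" type="traffic" '
    'srcip=10.0.0.9 user="jdoe" action="accept"',
    '<189>date=2021-03-01 time=10:15:09 devname="fgt-b" type="event" '
    'user="asmith" action="login"',
]


def parse(line):
    """Return the key=value fields of one log line as a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV.finditer(line)}


def audit(lines, placeholder="anonymous"):
    """Per device: lines carrying a user field, and how many are not masked."""
    stats = {}
    for line in lines:
        fields = parse(line)
        user = fields.get("user")
        if not user:  # no user field on this line, nothing to check
            continue
        dev = stats.setdefault(fields.get("devname", "unknown"),
                               {"with_user": 0, "unmasked": 0})
        dev["with_user"] += 1
        if user != placeholder:
            dev["unmasked"] += 1  # count only; the name is not echoed
    return stats


if __name__ == "__main__":
    for devname, s in sorted(audit(SAMPLE).items()):
        state = "OK" if s["unmasked"] == 0 else "user names still in clear"
        print(f'{devname}: {s["unmasked"]}/{s["with_user"]} unmasked -> {state}')
```

A device that shows unmasked lines is one where "user-anonymize" is not yet in effect, so "Privacy masking" on the FortiAnalyzer is still the only protection for its logs.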

More information can be found here: https://kb.fortinet.com/kb/documentLink.do?externalID=FD36317 and https://docs.fortinet.com/document/fortianalyzer/6.2.5/administration-guide/227385/reports-settings-tab and https://docs.fortinet.com
