How to enable Auditing on Active Directory. One of my customers was implementing web filtering using Active Directory with FortiGate firewall appliances. The solution requires a couple of Event IDs to be generated on the Domain Controllers (4768, 4769 and 4776).
One of my customers is enabling FortiGate for web filtering using integration with Active Directory, and the request to the Active Directory Team was to enable the Event IDs 4768, 4769 and 4776 on all Domain Controllers.
The first step was to look up each requested Event ID and find out which policies had to be changed. Here is the list of the IDs with the technical information from Microsoft.
- Event ID 4768 https://technet.microsoft.com/en-us/library/dd772702(v=ws.10).aspx
- Event ID 4769 https://technet.microsoft.com/en-us/library/dd772667(v=ws.10).aspx
- Event ID 4776 https://technet.microsoft.com/en-us/library/dd772679(v=ws.10).aspx
After that, my next step was to change the Default Domain Controllers Policy to enable the proper Audit setting. Based on the documentation, we need to work on the item Audit logon events. To find it, expand the settings as shown in the image below.
On the first tab of the policy setting, the administrator defines which actions will be logged.
It seems that FortiGate also requires Kerberos authentication logging, so we are going to enable those items as well.
The second tab (Explain) gives details of the default values for servers and workstations, and the administrator can use it to verify that the setting enables what the third-party application requires.
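Once the policy has been applied, it is worth confirming on each Domain Controller that the audit subcategories are actually on and that the three Event IDs are being written. The following script is an added example, not part of the original tutorial or any FortiGate material; it assumes an elevated PowerShell session on a DC and uses the Advanced Audit Policy subcategories (Kerberos Authentication Service, Kerberos Service Ticket Operations, Credential Validation) that Microsoft's documentation associates with Event IDs 4768, 4769 and 4776.

```powershell
# Added verification script (not part of the original tutorial).
# 1) Checks that the audit subcategories producing 4768/4769/4776 are enabled.
# 2) Counts how many of each event the Security log recorded in the last hour.
# Run in an elevated PowerShell session on each Domain Controller.

# Subcategory -> Event ID mapping as documented by Microsoft.
$Required = @{
    'Kerberos Authentication Service'    = 4768   # TGT requested
    'Kerberos Service Ticket Operations' = 4769   # service ticket requested
    'Credential Validation'              = 4776   # NTLM credential validation
}

# auditpol /r prints CSV; parse it so the Inclusion Setting column can be read.
$Policy = auditpol /get /category:'Account Logon' /r | ConvertFrom-Csv

foreach ($Name in $Required.Keys) {
    $Row     = $Policy | Where-Object { $_.Subcategory -eq $Name }
    $Setting = if ($Row) { $Row.'Inclusion Setting' } else { 'Not found' }
    # Both Success and Failure are needed so failed logons are recorded too.
    $Ok = ($Setting -match 'Success') -and ($Setting -match 'Failure')
    '{0,-36} {1,-20} {2}' -f $Name, $Setting, $(if ($Ok) { 'OK' } else { 'CHECK' })
}

# Count the target events in the last hour to confirm they are being generated.
$Since  = (Get-Date).AddHours(-1)
$Filter = @{ LogName = 'Security'; Id = @($Required.Values); StartTime = $Since }
try {
    $Events = Get-WinEvent -FilterHashtable $Filter -ErrorAction Stop
} catch {
    $Events = @()   # Get-WinEvent raises an error when nothing matches the filter
}
$Events | Group-Object Id | Sort-Object Name |
    ForEach-Object { '{0}: {1} events since {2}' -f $_.Name, $_.Count, $Since }
```

A subcategory reported as CHECK, or an Event ID that never appears in the count, means the policy has not applied to that DC yet (run gpupdate /force and re-check) or the setting was enabled for only Success or only Failure.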
In this tutorial, we went over the process of enabling auditing on the Domain Controllers; those specific Event IDs can then be consumed by FortiGate to enable web filtering based on Active Directory integration.