Technical Tip: Configure FortiGate to send FortiSwitch event logs MAC_ADD, MAC_DEL, and MAC_MOVE SYSLOG messages to FortiNAC
| Description | This article describes how to configure FortiGate to forward SYSLOG messages to FortiNAC so that FortiNAC can detect new devices connected to a FortiSwitch, using FortiSwitch event logs MAC_ADD, MAC_DEL, and MAC_MOVE. |
| Scope | FortiGate, FortiSwitch, FortiNAC. |
| Solution | On FortiGate, configure the FortiNAC IP address as a SYSLOG server.
config log syslogd setting
    set status enable
    set server <FortiNAC IP>
end
For more information about configuring SYSLOG on FortiGate, see the article: Technical Tip: How to configure syslog on FortiGate
To send only the required messages, a SYSLOG filter must be configured.
The required log messages are:
To configure the SYSLOG filter:
config log syslogd filter
    set forward-traffic disable
    set local-traffic disable
    set multicast-traffic disable
    set sniffer-traffic disable
    set ztna-traffic disable
    set anomaly disable
    set voip disable
    config free-style
        edit 1
            set category event
            set filter "(logid 0115032615 0115032616 0115032617)"
        next
    end
end
The above log messages are all information severity logs. By default, the switch-log settings are configured for FortiSwitches to send notification severity logs and higher to FortiGate.
To configure information severity logs:
config switch-controller switch-log
    set status enable
    set severity information
end
For more information about managed FortiSwitch log settings, see FortiSwitch log settings.
FortiGate will now send the MAC_ADD, MAC_DEL, and MAC_MOVE FortiSwitch event logs to FortiNAC using SYSLOG.
For configuring SYSLOG on FortiNAC, see Syslog Settings.
Note:
If the log is not generated, make sure that the following settings are enabled on FortiGate and FortiSwitch. They are enabled by default.
FortiGate:
config switch-controller global
    set mac-event-logging enable
end
FortiSwitch:
config switch interface
    edit <port>
        set log-mac-event enable
    next
end
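To confirm that a FortiGate configuration backup carries the FortiGate-side settings from this article, a check like the following can be run over the backup text. It is an added example, not Fortinet code: the function names, the sample backup and the address 192.0.2.10 are assumptions, and keys missing from the backup are treated as the defaults this article states.

```python
import shlex
REQUIRED_LOGIDS = {"0115032615", "0115032616", "0115032617"}  # IDs from the article's filter
# Constructed sample backup; 192.0.2.10 is a documentation address standing in for FortiNAC.
SAMPLE = """
config log syslogd setting
    set status enable
    set server "192.0.2.10"
end
config log syslogd filter
    config free-style
        edit 1
            set category event
            set filter "(logid 0115032615 0115032616 0115032617)"
        next
    end
end
config switch-controller switch-log
    set severity information
end
"""

def parse_config(text):
    """Map each config/edit path to its 'set' values, e.g. 'log syslogd filter/free-style/edit 1'."""
    blocks, stack = {}, []
    for line in text.splitlines():
        tok = shlex.split(line) or [""]
        if tok[0] in ("config", "edit"):
            stack.append(" ".join(tok[1:] if tok[0] == "config" else tok))
        elif tok[0] in ("end", "next") and stack:
            stack.pop()
        elif tok[0] == "set" and len(tok) >= 3:
            blocks.setdefault("/".join(stack), {})[tok[1]] = " ".join(tok[2:])
    return blocks

def audit(text):
    """Return findings (empty list = compliant); absent keys use the defaults the article states."""
    cfg, findings, seen = parse_config(text), [], set()
    syslog = cfg.get("log syslogd setting", {})
    if syslog.get("status") != "enable" or not syslog.get("server"):
        findings.append("syslogd setting: status not enabled or server missing")
    for path, s in cfg.items():
        if path.startswith("log syslogd filter/free-style/") and s.get("category") == "event":
            seen |= REQUIRED_LOGIDS & set(s.get("filter", "").strip("()").split())
    if seen != REQUIRED_LOGIDS:
        findings.append("syslogd filter: missing logid " + " ".join(sorted(REQUIRED_LOGIDS - seen)))
    if cfg.get("switch-controller switch-log", {}).get("severity", "notification") != "information":
        findings.append("switch-log: severity is not information")
    if cfg.get("switch-controller global", {}).get("mac-event-logging", "enable") != "enable":
        findings.append("switch-controller global: mac-event-logging disabled")
    return findings
```

Call `audit()` with the text of a configuration backup; the per-port `log-mac-event` setting lives on the FortiSwitch and is not covered by this check.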
Related articles: |