Anthony_E
Staff
October 27, 2021

Technical Tip: FortiGate connectivity with FortiAnalyzer via IPsec tunnel


Description


This article describes how to connect a FortiGate to FortiAnalyzer over an IPsec tunnel, which can be achieved by specifying the tunnel interface name in the FortiAnalyzer log setting.

 

Scope

 

FortiGate.

 

Solution

 

In the FortiAnalyzer log setting, the outgoing interface can be selected using one of 3 methods:
 
auto    <----- Set outgoing interface automatically.
sdwan   <----- Set outgoing interface by SD-WAN or policy routing rules.
specify <----- Set outgoing interface manually.
 
The reliable way to get connectivity via an IPsec tunnel is to manually specify the tunnel interface as the outgoing interface. When using this method, it is recommended to assign an IP address to the IPsec tunnel interface and include that IP address in the phase2 selectors.
 
This configuration is only supported in the CLI.
 
  1. Enter the FortiAnalyzer log setting using the command below:
 
tau-kvm28 # config log fortianalyzer setting 
 
  2. Enable FortiAnalyzer logs using the command below:

 

tau-kvm28 (setting) # set status enable  

tau-kvm28 (setting) # show full

config log fortianalyzer setting
    set status enable
    set ips-archive enable
    set server ''
    set certificate-verification enable
    set preshared-key ''
    set access-config enable
    set enc-algorithm high
    set ssl-min-proto-version default
    set conn-timeout 10
    set monitor-keepalive-period 5
    set monitor-failure-retry-period 5
    set certificate ''
    set source-ip ''
    set interface-select-method specify
    set interface ''                    <----- Specify the tunnel interface name.
    set upload-option 5-minute
    set reliable disable
    set priority default
    set max-log-rate 0
end
tau-kvm28 (setting) #


Alternatively, it is possible to set source-ip instead of defining the interface, as shown below:

 

config log fortianalyzer setting
    set source-ip x.x.x.x 
end

 

The source IP should be the IP of one of the internal interfaces of the FortiGate and must be allowed in the IPsec phase 2 selector of the tunnel that connects to the FortiAnalyzer.
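
The following offline check is an added example, not part of the original article or Fortinet tooling: it reads a saved FortiGate configuration and reports when the FortiAnalyzer log setting uses interface-select-method specify without an interface, or when source-ip falls outside the phase 2 selectors. Assumptions: the tunnel interface carries the same name as the phase 1 entry (phase1name), selectors are subnet-type, and the sample names and addresses are constructed placeholders.

```python
import ipaddress

# Constructed sample (names and addresses are placeholders, not from the article).
SAMPLE = """
config vpn ipsec phase2-interface
    edit "to-faz-p2"
        set phase1name "to-faz"
        set src-subnet 10.10.10.0 255.255.255.0
    next
end
config log fortianalyzer setting
    set source-ip "10.10.10.1"
    set interface-select-method specify
    set interface "to-faz"
end
"""

def parse_blocks(config, section):
    """Return one dict of 'set' values per 'edit' entry (or per section if none)."""
    blocks, active = [], False
    for raw in config.splitlines():
        words = [w.strip("\"'") for w in raw.split()] or [""]
        if words[0] == "config":
            active = " ".join(words[1:]) == section
        if active and words[0] in ("config", "edit"):
            blocks.append({"edit": words[1:]} if words[0] == "edit" else {})
        elif active and words[0] == "set":
            blocks[-1][words[1]] = words[2:]
    return [b for b in blocks if b]

def check_faz_over_ipsec(config):
    """Return findings; an empty list means the settings follow the article's advice."""
    faz = parse_blocks(config, "log fortianalyzer setting")[0]
    tunnel = faz.get("interface", [""])[0]
    src = faz.get("source-ip", [""])[0]
    findings = []
    if faz.get("interface-select-method") == ["specify"] and not tunnel:
        findings.append("interface-select-method is specify but interface is empty")
    if src:
        ip, covered = ipaddress.ip_address(src), False
        for p2 in parse_blocks(config, "vpn ipsec phase2-interface"):
            if tunnel and p2.get("phase1name") != [tunnel]:
                continue  # assumption: tunnel interface name equals phase1name
            # Assumption: an absent src-subnet is the default 0.0.0.0 0.0.0.0.
            addr, mask = p2.get("src-subnet", ["0.0.0.0", "0.0.0.0"])
            covered |= ip in ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        if not covered:
            findings.append(f"source-ip {src} is outside the phase2 src-subnet selectors")
    return findings
```

Run check_faz_over_ipsec() on the text of a configuration backup; an empty list means both conditions hold.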


Related articles

Technical Tip: FortiAnalyzer connectivity with FortiGate using SD-WAN

Technical Tip: How to control/change the FortiGate source IP for self-generated traffic