Technical Tip: Sending messages (logs, SNMP) directly from the HA management interface
Description
This article describes that when HA-direct is enabled, FortiGate uses the HA management interface to send log messages to FortiAnalyzer and remote syslog servers, sending SNMP traps or connecting to FortiSandbox or FortiCloud.
Scope
FortiGate: Logging, management interface.
Solution
HA management interface is required before enabling HA-direct:
config system ha
set ha-mgmt-status enable
set ha-mgmt-status enable
config ha-mgmt-interface
edit <x>
set interface <interface name>
set gateway <xxx.xxx.xxx.xxx>
next
end
Related article:
Afterwards, enable HA-direct globally:
config system ha
set ha-direct enable
end
Note:
When HA-Direct is enabled under HA settings, the management traffic, such as logs, SNMP, and remote authentication (RADIUS, TACACS+), is routed through the reserved HA management interface instead of the regular service interfaces.
Below is a debug message when enabling or disabling HA-Direct:
diagnose debug application syslogd -1
diagnose debug enable
diagnose debug enable
Enabling:
<2007> __ha_changed()-113: HA ha-direct changed. Now log is sent via dedicated ha-mgmt-intf? Yes
Disabling:
<2007> __ha_changed()-113: HA ha-direct changed. Now log is sent via dedicated ha-mgmt-intf? No
Starting v7.4.9 and v7.6.4, setting 'interface-select-method' on the authentication setting (ex., LDAP) will override the ha-direct configuration.
The default value of the 'ha-direct' is set to 'disable' under the HA system configuration in the CLI. In many cases, HA-direct can also be enabled only for appropriate features. For example, in SNMPv3:
config system snmp user
edit snmpv3-user
set ha-direct enable
next
end
Ha-direct can also be enabled for SNMPv2.
config system snmp community
edit 1
config hosts
edit 1
set ha-direct enable
end
end
Notes:
- This setting alters the traffic flow. Enabling it may cause timeouts to occur due to an unresponsive FortiGate. This occurs because the response to a request is sent on a different interface, where the packet may not be routed back to the requester, resulting in a request timeout.
- If the ha-direct is enabled for the Syslogs Server, the FortiGate will use the MGMT interface to communicate with the Syslog Server, and in the FortiGate, it is not possible to specify the Source IP in the Syslog configuration.
- When ha-direct is disabled, FortiGate uses the routing table to determine the source interface and source IP to send log to FortiAnalyzer; when ha-direct is enabled, FortiGate uses the reserved management interface and associated IP to send the log. For this to work after changing the setting from 'disable' to 'enable', it requires both routes to the firewall policy to be in place.
See this article: Technical Tip: When 'ha-direct' is enabled, the 'source-ip' setting will not work on the syslog configuration.
If the Firewall is set to run SNMP from the MGMT interface but should also send logs to the Syslog server, HA-direct must be enabled under the SNMP community configuration, but disabled under the HA settings. Otherwise, syslog traffic might not work.