How FortiNAC Works

Visibility: FortiNAC learns where devices are connected through:
- SNMP Link State traps from switches.
- Syslog messages for adding, removing, or moving MAC addresses (only available when FortiSwitch is in FortiLink mode).
- RADIUS communication.
- Polling of MAC address tables (L2 Poll).
- Polling of ARP caches (L3 Poll).

Control: FortiNAC manages VLAN assignments based on the switch model, network policies, and the device's status. The method used to change VLAN settings depends on the switch model.

FortiSwitch Modes

FortiLink Mode:
- Management: FortiSwitches in FortiLink mode are managed by FortiGate.
- VLAN Assignment: FortiNAC manages the VLAN assignments for clients connected to FortiSwitches based on their status in the FortiNAC system.

Standalone Mode:
- Operation: In standalone mode, FortiSwitches operate like regular network switches.
- VLAN Management: FortiNAC manages the VLAN assignments for devices connected to the switches, with communication through SNMP traps or RADIUS, and all other communication handled through HTTPS (REST API).
Solution: Utilizing Syslog on FortiGate for FortiLink-Managed FortiGates

This method involves configuring the FortiSwitch to generate MAC events and send them via FortiLink to the FortiGate, which then forwards the logs to FortiNAC using syslog. Below are the steps to implement this solution.

To configure FortiLink mode using syslog messages, see the FortiNAC & FortiSwitch Integration Guide.

Troubleshooting steps:
Verify MAC Event Logging on FortiGate: Ensure that MAC event logging is enabled on the FortiGate. This is essential for the FortiSwitch to send MAC-related events such as Add, Delete, and Move.
config switch-controller global
  set mac-event-logging enable
end
Check syslog filters on FortiGate: Ensure that the syslog filters are correctly configured to capture the relevant MAC event types. Review the syslog filter settings and confirm that the following free-style filter is set:

config log syslogd filter
  config free-style
    edit 1
      set category event
      set filter "(logid 0115032615 0115032616 0115032617)"
      set filter-type include
    next
  end
end

Ensure the filters match the required MAC event types, verify that the filter settings are correctly applied, and review the filter string for syntax errors.

Check Syslog Filter Severity: Ensure the syslog filter's severity level is set correctly. The default setting is 'information'.
To adjust the severity level, run the following commands (the '?' lists the available levels):

config log syslogd filter
set severity ?
emergency      Emergency level.
alert          Alert level.
critical       Critical level.
error          Error level.
warning        Warning level.
notification   Notification level.
information    Information level.
debug          Debug level.
set severity emergency
end
Verify mac-aging-interval and mac-retention-period:

MAC Aging Interval: This is the period after which the switch ages out and removes MAC addresses that haven't been seen. The default mac-aging-interval is 300 seconds (5 minutes).

MAC Retention Period: This is how long a MAC address remains in the FortiGate's cache even if it hasn't been seen. For instance, if mac-retention-period is set to 10 hours, a MAC address stays in the cache for up to 10 hours even if the device is no longer active. A mac-retention-period of 0 means no caching: the entry is removed from the FortiGate at the same time it is removed from the FortiSwitch.
Use the following commands to configure these values:

config switch-controller global
  set mac-aging-interval 300
  set mac-retention-period 0
end

To verify, use:

diagnose switch-controller mac-cache show
Note: Using the default mac-aging-interval for devices that generate network traffic infrequently (such as IoT or OT devices, badge readers, or even some computers) may cause frequent port resets to the default VLAN and negatively affect the user experience, because FortiNAC re-evaluates the port each time traffic reappears and the MAC address is re-added to the MAC address table.

Verify Remote Logging Configuration on FortiGate: Verify the remote logging configuration to ensure logs are correctly forwarded to the FortiNAC syslog server. Use the following configuration to set up a FortiSwitch, managed by a FortiGate, to forward its log messages to a remote syslog server:
config switch-controller remote-log
  edit "syslogd"
    set status enable
    set server "10.21.0.18" # Primary syslog server IP (FortiNAC)
  next
  edit "syslogd2"
    set status enable
    set server "x.x.x.x" # Secondary syslog server IP
  next
end
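The syslog filter, severity and remote-log checks described above can be run against a saved copy of the FortiGate configuration. The following is an added example, not Fortinet code and not part of the original article: a small Python parser for the FortiOS config/edit/set/next/end syntax plus a linter for those three checks; the sample configuration is constructed with hypothetical values, and the assumption that an omitted filter-type defaults to include is the example's own.

```python
import ipaddress
import shlex
# Constructed sample (hypothetical, not from a real device): severity too strict, one logid missing, stray space in IP.
SAMPLE_CONFIG = """config log syslogd filter
  set severity warning
  config free-style
    edit 1
      set category event
      set filter "(logid 0115032615 0115032616)"
      set filter-type include
    next
  end
end
config switch-controller remote-log
  edit "syslogd"
    set server " 10.21.0.18"
  next
end"""
REQUIRED_LOGIDS = {"0115032615", "0115032616", "0115032617"}  # MAC add / delete / move events

def parse_fortios(text):  # FortiOS config/edit/set/next/end text -> nested dicts keyed by path or entry name
    root, stack = {}, []
    for tok in filter(None, (shlex.split(line) for line in text.splitlines())):
        cur = stack[-1] if stack else root
        if tok[0] in ("config", "edit"):
            stack.append(cur.setdefault(" ".join(tok[1:]), {}))
        elif tok[0] == "set":
            cur[tok[1]] = " ".join(tok[2:])
        elif tok[0] in ("next", "end"):
            stack.pop()
    return root

def lint_for_fortinac(cfg):  # findings for the severity, free-style logid and remote-log server checks
    out = []
    flt = cfg.get("log syslogd filter", {})
    sev = flt.get("severity", "information")  # FortiOS default, as stated above
    if sev not in ("information", "debug"):
        out.append(f"severity '{sev}' is stricter than 'information'; MAC events may be dropped")
    seen = set()
    for fs in flt.get("free-style", {}).values():  # assumes an omitted filter-type means include
        if fs.get("category") == "event" and fs.get("filter-type", "include") == "include":
            seen.update(fs.get("filter", "").strip("()").split()[1:])
    if missing := REQUIRED_LOGIDS - seen:
        out.append("free-style filter lacks MAC event logid(s): " + " ".join(sorted(missing)))
    for name, srv in cfg.get("switch-controller remote-log", {}).items():
        try:
            ipaddress.ip_address(srv.get("server", ""))
        except ValueError:
            out.append(f"remote-log '{name}' server {srv.get('server')!r} is not a valid IP address")
    return out
```

Running lint_for_fortinac(parse_fortios(SAMPLE_CONFIG)) reports all three problems; a configuration matching the blocks above yields no findings.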
If logs are not reaching FortiNAC, confirm that the IP addresses of the syslog servers are correct and reachable. Verify that a firewall policy allows traffic from the LAN/FortiLink to be forwarded to the syslog server. For further troubleshooting, run a sniffer and a debug flow for UDP port 514:
diagnose sniffer packet any "port 514" 4 0 l
interfaces=[any]
filters=[port 514]
2024-12-03 18:28:23.436531 port1 in 10.255.1.2.49072 -> 10.21.0.18.514: udp 288
2024-12-03 18:28:23.436550 fortilink in 10.255.1.2.49072 -> 10.21.0.18.514: udp 288
2024-12-03 18:28:23.436593 wan1 out 10.255.1.2.49072 -> 10.21.0.18.514: udp 288
2024-12-03 18:28:23.487565 port1 in 10.255.1.2.49072 -> 10.21.0.18.514: udp 419
2024-12-03 18:28:23.487585 fortilink in 10.255.1.2.49072 -> 10.21.0.18.514: udp 419
2024-12-03 18:28:23.487626 wan1 out 10.255.1.2.49072 -> 10.21.0.18.514: udp 419
Press Ctrl + C to stop the sniffer. Then trace the flow for destination port 514:
diagnose debug flow filter dport 514
diagnose debug flow trace start 99
diagnose debug enable
FortiGate-81E-POE (root) # id=65308 trace_id=4 func=print_pkt_detail line=5880 msg="vd-root:0 received a packet(proto=17, 10.255.1.2:49072->10.21.0.18:514) tun_id=0.0.0.0 from fortilink. "
id=65308 trace_id=4 func=init_ip_session_common line=6062 msg="allocate a new session-000082f7"
id=65308 trace_id=4 func=vf_ip_route_input_common line=2613 msg="find a route: flag=04000000 gw-10.128.202.1 via wan1"
id=65308 trace_id=4 func=__iprope_tree_check line=529 msg="gnum-100004, use int hash, slot=85, len=3"
id=65308 trace_id=4 func=fw_forward_handler line=992 msg="Allowed by Policy-9:"
id=65308 trace_id=5 func=print_pkt_detail line=5880 msg="vd-root:0 received a packet(proto=17, 10.255.1.2:49072->10.21.0.18:514) tun_id=0.0.0.0 from fortilink. "
id=65308 trace_id=5 func=resolve_ip_tuple_fast line=5968 msg="Find an existing session, id-000082f7, original direction"
id=65308 trace_id=5 func=npu_handle_session44 line=1226 msg="Trying to offloading session from fortilink to wan1, skb.npu_flag=00000400 ses.state=00000204 ses.npu_state=0x00000001"
id=65308 trace_id=5 func=fw_forward_dirty_handler line=443 msg="state=00000204, state2=00000001, npu_state=00000001"
To stop the debugging, run the following commands:
diagnose debug disable
diagnose debug reset