Levi_Li
Visitor III
November 14, 2024
Solved

Can Supervisor, collectors and Agents connect by Internet?

  • November 14, 2024
  • 1 reply
  • 1793 views

We are in the POC stage, and the framework I expect is that the supervisor, collectors and agents all communicate via the Internet, because the VMs and network devices we manage sit in different physical locations and can only reach each other through the Internet. But it does not seem to work if I just NAT them to make sure they can ping and telnet to :443 to each other. So I am wondering whether there is any further configuration requirement we have to do?

    Best answer by Secusaurus


    1 reply

    premchanderr
    Staff & Editor
    November 14, 2024

    Hi Levi,

    You can configure agents to send logs to the collector and then the collector to the supervisor. This is feasible via the Internet and is the recommended approach.

    Ensure that all ports are open for required traffic:
    https://docs.fortinet.com/document/fortisiem/7.2.4/external-systems-configuration-guide/824175/fortisiem-port-usage

    Levi_Li (Author)
    Visitor III
    November 15, 2024

    Hi,
    Thanks for the reply.
    Let me try to describe my question in more detail.
    What I have done:
    1. Set the supervisor IP (eth0) to 10.1.111.110
    2. Set the collector IP (eth0) to 192.168.3.111
    3. NAT the supervisor and collector to public IPs
    4. Allow the service ports to 'any' so that they can connect to each other
    5. PING and TELNET to port 443 succeed from both sides

    6. Create a new collector in the supervisor named Collector_V3

    7. Run "phProvisionCollector --add admin '<password>' <Supervisor public IP> super Collector_V3" on the collector, and it says "Register success, waiting for reboot."

    What I encountered:

    1. Health in the Supervisor always shows 'No Connection'

    2. The Collector is stuck at "Register success, waiting for reboot." but never reboots.

    3. On the firewall I can see the Collector keeps opening connections to the supervisor's public IP

    What I want to confirm:

    Is there any configuration I missed? If so, please give me further advice or guides. Or is it a function limitation?

    Thank you!!

    Secusaurus
    Contributor III
    November 15, 2024

    Hello @Levi_Li,

     

    We are MSSP and managing multiple customers with our supervisor being on the other side of the internet. So yes, this is a very common setup.

     

    Note that in a PoC, an SE should probably be the right person to speak to for deeper questions.

     

    If it is not working for you, you probably missed configuring the cluster setup settings (Admin - Settings - Cluster Setup). Here, you define the public (not internal) IPs, or better, FQDNs of the Supervisor and Workers (or, if there are no workers, the public one of the Supervisor again). After you initially set up a Collector or Agent, they will receive this value and connect to these IPs/FQDNs, regardless of what you used for the initial connection (the reason is that you can change it in future without having to SSH to the Collectors). If it is unset, the private IP will be submitted for this purpose during onboarding.

    You obviously need to set this before connecting Collectors or Agents.

     

    Hope that helps.

     

    Best,

    Christian

    NSE8 | Fortinet Advanced MSSP Partner
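The failure mode in this thread is easy to reproduce by accident: when Cluster Setup is left unset, the Supervisor advertises its private eth0 address, and a Collector on the far side of NAT then tries to reach an address that is not routable over the Internet, while the registration itself (which used the public IP) appears to succeed. The following pre-flight check is an added example, not Fortinet's code and not tied to any FortiSIEM API; it takes the value you intend to put in Cluster Setup, rejects private or non-resolving addresses, and only then probes TCP 443 (the port both replies above point at). The hostname `siem.example.invalid` and the `resolver`/`probe` parameters are constructed for illustration.

```python
"""Pre-flight check for a FortiSIEM Supervisor address that Collectors will
connect to across NAT / the Internet.

Added example (not Fortinet's code). It encodes the two conditions from the
thread: the advertised Supervisor IP/FQDN must be public (a private address
here reproduces the 'No Connection' symptom), and TCP 443 must be reachable.
"""
import ipaddress
import socket
from dataclasses import dataclass


@dataclass
class Finding:
    ok: bool
    detail: str


def is_private_address(addr: str) -> bool:
    """True for RFC 1918, loopback, link-local and other non-global ranges that
    cannot be reached from the Internet."""
    return not ipaddress.ip_address(addr).is_global


def check_advertised_address(value: str, resolver=socket.gethostbyname) -> Finding:
    """Validate the Supervisor IP or FQDN as it would be handed to Collectors.

    `value` stands for the Cluster Setup entry; `resolver` is injectable so the
    check can run offline (the default is a real DNS lookup).
    """
    try:
        ipaddress.ip_address(value)
        literal = True
    except ValueError:
        literal = False
    if literal:
        if is_private_address(value):
            return Finding(False, f"{value} is a private address; remote Collectors cannot reach it")
        return Finding(True, f"{value} is a public IP")
    try:
        resolved = resolver(value)
    except OSError as exc:
        return Finding(False, f"{value} does not resolve: {exc}")
    if is_private_address(resolved):
        return Finding(False, f"{value} resolves to private address {resolved}; remote Collectors cannot reach it")
    return Finding(True, f"{value} resolves to public address {resolved}")


def tcp_reachable(host: str, port: int = 443, timeout: float = 3.0) -> Finding:
    """Plain TCP connect, the same thing the telnet test in the thread does."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return Finding(True, f"TCP {port} on {host} reachable")
    except OSError as exc:
        return Finding(False, f"TCP {port} on {host} not reachable: {exc}")


def preflight(advertised: str, resolver=socket.gethostbyname, probe=tcp_reachable) -> list:
    """Run the address check first; probe the port only if the address is sane."""
    findings = [check_advertised_address(advertised, resolver)]
    if findings[0].ok:
        findings.append(probe(advertised, 443))
    return findings


if __name__ == "__main__":
    # The two private addresses from the thread: this is exactly what gets
    # advertised when Cluster Setup is left unset. The FQDN is a constructed
    # placeholder; replace it with the public name you intend to configure.
    for candidate in ("10.1.111.110", "192.168.3.111", "siem.example.invalid"):
        for finding in preflight(candidate):
            print("OK  " if finding.ok else "FAIL", finding.detail)
```

Run it on the Collector host before `phProvisionCollector`, with the value you plan to enter under Admin - Settings - Cluster Setup; a FAIL on the first line means the Collector would be told to connect to an address it can never reach, regardless of what the firewall allows.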