Troubleshooter_73
Explorer
June 2, 2015
Solved

Don't get logs from Fortigate at IPSEC Remote Site

  • June 2, 2015
  • 3 replies
  • 7067 views

Hi to all,

 

I have a FAZ 400B with Firmware 5.0.10 deployed at our central site.

I capture logs from the Fortigate 60C at the same site successfully.

Now I have about 6 Remote Sites that are connected by IPSEC to my central site.

I configured the remote FGTs to log to the FAZ in the central site, using its private IP as target.

I added the devices in FAZ successfully, but I received no logs from Remote Sites.

 

Interesting: In one site I have a Fortimail 200D Cluster and I receive logs from this device,

but not from the Fortigates...

 

Log Settings Fortigates (all at Firmware Version 5.2.x):

-> Send Logs to FortiAnalyzer

-> IP is the private IP of the FAZ at the central site (i.e. 10.1.1.253)

-> Realtime

-> Untick "Encrypt Log Transmission"

-> Event Logging all

-> Local Traffic Logging All

-> Policies from the central to the remote site and back are fully open for testing purposes

-> can ping the fortigate from FAZ successfully

-> but I can't ping the FAZ from the Fortigate, although I can from a system at the remote site (also interesting)

 

Any Ideas?

    Best answer by FortiAdam


    3 replies

    FortiAdam
    New Member
    June 2, 2015

    I would suggest setting the source-ip option in the FortiAnalyzer config section of the CLI.  I'm guessing what is happening is that your remote fortigate is sending logs from a source IP that isn't allowed to go over your VPN.

     

    config log fortianalyzer setting
        set source-ip x.x.x.x
    end

     

    Let us know if that helps!

    Troubleshooter_73
    Explorer
    June 2, 2015

    Great, that was the solution!

     

     At the remote fortigate unit:

    config log fortianalyzer setting
        set source-ip <ip of remote fgt>
    end

     

    Thanks, you saved my day!

     

    FortiAdam
    New Member
    June 2, 2015

    You would make that change to the source-ip configuration on the remote FortiGate.  I would suggest setting the source-ip to the local interface IP of your remote FortiGate.  Optionally, you could create a loopback interface on your remote firewall to source the traffic from, but that could complicate things further as it might require additional routing and VPN re-config.

     

    In the Phase-2 settings of your VPN, are you allowing any source or did you specify only certain hosts or networks?

     

    You want the source-ip setting to coincide with what you have configured for your VPN.

     

    EDIT: Looks like you got it figured out.  Glad I could help!
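Putting FortiAdam's answer and his phase-2 note together, here is a worked remote-site configuration as an added example; it is not from the original thread, and the addresses, interface names and tunnel name are assumed: remote LAN 192.168.10.0/24 on "internal" (FortiGate address 192.168.10.1), central LAN 10.1.1.0/24 with the FortiAnalyzer at 10.1.1.253 as in the question, and an interface-mode IPsec tunnel called "to-central". The point it demonstrates is that FortiGate self-originated traffic (log forwarding, and the ping in the question) is only protected by the tunnel when its source address falls inside the phase-2 selector, so source-ip must be chosen to match.

```fortios
# Remote-site FortiGate, FortiOS 5.2 syntax. All addresses and names below
# are assumed for this example.

# Phase 2 selectors: only 192.168.10.0/24 <-> 10.1.1.0/24 is protected.
# Traffic the FortiGate sources from any other address of its own does not
# match the selector and is therefore never placed into the tunnel.
config vpn ipsec phase2-interface
    edit "to-central"
        set phase1name "to-central"
        set src-subnet 192.168.10.0 255.255.255.0
        set dst-subnet 10.1.1.0 255.255.255.0
    next
end

# Route the central LAN (and thus the FAZ) into the tunnel interface.
config router static
    edit 10
        set dst 10.1.1.0 255.255.255.0
        set device "to-central"
    next
end

# Log forwarding: source it from the LAN interface address, which lies
# inside the phase-2 src-subnet, so the log stream rides inside IPsec.
config log fortianalyzer setting
    set status enable
    set server 10.1.1.253
    set source-ip 192.168.10.1
    set upload-option realtime
end

# The "cannot ping the FAZ from the FortiGate" symptom has the same cause;
# forcing the ping source into the selector makes it work.
execute ping-options source 192.168.10.1
execute ping 10.1.1.253

# Verify: the built-in connectivity test should now succeed, and a sniffer
# on the tunnel interface should show packets to the FAZ sourced from
# 192.168.10.1 (10 packets, verbosity 4 = headers with interface names).
execute log fortianalyzer test-connectivity
diagnose sniffer packet to-central 'host 10.1.1.253' 4 10
```

If the sniffer on the tunnel interface stays empty while the same filter on the WAN interface shows clear-text packets to 10.1.1.253, the logs are still being sourced from an address outside the selector and are leaving the site unencrypted; that is the failure mode the source-ip setting closes. Once the stream is inside IPsec, the "Encrypt Log Transmission" option that was unticked for testing can be re-enabled as a second layer without affecting the fix.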