FortiSIEM Collector and Supervisor Communication
Environment:
- Cluster (Supervisor & Workers): Residing in VDC-A using private IPs. A Public IP pool is assigned to the VDC with NAT and Firewall rules mapping to the Supervisor and Workers.
- Collector: Residing in VDC-B. It has a Public IP associated via NAT and is intended to communicate with the cluster over the internet.
- Connectivity Status: Initial connectivity (Telnet/Curl) is verified and functional between the Collector and the Supervisor's Public IP.
The Problem: Although the Collector was provisioned successfully, it failed to appear in the Supervisor's Collector Health tab. Investigation of the logs revealed that during the registration handshake, the Supervisor provided its internal private IP (and the workers' private IPs) to the Collector. Consequently, the Collector attempted to establish a heartbeat using the unreachable private IP.
Current Progress & Obstacles:
- Partial Fix: I manually updated /opt/phoenix/config/phoenix_super.txt on the Collector, replacing the private IP with the Supervisor’s Public IP.
- Result: The Collector successfully reached the Supervisor, and its details now appear in the Health tab.
- Remaining Issue: The Collector still cannot communicate with the Worker nodes. Because it is still attempting to reach them via their private IPs, services such as phDiscover and phPerfMonitor remain in a Down state. As a result, the Supervisor is not receiving any files or performance data from this Collector.
Constraint: While an IPsec tunnel between the two VDCs is a possibility, the requirement is to achieve full functionality using the assigned Public IPs via NAT.