qqh452821000
New Member
January 23, 2021
Question

fortigate fortianalyzer setting source-ip error

  • January 23, 2021
  • 3 replies
  • 17558 views

Hi all,

 

I am using two FortiGate 500E (HA) with firmware 6.2. When I set up FortiAnalyzer, I want to use a specified IP as source-ip, but it didn't work.

 

FGT(setting) # set source-ip 192.168.1.1
192.168.1.1 is not valid source ip.
node_check_object fail! for source-ip 192.168.1.1
value parse error before '192.168.1.1'
Command fail. Return code -8

 

How do I set the FortiAnalyzer source-ip with FortiGate HA?

 

Anyone had any ideas?

 

thanks

    3 replies

    ede_pfau
    SuperUser
    January 23, 2021

    There are restrictions on which address can be specified here: it needs to be a valid address assigned to an interface of the FGT. Is that true for 192.168.1.1 on your FGT?

    qqh452821000
    New Member
    January 23, 2021

    No, 192.168.1.1 is not on the FGT. The FGT has a separate VDOM; there are two IPs on it (one for the master and one for the slave).

    So we must use the common IP as the FortiAnalyzer source-ip, and that's where I get confused.

    ede_pfau
    SuperUser
    January 23, 2021

    I'm not sure that I wholly understand your problem.

    When you configure a cluster to report to an FAZ, and authorize this on the FAZ, you will see 2 devices reporting. Each is identified by its serial number. But, in general, a cluster will only use one IP address. This makes sense as only the master unit will communicate with the FAZ, regardless of the HA mode (a-p or a-a).

    I thought you were talking about how to substitute the cluster IP address for another address (for whatever reasons). For local-out traffic a FGT usually chooses the interface address of the interface it uses to connect to the FAZ as source address.

    If that doesn't answer your question then please explain a bit further what you want to achieve.

    qqh452821000
    New Member
    January 23, 2021

    The configuration is shown below:

     

    FGT_Master(global) # config system global
    FGT_Master(global) # set management-vdom MGMT

    FGT_Master:

    config system interface
        edit "mgmt"
            set vdom "MGMT"
            set ip 192.168.91.21 255.255.255.0
            set allowaccess ping https ssh http
            set type physical
            set alias "HA_Dedicated_MGMT"
            set role lan
            set snmp-index 2
        next
    config router static
        edit 1
            set gateway 192.168.91.254
            set device "mgmt"
        next

    FGT_Slave:

    config system interface
        edit "mgmt"
            set vdom "MGMT"
            set ip 192.168.91.22 255.255.255.0
            set allowaccess ping https ssh http
            set type physical
            set alias "HA_Dedicated_MGMT"
            set role lan
            set snmp-index 2
        next
    config router static
        edit 1
            set gateway 192.168.91.254
            set device "mgmt"
        next

    -------------------------------------------------------------------------------------------------------------------------

    The MGMT VDOM is only for management traffic. In other words, a cluster will have two IP addresses for management.

    For the FortiAnalyzer setting, is only an IP in the MGMT VDOM allowed as the source address?

    It works when I use 192.168.91.21 or 192.168.91.22 as source-ip:

     

    FGT(setting) # set source-ip 192.168.91.21

     

    So the FAZ can only record 192.168.91.21 or 192.168.91.22 logging at the same time.

     

    So I can't use the management VDOM's IP as the FAZ source-ip...

     

    I have to use the IP shared by master and slave.
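    Added example, not from the original post or from Fortinet: a small Python checker that reproduces the rule ede_pfau states above (source-ip must be an address configured on one of the unit's own interfaces) and runs it against the two interface dumps pasted above. It treats each cluster member as its own validator and intersects the results, which is what a synced HA configuration effectively needs: the single source-ip value has to be accepted on whichever unit is primary. The "port1" interface with 10.0.0.1 in the root VDOM is an assumption, standing in for a normal synced data interface that is identical on both units; the thread does not settle whether the VDOM of the address matters, so the check ignores VDOM and looks only at the address.

```python
from __future__ import annotations

import re
from ipaddress import IPv4Address
from typing import Dict, Optional, Set, Tuple

# Constructed sample input: the 'config system interface' blocks posted above
# for the two cluster members, trimmed to the lines the check needs. The
# "port1" entry (10.0.0.1, VDOM root) is an assumption standing in for a
# synced data interface; it is the same on both units because HA syncs
# everything except the dedicated management interface.
MASTER_CFG = """\
config system interface
    edit "mgmt"
        set vdom "MGMT"
        set ip 192.168.91.21 255.255.255.0
        set alias "HA_Dedicated_MGMT"
    next
    edit "port1"
        set vdom "root"
        set ip 10.0.0.1 255.255.255.0
    next
end
"""

# The slave differs only in its dedicated management address.
SLAVE_CFG = MASTER_CFG.replace("192.168.91.21", "192.168.91.22")

_EDIT = re.compile(r'^\s*edit\s+"([^"]+)"\s*$')
_VDOM = re.compile(r'^\s*set vdom\s+"([^"]+)"\s*$')
_IP = re.compile(r"^\s*set ip\s+(\S+)\s+(\S+)\s*$")


def interface_addresses(cfg: str) -> Dict[str, Tuple[str, str]]:
    """Return {interface: (vdom, ip)} for every interface that has an address."""
    found: Dict[str, Tuple[str, str]] = {}
    name = vdom = ip = None
    for line in cfg.splitlines():
        if m := _EDIT.match(line):
            name, vdom, ip = m.group(1), None, None
        elif m := _VDOM.match(line):
            vdom = m.group(1)
        elif m := _IP.match(line):
            ip = m.group(1)
        elif line.strip() == "next" and name is not None:
            if ip and ip != "0.0.0.0":
                found[name] = (vdom or "root", ip)
            name = vdom = ip = None
    return found


def check_source_ip(cfg: str, candidate: str) -> Optional[str]:
    """Model of the CLI's object check: None when candidate is an address of
    this unit's interfaces, otherwise the error text (wording mirrors the
    messages quoted in the question)."""
    try:
        IPv4Address(candidate)
    except ValueError:
        return f"value parse error before '{candidate}'"
    owned = {ip for _, ip in interface_addresses(cfg).values()}
    if candidate in owned:
        return None
    return f"{candidate} is not valid source ip."


def cluster_valid_source_ips(master_cfg: str, slave_cfg: str) -> Set[str]:
    """Addresses accepted on both members, i.e. usable as the one synced
    source-ip no matter which unit is primary."""
    on_master = {ip for _, ip in interface_addresses(master_cfg).values()}
    on_slave = {ip for _, ip in interface_addresses(slave_cfg).values()}
    return on_master & on_slave


if __name__ == "__main__":
    for cand in ("192.168.1.1", "192.168.91.21", "10.0.0.1"):
        for unit, cfg in (("master", MASTER_CFG), ("slave", SLAVE_CFG)):
            err = check_source_ip(cfg, cand)
            print(f"{unit:6} {cand:15} -> {err or 'OK'}")
    print("valid on both:", sorted(cluster_valid_source_ips(MASTER_CFG, SLAVE_CFG)))
```

    Run as-is it shows the poster's situation: 192.168.1.1 fails on both units, each mgmt address passes on exactly one unit, and only the synced interface address survives the intersection.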

    SankaraNarayanan_S
    New Member
    April 3, 2021

    Hi All ,

    Please perform the pre-checks below for FortiGate to FortiAnalyzer connectivity:

    1. Firmware version of FGT and FGA should be the same.
    2. Ensure the port is open between the FGT and FGA: TCP/514.
    3. Check if there is any NAT applied to reach the FortiAnalyzer unit.
    4. Perform a sniffer packet debug on the FortiGate using the source interface IP address.

    Also refer to the KB article Troubleshooting Tip for FortiGate to FortiAnalyzer connectivity:

    https://kb.fortinet.com/k....do?externalID=FD41272

     

    To be specific, there is no special requirement for setting up a FortiAnalyzer with FortiGate HA.

    Once FortiGate firewall HA is configured on the primary unit, the secondary unit should be in sync automatically; then configure the FortiAnalyzer log settings on the primary firewall, which will be replicated to the secondary unit as well.

    You can check it using the get fortianalyzer log-settings command on the primary unit:

    *get fortianalyzer log-settings*

    Log in to the secondary HA unit using the following commands from the primary unit:

    *get system ha status*

    *execute ha manage <HA ID>*

    *get fortianalyzer log-settings*

     

    Hope this helps .

    Thanks
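    Added example, not from the post above or from Fortinet: pre-check steps 2 and 4 in script form, for running from an admin host on the management network rather than on the FortiGate itself (the FortiGate has its own sniffer and ping-options for that). It makes a TCP connect to the FortiAnalyzer address on TCP/514, as the post states, bound to a chosen source address, and tells the two failure modes apart: a source address the host does not own fails at bind time with EADDRNOTAVAIL, which is the host-side counterpart of the "is not valid source ip" refusal in the question, while a closed or filtered port fails at connect time. The FortiAnalyzer address 192.168.91.100 in the usage section is an assumption; the loopback listener helper exists only so the script can be exercised offline.

```python
from __future__ import annotations

import errno
import socket
from typing import Optional, Tuple


def check_faz_tcp(server: str, port: int = 514, source_ip: Optional[str] = None,
                  timeout: float = 2.0) -> Tuple[bool, str]:
    """TCP connect to server:port from source_ip. Returns (ok, reason)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        if source_ip is not None:
            try:
                # Binding is the host-side equivalent of the FGT's source-ip
                # check: an address this host does not own is rejected here,
                # before any packet leaves.
                s.bind((source_ip, 0))
            except OSError as e:
                if e.errno == errno.EADDRNOTAVAIL:
                    return False, f"{source_ip} is not a local address on this host"
                return False, f"bind to {source_ip} failed: {e.strerror}"
        try:
            s.connect((server, port))
        except ConnectionRefusedError:
            return False, f"connection refused: nothing listening on {server}:{port}"
        except socket.timeout:
            return False, f"timed out: {server}:{port} filtered or unreachable"
        except OSError as e:
            return False, f"connect to {server}:{port} failed: {e.strerror}"
        return True, f"TCP {server}:{port} reachable from {s.getsockname()[0]}"
    finally:
        s.close()


def start_loopback_listener() -> Tuple[socket.socket, int]:
    """Stand-in for the FortiAnalyzer: listen on 127.0.0.1 on an ephemeral port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def free_loopback_port() -> int:
    """A loopback port with nothing listening, to exercise the refused case."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    # Real use, from a host on the management network. The FortiAnalyzer
    # address 192.168.91.100 is an assumption; the two source addresses are
    # the mgmt address from the thread and the one the CLI rejected.
    for src in ("192.168.91.21", "192.168.1.1"):
        print(src, "->", check_faz_tcp("192.168.91.100", 514, src))
    # Offline self-check against the loopback stand-in.
    srv, port = start_loopback_listener()
    print(check_faz_tcp("127.0.0.1", port, "127.0.0.1"))
    print(check_faz_tcp("127.0.0.1", port, "192.0.2.1"))
    srv.close()
    print(check_faz_tcp("127.0.0.1", free_loopback_port(), "127.0.0.1"))
```

    A successful connect only proves the path and port; it says nothing about registration or authorization on the FortiAnalyzer side, which still has to be confirmed on the FortiAnalyzer itself.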