thepip3r
New Member
July 18, 2019
Solved

'Fortinet' proper design for syslog/ntp/etc.

  • July 18, 2019
  • 1 reply
  • 12058 views

I'm using Fortigate 200Es in an NSA Commercial Solutions for Classified (CSFC).  It details some pretty standard requirements for the overall operation of a network (e.g. time sync, syslog, etc.).  I'm not all too familiar with Fortigates (most of my experience is Sidewinders (I know, I'm dating myself)).  I'm making the following assumptions based on my experience and what I've read:

1. Each port is its own security boundary
2. The OS native services (ntp/syslog) are associated with the Management interface(s) by design
3. The Management interface(s) is/are meant for OOB management (e.g., walk up and plug a laptop into it)

I have a management network on Port 2 between two firewalls (home and forward).  There is a tunnel to port 2 on each 200E (IPSEC, Phase 1 using cert auth, etc.).  On the 'home' side, I have servers for syslog, file server, ntp and am trying to find the best way (the Fortigate approved way) to get the Fortigates on both sides sending syslog to the syslog server (on the home side) and NTP syncing.

Currently, the home side's management interface is plugged into a switch that port 2 is also plugged into (that's how home is working for both syslog and ntp).  That doesn't seem right to me.  Looking at the NTP config in the FortiOS handbook, it looks like you can set up a server on each interface that will sync with devices on those interfaces -- is that correct?

And if so, is that the general design principle for these services?  ...needing to create servers on each interface that will sync to the networks they represent, which will internally talk to the management services?  If not, do you have a document that describes how to set up the Fortigate to get those critical network services off the Fortigate (without plugging the management interface and Port2 into the same switch)?

TIA!

Best answer by ede_pfau

@OP:

All of your assumptions hold true except for #2 (that services are bound to the management interface by default). And you need to differentiate precisely between a 'management port' and a 'port used for management'. The former is 'dedicated-to-management', whereas the latter is not. A dedicated mgmt port is not available on every FGT model, I think it starts with the 100E. You need to know that this port does not participate in routing. Any other port you just use for your mgmt VLAN is fully functional.

There is a (complicated) selection process for which interface/subnet will be chosen for FGT-originating services like NTP, SNMP, DNS, ping, FAZ logging etc. The chosen source interface is not always what you expect, e.g. the interface chosen by the destination IP address via the routing table.

Therefore, FortiOS has offered more and more 'set source-ip' options for internal services. Just open the config at the corresponding part in the CLI (e.g. 'conf sys fortianalyzer') and do a 'show full' to see if a source IP option is available.

Same holds true for pinging from the CLI. Quite often, you need to nail down the source IP via 'exec ping-option source 1.2.3.4' before the ping gets through.

1 reply

Toshi_Esumi
SuperUser
July 18, 2019

There is no restriction on what interface to use for a FGT to reach NTP servers and syslog servers. It just follows what the routing table says. Of course outbound policies need to allow the traffic though.

https://help.fortinet.com/fos50hlp/56/Content/FortiOS/fortigate-hardening/enable_auto_clock_sync.htm

https://help.fortinet.com/fos50hlp/56/Content/FortiOS/fortigate-system-administration/Monitoring/Logging.htm?Highlight=syslog

thepip3r (Author)
New Member
July 18, 2019

Hi Toshi,

Thanks for the response.  The syslog config you posted looks like I can just configure the syslog to use a particular interface (via the set source-ip command).  Does that command also work for ntp (the doc posted doesn't specify)?  If set source-ip does work for the ntp config too, that solves my problems.

Thanks!

Toshi_Esumi
SuperUser
July 18, 2019

At least with 6.0.5 we have here, you can specify the source IP for NTP.

xxx-fg1 # config sys ntp
xxx-fg1 (ntp) # get
ntpsync             : enable
type                : fortiguard
syncinterval        : 60
source-ip           : 0.0.0.0
source-ip6          : ::
server-mode         : disable
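As an added example (not from the thread and not Fortinet's own code), here is a small Python audit that turns the advice above into a check: it parses a constructed 'show full-configuration' excerpt for 'config system ntp' and 'config log syslogd setting' and reports whether each service's 'source-ip' is still the factory 0.0.0.0 (so FortiOS picks the source by the routing table, as ede_pfau and Toshi describe) or is pinned to an address on the management subnet carried over the Port2 tunnel. The sample config values and the 10.10.2.0/24 management subnet are made up for the example; only the 'source-ip' keyword itself comes from the thread.

```python
import ipaddress

# Constructed sample of what 'show full-configuration' prints for the two
# subsystems discussed in the thread. Addresses are invented: NTP is still at
# the factory default 0.0.0.0, syslogd has been pinned to a mgmt address.
SAMPLE_CONFIG = """\
config system ntp
    set ntpsync enable
    set type custom
    set syncinterval 60
    set source-ip 0.0.0.0
    config ntpserver
        edit 1
            set server "10.10.2.5"
        next
    end
end
config log syslogd setting
    set status enable
    set server "10.10.2.6"
    set source-ip 10.10.2.1
end
"""

# Hypothetical: the /24 reachable through the Port2 IPsec tunnel.
MGMT_NET = ipaddress.ip_network("10.10.2.0/24")


def parse_top_level_settings(text):
    """Return {section: {key: value}} for the 'set' lines at depth 1 of every
    top-level 'config ... end' block. Nested tables (e.g. 'config ntpserver'
    inside 'config system ntp') are skipped so their keys do not collide
    with the parent's. 'edit ... next' pairs do not change config depth."""
    sections = {}
    name = None
    depth = 0
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
            if depth == 1:
                name = line[len("config "):]
                sections[name] = {}
        elif line == "end":
            depth -= 1
            if depth == 0:
                name = None
        elif line.startswith("set ") and depth == 1 and name is not None:
            key, _, val = line[len("set "):].partition(" ")
            sections[name][key] = val.strip().strip('"')
    return sections


def audit_source_ip(sections, mgmt_net,
                    services=("system ntp", "log syslogd setting")):
    """Classify how each service's source address is chosen:
    'unpinned'            - source-ip absent or 0.0.0.0; FortiOS selects the
                            egress interface address via the routing table
    'pinned'              - explicit source-ip inside the management subnet
    'pinned-outside-mgmt' - explicit source-ip, but not a management address
    'missing'             - the config block is not present in the excerpt"""
    report = {}
    for svc in services:
        settings = sections.get(svc)
        if settings is None:
            report[svc] = "missing"
            continue
        src = settings.get("source-ip", "0.0.0.0")
        if src == "0.0.0.0":
            report[svc] = "unpinned"
        elif ipaddress.ip_address(src) in mgmt_net:
            report[svc] = "pinned"
        else:
            report[svc] = "pinned-outside-mgmt"
    return report


if __name__ == "__main__":
    parsed = parse_top_level_settings(SAMPLE_CONFIG)
    for svc, verdict in audit_source_ip(parsed, MGMT_NET).items():
        print(f"{svc:22s} {verdict}")
```

Feed it the real 'show full-configuration' output of both the home and forward 200E, and any service reported as 'unpinned' is one whose traffic will leave on whatever interface the route to the server selects rather than the management path you intended.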