Cybersecurity Forum


IrabAkon
New Contributor

Fortigate logging Issues


I am using a FortiGate 3810A with firmware 5.2.5. I am trying to send logs to syslog and FortiAnalyzer. But when I use the management IP as the source-ip it gives me errors.

NG-IKY-FGT3810A-01 (setting) # set source-ip 10.206.1.19
10.206.1.19 is not valid source ip.
node_check_object fail! for source-ip 10.206.1.19

value parse error before '10.206.1.19'
Command fail. Return code -8


config log syslogd setting
set status enable
set server "10.206.2.44"
set reliable disable
set port 514
set csv enable
set facility local0
set source-ip 0.0.0.0
end

Please can anyone help with this?

1 Solution
mansar_FTNT
Staff

From the output, it does not seem like there are any VDOMs but a copy of relevant config would be helpful.



Mamoon Ansar
Sr. Systems Engineer - Major Accounts

8 REPLIES
IrabAkon

Thank you so much, Mamoon. The FortiGate is an ISP firewall and there are a lot of VDOMs on it.

Some sampling is shown below:

NG-IKY-FGT3810A-01 (vdom) # edit
Virtual Domain Name
BBA_UTM_PRI
BBA_UTM_PUB
CAMAC
CommVault
EFCP
Guest_WLAN
HONGDIAN_M2
HOUSE_TARA
MERAKI-POC
MOBAN
OfficeLAN
PALSHIPINNE

I was able to do syslog logging through the VDOM, but I want to enable it globally to a single FortiAnalyzer and syslog.

mansar_FTNT
Staff

The management VDOM (the VDOM flagged as management is root by default) sends logs for all the configured VDOMs. You can override within a VDOM to send logs to a different syslog server, but the default value/configuration should be able to accomplish what you are doing. I figured there were VDOMs configured and the management IP belonged to a different VDOM for you to get the error.



IrabAkon

I just checked again; the IP address is associated with the root VDOM and not any other VDOM, and it is manually assigned.

mansar_FTNT
Staff

So you can set the source IP for the root VDOM, which will send logs to your choice of syslog server using that source IP from all the VDOMs configured. You can call me if that helps.



IrabAkon

Thanks Mamoon for your help.

I was able to use the source-ip 'management IP' for the root VDOM, but I am able to see the root VDOM on the FortiAnalyzer and also another VDOM; I can't see the remaining VDOMs on the FortiGate. Also, testing connectivity to the FAZ from the FortiGate still shows unable to retrieve FAZ status.

mansar_FTNT
Staff

Irabor,

Do you have FAZ settings enabled in the Global VDOM?


IrabAkon

Yes, still enabled in the global VDOM.
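
A collector-side check for the coverage gap reported in the last posts (root and one other VDOM visible, the rest missing): tally received logs by their `vd` field and flag expected VDOMs that never report, or that arrive from an address other than the configured source-ip. This is an added example and not part of the original thread; the sample lines, the 10.206.9.9 address and the expected-VDOM subset are constructed, and it assumes each log line carries its VDOM in a `vd=` field.

```python
import re
from collections import Counter

# Constructed sample: (UDP source address seen by the collector, raw syslog payload).
# Lines 1-2 use the comma-separated layout of "set csv enable"; line 3 is space-separated.
SAMPLE = [
    ("10.206.1.19", "<133>date=2016-03-03,time=09:07:01,devname=NG-IKY-FGT3810A-01,type=traffic,vd=root,action=accept"),
    ("10.206.1.19", '<133>date=2016-03-03,time=09:07:02,devname=NG-IKY-FGT3810A-01,type=traffic,vd="CAMAC",msg="a, b"'),
    ("10.206.9.9", "<133>date=2016-03-03 time=09:07:03 devname=NG-IKY-FGT3810A-01 type=event vd=EFCP"),
    ("10.206.1.19", "<133>malformed line without fields"),
]
EXPECTED_VDOMS = {"root", "CAMAC", "EFCP", "OfficeLAN", "Guest_WLAN"}  # subset, for illustration
EXPECTED_SOURCE = "10.206.1.19"  # the source-ip the poster configured

# key=value pairs; a value is either double-quoted (may contain separators) or bare.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^,\s]*)')


def parse_fields(payload):
    """Return the key=value fields of one log line as a dict."""
    body = re.sub(r"^<\d+>", "", payload)  # drop the syslog PRI header
    return {k: v.strip('"') for k, v in FIELD_RE.findall(body)}


def audit(records, expected_vdoms, expected_source):
    """Count logs per VDOM; report silent VDOMs and unexpected senders."""
    per_vdom, wrong_source, unparsed = Counter(), Counter(), 0
    for src, payload in records:
        vd = parse_fields(payload).get("vd")
        if not vd:
            unparsed += 1  # no vd field: cannot attribute the line to a VDOM
            continue
        per_vdom[vd] += 1
        if src != expected_source:
            wrong_source[(vd, src)] += 1
    return {
        "per_vdom": dict(per_vdom),
        "silent": sorted(expected_vdoms - set(per_vdom)),
        "wrong_source": dict(wrong_source),
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE, EXPECTED_VDOMS, EXPECTED_SOURCE).items():
        print(f"{key}: {value}")
```

A VDOM listed under `silent` or `wrong_source` points to a log setting to review for that VDOM on the firewall.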