Cybersecurity Forum

Nik
New Contributor II

Syslog server on fortigate

Hi,

When configuring the syslog server on a FortiGate, do we need to specify the source-ip from where the traffic will be generated? In my case, we have a FortiGate with lots of VLANs and networks and we need to be able to generate the logs from all these networks. If we don't specify the source-ip, does this mean that we will be able to generate the traffic toward the syslog server from all the networks that are present on the FortiGate?

BR
ShanWill
New Contributor III

I'm almost 100% sure that if source-ip is not set it will use whatever egress port IP is used to get to the syslog server. Any logs that are related to other interfaces should still be logged appropriately regardless of the source-ip, since the log data will contain that.
Nik
New Contributor II

Hi Shane, 

We are still not able to send the logs to the Kiwi syslog server.

This is what our setting on the FortiGate looks like:

config log syslogd setting
set status enable
set server "192.168.121.5"
set mode udp
set port 514
set facility local7
set source-ip ''
set format default
set priority default
set max-log-rate 0
set interface-select-method auto
end

The Kiwi server is reachable through an IPsec tunnel and it resides on Azure. We can ping this server from the FortiGate. On the other hand, behind our FortiGate there are at least 20 VLANs which we want to be able to send logs from to the syslog server. We have not defined anything in the phase-2 parameters regarding local/remote subnets, but we are controlling the traffic through policies.

Do I need to create a policy for every VLAN in order to send traffic to the syslog server, or is it sufficient to only have the IPsec up and running? This is a little bit confusing, since I have tested this with another firewall (Meraki MX) and we did not have to create rules or specify a source IP.
AndrKroh
New Contributor II

Hello Fisnik,
your problem is the outgoing IP address.
When your VPN tunnel doesn't have an IP address, the FortiGate uses the nearest IP to the target.
And this is your outgoing IP for the VPN tunnel.
When this is a tunnel over public, then the WAN IP.

You need a source IP from the FortiGate, like the LAN IP or any other local IP.
Set the source-ip in syslogd to this local IP.
Then you need a policy from this network (local IP) to the network 192.168.121.x.
Incoming interface local network and outgoing interface VPN.

For all other traffic you need policies from incoming interface to the vpn interface.

Best Regards
Andreas
Nik
New Contributor II

Hi Andreas,

I see now, so the source IP can be whatever IP I already have behind the FortiGate, and this source IP should be matched to the one we configure on the syslog server. I just need to clarify something else: so through the firewall, the one that is sending logs will be this source IP. This source IP collects all the logs and sends these toward the syslog server through the IPsec tunnel. If my assumption is correct, then we only need one policy that allows traffic to be sent from the source-ip to the syslog server. Is this correct, or am I thinking wrong?
AndrKroh
New Contributor II

Hello Fisnik,
sorry, no.

The source-ip is one of the FortiGate's own IPs.
And this is only for the syslog from the FortiGate itself.
The FortiGate is no syslog proxy.

When you want to send syslog from other devices to a syslog server through the FortiGate, then you need policies for this.

From incoming interface (network of the device sending syslog) to outgoing interface (syslog server network). Service Syslog.

best regards
Andreas
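A worked version of the two points Andreas makes, added here as an illustration and not taken from the thread: the syslogd setting with source-ip set to an address the FortiGate itself owns, and one firewall policy letting hosts on a single VLAN send syslog over the tunnel (repeat that policy per VLAN). The interface names "internal", "vlan20" and "to-azure", the addresses 10.10.1.1 and 10.10.20.0/24, and the object names are assumptions; only the server 192.168.121.5 comes from the thread.

```text
# Added example, not from the thread. Assumed names: "internal" is the LAN
# interface that owns 10.10.1.1, "vlan20" is one VLAN interface with hosts in
# 10.10.20.0/24, and "to-azure" is the IPsec tunnel interface.

# 1. The FortiGate's own logs: source-ip must be an address the FortiGate
#    itself owns, so the tunnel sees a predictable inside address instead of
#    whichever egress address the unit would otherwise pick.
config log syslogd setting
    set status enable
    set server "192.168.121.5"
    set mode udp
    set port 514
    set facility local7
    set source-ip "10.10.1.1"
end

# 2. Hosts behind the FortiGate are not proxied; each VLAN that should send
#    syslog over the tunnel needs its own policy (VLAN interface -> tunnel),
#    restricted to the built-in SYSLOG service (udp/514).
config firewall address
    edit "syslog-azure"
        set subnet 192.168.121.5 255.255.255.255
    next
    edit "vlan20-net"
        set subnet 10.10.20.0 255.255.255.0
    next
end

config firewall policy
    edit 0
        set name "vlan20-syslog-to-azure"
        set srcintf "vlan20"
        set dstintf "to-azure"
        set srcaddr "vlan20-net"
        set dstaddr "syslog-azure"
        set action accept
        set schedule "always"
        set service "SYSLOG"
        set logtraffic all
    next
end
```

If the phase-2 selectors on the Azure side are narrower than 0.0.0.0/0, the source-ip address and each VLAN subnet also have to fall inside them, or the tunnel will drop the packets before any policy is consulted.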
ShanWill
New Contributor III

I'm hiring someone today from within, but will most likely be looking for another in the very near future, like within the next month.... I will be in touch with andre
ShanWill
New Contributor III

Sorry this was not meant for here.