Description | This article explains how to configure the FortiAnalyzer and FortiManager Fabric Connectors when there are overlapping subnets across a site-to-site VPN. |
Scope | FortiGate. |
Solution |
This article assumes that the NAT between the networks is already configured correctly and that there is connectivity between the overlapping subnets.
See the documentation to configure a site-to-site VPN with overlapping subnets.
Because the connector traffic is local-out traffic (originated by the FortiGate itself), the SNAT or DNAT rules in firewall policies do not apply to this scenario. There is no way to apply NAT directly to local-out traffic.
To view the Fabric Connectors, go to Security Fabric -> Fabric Connectors.
When configuring the Fabric Connectors, the corresponding NATed IP address, as seen from the Branch FortiGate's perspective, must be used for the FortiAnalyzer and the FortiManager; in this case, 10.1.1.100 and 10.1.1.200, respectively.
To configure FortiAnalyzer in the GUI, go to Security Fabric -> Fabric Connectors -> Logging & Analytics, under the Logging Settings select FortiAnalyzer and enter the server IP.
CLI configuration:
    config log fortianalyzer setting
        set status enable
        set server "10.1.1.100"
    end
To configure FortiManager in the GUI, go to Security Fabric -> Fabric Connectors -> Central Management, under the Central Management Settings select Type as On-Premises and configure the IP/domain name with the IP address.
CLI configuration:
    config system central-management
        set type fortimanager
        set fmg "10.1.1.200"
    end
At this point the Fabric Connectors are still down. This is because the FortiGate is trying to communicate with FortiAnalyzer or FortiManager from a source IP address that is not allowed by the VPN phase2 selectors, or is not using the correct NATed IP address.
The solution is to configure a secondary IP address matching the Branch's NATed network on the LAN interface and to configure that address as the source IP on each connector.
To set the secondary IP address, go to Network -> Interfaces, select the interface, enable Secondary IP Address, and select Create New. In this case, the IP address will be 10.2.2.1/24. Administrative Access for FMG-Access and Security Fabric Connection must be enabled on this secondary IP address.
CLI configuration:
    config system interface
        edit "port5"
            set ip 192.168.1.1 255.255.255.0
            set allowaccess ping
            config secondaryip
                edit 1
                    set ip 10.2.2.1 255.255.255.0
                    set allowaccess fgfm fabric
                next
            end
        next
    end
The source-ip settings for the Fabric Connectors can only be configured on the CLI.
For FortiAnalyzer, configure the 'source-ip' setting:
    config log fortianalyzer setting
        set status enable
        set server "10.1.1.100"
        set source-ip "10.2.2.1"
    end
For FortiManager, configure the 'fmg-source-ip' setting:
    config system central-management
        set type fortimanager
        set fmg "10.1.1.200"
        set fmg-source-ip 10.2.2.1
    end
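The three CLI blocks above (secondary IP with fgfm/fabric access, 'source-ip' on the FortiAnalyzer setting, 'fmg-source-ip' on central management) have to agree with each other, and a mismatch only shows up as a connector that stays down. The following script is an added example, not a Fortinet tool and not part of this article: it parses a FortiOS-style config dump (the 'config / edit / set / next / end' layout shown above) and reports when a connector has no source IP, when the source IP is not an address on any interface, or when that address lacks the 'fabric' (FortiAnalyzer) or 'fgfm' (FortiManager) allowaccess flag. The function names and the sample configuration are constructed for this example.

```python
import shlex
from collections import defaultdict

# Constructed sample: the Branch FortiGate configuration from this article after the fix.
SAMPLE_CONFIG = """\
config system interface
    edit "port5"
        set ip 192.168.1.1 255.255.255.0
        set allowaccess ping
        config secondaryip
            edit 1
                set ip 10.2.2.1 255.255.255.0
                set allowaccess fgfm fabric
            next
        end
    next
end
config log fortianalyzer setting
    set status enable
    set server "10.1.1.100"
    set source-ip "10.2.2.1"
end
config system central-management
    set type fortimanager
    set fmg "10.1.1.200"
    set fmg-source-ip 10.2.2.1
end
"""


def parse_fortios(text):
    """Parse FortiOS config text into {path_tuple: {key: [values]}}.

    The path is built from nested 'config <table>' and 'edit <entry>' names;
    'next' and 'end' pop one level. 'set' lines are stored under the current path."""
    tree = defaultdict(dict)
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tok = shlex.split(line)  # handles the quoted values ("port5", "10.1.1.100")
        if tok[0] == "config":
            stack.append(" ".join(tok[1:]))
        elif tok[0] == "edit":
            stack.append(tok[1])
        elif tok[0] in ("next", "end"):
            stack.pop()
        elif tok[0] == "set":
            tree[tuple(stack)][tok[1]] = tok[2:]
    return tree


def interface_addresses(tree):
    """Return {ip: set(allowaccess)} for every primary and secondary interface IP."""
    addrs = {}
    for path, settings in tree.items():
        # (system interface, <port>) or (system interface, <port>, secondaryip, <n>)
        if path[0] == "system interface" and "ip" in settings:
            addrs[settings["ip"][0]] = set(settings.get("allowaccess", []))
    return addrs


def check_connector_sources(text):
    """Return a list of findings; an empty list means both connectors are sourced correctly."""
    tree = parse_fortios(text)
    addrs = interface_addresses(tree)
    findings = []
    # (connector, config path, source-ip key, allowaccess flag the source address needs)
    checks = [
        ("FortiAnalyzer", ("log fortianalyzer setting",), "source-ip", "fabric"),
        ("FortiManager", ("system central-management",), "fmg-source-ip", "fgfm"),
    ]
    for name, path, key, needed in checks:
        src = tree.get(path, {}).get(key)
        if not src:
            findings.append(f"{name}: {key} not set; local-out traffic will not use the NATed address")
            continue
        src = src[0]
        if src not in addrs:
            findings.append(f"{name}: {key} {src} is not configured on any interface")
        elif needed not in addrs[src]:
            findings.append(f"{name}: {src} lacks '{needed}' in allowaccess")
    return findings


if __name__ == "__main__":
    for f in check_connector_sources(SAMPLE_CONFIG) or ["OK: connector source IPs are consistent"]:
        print(f)
```

Run it against the output of 'show full-configuration' copied from the Branch FortiGate; a finding such as "FortiAnalyzer: source-ip not set" points straight at the step in this article that was skipped.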
In both cases, the FortiGate will still have to be authorized on the FortiAnalyzer and on the FortiManager. After setting the source IP in both configurations, the Fabric Connectors will be able to reach each device.
Sniffer to FortiAnalyzer, using the configured source-ip:
    Branch # diag sniff pack any 'host 10.1.1.100' 4 0 l
    Using Original Sniffing Mode
    interfaces=[any]
    filters=[host 10.1.1.100]
    2024-11-06 10:06:44.756320 BRANCHtoHQ out 10.2.2.1.10129 -> 10.1.1.100.514: psh 2814090234 ack 2240713378
    2024-11-06 10:06:44.756930 BRANCHtoHQ in 10.1.1.100.514 -> 10.2.2.1.10129: psh 2240713378 ack 2814090268
    2024-11-06 10:06:44.756972 BRANCHtoHQ out 10.2.2.1.10129 -> 10.1.1.100.514: ack 2240713421
Sniffer to FortiManager, using the configured source-ip:
    Branch # diag sniff pack any 'host 10.1.1.200' 4 0 l
    Using Original Sniffing Mode
    interfaces=[any]
    filters=[host 10.1.1.200]
    2024-11-06 10:08:36.784550 BRANCHtoHQ out 10.2.2.1.10841 -> 10.1.1.200.541: psh 2978532770 ack 4044092157
    2024-11-06 10:08:36.785363 BRANCHtoHQ in 10.1.1.200.541 -> 10.2.2.1.10841: ack 2978532910
    2024-11-06 10:08:36.786151 BRANCHtoHQ in 10.1.1.200.541 -> 10.2.2.1.10841: psh 4044092157 ack 2978532910
    2024-11-06 10:08:36.833193 BRANCHtoHQ out 10.2.2.1.10841 -> 10.1.1.200.541: ack 4044092238
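What the two captures above prove is that every packet the FortiGate sends toward the server leaves on the tunnel interface with 10.2.2.1 as the source address, and that the server answers. The script below is an added example (not part of this article and not a Fortinet tool) that reads saved 'diag sniffer packet' output in the verbosity-4 format shown above and checks exactly those three facts: outbound packets to the server, any packet whose source address or interface is not the expected one, and whether a reply from the server was seen. The FortiAnalyzer capture is copied from this article; the "before the fix" capture, the function name and the port numbers in it are constructed for the example.

```python
import re

# One capture line in 'diag sniffer packet ... 4' format:
# <date> <time> <interface> <in|out> <src>.<sport> -> <dst>.<dport>: <tcp flags>
SNIFF_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<intf>\S+) (?P<dir>in|out) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>.*)$"
)

# Capture from this article, taken after source-ip was configured.
FAZ_CAPTURE_AFTER = """\
Branch # diag sniff pack any 'host 10.1.1.100' 4 0 l
Using Original Sniffing Mode
interfaces=[any]
filters=[host 10.1.1.100]
2024-11-06 10:06:44.756320 BRANCHtoHQ out 10.2.2.1.10129 -> 10.1.1.100.514: psh 2814090234 ack 2240713378
2024-11-06 10:06:44.756930 BRANCHtoHQ in 10.1.1.100.514 -> 10.2.2.1.10129: psh 2240713378 ack 2814090268
2024-11-06 10:06:44.756972 BRANCHtoHQ out 10.2.2.1.10129 -> 10.1.1.100.514: ack 2240713421
"""

# Constructed illustration of the failing state: the FortiGate sources the
# connection from the LAN primary address, so the SYNs are repeated and nothing comes back.
FAZ_CAPTURE_BEFORE = """\
Branch # diag sniff pack any 'host 10.1.1.100' 4 0 l
Using Original Sniffing Mode
interfaces=[any]
filters=[host 10.1.1.100]
2024-11-06 09:58:01.100000 BRANCHtoHQ out 192.168.1.1.10077 -> 10.1.1.100.514: syn 1193046123
2024-11-06 09:58:02.100000 BRANCHtoHQ out 192.168.1.1.10077 -> 10.1.1.100.514: syn 1193046123
"""


def verify_connector_capture(capture, server, expected_src, tunnel):
    """Summarise connector traffic in a sniffer capture.

    Returns {"outbound": n, "unexpected": [...], "reply_seen": bool}:
    how many packets left toward the server, which of those used a source address
    or interface other than the expected ones, and whether the server replied."""
    outbound, unexpected, reply_seen = 0, [], False
    for line in capture.splitlines():
        m = SNIFF_RE.match(line.strip())
        if not m:
            continue  # command echo and header lines (interfaces=, filters=) are skipped
        p = m.groupdict()
        if p["dir"] == "out" and p["dst"] == server:
            outbound += 1
            if p["src"] != expected_src or p["intf"] != tunnel:
                unexpected.append(f"{p['intf']} {p['src']} -> {p['dst']}.{p['dport']} ({p['flags']})")
        elif p["dir"] == "in" and p["src"] == server and p["dst"] == expected_src:
            reply_seen = True
    return {"outbound": outbound, "unexpected": unexpected, "reply_seen": reply_seen}


if __name__ == "__main__":
    for label, cap in (("before", FAZ_CAPTURE_BEFORE), ("after", FAZ_CAPTURE_AFTER)):
        print(label, verify_connector_capture(cap, "10.1.1.100", "10.2.2.1", "BRANCHtoHQ"))
```

The same call with server 10.1.1.200 and the FortiManager capture gives the equivalent result for the Central Management connector; an 'unexpected' entry showing the LAN primary address, or 'reply_seen' false, means the source-ip step above has not taken effect.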
The Fabric Connectors will now show as 'Connected'.
Copyright 2024 Fortinet, Inc. All Rights Reserved.