Hasnatriad
Staff
Article Id 336439
Description

This article describes how to configure multiple Syslog servers on a FortiGate and on a cloud FortiGate VM when a fixed source IP cannot be defined, because failover to a secondary FortiGate VM changes the interface IP.

Scope

FortiGate.

Solution

The traffic path in this scenario is FortiGate --> IPsec --> Cloud FortiGate VM (in HA) --> Syslog server 2.

[Figure: syslog.png, topology diagram of the path above]

In this scenario, a Syslog server configuration with a defined source IP, or with interface-select-method set to a specific interface, sends logs to only one server.

Also, in a cloud setup the interface IP changes when a failover happens, and the only way to keep sending logs is to manually change the configured source IP.

Sample config with an interface selected for Syslog server 1:

FGT-A # sh log syslogd setting
config log syslogd setting
    set status enable
    set server "192.168.100.103"
    set interface-select-method specify
    set interface "port2"
end

Sample config with an interface selected for Syslog server 2:

FGT-A # sh log syslogd2 setting
config log syslogd2 setting
    set status enable
    set server "192.168.200.104"
    set interface-select-method specify
    set interface "port2"
end

With this setup, logs are forwarded only to the on-premises Syslog server; none reach the second Syslog server over the IPsec tunnel.

FGT-A # di sniffer packet any "port 514" 4 0 l
Using Original Sniffing Mode
interfaces=[any]
filters=[port 514]
2024-08-26 14:41:36.169579 port2 out 192.168.100.101.9860 -> 192.168.100.103.514: udp 565
2024-08-26 14:41:41.170147 port2 out 192.168.100.101.9860 -> 192.168.100.103.514: udp 621
2024-08-26 14:41:41.170617 port2 out 192.168.100.101.9860 -> 192.168.100.103.514: udp 622
2024-08-26 14:41:44.171480 port2 out 192.168.100.101.9860 -> 192.168.100.103.514: udp 621
2024-08-26 14:41:54.180369 port2 out 192.168.100.101.9860 -> 192.168.100.103.514: udp 565

Defining a source IP under the Syslog server configuration addresses the issue and sends the traffic over the IPsec tunnel, but after an HA failover it stops working because the source interface IP is different.

To resolve this issue, configure the second Syslog server with the IPsec tunnel interface as its interface. Also, include the Syslog server IP in the phase 2 selectors of the tunnel.

FGT-A # sh log syslogd setting
config log syslogd setting
    set status enable
    set server "192.168.100.103"
    set interface-select-method specify
    set interface "port2"
end

FGT-A # sh log syslogd2 setting
config log syslogd2 setting
    set status enable
    set server "192.168.200.104"
    set interface-select-method specify
    set interface "Azure_test"
end

FGT-A # di sniffer packet any "port 514" 4 0 l
Using Original Sniffing Mode
interfaces=[any]
filters=[port 514]
2024-08-26 14:49:29.440462 port2 out 192.168.100.101.19113 -> 192.168.100.103.514: udp 621
2024-08-26 14:49:29.440537 Azure_test out 10.191.20.114.13255 -> 192.168.200.104.514: udp 621
2024-08-26 14:49:39.439824 port2 out 192.168.100.101.19113 -> 192.168.100.103.514: udp 565
2024-08-26 14:49:39.439914 Azure_test out 10.191.20.114.13255 -> 192.168.200.104.514: udp 565
2024-08-26 14:49:52.439921 port2 out 192.168.100.101.19113 -> 192.168.100.103.514: udp 692
2024-08-26 14:49:52.440000 Azure_test out 10.191.20.114.13255 -> 192.168.200.104.514: udp 692
2024-08-26 14:49:52.440108 port2 out 192.168.100.101.19113 -> 192.168.100.103.514: udp 621
2024-08-26 14:49:52.440127 Azure_test out 10.191.20.114.13255 -> 192.168.200.104.514: udp 621
2024-08-26 14:49:52.440203 port2 out 192.168.100.101.19113 -> 192.168.100.103.514: udp 622
2024-08-26 14:49:52.440222 Azure_test out 10.191.20.114.13255 -> 192.168.200.104.514: udp 622
2024-08-26 14:49:52.440355 port2 out 192.168.100.101.19113 -> 192.168.100.103.514: udp 565
2024-08-26 14:49:52.440376 Azure_test out 10.191.20.114.13255 -> 192.168.200.104.514: udp 565
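As a check on the sniffer output above (an added example, not part of the original article): the script below parses `diagnose sniffer packet` lines captured at verbosity 4 and reports, for each configured Syslog server, whether its logs leave on the expected interface, so the "no logs to the second server" symptom shows up as `no-traffic` instead of having to be read off by eye. The sample captures are the article's own lines, trimmed; the expected-interface map is built from the syslogd settings shown above.

```python
import re
from collections import defaultdict

# One packet line of `diagnose sniffer packet <iface> "<filter>" 4` output:
# "<date> <time> <iface> <in|out> <src>.<sport> -> <dst>.<dport>: <proto> <len>"
SNIFFER_LINE = re.compile(
    r"^\S+ \S+ (?P<iface>\S+) (?P<dir>in|out) "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) -> "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<proto>\w+) (?P<len>\d+)$"
)

# Expected egress interface per server, as set under `config log syslogd* setting`.
EXPECTED = {"192.168.100.103": "port2", "192.168.200.104": "Azure_test"}

# Captures from the article, before and after the fix (trimmed to a few lines).
BEFORE = """\
Using Original Sniffing Mode
interfaces=[any]
filters=[port 514]
2024-08-26 14:41:36.169579 port2 out 192.168.100.101.9860 -> 192.168.100.103.514: udp 565
2024-08-26 14:41:41.170147 port2 out 192.168.100.101.9860 -> 192.168.100.103.514: udp 621
"""
AFTER = """\
2024-08-26 14:49:29.440462 port2 out 192.168.100.101.19113 -> 192.168.100.103.514: udp 621
2024-08-26 14:49:29.440537 Azure_test out 10.191.20.114.13255 -> 192.168.200.104.514: udp 621
2024-08-26 14:49:39.439824 port2 out 192.168.100.101.19113 -> 192.168.100.103.514: udp 565
2024-08-26 14:49:39.439914 Azure_test out 10.191.20.114.13255 -> 192.168.200.104.514: udp 565
"""

def parse_sniffer(text):
    """Return one dict per packet line; header and prompt lines are skipped."""
    return [m.groupdict() for m in map(SNIFFER_LINE.match, text.splitlines()) if m]

def check_syslog_egress(text, expected):
    """Map each expected server to 'ok', 'no-traffic' or 'wrong-interface:<ifaces>'.
    Only outbound packets to port 514 count, so unrelated traffic is ignored."""
    seen = defaultdict(set)
    for p in parse_sniffer(text):
        if p["dir"] == "out" and p["dport"] == "514":
            seen[p["dst"]].add(p["iface"])
    status = {}
    for server, iface in expected.items():
        ifaces = seen.get(server, set())
        if not ifaces:
            status[server] = "no-traffic"  # the symptom described in this article
        elif ifaces == {iface}:
            status[server] = "ok"
        else:
            status[server] = "wrong-interface:" + ",".join(sorted(ifaces - {iface}))
    return status

if __name__ == "__main__":
    for label, capture in (("before", BEFORE), ("after", AFTER)):
        print(label, check_syslog_egress(capture, EXPECTED))
```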

Related articles:

Technical Tip: Configuring multiple SYSLOG servers

Technical Tip: Syslog server over IPSEC VPN and sending VPN logs