majid23, Staff
Article Id 362196
Description This article describes an issue where, when FortiSwitch is integrated with FortiGate and FortiNAC, syslog messages may not be properly transmitted from FortiGate to FortiNAC. This can result in missing MAC address events, such as Add, Delete, and Move, in FortiNAC.
Scope FortiGate, FortiNAC, and FortiSwitch.
Solution

How FortiNAC Works:

  1. Visibility: FortiNAC learns where devices are connected through:
  • SNMP Link State traps from switches.
  • Syslog messages for adding, removing, or moving MAC addresses (only available when FortiSwitch is in FortiLink mode).
  • RADIUS communication.
  • Polling of MAC address tables (L2 Poll).
  • Polling of ARP caches (L3 Poll).

  2. Control: FortiNAC manages VLAN assignments based on the switch model, network policies, and the device's status. The method used to change VLAN settings depends on the switch model.


FortiSwitch Modes:

  1. FortiLink Mode:
  • Management: FortiSwitches in FortiLink mode are managed by FortiGate.
  • VLAN Assignment: FortiNAC manages the VLAN assignments for clients connected to FortiSwitches based on their status in the FortiNAC system.

  2. Standalone Mode:
  • Operation: In standalone mode, FortiSwitches operate like regular network switches.
  • VLAN Management: FortiNAC manages the VLAN assignments for devices connected to the switches, with communication through SNMP Traps or RADIUS, and all other communication handled through HTTPS (REST API).


Solution:

Utilizing Syslog on FortiGate for FortiLink-Managed FortiSwitches:

This method configures the FortiSwitch to generate MAC events and send them over FortiLink to the FortiGate, which then forwards the logs to FortiNAC using syslog. Below are the steps to implement and troubleshoot this solution:


To configure FortiLink Mode using syslog messages:

Troubleshooting Steps:

  1. Verify MAC Event Logging on FortiGate: Ensure that MAC event logging is enabled on the FortiGate. This is essential for the FortiSwitch to send MAC-related events such as Add, Delete, and Move.

config switch-controller global
    set mac-event-logging enable
end


  2. Check Syslog Filters on FortiGate: Ensure that the syslog filters are correctly configured to capture the relevant MAC event types. Confirm the following filters are set:
  • MAC Add: (0100032615).
  • MAC Delete: (0100032616).
  • MAC Move: (0100032617).

Review the syslog filter settings under:

config log syslogd filter
    config free-style
        edit 1
            set category event
            set filter "(logid 0115032615 0115032616 0115032617)"
            set filter-type include
        next
    end
end

Ensure they match the required MAC event types. Verify that the filter settings are correctly applied and review any filter syntax errors.


  3. Check Syslog Filter Severity: Ensure the syslog filter's severity level is set correctly. The default setting is 'information'.

To adjust the severity level, run the following commands:

config log syslogd filter

FortiGate-81E-POE (filter) # set severity
emergency       Emergency level.
alert           Alert level.
critical        Critical level.
error           Error level.
warning         Warning level.
notification    Notification level.
information     Information level.
debug           Debug level.

end
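To check from the receiving side (FortiNAC or any syslog collector) whether the MAC events from steps 2 and 3 are actually arriving, and to see what a stricter severity setting would silently drop, here is an added Python example; it is not part of the original article and not a Fortinet tool. It parses FortiOS key=value syslog lines, keeps only the three switch-controller log IDs used in the filter above (0115032615, 0115032616, 0115032617), and applies the FortiOS severity ordering from emergency down to debug, where a filter set to a given severity forwards that level and anything more severe. The sample log lines are constructed for this example: the logid values come from the article, but the message text and the other field values are made up.

```python
import re
from collections import Counter

# FortiOS syslog severities, most severe first. A syslogd filter
# "set severity X" forwards messages at level X and anything more severe.
SEVERITY_ORDER = [
    "emergency", "alert", "critical", "error",
    "warning", "notification", "information", "debug",
]

# Log IDs from the article's free-style filter, keyed to the MAC event type.
MAC_EVENT_LOGIDS = {
    "0115032615": "add",
    "0115032616": "delete",
    "0115032617": "move",
}

# FortiOS syslog payloads are key=value pairs; values may be double-quoted.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortios_log(line: str) -> dict:
    """Split one FortiOS key=value syslog line into a dict of strings."""
    # findall yields (key, quoted_value, bare_value); exactly one value is set.
    return {key: quoted or bare for key, quoted, bare in _KV_RE.findall(line)}


def passes_severity(filter_severity: str, msg_level: str) -> bool:
    """True when a message logged at msg_level clears a filter set to filter_severity."""
    return SEVERITY_ORDER.index(msg_level) <= SEVERITY_ORDER.index(filter_severity)


def mac_event_summary(lines, filter_severity="information"):
    """Classify syslog lines the way the FortiGate syslogd filter would.

    Returns (forwarded, dropped_by_severity, non_mac_events): forwarded is a
    Counter of add/delete/move events that reach the collector, the other two
    count MAC events cut by the severity setting and lines with unrelated logids.
    """
    forwarded = Counter()
    dropped_by_severity = 0
    non_mac_events = 0
    for line in lines:
        fields = parse_fortios_log(line)
        event = MAC_EVENT_LOGIDS.get(fields.get("logid", ""))
        if event is None:
            non_mac_events += 1
            continue
        if not passes_severity(filter_severity, fields.get("level", "information")):
            dropped_by_severity += 1
            continue
        forwarded[event] += 1
    return forwarded, dropped_by_severity, non_mac_events


# Constructed sample lines in FortiOS key=value layout (not real captures);
# only the logid values are taken from the article's filter.
SAMPLE_LOGS = [
    'date=2024-12-03 time=18:28:23 devname="FortiGate-81E-POE" logid="0115032615" '
    'type="event" subtype="switch-controller" level="information" msg="sample MAC add"',
    'date=2024-12-03 time=18:28:24 devname="FortiGate-81E-POE" logid="0115032616" '
    'type="event" subtype="switch-controller" level="information" msg="sample MAC delete"',
    'date=2024-12-03 time=18:28:25 devname="FortiGate-81E-POE" logid="0115032617" '
    'type="event" subtype="switch-controller" level="information" msg="sample MAC move"',
    'date=2024-12-03 time=18:28:26 devname="FortiGate-81E-POE" logid="0115032615" '
    'type="event" subtype="switch-controller" level="information" msg="sample MAC add"',
    'date=2024-12-03 time=18:28:27 devname="FortiGate-81E-POE" logid="0100032001" '
    'type="event" subtype="system" level="information" msg="sample unrelated event"',
]

if __name__ == "__main__":
    for severity in ("information", "notification"):
        fwd, dropped, other = mac_event_summary(SAMPLE_LOGS, severity)
        print(f"filter severity={severity}: forwarded={dict(fwd)} "
              f"dropped_by_severity={dropped} non_mac={other}")
```

Running it with the default 'information' severity forwards all four MAC events; running it with 'notification' forwards none, which is the symptom to look for when FortiNAC shows no Add/Delete/Move events although the free-style filter is correct.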


  4. Verify mac-aging-interval and mac-retention-period:
  • MAC Aging Interval: This is the period after which the switch ages out and removes MAC addresses that have not been seen. The default mac-aging-interval is 300 seconds (5 minutes).
  • MAC Retention Period: This is how long a MAC address remains in the FortiGate's MAC cache even if it has not been seen. For instance, if mac-retention-period is set to 10 hours, a MAC address stays in the cache for up to 10 hours even if the device is no longer active.
  • mac-retention-period 0: A value of 0 disables caching, so the entry is removed from the FortiGate at the same time it is removed from the FortiSwitch.


Use the following commands to configure:

config switch-controller global
    set mac-aging-interval 300
    set mac-retention-period 0
end

To verify, use:

diag switch-controller mac-cache show


  5. Verify Remote Logging Configuration on FortiGate: Verify the remote logging configuration to ensure logs are correctly forwarded to the FortiNAC syslog server. Use the following configuration to set up a FortiSwitch, managed by a FortiGate, to forward its log messages to a remote syslog server.

config switch-controller remote-log
    edit "syslogd"
        set status enable
        set server "10.21.0.18"  # Primary syslog server IP
    next
    edit "syslogd2"
        set status enable
        set server "x.x.x.x"  # Secondary syslog server IP
    next
end

If logs are not reaching FortiNAC, confirm that the IP addresses of the syslog servers are correct and reachable.


  6. Verify that a firewall policy allows traffic from the LAN/FortiLink to be forwarded to the syslog server.
  7. Run a sniffer and debug flow for UDP port 514 to conduct further troubleshooting.

FortiGate-81E-POE (root) # dia sniffer packet any "port 514" 4 0 l
interfaces=[any]
filters=[port 514]
2024-12-03 18:28:23.436531 port1 in 10.255.1.2.49072 -> 10.21.0.18.514: udp 288
2024-12-03 18:28:23.436550 fortilink in 10.255.1.2.49072 -> 10.21.0.18.514: udp 288
2024-12-03 18:28:23.436593 wan1 out 10.255.1.2.49072 -> 10.21.0.18.514: udp 288
2024-12-03 18:28:23.487565 port1 in 10.255.1.2.49072 -> 10.21.0.18.514: udp 419
2024-12-03 18:28:23.487585 fortilink in 10.255.1.2.49072 -> 10.21.0.18.514: udp 419
2024-12-03 18:28:23.487626 wan1 out 10.255.1.2.49072 -> 10.21.0.18.514: udp 419

FortiGate-81E-POE (root) # di de flow  filter dport 514
FortiGate-81E-POE (root) # di de flow  trace start 99
FortiGate-81E-POE (root) # di de en
FortiGate-81E-POE (root) # id=65308 trace_id=4 func=print_pkt_detail line=5880 msg="vd-root:0 received a packet(proto=17, 10.255.1.2:49072->10.21.0.18:514) tun_id=0.0.0.0 from fortilink. "
id=65308 trace_id=4 func=init_ip_session_common line=6062 msg="allocate a new session-000082f7"
id=65308 trace_id=4 func=vf_ip_route_input_common line=2613 msg="find a route: flag=04000000 gw-10.128.202.1 via wan1"
id=65308 trace_id=4 func=__iprope_tree_check line=529 msg="gnum-100004, use int hash, slot=85, len=3"
id=65308 trace_id=4 func=fw_forward_handler line=992 msg="Allowed by Policy-9:"
id=65308 trace_id=5 func=print_pkt_detail line=5880 msg="vd-root:0 received a packet(proto=17, 10.255.1.2:49072->10.21.0.18:514) tun_id=0.0.0.0 from fortilink. "
id=65308 trace_id=5 func=resolve_ip_tuple_fast line=5968 msg="Find an existing session, id-000082f7, original direction"
id=65308 trace_id=5 func=npu_handle_session44 line=1226 msg="Trying to offloading session from fortilink to wan1, skb.npu_flag=00000400 ses.state=00000204 ses.npu_state=0x00000001"
id=65308 trace_id=5 func=fw_forward_dirty_handler line=443 msg="state=00000204, state2=00000001, npu_state=00000001"
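The sniffer output above shows what a healthy path looks like: each syslog datagram is seen 'in' on port1 and on the fortilink aggregate, then 'out' on wan1. As an added example that is not part of the article, the following Python script parses verbosity-4 sniffer lines of that shape and reports, per source/destination pair, which interfaces saw the packet inbound and outbound. A flow with inbound hits and no outbound hit is the signature of the step 6 failure mode: the datagram reached the FortiGate but no policy or route forwarded it. The sample input reuses the six lines shown above plus a constructed flow (10.255.1.3 to 192.0.2.10) that never egresses.

```python
import re
from collections import defaultdict

# One line of "diagnose sniffer packet ... 4" output with local timestamps:
# <date> <time> <interface> <in|out> <src>.<sport> -> <dst>.<dport>: udp <len>
_SNIFF_RE = re.compile(
    r'^\S+ \S+ (?P<iface>\S+) (?P<dir>in|out) '
    r'(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) -> '
    r'(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): udp (?P<len>\d+)$'
)


def parse_sniffer_line(line: str):
    """Return the packet fields of one sniffer line, or None for header/other lines."""
    match = _SNIFF_RE.match(line.strip())
    return match.groupdict() if match else None


def syslog_flow_report(lines, dport=514):
    """Group sniffer packets to dport by (src, dst).

    For each flow, record the interfaces that saw it 'in' and 'out' and count
    the packets that actually left the FortiGate.
    """
    flows = defaultdict(lambda: {"in": set(), "out": set(), "out_packets": 0})
    for line in lines:
        pkt = parse_sniffer_line(line)
        if pkt is None or int(pkt["dport"]) != dport:
            continue  # skip "interfaces=[any]" style headers and unrelated ports
        flow = flows[(pkt["src"], pkt["dst"])]
        flow[pkt["dir"]].add(pkt["iface"])
        if pkt["dir"] == "out":
            flow["out_packets"] += 1
    return dict(flows)


def flows_without_egress(report):
    """Flows seen inbound but never outbound: candidates for a policy or route problem."""
    return sorted(key for key, flow in report.items() if flow["in"] and not flow["out"])


# Sample input: the six lines from the article's sniffer output, followed by a
# constructed flow (10.255.1.3 -> 192.0.2.10) that is only ever seen inbound.
SAMPLE_SNIFFER = [
    "interfaces=[any]",
    "filters=[port 514]",
    "2024-12-03 18:28:23.436531 port1 in 10.255.1.2.49072 -> 10.21.0.18.514: udp 288",
    "2024-12-03 18:28:23.436550 fortilink in 10.255.1.2.49072 -> 10.21.0.18.514: udp 288",
    "2024-12-03 18:28:23.436593 wan1 out 10.255.1.2.49072 -> 10.21.0.18.514: udp 288",
    "2024-12-03 18:28:23.487565 port1 in 10.255.1.2.49072 -> 10.21.0.18.514: udp 419",
    "2024-12-03 18:28:23.487585 fortilink in 10.255.1.2.49072 -> 10.21.0.18.514: udp 419",
    "2024-12-03 18:28:23.487626 wan1 out 10.255.1.2.49072 -> 10.21.0.18.514: udp 419",
    # constructed: inbound only, no matching "out" line
    "2024-12-03 18:28:24.000001 port1 in 10.255.1.3.50000 -> 192.0.2.10.514: udp 300",
    "2024-12-03 18:28:24.000020 fortilink in 10.255.1.3.50000 -> 192.0.2.10.514: udp 300",
]

if __name__ == "__main__":
    report = syslog_flow_report(SAMPLE_SNIFFER)
    for (src, dst), flow in sorted(report.items()):
        print(f"{src} -> {dst}: in={sorted(flow['in'])} out={sorted(flow['out'])} "
              f"egress_packets={flow['out_packets']}")
    for src, dst in flows_without_egress(report):
        print(f"no egress for {src} -> {dst}: check firewall policy and route")
```

Paste the live sniffer output into SAMPLE_SNIFFER (or read it from a file) to run the same check against a real capture; the debug flow output then tells you which policy allowed or denied the flows the script flags.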
