Description | This article describes an issue where, when FortiSwitch is integrated with FortiGate and FortiNAC, syslog logs might not be properly transmitted from FortiGate to FortiNAC. This can result in missing MAC address events, such as Add, Delete, and Move, in FortiNAC. |
Scope | FortiGate, FortiNAC, and FortiSwitch. |
Solution |
How FortiNAC Works:
FortiSwitch Modes:
Solution. Utilizing Syslog on FortiGate For FortiLink Managed FortiGates: This method involves configuring the FortiSwitch to generate MAC events and send them via FortiLink to the FortiGate, which then forwards the logs to the FortiNAC using syslog. Below are the steps to implement this solution:
To configure FortiLink Mode using syslog messages:
Troubleshooting Steps:
config switch-controller global
    set mac-event-logging enable
end
Review the syslog filter settings under:
config log syslogd filter
    config free-style
        edit 1
            set category event
            set filter "(logid 0115032615 0115032616 0115032617)"
            set filter-type include
        next
    end
end
Ensure they match the required MAC event types. Verify that the filter settings are correctly applied and check for filter syntax errors.
To adjust the severity level, run the following commands:
config log syslogd filter
FortiGate-81E-POE (filter) # set severity
emergency       Emergency level.
alert           Alert level.
critical        Critical level.
error           Error level.
warning         Warning level.
notification    Notification level.
information     Information level.
debug           Debug level.
end
Use the following commands to configure:
config switch-controller global
    set mac-aging-interval 300
    set mac-retention-period 0
end
To verify, use:
diag switch-controller mac-cache show
config switch-controller remote-log
    edit "syslogd"
        set status enable
        set server "10.21.0.18" # Primary syslog server IP
    next
    edit "syslogd2"
        set status enable
        set server "x.x.x.x" # Secondary syslog server IP
    next
end
If logs are not reaching FortiNAC, confirm that the IP addresses of the syslog servers are correct and reachable.
FortiGate-81E-POE (root) # dia sniffer packet any "port 514" 4 0 l
interfaces=[any]
filters=[port 514]
2024-12-03 18:28:23.436531 port1 in 10.255.1.2.49072 -> 10.21.0.18.514: udp 288
2024-12-03 18:28:23.436550 fortilink in 10.255.1.2.49072 -> 10.21.0.18.514: udp 288
2024-12-03 18:28:23.436593 wan1 out 10.255.1.2.49072 -> 10.21.0.18.514: udp 288
2024-12-03 18:28:23.487565 port1 in 10.255.1.2.49072 -> 10.21.0.18.514: udp 419
2024-12-03 18:28:23.487585 fortilink in 10.255.1.2.49072 -> 10.21.0.18.514: udp 419
2024-12-03 18:28:23.487626 wan1 out 10.255.1.2.49072 -> 10.21.0.18.514: udp 419
FortiGate-81E-POE (root) # di de flow filter dport 514
FortiGate-81E-POE (root) # di de flow trace start 99
FortiGate-81E-POE (root) # di de en
FortiGate-81E-POE (root) # id=65308 trace_id=4 func=print_pkt_detail line=5880 msg="vd-root:0 received a packet(proto=17, 10.255.1.2:49072->10.21.0.18:514) tun_id=0.0.0.0 from fortilink. "
id=65308 trace_id=4 func=init_ip_session_common line=6062 msg="allocate a new session-000082f7"
id=65308 trace_id=4 func=vf_ip_route_input_common line=2613 msg="find a route: flag=04000000 gw-10.128.202.1 via wan1"
id=65308 trace_id=4 func=__iprope_tree_check line=529 msg="gnum-100004, use int hash, slot=85, len=3"
id=65308 trace_id=4 func=fw_forward_handler line=992 msg="Allowed by Policy-9:"
id=65308 trace_id=5 func=print_pkt_detail line=5880 msg="vd-root:0 received a packet(proto=17, 10.255.1.2:49072->10.21.0.18:514) tun_id=0.0.0.0 from fortilink. "
id=65308 trace_id=5 func=resolve_ip_tuple_fast line=5968 msg="Find an existing session, id-000082f7, original direction"
id=65308 trace_id=5 func=npu_handle_session44 line=1226 msg="Trying to offloading session from fortilink to wan1, skb.npu_flag=00000400 ses.state=00000204 ses.npu_state=0x00000001"
id=65308 trace_id=5 func=fw_forward_dirty_handler line=443 msg="state=00000204, state2=00000001, npu_state=00000001" |
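One way to check a saved copy of the port 514 sniffer capture shown earlier for datagrams that arrive from the FortiSwitch side but are never sent out toward FortiNAC. This is an added example, not Fortinet code: the function names are hypothetical, and the sample lines are constructed in the capture's format (the flow from source port 49100 is made up to show the failure case).

```python
import re
from collections import defaultdict

# Constructed sample in the format of the verbosity-4 capture above.
# The 49100 flow is invented: it is seen inbound but has no "out" line.
SAMPLE = """\
2024-12-03 18:28:23.436531 port1 in 10.255.1.2.49072 -> 10.21.0.18.514: udp 288
2024-12-03 18:28:23.436550 fortilink in 10.255.1.2.49072 -> 10.21.0.18.514: udp 288
2024-12-03 18:28:23.436593 wan1 out 10.255.1.2.49072 -> 10.21.0.18.514: udp 288
2024-12-03 18:28:24.000100 port1 in 10.255.1.2.49100 -> 10.21.0.18.514: udp 301
2024-12-03 18:28:24.000120 fortilink in 10.255.1.2.49100 -> 10.21.0.18.514: udp 301
"""

LINE = re.compile(
    r"^\S+ \S+ (?P<iface>\S+) (?P<dir>in|out) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): udp (?P<len>\d+)$"
)

def check_forwarding(capture, nac_ip, port=514):
    """Group sniffer lines by (src, sport, length) and record which
    interfaces saw each datagram inbound and which sent it out.
    Two datagrams with identical source port and length are merged."""
    seen = defaultdict(lambda: {"in": [], "out": []})
    for raw in capture.splitlines():
        m = LINE.match(raw.strip())
        if not m or m["dst"] != nac_ip or int(m["dport"]) != port:
            continue  # prompt/header lines, or traffic to another collector
        key = (m["src"], int(m["sport"]), int(m["len"]))
        seen[key][m["dir"]].append(m["iface"])
    return dict(seen)

def not_forwarded(capture, nac_ip, port=514):
    """Datagrams received by the FortiGate but never sent toward FortiNAC."""
    return sorted(k for k, v in check_forwarding(capture, nac_ip, port).items()
                  if v["in"] and not v["out"])

if __name__ == "__main__":
    for key, ifaces in check_forwarding(SAMPLE, "10.21.0.18").items():
        status = "forwarded" if ifaces["out"] else "NOT forwarded"
        print(key, ifaces, status)
```

A datagram reported as not forwarded is the case to follow up with the debug flow trace, which shows the route lookup and policy decision for that traffic.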