Description: This article describes the steps to take when changing OnSight's IP range for its Docker containers. This may be required when the internal network's IP addressing conflicts with Docker's default IP range.
Scope: FortiMonitor.
Solution:
Overview. The modern OnSight infrastructure is composed of a collection of Docker containers. As a result, the network space defined by Docker is 172.17.0.0/12, with Docker using 172.17.0.1/16 for the bridge connection (docker0). The next IP address, 172.17.0.2/16, is assigned to the first container.
With this default IP addressing scheme, the Docker IP space may conflict with the internal network environment and prevent OnSight from communicating with other devices. The following sections explain the steps to take in two different contexts: 1) changing the Docker IP range prior to the OnSight install, and 2) changing the Docker IP range for an existing OnSight.
Note that the examples designate 192.168.0.0/16 as the Docker IP range.
If changes are performed on an OnSight that is monitoring instances, it is highly recommended to create a maintenance schedule so that alerts are not triggered.
Changing Docker IP Range Prior to OnSight Install. To alter the Docker IP range for an upcoming OnSight install, follow the steps below.
1) Add (or modify) the file /etc/docker/daemon.json.
2) Write the following into the file and save.
3) Restart the Docker service with the command systemctl restart docker.
4) Configure the Docker service, iptables, and NAT rules accordingly.
It is highly recommended to perform a full reboot.
To change the Docker IP range for an existing OnSight, perform the steps and commands below.
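Before writing /etc/docker/daemon.json in either procedure, it is worth confirming that the chosen range really clears the internal address plan, since a second conflict would only surface after Docker restarts. The following Python pre-flight check is an added example, not Fortinet's or OnSight's own code; it assumes daemon.json is populated through Docker's `bip` key (the docker0 gateway address with prefix), and the internal subnet list is constructed sample data.

```python
"""Pre-flight check for moving OnSight's Docker bridge off 172.17.0.0/16.

Added example, not Fortinet/OnSight code. Assumes /etc/docker/daemon.json is
populated via Docker's "bip" key (the docker0 gateway address with prefix).
"""
import ipaddress
import json

# Docker's default bridge range (the one the article says may conflict).
DOCKER_DEFAULT_BRIDGE = "172.17.0.0/16"


def find_conflicts(docker_range, internal_subnets):
    """Return the internal subnets that overlap the proposed Docker range."""
    net = ipaddress.ip_network(docker_range, strict=False)
    return [s for s in internal_subnets
            if net.overlaps(ipaddress.ip_network(s, strict=False))]


def build_daemon_json(docker_range, internal_subnets):
    """Validate the new range and render the daemon.json text for it.

    Raises ValueError when the range is not a usable IPv4 network or when it
    overlaps any internal subnet, so the conflict is caught before Docker restarts.
    """
    net = ipaddress.ip_network(docker_range, strict=False)
    if net.version != 4 or net.prefixlen > 29:
        raise ValueError(f"{net} is not a usable IPv4 bridge range")
    conflicts = find_conflicts(docker_range, internal_subnets)
    if conflicts:
        raise ValueError(f"{net} overlaps internal subnet(s): {conflicts}")
    # "bip" takes the gateway address, e.g. 192.168.0.1/16 for 192.168.0.0/16.
    gateway = f"{net.network_address + 1}/{net.prefixlen}"
    return json.dumps({"bip": gateway}, indent=2)


# Constructed sample internal address plan; the first entry sits inside
# Docker's default bridge range and is what forces the change.
SAMPLE_INTERNAL = ["172.17.5.0/24", "10.20.0.0/16"]

if __name__ == "__main__":
    print("default range conflicts:",
          find_conflicts(DOCKER_DEFAULT_BRIDGE, SAMPLE_INTERNAL))
    print(build_daemon_json("192.168.0.0/16", SAMPLE_INTERNAL))
```

Run it against the real internal subnet list before writing daemon.json; only the range it renders without error should go into the file.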
Notes: Changing the Docker networking configuration after installation is not recommended or supported, but the following steps can be attempted to make such a change on a running system. This is a bad idea, as it could create further issues and troubleshooting for the OnSight installation.
Step 1: Verify the OnSight Containers & Docker Network. Run the following three commands to verify that the OnSight containers are running:
Step 2: Adding or Modifying /etc/docker/daemon.json. Follow the same procedure as in the other scenario to create the /etc/docker/daemon.json file for the new network.
1) Add (or modify) the file /etc/docker/daemon.json.
2) Write the following into the file and save.
3) Restart the Docker service with the command systemctl restart docker.
4) Configure the Docker service, iptables, and NAT rules accordingly.
It is highly recommended to perform a full reboot.
Step 3: Create the New Network. To create the new network in Docker, issue the command:
Verify that the new network was created with two commands:
Step 4: Connecting the Container to the New Network. To connect the OnSight containers to the new network, issue the following command:
Verify that the OnSight collector has two to three networks available:
Step 5: Disconnecting the Container from the Old Network. To remove the conflicting 172.17.0.0/12 network:
Verify that the network was removed:
Step 6: Remove All Unused Networks (Optional). To remove all unused networks for the OnSight:
Verify that the unused networks were pruned:
Additional Info: If OnSight is also running NCM, attach the new network in this order: (1) onsight-ncm-db, (2) onsight-ncm-web, (3) onsight-ncm, and (4) onsight.
Copyright 2024 Fortinet, Inc. All Rights Reserved.