FortiSIEM collector on the cloud with Windows Agent

gwaihir · ‎05-16-2024

Greetings

Hello guys, please give me some tip to solve this.

We deployed FortiSIEM supervisor and a collector for Windows Agents that are remotely on branch sites, they reach collector and supervisor with FQDN using public ip (port 443) no IPSec can be established.

Internally the Supervisor and Collector communicate each other with private IP, we noted that Windows Agents can register normally, but when template is applied, they (agents) try to reach the collector through private IP, not the fqdn or public IP, for us this is reasonable because collector health on supervisor shows the private IP for collector.

On windows Agent we run Wireshark, and effectively note that SYN packets are constantly sent to collector private IP.

How this can be solved? there are a way to say that Windows Agents must send data to collector public IP instead of private?, we try to re-register the agent using collector as a proxy but once the template is applied, they start to send syn packets to private IP again.

Hope some answer Thank you!

cdurkin_FTNT · ‎05-16-2024

Sounds like you need to use DNS to resolve this.

In the template association.. use the "Virtual Collectors" option to give out a FQDN for the collector, which for remote sites resolves to the required address.

View solution in original post

cdurkin_FTNT · ‎05-16-2024

Sounds like you need to use DNS to resolve this.

In the template association.. use the "Virtual Collectors" option to give out a FQDN for the collector, which for remote sites resolves to the required address.