qqh452821000
New Contributor

fortigate fortianalyzer setting source-ip error

Hi all,

 

I am using two FortiGate 500E (HA) with firmware 6.2. When I set up the FortiAnalyzer, I want to use a specified IP as the source-ip, but it didn't work.

 

FGT (setting) # set source-ip 192.168.1.1
192.168.1.1 is not valid source ip.
node_check_object fail! for source-ip 192.168.1.1

 

value parse error before '192.168.1.1'
Command fail. Return code -8

 

How do I set the FortiAnalyzer source-ip with a FortiGate HA cluster?

 

Anyone had any ideas?

 

thanks

ede_pfau
Esteemed Contributor III

There are restrictions on which address can be specified here: it needs to be a valid address assigned to an interface of the FGT. Is that true for 192.168.1.1 on your FGT?


Ede

"Kernel panic: Aiee, killing interrupt handler!"
qqh452821000
New Contributor

No, 192.168.1.1 is not on the FGT. The FGT is a separate VDOM; there are two IPs on it (one for master and one for slave).

So we must use the common IP as the FortiAnalyzer source-ip, and that's where I get confused.

ede_pfau
Esteemed Contributor III

I'm not sure that I wholly understand your problem.

When you configure a cluster to report to an FAZ, and authorize this on the FAZ, you will see 2 devices reporting. Each is identified by its serial number. But, in general, a cluster will only use one IP address. This makes sense as only the master unit will communicate with the FAZ, regardless of the HA mode (a-p or a-a).

I thought you were talking about how to substitute the cluster IP address for another address (for whatever reasons). For local-out traffic a FGT usually chooses the interface address of the interface it uses to connect to the FAZ as source address.

If that doesn't answer your question then please explain a bit further what you want to achieve.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
qqh452821000

The configuration is shown below:

 

FGT_Master (global) # config system global
FGT_Master (global) # set management-vdom MGMT

FGT_Master:

config system interface
    edit "mgmt"
        set vdom "MGMT"
        set ip 192.168.91.21 255.255.255.0
        set allowaccess ping https ssh http
        set type physical
        set alias "HA_Dedicated_MGMT"
        set role lan
        set snmp-index 2
    next
end
config router static
    edit 1
        set gateway 192.168.91.254
        set device "mgmt"
    next
end

FGT_Slave:

config system interface
    edit "mgmt"
        set vdom "MGMT"
        set ip 192.168.91.22 255.255.255.0
        set allowaccess ping https ssh http
        set type physical
        set alias "HA_Dedicated_MGMT"
        set role lan
        set snmp-index 2
    next
end
config router static
    edit 1
        set gateway 192.168.91.254
        set device "mgmt"
    next
end

The MGMT VDOM is only for management traffic. In other words, a cluster will have two IP addresses for management.

For the FortiAnalyzer setting, is only an IP in the MGMT VDOM allowed as the source address?

It works when I use 192.168.91.21 or 192.168.91.22 as the source-ip:

 

FGT (setting) # set source-ip 192.168.91.21

 

So the FAZ can only record logging from 192.168.91.21 or from 192.168.91.22 at the same time.

 

So I can't use the management VDOM's IP as the FAZ source-ip...

 

I have to use the IP shared by master and slave.

ede_pfau
Esteemed Contributor III

For local-out traffic, the FGT will use the MGMT VDOM. If you only have one interface defined in it, this will be the source address for logging traffic.

 

I haven't used this before but maybe this will work:

In the VDOM "MGMT", create a loopback interface (Network / Interface / Create / Type: Loopback). Assign a valid IP address to it, like 192.168.91.30/24, so that the route matches. You should then be able to specify this address as the source address on both members; in fact, after setting it on the master it should be synchronized to the slave immediately.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
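The loopback approach Ede describes, written out as FortiOS 6.2 CLI. This is an added example, not configuration from either poster. The VDOM name, the mgmt addressing and the loopback address 192.168.91.30 come from the thread; the loopback name lo_faz and the FortiAnalyzer address 192.168.91.100 are placeholders I have assumed because the page does not give them.

```fortios
# Added example: loopback in the management VDOM used as FAZ source address.
# Assumes VDOMs are enabled with "MGMT" as management-vdom (as in the thread).
# lo_faz and 192.168.91.100 are assumed names/addresses, not from the page.
config global
    config system interface
        edit "lo_faz"
            set vdom "MGMT"
            set type loopback
            # /32 so the loopback does not overlap the mgmt interface's
            # 192.168.91.0/24 in the same VDOM (FortiOS rejects overlapping
            # interface subnets within a VDOM by default).
            set ip 192.168.91.30 255.255.255.255
            set allowaccess ping
        next
    end
    config log fortianalyzer setting
        set status enable
        set server "192.168.91.100"
        # must be an address owned by an interface of this unit; the
        # loopback qualifies, 192.168.1.1 in the first post did not.
        set source-ip 192.168.91.30
    end
end
```

Two things to check before relying on this. First, the loopback is a /32, so the FortiAnalyzer (or its gateway) needs a route back to 192.168.91.30 via whichever member's mgmt address is currently active (192.168.91.21 or 192.168.91.22); after a failover that next hop changes, so a static route on the FAZ side pointing at one member's mgmt IP will break logging until it is updated. Second, when the HA management interfaces are per-unit (different IPs on master and slave, as here), the loopback and the log settings are still part of the synchronized configuration, so they land on both members while only the current master actually sends.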
qqh452821000

FGT_Master(global) # set management-vdom MGMT

 

I don't quite understand. If I set VDOM "MGMT" as the management-vdom, will the loopback address not synchronize to the slave?

 

I have tried to create a loopback address like 192.168.91.30/24, but it fails. It conflicts with the 'mgmt' subnet.

SankaraNarayanan_S
New Contributor

Hi All,

Please perform the pre-checks below for FortiGate to FortiAnalyzer connectivity:

1. The firmware version of the FGT and FGA should be the same.
2. Ensure the port is open between the FGT and FGA: TCP/514.
3. Check if there is any NAT applied to reach the FortiAnalyzer unit.
4. Perform a sniffer packet debug on the FortiGate using the source interface IP address.

Also refer to the KB article "Troubleshooting Tip: FortiGate to FortiAnalyzer connectivity":

https://kb.fortinet.com/k....do?externalID=FD41272

To be specific, there is no special requirement for setting up a FortiAnalyzer with FortiGate HA.

Once FortiGate firewall HA is configured on the primary unit, the secondary unit should be in sync automatically; then configure the FortiAnalyzer log settings on the primary firewall, which will be replicated to the secondary unit as well.

You can check it using the get FortiAnalyzer log-settings command on the primary unit:

get fortianalyzer log-settings

Log in to the secondary HA unit from the primary unit using these commands:

get system ha status

execute ha manage <HA ID>

get fortianalyzer log-settings

Hope this helps.

Thanks
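The verification steps from the reply above, written out as a FortiOS 6.2 session. This is an added example and not the replier's own commands; the cluster details match the thread, while the FortiAnalyzer address 192.168.91.100 and the HA index/admin name used with execute ha manage are placeholders I have assumed.

```fortios
# Added example: confirm FAZ settings and traffic on both HA members.
# 192.168.91.100 (FAZ) and the "1 admin" arguments are assumed, not from the page.
config global
    # which member is master, and whether config is in sync
    get system ha status
    # log settings are global when VDOMs are enabled; confirm server/source-ip
    show log fortianalyzer setting
    # end-to-end OFTP (TCP/514) check from the active member
    execute log fortianalyzer test-connectivity
    # watch the source address actually used on the mgmt interface;
    # verbose 4 prints interface + headers, 10 packets, absolute timestamps
    diagnose sniffer packet mgmt 'host 192.168.91.100 and port 514' 4 10 a
end
# hop to the secondary over the HA link (6.2 takes the admin name as 2nd arg)
# and repeat the show/test commands there to confirm the settings replicated
execute ha manage 1 admin
```

The sniffer line is the quickest way to see the thread's problem directly: if the packets leave with 192.168.91.21 or .22 as the source, the cluster is using the per-member mgmt address rather than the shared one, regardless of what the FAZ side shows.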

     
