Setup: 2x PAYGO Fortigate in Azure.
Front LBA and Back LBA from Azure.
Fortianalyzer VM in a VNET Behind the Back LBA.
Problem: I'm not able to communicate with the Analyzer, i.e. 192.168.1.100.
The FortiGates have the addresses 192.168.10.69 and 192.168.10.70.
The LBA Backend IP 192.168.10.68
The VNET of all is 192.168.0.0/16
The route tables point to 192.168.10.69 on the VNet and subnets.
If I do a debug on the FortiGate I can see that SYSLOG sessions are incoming on 192.168.10.69 for the FortiGate 192.168.10.70, and they are not sent through the IPsec autoscale tunnel and get dropped.
I have a FortiGate connected to the FortiAnalyzer through an Azure VPN Gateway, so the FortiAnalyzer is basically working.
Any Suggestions?
Your help is appreciated.
Hi all
Thanks for your interest and all your replies.
I had / have a wild ride with this setup ATM.
There were some challenges with the A/A configuration.
But in that specific case the solution works for all configurations: standalone, A/P, A/A.
The solution was to set an IP on the site-to-site VPN interface (the virtual one, not the NIC).
This is required on both sites. Then you have to add these IPs in the routing and, if required, in the phase 2 selectors of the VPN.
Here is the solution link: Re: Azure Fortigate A/A with LBA front and back communication to Fortianalyzer
Thanks again for your help!
Hello Sanktus,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Hello Sanktus,
We are still looking for someone to help you.
We will come back to you ASAP.
Regards,
Hey Sanktus,
I'm a little confused by your description (but I'm not terribly familiar with Azure environments and what components they consist of), but in general:
- if there is an IPSec VPN involved, ensure you have a source IP set in the FortiAnalyzer logging settings on FortiGate
config log fortianalyzer setting
set source-ip <x.x.x.x> <--- this should be an interface IP on the FortiGate; the connection to Analyzer would still be routed out of the appropriate interface based on routing table
- ensure that the configured source IP and the FortiAnalyzer destination IP match into the IPSec P2 selectors
- ensure FortiAnalyzer has a route back to the source IP
- check if you can ping FortiAnalyzer from the FortiGates in question
-> treat it as a network issue; where does the traffic originate, what interface/route should it take, does it make it, where does it get dropped, etc.
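Putting the accepted solution (an IP on the virtual tunnel interface, added to routing and to the phase 2 selectors) together with the source-ip suggestion above, here is a worked FortiOS CLI fragment. It is an added example, not the poster's configuration: the tunnel name vpn-to-faz and the /32 tunnel addresses 10.255.255.1 and 10.255.255.2 are assumptions, while 192.168.1.100 is the FortiAnalyzer address from the thread.

```fortios
# Assumed: phase1-interface "vpn-to-faz" already exists (site-to-site to the FAZ VNet)
# Assumed tunnel IPs: 10.255.255.1 (this FortiGate), 10.255.255.2 (remote side)
config system interface
    edit "vpn-to-faz"
        set ip 10.255.255.1 255.255.255.255
        set remote-ip 10.255.255.2 255.255.255.255
    next
end

# Phase 2 selectors must cover the log source IP and the FortiAnalyzer address;
# traffic outside the selectors is dropped instead of being encapsulated
config vpn ipsec phase2-interface
    edit "vpn-to-faz-p2"
        set phase1name "vpn-to-faz"
        set src-subnet 10.255.255.1 255.255.255.255
        set dst-subnet 192.168.1.100 255.255.255.255
    next
end

# Route the FortiAnalyzer address into the tunnel rather than via the Azure LB/VNet path
config router static
    edit 0
        set dst 192.168.1.100 255.255.255.255
        set device "vpn-to-faz"
    next
end

# Pin the FortiAnalyzer connection to the tunnel IP so each A/A member sources logs
# from an address the remote side can route back (both members need their own IP)
config log fortianalyzer setting
    set status enable
    set server "192.168.1.100"
    set source-ip 10.255.255.1
end

# Verification from each FortiGate:
#   execute ping-options source 10.255.255.1
#   execute ping 192.168.1.100
#   diagnose sniffer packet any 'host 192.168.1.100' 4
#   diagnose vpn tunnel list name vpn-to-faz
```

The remote side needs the mirror image: its own tunnel IP, a phase 2 selector covering 192.168.1.100 and 10.255.255.1, and a route back to 10.255.255.1 via the tunnel so the FortiAnalyzer's replies do not take the Azure default route.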