i am trying to connect the FG50F in my remote office to the FAZ300G in my data centre.
Currently the remote office is connecte via IPsec site-to-site VPN.
what are the ports i need to open up in order for the FG50F to send logs to the FG300G ?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Port 514 TCP and UDP.
OFTP uses TCP/514 for connectivity, health check, file transfer and log display from FortiGate.
Log communication happens over either TCP OR UDP 514:
- TCP/514 is used for log transmission with the reliable option enabled.
- UDP/514 is used for log transmission with the reliable option disabled.
i am getting this error when i connect to the FAZ
are you able to ping the FortiAnalyzer IP? If ping works, please try telnet on port 514. We need to make sure the connectivity is fine.
Below article explains the step by step procedure to check the connectivity.
# get log fortianalyzer setting
status : disable
certificate :
FGT50E # execute log fortianalyzer test-connectivity
No FAZ is enabled.
# config log fortianalyzer setting
(setting) # set status enable ===> Here
(setting) # set server x.x.x.x
(setting) # end
Hello Yeowkm99
May I know if you are able to ping fortianalyzer IP from Fortigate?
If you are able to ping then please try to check if the communication port is open on Fortianalyzer. Trying doing telnet from fortigate to fortianalyzer.
Regards
Nagaraju.
Hello Yeowkm99
Please check the routing-table entry for fortianalyzer IP address.
Also please check that the traffic is going via correct outgoing interface.
If the fortigate is in HA then make sure that HA direct is enabled.
Regards
Nagaraju.
my remote office housing the FG50F is now completely setup.
my servers there can reach back to data centre and vice versa.
But the strange thing is my FG50F at the remote office still cannot reach my FAZ in DC.
ping from DC servers to remote FG50F is working, but i cannot ping direct from my FG401E at DC to FG50F.
servers at remote office can ping FAZ in DC, only the FG50F cannot. traceroute also fails.
FGT50F # execute traceroute 172.16.0.71
traceroute to 172.16.0.71 (172.16.0.71), 32 hops max, 3 probe packets per hop, 84 byte packets
1 * * *
2 * * *
3 * * *
trace route from remote office server
>tracert 172.16.0.71
Tracing route to 172.16.0.71 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms 172.32.0.1
2 4 ms 4 ms 4 ms 192.168.1.99
3 4 ms 4 ms 4 ms 172.16.0.71
Dear yeowkm99,
Whenever you are trying to ping is directly from FGT, it is recommended to use source Ip and source interface.
For example.
execute ping-options source x.x.x.x >> one of the lan IP which is allowed in ipsec
execute ping-options interface <int_name> >> one of the lan int
exec ping x.x.x.x >> dst ip
Thanks
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1733 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.