Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
yw2023
New Contributor II

Connecting Fortigate(Multi VDOM) and Fortianalyzer

 

Hi All,

 

FortiGate600E (HA) and FortiAnalyzer200F are connected.
The FG has a 2 VDOM. (I don't use "root".)
VDOM1 is the main network and is also used for management.
VDOM2 has a separate network.

Both are connected to the Internet by separate lines.

 

FA is on the VDOM1 side and is logged by VDOM1.
I want to get this with FA for VDOM2 logs as well.
However, VDOM2 cannot access VDOM1's network.

 

What solutions are possible?

 

 

- The way I come up with it.
1. Set up connection to FA with Global, not VDOM1.
2. Enable "set use-management-vdom" in "config log fortianalyzer override-setting" in VDOM2
(This also sends the VDOM2 logs to the FA via the VDOM1 interface, am I correct?)
3. Enable communication from VDOM2 to VDOM1 using VDOM link

 

- Proposals claimed by others.
4. Physically wire and connect from Switches connected to VDOM2 to FA
(In this case, the second port of FA needs to be connected)


Plan 3 has been confirmed to be doable.
I think plan 2 is a reasonable one.
However, since there is only one FA, I think the original form would be to set it up in Global of Plan 1, not in each VDOM.

 

I think plan 4 is wrong.
The person who proposed this plan says that Plans 2 and 3 are a last resort, to be done when there is no other way.
(For me, this is the last resort).

 

What is the most appropriate means?

2 Solutions
gfleming

If you change to global it's a very minor change. You'll possibly lose a few logs as things switch over on the FAZ side. That's about it. I would suggest you just enable FAZ on the global setting that would be easiest for you.

 

You can also try the "use-management-vdom" setting which sounds like it will accomplish something similar.

 

You don't need to add any interfaces to the FGT. You already have all of your physical connectivity. We are talking about logical connections now. (Unless you are thinking about the option to add an interface to FAZ for connectivity into VDOM 2. But that doesn't need a new intf on the FGT).

 

 

Cheers,
Graham

View solution in original post

yw2023
New Contributor II

Thank you.
I was able to solve the problem by setting global successfully.
It was very easy to set up.

View solution in original post

10 REPLIES 10
gfleming
Staff
Staff

Definitely use VDOM links. This will be easiest and most secure way of doing it.

Or put an second interface of the FAZ into VDOM 2 network and go direct to it.

 

EDIT: @funkylicious has the right answer below

Cheers,
Graham
yw2023
New Contributor II

Thanks Graham.

 

Why is VDOM Link definitively?
Is there an overall setting or "use-management-vdom" that should not be used or is it a different feature?
I am having a hard time finding documentation that explains these.

 

 

gfleming

Sorry I was misinterpreting your question. @funkylicious has the right answer. You don't need to do anything special. The FortiGate will send all VDOM logs to FortiAnalyzer from the main link.

Cheers,
Graham
yw2023
New Contributor II

No problem.
Just for reference, I would like to ask.
If we just can't make it to the global setting, is it a VDOM Link (Plan 3) or a physical connection (Plan 4)?

Is use-management-vom(Plan2) misplaced?

 

Also, would the order of priority for consideration be Plan 1 through Plan 4?

gfleming

I'm confused can you not just use the global setting? https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/712303/configuring-fortianal...

 

If you must use per-VDOM configuration then I would suggest either adding an interface on FAZ that exists in VDOM 2 and sending logs there or using the VDOM link.

 

I'm not familiar with use-management-vdom setting. You can try it and see if it works!

Cheers,
Graham
yw2023
New Contributor II

The intent is to keep changes to a minimum.


Do we communicate to FAZ via management VDOMs in some way (VDOM Link or use-management-vom?)?
We believe that if we communicate through another interface, the impact will be minimal.


However, the FG is an HA configuration.
If we add more interfaces, we would be required to put a switch in between.
Or we would have to add tagged VLANs to the existing lines. We want to keep the impact as small as possible.

 


If we configure globally, can we assume that the network where we put the FAZ is in the management network (set management-vdom VDOM1)?

gfleming

If you change to global it's a very minor change. You'll possibly lose a few logs as things switch over on the FAZ side. That's about it. I would suggest you just enable FAZ on the global setting that would be easiest for you.

 

You can also try the "use-management-vdom" setting which sounds like it will accomplish something similar.

 

You don't need to add any interfaces to the FGT. You already have all of your physical connectivity. We are talking about logical connections now. (Unless you are thinking about the option to add an interface to FAZ for connectivity into VDOM 2. But that doesn't need a new intf on the FGT).

 

 

Cheers,
Graham
yw2023
New Contributor II

Thank you.
I was able to solve the problem by setting global successfully.
It was very easy to set up.

funkylicious
Contributor III

You could enable FAZ globally which means that you will send all the VDOM logs through your management VDOM, then in FAZ you can move to ADOMs the VDOMs if you want.

There is no need to do an override if this is what you want to achieve.

geek
geek
Labels
Top Kudoed Authors