Hi All,
FortiGate600E (HA) and FortiAnalyzer200F are connected.
The FG has 2 VDOMs. (I don't use "root".)
VDOM1 is the main network and is also used for management.
VDOM2 has a separate network.
Both are connected to the Internet by separate lines.
FA is on the VDOM1 side and VDOM1 logs to it.
I want the FA to receive VDOM2 logs as well.
However, VDOM2 cannot access VDOM1's network.
What solutions are possible?
- The options I came up with:
1. Set up connection to FA with Global, not VDOM1.
2. Enable "set use-management-vdom" in "config log fortianalyzer override-setting" in VDOM2
(This also sends the VDOM2 logs to the FA via the VDOM1 interface, am I correct?)
3. Enable communication from VDOM2 to VDOM1 using VDOM link
- Proposals made by others:
4. Physically wire the switches connected to VDOM2 to the FA
(In this case, the second port of the FA needs to be connected)
Plan 3 has been confirmed to be doable.
I think plan 2 is a reasonable one.
However, since there is only one FA, I think the proper form would be to set it up in Global as in Plan 1, not in each VDOM.
I think plan 4 is wrong.
The person who proposed this plan says that Plans 2 and 3 are a last resort, to be done when there is no other way.
(For me, this is the last resort).
What is the most appropriate means?
If you change to global it's a very minor change. You'll possibly lose a few logs as things switch over on the FAZ side. That's about it. I would suggest you just enable FAZ on the global setting that would be easiest for you.
You can also try the "use-management-vdom" setting which sounds like it will accomplish something similar.
You don't need to add any interfaces to the FGT. You already have all of your physical connectivity. We are talking about logical connections now. (Unless you are thinking about the option to add an interface to FAZ for connectivity into VDOM 2. But that doesn't need a new intf on the FGT).
Thank you.
I was able to solve the problem by setting global successfully.
It was very easy to set up.
Definitely use VDOM links. This will be easiest and most secure way of doing it.
Or put a second interface of the FAZ into the VDOM 2 network and go direct to it.
EDIT: @funkylicious has the right answer below
Thanks Graham.
Why is a VDOM Link definitive?
Should the global setting or "use-management-vdom" not be used, or is it a different feature?
I am having a hard time finding documentation that explains these.
Sorry I was misinterpreting your question. @funkylicious has the right answer. You don't need to do anything special. The FortiGate will send all VDOM logs to FortiAnalyzer from the main link.
No problem.
Just for reference, I would like to ask.
If we just cannot use the global setting, is it a VDOM Link (Plan 3) or a physical connection (Plan 4)?
Is use-management-vdom (Plan 2) misplaced?
Also, would the order of priority for consideration be Plan 1 through Plan 4?
I'm confused can you not just use the global setting? https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/712303/configuring-fortianal...
If you must use per-VDOM configuration then I would suggest either adding an interface on FAZ that exists in VDOM 2 and sending logs there or using the VDOM link.
I'm not familiar with use-management-vdom setting. You can try it and see if it works!
The intent is to keep changes to a minimum.
Do we communicate to FAZ via the management VDOM in some way (VDOM Link or use-management-vdom)?
We believe that if we communicate through another interface, the impact will be minimal.
However, the FG is an HA configuration.
If we add more interfaces, we would be required to put a switch in between.
Or we would have to add tagged VLANs to the existing lines. We want to keep the impact as small as possible.
If we configure globally, can we assume that the network where we put the FAZ is in the management network (set management-vdom VDOM1)?
You could enable FAZ globally, which means that you will send all the VDOM logs through your management VDOM; then in FAZ you can move the VDOMs into ADOMs if you want.
There is no need to do an override if this is what you want to achieve.
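As an added example, not posted by anyone in this thread, here is what the two logical options look like in the FortiOS CLI: Plan 1 (the global FortiAnalyzer setting the accepted answer recommends) and, for comparison, Plan 2 (the per-VDOM override in VDOM2 with use-management-vdom). The FortiAnalyzer address 192.0.2.10 is a placeholder; VDOM1/VDOM2 are the names from the question. Option names follow the 7.x CLI and should be checked against the CLI reference for the firmware actually in use.

```fortios
# --- Plan 1: global FortiAnalyzer setting (what the accepted answer describes) ---
# Every VDOM's logs leave through the management VDOM, so VDOM2 needs no
# route of its own to the FAZ and no override is required.
config global
    config system global
        set management-vdom VDOM1          # the VDOM that can reach the FAZ
    end
    config log fortianalyzer setting
        set status enable
        set server "192.0.2.10"            # placeholder FortiAnalyzer address
        set reliable enable                # TCP (OFTP) transport instead of UDP
        set upload-option realtime
    end
end

# Verify the path from the management VDOM to the FAZ (global context):
# execute log fortianalyzer test-connectivity

# --- Plan 2, for comparison: per-VDOM override inside VDOM2 ---
# Per the CLI help, use-management-vdom makes the management VDOM's IP the
# source for logs sent to the FAZ, so VDOM2 still does not need its own path.
config vdom
    edit VDOM2
        config log fortianalyzer override-setting
            set override enable
            set status enable
            set server "192.0.2.10"        # placeholder, same FAZ as above
            set use-management-vdom enable
        end
    next
end
```

After applying either form, confirm on the FAZ that a device entry for the FortiGate shows logs arriving from VDOM2, and only then assign the VDOMs to ADOMs as the accepted answer suggests; a few logs may be lost during the switch-over, as noted earlier in the thread.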