Hi there
I have several FGs already sending logs to a FAZ, over ipsec connections, but I am having issues adding a new FW.
The logging is configured using the correct source-ip address, I have successfully checked sending pings from the FG to the FAZ using the source-ip option, and diag sniffer shows the flow of packets, albeit with RSTs in the flow. The FG definition is added to the FAZ, still, the FG reports it can't communicate with the FAZ.
config log fortianalyzer setting set status enable set source-ip 192.168.24.1 set server 192.168.40.15 set reliable enable end
MIN-FW-001 # exec log fortianalyzer test-connectivity Failed to get FAZ's status.
The sniffer flow from the test-connectivity command:
MIN-FW-001 # diag sniffer packet any "host 192.168.40.15" 4 interfaces=[any] filters=[host 192.168.40.15] 1303.708288 ipsec_CT out 192.168.24.1.1364 -> 192.168.40.15.514: syn 4266655446 1303.724212 ipsec_CT in 192.168.40.15.514 -> 192.168.24.1.1364: syn 1201754132 ack 4266655447 1303.724493 ipsec_CT out 192.168.24.1.1364 -> 192.168.40.15.514: ack 1201754133 1303.726584 ipsec_CT out 192.168.24.1.1364 -> 192.168.40.15.514: psh 4266655447 ack 1201754133 1303.742509 ipsec_CT in 192.168.40.15.514 -> 192.168.24.1.1364: ack 4266655740 1303.745975 ipsec_CT in 192.168.40.15.514 -> 192.168.24.1.1364: psh 1201756905 ack 4266655740 1303.746874 ipsec_CT out 192.168.24.1.1364 -> 192.168.40.15.514: ack 1201754133 1313.722355 ipsec_CT out 192.168.24.1.1364 -> 192.168.40.15.514: fin 4266655740 ack 1201754133 1313.738176 ipsec_CT in 192.168.40.15.514 -> 192.168.24.1.1364: fin 1201756914 ack 4266655741 1313.738539 ipsec_CT out 192.168.24.1.1364 -> 192.168.40.15.514: rst 4266655741
Any ideas? Why the RST packets?
As the RST breaks the session, diag debug flow shows 'no session matched' messages after the RSTs appear.
Thanks
Things to check
1: Are you going out the right interface ( check route, route-table )
2: Any FAZ limits or capacity ( review systems logs )
3: can you reboot the FAZ
4: can you run a packet capture on at the FAZ
PCNSE
NSE
StrongSwan
Thanks for the help emnoc.
[ol]
Thanks
You could try the following debugging on the fortigate to see if there are errors in the communication between the FG and the FAZ:
# diagnose debug enable # diagnose debug application miglogd -1
Thanks MrSinners, that helped. An error message appeared related to the SSL connection:
miglog_faz_connect()-371: oftp_connect(global-faz) failed: ssl_connect() failed: 5
Turns out there's an issue with the SSL certs on the FAZ, when I disabled the encryption on the FG it started to work:
set enc-algorithm disable
However, the other FGs still use SSL so I guess they use a different but valid certificate. I am not even sure where the certificate is specified for the FG logging.
Thanks, you guys are great.
You can set the local system cert from the cli
e.g
config system certificate local
but did you try setting the ssl protocol or types in the config global setup
config system global
set enc-algorithm low ( not ideal but )
ssl-low-encryption enable
end
PCNSE
NSE
StrongSwan
Hello JaapHoetmer,
Could you post here the FAZ and the FGT version? In your first post you wrote: "I have several FGs already sending logs to a FAZ, over ipsec connections,..." This FortiGate should also send logs over IPSec? If yes, your settings in the first post is for SSL.
For IPSec you need to disable enc-alogrithm: # config log fortianalyzer setting # set enc-algorithm disable
then you need enable IPsec encryption: # set encrypt enable
and also set the local ID and PSK according to the FortiAnalyzer settings: # set localid <set_the_ID> # set psksecret <set_the_PSK>
But probably you mean that you have IPSec connection established to somewhere and sending logs over this IPSec. Your FGT is usig default encryption for OFTP set enc-algorithm default as not shown in your config under config log fortianalyzer setting.
Could you check the FAZ settings what encryption level is allowed? Use the get sys global on the FAZ and check the encryption algorithm: enc-algorithm : low
The enc-algorithm on the FGT should be the same or higher than on the FAZ.
AtiT
Do what AtiT recommends and you should be golden. I always set mine up this way and it seems to work better than using the default algorithm settings.
Mike Pruett
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.