Just ran into something strange which took me a while to trace back. This is all 5.4.5 FGTs and a 5.4.3 FAZ 200D. The issue is resolved, but as I'm not sure what caused the problem in the first place it's a bit unsettling.
I was tweaking the config of a FortiGate at our second location. It's got an always on VPN connection back to the main office, which is used for, among other things, sending logs to a central FortiAnalyzer.
After my changes I went through some verification, which was when I noticed that it was failing to connect to the FAZ.
I looked over the FGT and FAZ configs trying to figure out what was failing. Finally noticed that the FAZ had received 0 logs, starting late yesterday. So I went and checked the connection between the main office FGT and the FAZ, which was also failing to connect.
When checking the FAZ config again, I noticed that over half the time it wasn't accepting my FortiToken. So checked the time on the FAZ and the main FGT, and saw the FAZ was running almost a minute fast.
So, for some reason NTP requests from the FAZ to the FGT (it's set up as a local NTP) weren't getting through. Checked the FGT config again. The FGT's network interface that matched the IP I had set on the FAZ as its NTP server was enabled and fine. However, then I saw that the FGT's interface for logging (separate subnet) was disabled. I had not disabled it myself.
I enabled the logging interface on the FGT. Shortly after the FAZ got the correct time from the FGT, then all the logs started going through again.
So my questions are:
1. If on the FAZ I specify an NTP server that is in a different subnet than the IP the FAZ uses to receive logging, shouldn't it use its interface that matches that subnet for NTP?
2. If the time on the FAZ gets out of sync with the FGT, will that stop it accepting logs? Could that somehow cause the FGT to disable its interface used for logging? Anything else that would make the FGT change the intf state to disabled?
3. Any ideas how the FAZ 200D gained about an extra minute of time, when it should have been syncing its time every 60 minutes or so?
4. There is probably some simple event on the FAZ I can set up to email me if it hasn't received logs for a couple of hours. Anybody have something like this set up?
Thanks for any thoughts on this.
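As an added example (not part of the original post, and not FortiAnalyzer's own event handler), the two conditions described above, a log source going quiet and a source whose clock disagrees with the collector's, can both be watched for generically on whatever receives the logs. The script below parses FortiGate-style `key=value` lines (the `date=`, `time=` and `devname=` fields), tracks the last receive time per device, compares each log's own timestamp with the collector's receive time, and reports devices that have been silent longer than a threshold or whose skew exceeds a tolerance. The sample records, device names and timestamps are constructed for illustration; the 2-hour gap and 30-second tolerance are assumed values, not vendor defaults.

```python
"""Watchdog for a central log collector: flag sources that have gone silent
and sources whose log timestamps disagree with the collector's clock.
Generic added example; not FortiAnalyzer's own event/alert mechanism."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample records: (collector receive time in ISO 8601, raw log line).
# The key=value layout mimics FortiGate syslog fields; all values are made up.
SAMPLE_RECORDS = [
    ("2024-05-06T09:00:05+00:00",
     'date=2024-05-06 time=09:00:04 devname="FGT-MAIN" logid="0000000013" type="traffic"'),
    ("2024-05-06T09:00:07+00:00",
     'date=2024-05-06 time=09:00:07 devname="FGT-BRANCH" logid="0000000013" type="traffic"'),
    # FGT-MAIN's own clock is ~55 s ahead of the collector here (constructed drift).
    ("2024-05-06T09:30:00+00:00",
     'date=2024-05-06 time=09:30:55 devname="FGT-MAIN" logid="0000000013" type="traffic"'),
    ("2024-05-06T09:31:00+00:00",
     'date=2024-05-06 time=09:31:00 devname="FGT-MAIN" logid="0000000013" type="traffic"'),
]

# Matches key=value pairs where the value is either "quoted text" or a bare token.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_fields(line):
    """Turn a key=value log line into a dict, stripping quotes from values."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def log_timestamp(fields):
    """Build a UTC datetime from the log's own date= and time= fields.
    Assumes the device logs in UTC; adjust tzinfo if it logs local time."""
    stamp = datetime.strptime(fields["date"] + " " + fields["time"], "%Y-%m-%d %H:%M:%S")
    return stamp.replace(tzinfo=timezone.utc)


def ingest(records):
    """Return (last_seen, max_skew): per-device last receive time and the
    largest absolute difference, in seconds, between a log's own timestamp
    and the time the collector received it."""
    last_seen = {}
    max_skew = {}
    for received_iso, line in records:
        received = datetime.fromisoformat(received_iso)
        fields = parse_fields(line)
        dev = fields["devname"]
        skew = abs((log_timestamp(fields) - received).total_seconds())
        last_seen[dev] = max(last_seen.get(dev, received), received)
        max_skew[dev] = max(max_skew.get(dev, 0.0), skew)
    return last_seen, max_skew


def silent_devices(last_seen, now, max_gap):
    """Devices whose most recent log is older than max_gap relative to now."""
    return sorted(dev for dev, seen in last_seen.items() if now - seen > max_gap)


def skewed_devices(max_skew, tolerance_s):
    """Devices whose log timestamps drifted more than tolerance_s from the collector."""
    return sorted(dev for dev, skew in max_skew.items() if skew > tolerance_s)


if __name__ == "__main__":
    # Constructed "current" time for the demonstration run.
    now = datetime(2024, 5, 6, 11, 30, tzinfo=timezone.utc)
    last_seen, max_skew = ingest(SAMPLE_RECORDS)
    for dev in silent_devices(last_seen, now, timedelta(hours=2)):
        print(f"ALERT no logs from {dev} since {last_seen[dev].isoformat()}")
    for dev in skewed_devices(max_skew, 30):
        print(f"ALERT clock skew {max_skew[dev]:.0f}s on {dev}; check NTP reachability")
```

In practice the receive time comes from the collector's clock at ingest, so a skew alert from several devices at once points at the collector's own time (as with the FAZ running a minute fast above), while skew from a single device points at that device or its NTP path.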