This has been really confusing me the past several days. I have IPsec tunnels set up between my units and those work fine. If I use a device connected behind a subnet on device 'a' I can get to subnet 'b'. Therefore the VPN component is working. However, if I am at the CLI of a FortiGate I cannot ping or traceroute over the tunnel to the other subnet. The only way I can is if I specify in 'ping-options' to use the internal address of 'x' FortiGate device; if done this way, pinging works.
The problem is that I think this is causing issues with my FortiGates being able to send logs, etc., up to my FortiManager, as it's over a VPN tunnel. Also, I really can't fathom why the unit wouldn't look in its routing table and realize where it needs to send traffic it generates, because there is a static route to the subnet I am attempting to access.
The more confusing part is that this appears to work fine for 40C/60D units. It does not on anything bigger, such as 80D, 100D, or 300C.
The only way I can is if I specify in 'ping-options' to use the internal address of 'x' FortiGate device; if done this way, pinging works.
That's correct, and the correct way. So pings are working if you source them correctly.
Are you sourcing the logs via that same interface? Is that even an option in your unit(s)?
PCNSE
NSE
StrongSwan
emnoc wrote: The only way I can is if I specify in 'ping-options' to use the internal address of 'x' FortiGate device; if done this way, pinging works.
That's correct, and the correct way. So pings are working if you source them correctly.
Are you sourcing the logs via that same interface? Is that even an option in your unit(s)?
I see; strange that it works on the lower-end units with internal switch interfaces. Is there any valid reason it acts this way?
Not sure exactly what you are asking, but whatever is my internal interface is my management interface. So let's say my FortiManager is on 10.10.100.5, but my FortiGate is at 10.10.101.1. FortiManager sees and connects to the unit at 10.10.101.1. That works fine for sending configs from FortiManager or retrieving information. However, logs are not being transmitted from the unit up to the manager even though there is a valid tunnel. If I am in the GUI and try to 'test connectivity' it fails each time, and I can only assume it's because the unit is generating traffic and it doesn't go out the right interface. Is there any way I can force traffic like this to go out 'x' interface?
However, logs are not being transmitted from the unit up to the manager even though there is a valid tunnel.
Have you looked at the "set source-ip x.x.x.x" option in the config syslogd settings? You can specify the source, and in your case it would be an interface in the src-subnet range for the VPN.
I bet in your case the logs are being sent using the egress interface address and not an address routed through the VPN.
Another option is to set a layer 3 address on the VPN interface (assuming you are using a route-based VPN) and use that as the source. You will need to ensure firewall policies allow the traffic.
The last option is to use the native IPsec encryption within FortiOS. This depends on the FortiOS version, but if you're on FortiOS 5.x it should be supported.
PCNSE
NSE
StrongSwan
emnoc wrote: However, logs are not being transmitted from the unit up to the manager even though there is a valid tunnel.
Have you looked at the "set source-ip x.x.x.x" option in the config syslogd settings? You can specify the source, and in your case it would be an interface in the src-subnet range for the VPN.
I bet in your case the logs are being sent using the egress interface address and not an address routed through the VPN.
Another option is to set a layer 3 address on the VPN interface (assuming you are using a route-based VPN) and use that as the source. You will need to ensure firewall policies allow the traffic.
The last option is to use the native IPsec encryption within FortiOS. This depends on the FortiOS version, but if you're on FortiOS 5.x it should be supported.
Thank you, setting the syslog config worked! Kind of annoying that I have to dive down into the CLI commands for this, especially for all my units, but it's easy enough to solve. I am confused as to why I set it for 'syslogd' and not for 'FortiAnalyzer'.
However, would it be more of a recommended practice to enable FMG access on my 'wan' link and then secure the connection using FMG? Meaning, if I were in Device Manager I'd right-click on 'x' unit and there's 'secure connection' to create an IPsec tunnel from FMG to the unit. Obviously I've not enabled that because it's currently all going internal, so it's unnecessary.
One last question about the 'layer 3' option you mentioned above. I'm not entirely sure how I would do that (networking is not my strongest suit), and would it also take care of my CLI ping "issue"?
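The three fixes discussed in this thread (a source IP for log and FortiManager traffic, a layer 3 address on the route-based tunnel interface, and sourcing CLI pings from a tunnel-routed address) side by side as FortiOS CLI, added here as an example rather than copied from any post. It reuses the thread's addresses (FortiManager 10.10.100.5, FortiGate internal 10.10.101.1); the tunnel name "to-hq" and the 10.255.0.0/30 tunnel addresses are assumptions, and exact syntax varies between FortiOS releases (older 5.x takes `set remote-ip` without a mask).

```fortios
# Added example, not from the thread. Assumed: route-based IPsec tunnel "to-hq",
# FortiManager 10.10.100.5 and internal interface 10.10.101.1 (both from the thread),
# tunnel addresses 10.255.0.1/10.255.0.2 constructed for this example.

# 1. Source self-originated management/log traffic from an address that the
#    static route sends over the tunnel, instead of the egress interface address.
config system central-management
    set fmg-source-ip 10.10.101.1
end
config log fortianalyzer setting
    set source-ip 10.10.101.1
end
# The same knob exists for plain syslog targets:
config log syslogd setting
    set source-ip 10.10.101.1
end

# 2. Alternative: give the tunnel interface its own layer 3 address and use
#    that as the source instead of the internal interface address.
config system interface
    edit "to-hq"
        set ip 10.255.0.2 255.255.255.255
        set remote-ip 10.255.0.1 255.255.255.255
    next
end

# 3. CLI pings from the FortiGate itself need the same treatment: pick a
#    source that is reachable through the tunnel, test, then reset.
execute ping-options source 10.10.101.1
execute ping 10.10.100.5
execute ping-options reset

# 4. Confirm the log traffic actually leaves via the tunnel interface
#    (interface name and source address appear in the verbose output).
diagnose sniffer packet any 'host 10.10.100.5' 4
```

Whichever source is chosen, the far side must have a firewall policy and a return route for that address, otherwise the sniffer will show packets leaving and nothing coming back.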