I'm using Fortigate 200Es in an NSA Commercial Solutions for Classified (CSfC) deployment. It details some pretty standard requirements for the overall operation of a network (e.g. time sync, syslog, etc.). I'm not all too familiar with Fortigates (most of my experience is with Sidewinders (I know, I'm dating myself)). I'm making the following assumptions based on my experience and what I've read:
1. Each port is its own security boundary
2. The OS native services (ntp/syslog) are associated with the Management interface(s) by design
3. The Management interface(s) is/are meant for OOB management (e.g., walk up and plug a laptop into it)
I have a management network on Port 2 between two firewalls (home and forward). There is a tunnel to port 2 on each 200E (IPSEC, Phase 1 using cert auth, etc.). On the 'home' side, I have servers for syslog, file server, ntp and am trying to find the best way (the Fortigate approved way) to get the Fortigates on both sides sending syslog to the syslog server (on the home side) and NTP syncing.
Currently, the home side's management interface is plugged into a switch that port 2 is also plugged into (that's how home is working for both syslog and ntp). That doesn't seem right to me. Looking at the NTP config in the FortiOS handbook, it looks like you can set up a server on each interface that will sync with devices on those interfaces -- is that correct?
And if so, is that the general design principle for these services? ...needing to create servers on each interface that will sync to the networks they represent, which will internally talk to the management services? If not, do you have a document that describes how to set up the Fortigate to get those critical network services off the Fortigate (without plugging the management interface and Port2 into the same switch)?
TIA!
at least with 6.0.5 we have here, you can specify the source IP for NTP.
xxx-fg1 # config sys ntp
xxx-fg1 (ntp) # get
ntpsync : enable
type : fortiguard
syncinterval : 60
source-ip : 0.0.0.0
source-ip6 : ::
server-mode : disable
@OP:
all of your assumptions hold true except for #2 (that services are bound to the management interface by default). And you need to differentiate precisely between a 'management port' and a 'port used for management'. The former is 'dedicated-to-management', which the latter is not. A dedicated mgmt port is not available on every FGT model, I think it starts with the 100E. You need to know that this port does not participate in routing. Any other port you just use for your mgmt VLAN is fully functional.
There is a (complicated) selection process which interface/subnet will be chosen for FGT originating services like NTP, SNMP, DNS, ping, FAZ logging etc. The chosen source interface is not always what you expect, like choosing an interface by the destination IP address via routing table.
Therefore, FortiOS has offered more and more 'set source-ip' options for internal services. Just open the config at the corresponding part in CLI (e.g. 'conf sys fortianalyzer') and do a 'show full' to see if a source IP option is available.
Same holds true for pinging from the CLI. Quite often, you need to nail down the source IP via 'exec ping-option source 1.2.3.4' before the ping gets through.
There is no restriction on what interface a FGT uses to reach NTP servers and syslog servers. It just follows what the routing table says. Of course outbound policies need to allow the traffic though. https://help.fortinet.com/fos50hlp/56/Content/FortiOS/fortigate-hardening/enable_auto_clock_sync.htm
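To illustrate the 'set source-ip' approach from the replies above, here is an added example (not posted by anyone in this thread, and not a vendor document) that pins the FortiGate-originated NTP and syslog traffic to the port2 management network so it rides the IPsec tunnel. The addresses 10.10.2.1 (local port2), 10.10.2.50 (NTP server) and 10.10.2.60 (syslog server) are constructed placeholders; on the remote 200E, use that unit's own port2 address and make sure the phase 2 selectors and outbound policies cover it.

```fortios
# Added example: source NTP and syslog from port2 instead of whatever interface
# the routing table / source-selection logic would otherwise pick.
config system ntp
    set ntpsync enable
    set type custom            # our own servers rather than FortiGuard
    set syncinterval 60
    set source-ip 10.10.2.1    # placeholder: this unit's port2 address
    config ntpserver
        edit 1
            set server "10.10.2.50"    # placeholder: home-side NTP server
        next
    end
end

config log syslogd setting
    set status enable
    set server "10.10.2.60"    # placeholder: home-side syslog server
    set source-ip 10.10.2.1    # same trick for syslog
    set facility local7
end

# Verify from the CLI, sourcing the ping the same way the services will:
execute ping-option source 10.10.2.1
execute ping 10.10.2.50
diagnose sys ntp status
# Watch the NTP exchange actually leave via port2:
diagnose sniffer packet port2 'udp port 123' 4
```

Before relying on this for another service (SNMP, DNS, FortiAnalyzer), open its config section and run 'show full-configuration' to confirm a source-ip option exists in your release, as the reply above suggests.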
Hi Toshi,
Thanks for the response. The syslog config you posted looks like I can just configure the syslog to use a particular interface (via the set source-ip command). Does that command also work for ntp (the doc posted doesn't specify). If set source-ip does work for the ntp config too, that solves my problems.
Thanks!
@toshi and @ede_pfau, thanks for the help. Both the 'source-ip' and the confirmation of my assumptions were helpful.
@Ede, thanks for the added information on the management port. I know I was conflating the two terms but they were essentially being used on a 'management network' and I was tricking the Fortigate to allow me to talk to the 'management port' by plugging it into a switch on the 'management network' -- I'm sorry for the confusion on my lack of clarity. Additionally, a HUGE thanks for the 'exec ping-option source' command. That was really throwing off my troubleshooting as once I had my IPSEC tunnel established, my pings would no longer work. I could see the Implicit Deny ACL on the remote firewall increasing in size but I couldn't find where it was being logged. I did find that it didn't log denies by default so I turned on the logging on both firewalls but still didn't see anywhere in the Logs area where those denied connections were showing up.
Where can I look to find my ACL denies? What log? ...they don't seem to be populating any visible log in the UI.
hmm, maybe you should make the implicit 'deny all' policy visible and add logging to it. System > Features should have an option for 'implicit policies'.
As denied traffic doesn't harm you would not normally log it. But still, FortiOS provides it behind a quiet corner.
Under my System tree in the web UI, I did not see a 'Features' option (I'm on 6.02 OS). I thought I'd turned on logging by going to the Policy tab and clicking on the Implicit Deny ACL itself and when it opened, I moved the slider to activate logging but I'm not seeing the logging actually show up anywhere (under any of the logs listed under the Logs... section).
do you see the traffic counter go up on that firewall rule though?
how are your log settings? do you use memory / disk / ...?
I see the data counter increasing on the Implicit Deny -- that's why I want to be able to review what's hitting it. Logging on that ACL defaults to being off. I turned it on, see the log increasing but can't find in what log those entries should be showing up.
Where is the log (disk/memory/or otherwise) that tracks what is happening with the Implicit Deny ACL?
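As an added example for the last question (not from any poster in this thread): enabling logging on the implicit deny policy in the GUI only helps if traffic logs are being written somewhere and the implicit-deny log option is on. This assumes a 200E with local disk logging and that 'fwpolicy-implicit-log' exists in the FortiOS release in use; confirm each setting with 'show full-configuration' before trusting it.

```fortios
# Added example: make implicit-deny hits visible and read them back.
config log disk setting
    set status enable              # assumption: disk logging is available
end
config log setting
    set fwpolicy-implicit-log enable   # log traffic that hits the implicit deny (policy 0)
end

# Read just the denies out of the traffic log (category 0) from the CLI:
execute log filter reset
execute log filter category 0
execute log filter field action deny
execute log display
```

In the GUI the same entries show up under the forward traffic log with the action filtered to deny; if the counter on the implicit deny rises but nothing appears, the log destination (disk/memory) is usually what is still off.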