I'm using Fortigate 200Es in an NSA Commercial Solutions for Classified (CSFC) solution. It details some pretty standard requirements for the overall operation of a network (e.g. time sync, syslog, etc.). I'm not all too familiar with Fortigates (most of my experience is with Sidewinders (I know, I'm dating myself)). I'm making the following assumptions based on my experience and what I've read:
1. Each port is its own security boundary
2. The OS native services (ntp/syslog) are associated with the Management interface(s) by design
3. The Management interface(s) is/are meant for OOB management (e.g., walk up and plug a laptop into it)
I have a management network on Port 2 between two firewalls (home and forward). There is a tunnel to port 2 on each 200E (IPSEC, Phase 1 using cert auth, etc.). On the 'home' side, I have servers for syslog, file server, ntp and am trying to find the best way (the Fortigate approved way) to get the Fortigates on both sides sending syslog to the syslog server (on the home side) and NTP syncing.
Currently, the home side's management interface is plugged into a switch that port 2 is also plugged into (that's how home is working for both syslog and ntp). That doesn't seem right to me. Looking at the NTP config in the FortiOS handbook, it looks like you can set up a server on each interface that will sync with devices on those interfaces -- is that correct?
And if so, is that the general design principle for these services? ...needing to create servers on each interface that will sync to the networks they represent, which will internally talk to the management services? If not, do you have a document that describes how to set up the Fortigate to get those critical network services off the Fortigate (without plugging the management interface and Port2 into the same switch)?
TIA!
At least with 6.0.5, which we have here, you can specify the source IP for NTP.

xxx-fg1 # config sys ntp
xxx-fg1 (ntp) # get
ntpsync      : enable
type         : fortiguard
syncinterval : 60
source-ip    : 0.0.0.0
source-ip6   : ::
server-mode  : disable
@OP:
All of your assumptions hold true except for #2 (that services are bound to the management interface by default). And you need to differentiate precisely between a 'management port' and a 'port used for management'. The former is 'dedicated-to-management', which the latter is not. A dedicated mgmt port is not available on every FGT model; I think it starts with the 100E. You need to know that this port does not participate in routing. Any other port you just use for your mgmt VLAN is fully functional.
There is a (complicated) selection process which interface/subnet will be chosen for FGT originating services like NTP, SNMP, DNS, ping, FAZ logging etc. The chosen source interface is not always what you expect, like choosing an interface by the destination IP address via routing table.
Therefore, FortiOS has offered more and more 'set source-ip' options for internal services. Just open the config at the corresponding part in CLI (e.g. 'conf sys fortianalyzer') and do a 'show full' to see if a source IP option is available.
Same holds true for pinging from the CLI. Quite often, you need to nail down the source IP via 'exec ping-option source 1.2.3.4' before the ping gets through.
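As an added illustration of the 'set source-ip' advice above (example config, not from any poster in this thread): this pins both NTP and syslog traffic originated by the FGT to the port2 address, so the dedicated mgmt port can stay out-of-band. The addresses are constructed placeholders (port2 10.10.2.1, NTP server 10.10.2.10, syslog server 10.10.2.20); on the 'forward' FGT you would use its own port2 address and let the route over the tunnel carry the traffic.

```fortios
# Constructed placeholders:
#   port2 on this FGT : 10.10.2.1
#   NTP server (home) : 10.10.2.10
#   syslog server     : 10.10.2.20

# NTP: use a custom server instead of FortiGuard and source from port2,
# rather than whatever interface the routing lookup would pick.
config system ntp
    set ntpsync enable
    set type custom
    set syncinterval 60
    set source-ip 10.10.2.1
    config ntpserver
        edit 1
            set server "10.10.2.10"
        next
    end
end

# Syslog: same idea, source-ip pins the sender address of the log stream.
config log syslogd setting
    set status enable
    set server "10.10.2.20"
    set source-ip 10.10.2.1
end

# Verify what was applied ('show full' also lists options left at default).
show full-configuration system ntp
show full-configuration log syslogd setting

# Confirm on the wire that NTP (123) and syslog (514) leave via port2.
diagnose sniffer packet port2 'udp port 123 or udp port 514' 4 10
```

If the sniffer shows nothing on port2, check that a route to the home-side servers exists via the tunnel before suspecting the source-ip settings.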
In your GUI you have a logging section; at the bottom there are logging settings to determine what devices are used to store logs on.
In the different sections, like forward traffic or events, you have a button somewhere right on the top where you can select the logging source.
I run v6.0.6:
config system settings
set gui-implicit-policy enable
end
Then, in Policy > IPv4 Policy, search for the policy named 'Implicit Deny' in the section 'Implicit'. Edit it to be able to switch 'Log Violation Traffic' on, at the bottom.
Then, in 'Log&Report', 'Log Settings', set 'Local Traffic Log' either to 'All', or enable 'Log Denied Unicast Traffic'.
Violation traffic will be logged in the traffic log.
It might take more, depending on your previous settings (or the defaults).
All of the following in the CLI, with logging to memory as an example:
conf log mem glob
set max 2000000
end
conf log mem sett
set status ena
end
conf log mem filter
set sev info
set forw ena
end
The most important setting is 'severity' which needs to be 'information' or less.
Copyright 2024 Fortinet, Inc. All Rights Reserved.