Support Forum
thepip3r
New Contributor

'Fortinet' proper design for syslog/ntp/etc.

I'm using Fortigate 200Es in a NSA Commercial Solutions for Classified (CSFC).  It details some pretty standard requirements for the overall operation of a network (e.g. time sync, syslog, etc.).  I'm not all too familiar with Fortigates (most of my experience is Sidewinders (I know, I'm dating myself)).  I'm making the following assumptions based on my experience and what I've read:

 

1. Each port is its own security boundary
2. The OS native services (ntp/syslog) are associated with the Management interface(s) by design
3. The Management interface(s) is/are meant for OOB management (e.g., walk up and plug a laptop into it)

 

I have a management network on Port 2 between two firewalls (home and forward).  There is a tunnel to port 2 on each 200E (IPSEC, Phase 1 using cert auth, etc.).  On the 'home' side, I have servers for syslog, file server, ntp and am trying to find the best way (the Fortigate approved way) to get the Fortigates on both sides sending syslog to the syslog server (on the home side) and NTP syncing.

 

Currently, the home side's management interface is plugged into a switch that port 2 is also plugged into (that's how home is working for both syslog and ntp).  That doesn't seem right to me.  Looking at the NTP config in the FortiOS handbook, it looks like you can set up a server on each interface that will sync with devices on those interfaces -- is that correct?

 

And if so, is that the general design principle for these services?  ...needing to create servers on each interface that will sync to the networks they represent which will internally talk to the management services?  If not, do you have a document that describes how to set up the Fortigate to get those critical network services off the Fortigate (without plugging the management interface and Port2 into the same switch)?

 

TIA!

2 Solutions
Toshi_Esumi

at least with 6.0.5 we have here, you can specify the source IP for NTP.

xxx-fg1 # config sys ntp
xxx-fg1 (ntp) # get
ntpsync             : enable
type                : fortiguard
syncinterval        : 60
source-ip           : 0.0.0.0
source-ip6          : ::
server-mode         : disable


ede_pfau

@OP:

all of your assumptions hold true except for #2 (that services are bound to the management interface by default). And you need to differentiate precisely between a 'management port' and a 'port used for management'. The former is 'dedicated-to-management', whereas the latter is not. A dedicated mgmt port is not available on every FGT model; I think it starts with the 100E. You need to know that this port does not participate in routing. Any other port you just use for your mgmt VLAN is fully functional.

 

There is a (complicated) selection process for which interface/subnet will be chosen for FGT-originated services like NTP, SNMP, DNS, ping, FAZ logging etc. The chosen source interface is not always what you expect, such as an interface chosen by the destination IP address via the routing table.

 

Therefore, FortiOS has offered more and more 'set source-ip' options for internal services. Just open the config at the corresponding part in CLI (e.g. 'conf sys fortianalyzer') and do a 'show full' to see if a source IP option is available.

 

Same holds true for pinging from the CLI. Quite often, you need to nail down the source IP via 'exec ping-option source 1.2.3.4' before the ping gets through.

Ede Kernel panic: Aiee, killing interrupt handler!

11 Replies
boneyard
Valued Contributor

in your GUI you have a logging section, at the bottom there are logging settings to determine what devices are used to store logs on.

 

in the different sections like forward traffic or events you have a button somewhere right on the top where you can select the logging source.

ede_pfau

I run v6.0.6:

config system settings
   set gui-implicit-policy enable
end
then, in Policy>IPv4 Policy, search the policy named 'Implicit Deny' in section 'Implicit'.

Edit to be able to switch 'Log Violation Traffic' on, at the bottom.

 

Then, in 'Log&Report', 'Log Settings', set 'Local Traffic Log' either to 'All', or enable 'Log Denied Unicast Traffic'.

Violation traffic will be logged in the traffic log.

 

It might take more, depending on your previous settings (or the defaults).

All of the following in the CLI, with logging to memory as an example:

config log memory global-setting
   set max-size 2000000
end

config log memory setting
   set status enable
end

config log memory filter
   set severity information
   set forward-traffic enable
end

 

The most important setting is 'severity' which needs to be 'information' or less.

 

 

Ede Kernel panic: Aiee, killing interrupt handler!
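A small audit script covering both of ede_pfau's points in this thread: the accepted answer (FortiOS picks the source interface for NTP/syslog/FAZ/DNS itself unless you pin it with 'set source-ip') and the logging reply above (memory log enabled, severity at 'information', forward traffic on, implicit-deny logging on). This is an added example, not code from the forum or from Fortinet. It parses a 'show full-configuration'-style dump; the dump below is constructed, and the option names ('source-ip' under 'config system ntp', 'config log syslogd setting', 'config log fortianalyzer setting' and 'config system dns'; 'fwpolicy-implicit-log' under 'config log setting' as the CLI side of 'Log Violation Traffic') are assumed to match FortiOS 6.0.

```python
"""Audit a FortiOS configuration dump for source-IP pinning of FGT-originated
services and for the settings needed to see denied traffic in the log.

Added example (not from the forum thread or Fortinet). Option names are assumed
to follow FortiOS 6.0; SAMPLE_CONFIG is constructed for the demo.
"""

# Constructed sample shaped like 'show full-configuration' output. NTP is left
# with the default source-ip 0.0.0.0 on purpose; syslog is pinned to the port2
# management address; FortiAnalyzer and DNS stanzas are absent.
SAMPLE_CONFIG = """\
config system ntp
    set ntpsync enable
    set type custom
    set syncinterval 60
    set source-ip 0.0.0.0
    config ntpserver
        edit 1
            set server "10.0.2.10"
        next
    end
end
config log syslogd setting
    set status enable
    set server "10.0.2.20"
    set source-ip 10.0.2.1
end
config log memory filter
    set severity information
    set forward-traffic enable
end
config log memory setting
    set status enable
end
config log setting
    set fwpolicy-implicit-log enable
end
"""

# config path -> human name, for every service this script knows takes 'set source-ip'
SOURCE_IP_SERVICES = {
    "system ntp": "NTP",
    "log syslogd setting": "syslog",
    "log fortianalyzer setting": "FortiAnalyzer",
    "system dns": "DNS",
}
UNSET = {"", "0.0.0.0", "::"}  # FortiOS defaults meaning "let the kernel choose"


def parse_fortios(text):
    """Return {config-path: {option: value}} for every config/edit block.

    Nested blocks get a path joined with ' / ' ('system ntp / ntpserver / edit 1').
    'end' closes a config block and 'next' closes an edit block; quotes are stripped.
    """
    tree = {}
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            stack.append(line[len("config "):])
            tree.setdefault(" / ".join(stack), {})
        elif line.startswith("edit "):
            stack.append("edit " + line[len("edit "):].strip('"'))
            tree.setdefault(" / ".join(stack), {})
        elif line in ("end", "next"):
            if stack:
                stack.pop()
        elif line.startswith("set "):
            key, _, val = line[len("set "):].partition(" ")
            tree.setdefault(" / ".join(stack), {})[key] = val.strip('"')
    return tree


def source_ip_findings(tree):
    """List (service, status) for each known service; 0.0.0.0 means FortiOS will
    pick the egress interface by its own selection process."""
    findings = []
    for path, name in SOURCE_IP_SERVICES.items():
        opts = tree.get(path)
        if opts is None:
            findings.append((name, "not configured"))
        elif opts.get("source-ip", "0.0.0.0") in UNSET:
            findings.append((name, "source-ip unset (FortiOS picks the interface)"))
        else:
            findings.append((name, "pinned to " + opts["source-ip"]))
    return findings


def denied_traffic_logging_ok(tree):
    """True when memory logging is on, severity is 'information' or more verbose,
    forward traffic is logged and implicit-deny (violation) logging is enabled."""
    mem_setting = tree.get("log memory setting", {})
    mem_filter = tree.get("log memory filter", {})
    log_setting = tree.get("log setting", {})
    return (
        mem_setting.get("status") == "enable"
        and mem_filter.get("severity") in {"information", "debug"}
        and mem_filter.get("forward-traffic") == "enable"
        and log_setting.get("fwpolicy-implicit-log") == "enable"
    )


if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    for service, status in source_ip_findings(cfg):
        print(f"{service:14s} {status}")
    print("denied-traffic logging:", "OK" if denied_traffic_logging_ok(cfg) else "INCOMPLETE")
```

Run it against 'show full-configuration' output saved from the FGT to see at a glance which services will still source from whatever interface the routing table chooses; the NTP line in the sample is the case from the thread, where 0.0.0.0 looks configured but is not.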