Hi Guys
I've got a curious issue: I'm trying to send logs from our FortiGate to our FortiAnalyzer through a VPN. The VPN is connected to the same firewall which should be sending the logs.
The problem is the requests keep timing out, and checking the local traffic logs (see attached screenshot), it looks like the firewall is using our WAN (the source IP is our public IP) but the source interface is "known-0". But I need the firewall to use the LAN interface -> OFFICE-VPN.
I'm not sure if it's relevant, but the VPN is working fine (it's a FortiGate 200D at each end, configured using the built-in wizard). I can ping devices on each side, but if I use the firewall CLI, I can't ping devices. So it looks like an interface routing issue.
Is there any way of forcing a specific interface? Or any suggestions to get round this?
Many Thanks
For anybody who may suffer from a similar issue: basically, when configuring a FAZ or FMG you need to do it via the CLI. There is a source-ip setting which you set to the same address as the interface you want to send from. This then ensures the traffic is routed correctly.
It appears to work at least... FortiGates are frustrating!
Pretty much every service (syslog/monitor/TACACS/RADIUS etc.) will have the option to choose source-ip from the CLI.
The GUI is there to fit basic day-to-day needs. I find it right that advanced things are CLI (job security, hmmm hmm).
One thing I hate is that I can't modify the source-ip of the SSL-VPN web application (when you add VPN to the party).
//Chura CCIE, NSE7, CCSE+
Thanks Chura, that's good to know for future reference.
I've just swapped us from Palo Alto, where 95% of functionality is available in the UI, so I'm still finding my way around (hence the frustrations). Out of interest, I've noticed Fortinet do make substantial UI changes (removing, changing layout, moving to CLI etc.). Does this not drive you guys nuts?
I don't mind the CLI; it's probably the simplest and most logical I've worked with for a while.
Here is the command I had to use in FortiOS 5.2:
config log fortianalyzer setting
    set source-ip x.x.x.x
end
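As an added worked example (not from any post in this thread), here is the complete source-ip fix from the accepted answer, extended to the FMG and syslog services mentioned above, with the same-source ping and a sniffer check to confirm the log session now leaves via the tunnel. The addresses are constructed, the LAN subnet is assumed to be covered by the OFFICE-VPN phase 2 selectors, and the central-management field names are assumed from FortiOS 5.x/6.x.

```fortios
# Added example, not from the thread. Constructed addresses:
#   10.0.10.1 = this FortiGate's LAN interface IP (subnet carried by OFFICE-VPN)
#   10.0.20.5 = FortiAnalyzer behind the far end of the VPN
# Binding the source to the LAN address makes the log session match the
# tunnel selectors instead of being sourced from the WAN/public address.
config log fortianalyzer setting
    set status enable
    set server 10.0.20.5
    set source-ip 10.0.10.1
end

# Same pattern for FortiManager registration (assumed field names) and for
# a syslog collector reached over the same tunnel.
config system central-management
    set type fortimanager
    set fmg 10.0.20.6
    set fmg-source-ip 10.0.10.1
end
config log syslogd setting
    set status enable
    set server 10.0.20.7
    set source-ip 10.0.10.1
end

# Verify from the CLI with the LAN address as source; a plain "execute ping"
# would otherwise pick the WAN address exactly as the original post describes.
execute ping-options source 10.0.10.1
execute ping 10.0.20.5

# Confirm the FAZ log transport (TCP 514) now leaves from 10.0.10.1.
diagnose sniffer packet any 'host 10.0.20.5 and port 514' 4
```

If the sniffer still shows the public IP as source, check that the OFFICE-VPN phase 2 selectors include 10.0.10.0/24 before looking further at routing.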
It really helped me!
I was facing the same problem because we're changing from MPLS to a VPN connection, so we need to configure FAZ to use the VPN instead of the local LAN1 port, but even with routes properly configured, no connection.
Ping was working only with the source-ip option, but there is no similar option for traceroute. Then the idea: maybe the FAZ has the same problem as some 60C models where the source is weirdly automagically configured as an interface you don't want to use...