- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: Get firewall to use a VPN / Specific interface...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Get firewall to use a VPN / Specific interface for sending logs?
Hi Guys
I've got a curious issue, I'm trying to send logs from our Fortigate to our FortiAnalyzer through a VPN. The VPN is connected to the same Firewall which should be sending the logs.
The problem is the requests keep timing out, and checking the local traffic logs (see attached screenshot), it looks like the Firewall is using our WAN (as source IP is our public IP) but the Src interface is "known-0". But I need the Firewall to use the LAN interface -> OFFICE-VPN.
I'm not sure if its relevant, the VPN is working fine (Its a Fortigate 200D at each end, configured using the built in wizard), I can ping devices on each side - but if I use the Firewall CLI, I can't ping devices. So it looks like and interface routing issue.
Is there anyway of forcing a specific interface? or any suggestions to get round this.
Many Thank
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For anybody who may suffer from a similar issue - Basically when configuring a FAZ or FMG you need to do it via the CLI, there is a source-ip setting which you set to the same address as the interface you want to send from. This then ensures the traffic is routed correctly.
It appears to work at least.. Fortigates are frustrating!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Pretty much every service (syslog/monitor/tacacs/radius etc) will have the option to choose source-ip from CLI.
The gui is there to fit basic day to day needs. I find it right that advanced things are CLI (Job security hmmm hmm).
On thing I hate that I can't modify its source-ip is the SSLVPN Web application source IP (when you add VPN to the party)
//Chura CCIE, NSE7, CCSE+
//Chura CCIE, NSE7, CCSE+
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Chura, thats good to know for future reference.
I've just swapped us from Palo Alto where 95% of functionality is available in the UI, so still finding my way around (hence the frustrations). Out of interest I've noticed Fortinet do make substantial UI changes (removing, changing layout, moving to CLI etc). Does this not drive you guys nuts?
I don't mind the CLI, its probably the simplest and most logical I've worked with for a while.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here is the command I had to use in FortiOS 5.2
config log fortianalyzer setting
set source-ip x.x.x.x
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
it really helped me!
i was facing the same problem because we´re changing from MPLS to a VPN connection, so, we need to configure faz to use the VPN insted local LAN1 port, b ut even routes being properly configured, no connection.
Ping was working only with source-ip option, but thre is no similar for tarceroute, then, the idea, maybe the FAZ has the same problem as some 60c models where the source is weirdly automagically configured as an interface you don´t want to use...
---
---
Related Posts
- FortiGate 61F Blocked Web access after... 49 Views
- TRAFFIC SHAPPING TO IPSEC TUNNEL 39 Views
- Webfilter license won't work despite having... 101 Views
- 2FA SSL VPN with LDAP authentication 134 Views
- Traffic is not forwards to another... 109 Views
Labels
-
FortiGate
6,741 -
FortiClient
1,341 -
5.2
801 -
5.4
639 -
FortiManager
580 -
FortiAnalyzer
425 -
6.0
416 -
5.6
362 -
FortiSwitch
345 -
FortiAP
344 -
FortiClient EMS
274 -
FortiMail
262 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
160 -
6.4
128 -
FortiNAC
110 -
FortiGuard
108 -
FortiSIEM
92 -
FortiGateCloud
88 -
FortiCloud Products
85 -
IPsec
83 -
FortiToken
73 -
Customer Service
70 -
SSL-VPN
68 -
4.0MR3
64 -
Wireless Controller
62 -
FortiProxy
47 -
FortiADC
44 -
FortiEDR
41 -
Fortivoice
41 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
33 -
FortiSandbox
32 -
SD-WAN
31 -
FortiSwitch v6.4
30 -
Firewall policy
30 -
High Availability
24 -
FortiConnect
24 -
FortiAuthenticator
22 -
VLAN
22 -
FortiWAN
22 -
FortiConverter
21 -
ZTNA
20 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
Certificate
16 -
FortiMonitor
14 -
SAML
14 -
Interface
14 -
Logging
14 -
BGP
13 -
DNS
13 -
FortiGate v5.0
13 -
FortiDDoS
13 -
LDAP
12 -
Routing
12 -
FortiCASB
12 -
VDOM
12 -
fortilink
11 -
RADIUS
10 -
Virtual IP
10 -
FortiRecorder
10 -
FortiWeb v5.0
9 -
Authentication
9 -
SSL SSH inspection
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
SSID
8 -
Traffic shaping
8 -
SSO
8 -
Application control
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
Fortigate Cloud
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
FortiBridge
6 -
SNMP
6 -
Web profile
6 -
Proxy policy
5 -
Traffic shaping policy
5 -
FortiAP profile
5 -
Web application firewall profile
5 -
FortiTester
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
IPS signature
4 -
Packet capture
4 -
Antivirus profile
4 -
Automation
4 -
WAN optimization
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Port policy
4 -
FortiToken Cloud
3 -
DoS policy
3 -
Email filter profile
3 -
Web rating
3 -
Intrusion prevention
3 -
FortiDB
3 -
trunk
3 -
FortiDeceptor
2 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Users
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Protocol option
2 -
4.0MR1
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
Fabric connector
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.