Hi Everyone,
Indeed, I am trying to set up load balancing for syslog servers.
The load balancing itself works well, but the syslog server does not receive the addresses of the remote equipment; there is a NAT performed by the Forti, so we do not know which equipment the logs come from (I see the Forti address).
I thought of port forwarding to keep the source address, but then I would not be able to forward the logs to my server pool, only to a single server.
Do you know if there is a possibility to achieve this load sharing while keeping the source addresses of the clients?
karnack wrote: (quoting the original post above)
Hi, can you provide an example of your issue?
What device is doing the SNAT? Can you eliminate the SNAT so the original SRC is presented in the syslog files?
PCNSE
NSE
StrongSwan
The SNAT is performed by the Forti, although I have no such rule configured for the network equipment. The Forti presents the address of the interface of the incoming flow to my syslog servers, which is why all my syslog servers only see the Forti's address.
My equipment is a Forti 1500D. Typically, my network equipment (10.10.20.x) sends syslog (UDP 514) to the configured syslog VIP (10.10.10.1); the real syslog servers, 10.10.10.2 and 10.10.10.3, receive the network logs fine, but NATted to the address of my Forti interface on the network-equipment side (10.10.20.1).
Have you tried to enable "Preserve Client IP"?
________________________________________________________
--- NSE 4 ---
________________________________________________________
"Preserve Client IP" is only available for HTTP/HTTPS load balancing.
Preserve Client IP: Select to preserve the IP address of the client in the X-Forwarded-For HTTP header. This can be useful if you want log messages on the real servers to show the client's original IP address. If this option is not selected, the header will contain the IP address of the FortiGate unit. This option appears only if HTTP or HTTPS are selected for Type, and is available only if HTTP Multiplexing is selected.
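Since the transport source address is lost behind the VIP's SNAT, the only identity left for the syslog servers to use is the HOSTNAME field the sending device writes into the syslog header itself. Added example (not from this thread or from Fortinet): a small Python parser for RFC 3164 and RFC 5424 headers that recovers the originating device when a datagram arrives from the FortiGate's SNAT address (10.10.20.1 as given in the thread), and flags messages whose header carries no usable hostname. The datagrams and device names are constructed.

```python
import re
from collections import Counter

# Address the FortiGate presents to the real servers after SNAT (from the thread).
LB_SNAT_ADDR = "10.10.20.1"

# RFC 3164: "<PRI>Mmm dd hh:mm:ss HOSTNAME TAG: message"
RFC3164 = re.compile(
    r"^<(\d{1,3})>([A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)
# RFC 5424: "<PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID ..."
RFC5424 = re.compile(
    r"^<(\d{1,3})>(\d{1,2}) (\S+) (\S+) (\S+) (\S+) (\S+) (.*)$", re.S)


def origin_of(src_ip: str, payload: str) -> dict:
    """Best available identity of the device that emitted the datagram.

    If the UDP source is the load balancer's SNAT address, the packet tells us
    nothing about the device, so fall back to the HOSTNAME in the syslog header.
    A NIL hostname ("-") or an unparseable header yields "unknown"."""
    fmt, hostname = None, None
    m = RFC5424.match(payload)
    if m:
        fmt, hostname = "rfc5424", m.group(4)
    else:
        m = RFC3164.match(payload)
        if m:
            fmt, hostname = "rfc3164", m.group(3)
    if hostname == "-":
        hostname = None
    natted = src_ip == LB_SNAT_ADDR
    return {
        "format": fmt,
        "transport_src": src_ip,
        "snat_hidden": natted,
        "header_host": hostname,
        "device": (hostname or "unknown") if natted else src_ip,
    }


# Constructed sample datagrams as the real servers 10.10.10.2/.3 would see them.
SAMPLE = [
    ("10.10.20.1", "<34>Oct 11 22:14:15 sw-core-01 sshd[1234]: Accepted publickey for admin"),
    ("10.10.20.1", "<165>1 2024-05-01T12:00:00Z rtr-edge-02 ospf 812 ID47 - adjacency down"),
    ("10.10.20.1", "<13>garbage without a header"),
    ("10.10.20.7", "<34>Oct 11 22:14:16 sw-core-01 kernel: link up"),
]


def device_counts(datagrams):
    """Per-device message counts, keyed by the recovered identity."""
    return Counter(origin_of(src, payload)["device"] for src, payload in datagrams)
```

Devices that send a NIL or wrong hostname end up in the "unknown" bucket, so a count there is the signal that the header-based fallback is not enough for that sender.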
Good to know, I did not know that. "Normal" load balancers, like F5, will preserve the client IP no matter what load balancing is used. Thanks for sharing.
________________________________________________________
--- NSE 4 ---
________________________________________________________
This appears to still be a limitation with 6.2.8. If I do a whole-IP load balance it appears to work, but port forwarding UDP keeps the IP of the ingress interface. The only problem with that is now I have to do port forwarding/masquerade on the servers to do any type of port translation.
Up, because there is no answer.