karnack
New Contributor

Issue from loadbalancing server and source address

Hi Everyone,

 

I am trying to set up load balancing for syslog servers.

The load balancing itself works well, but the syslog server does not receive the addresses of the remote equipment: there is a NAT performed by the Forti, so we do not know which equipment the logs come from (I see the Forti address).

I thought of port forwarding to keep the source address, but then I would not be able to forward the logs to my server pool, only to a single server.

Do you know if there is a possibility to realize this load sharing while keeping the source addresses of the clients?

9 REPLIES
ericli_FTNT
Staff

karnack wrote:

Hi Everyone,

 

I am trying to set up load balancing for syslog servers.

The load balancing itself works well, but the syslog server does not receive the addresses of the remote equipment: there is a NAT performed by the Forti, so we do not know which equipment the logs come from (I see the Forti address).

I thought of port forwarding to keep the source address, but then I would not be able to forward the logs to my server pool, only to a single server.

Do you know if there is a possibility to realize this load sharing while keeping the source addresses of the clients?

Hi, can you provide an example of your issue?

emnoc
Esteemed Contributor III

What device is doing the SNAT? Can you eliminate the SNAT so the original SRC is presented in the syslog files?

PCNSE NSE StrongSwan
karnack
New Contributor

The SNAT is performed by the Forti, although I have no NAT rule configured for the network equipment. The Forti presents the address of the interface on which the flow arrives to my syslog servers, which is why all my syslog servers only see the address of the Forti.

karnack

My equipment is a Forti 1500D. Typically, my network equipment (10.10.20.x) sends syslog (UDP 514) to the configured syslog VIP (10.10.10.1); the real syslog servers, 10.10.10.2 and 10.10.10.3, receive the network logs fine, but NATted to the address of my Forti interface on the network-equipment side (10.10.20.1).

Markus
Valued Contributor

Have you tried enabling "Preserve Client IP"?


--- NSE 4 ---
karnack
New Contributor

"Preserve Client IP" is only available for HTTP/HTTPS load balancing.

 

Preserve Client IP: Select to preserve the IP address of the client in the X-Forwarded-For HTTP header. This can be useful if you want log messages on the real servers to record the client's original IP address. If this option is not selected, the header will contain the IP address of the FortiGate unit. This option appears only if HTTP or HTTPS is selected for Type, and is available only if HTTP Multiplexing is selected.

Markus
Valued Contributor

Good to know, I did not know that. "Normal" load balancers, like F5, will preserve the client IP no matter what load balancing is used. Thanks for sharing.


--- NSE 4 ---
aguerriero

This appears to still be a limitation in 6.2.8. If I do a whole-IP load balance it appears to work, but port forwarding UDP keeps the IP of the ingress interface. The only problem with that is that now I have to do port forwarding/masquerading on the servers to do any type of port translation.
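The setup karnack describes, and the whole-IP variant aguerriero mentions, written out as FortiOS CLI. This is an added example, not configuration posted in the thread or taken from Fortinet documentation; the VIP names, the policy ID and the interface names (port1 facing the 10.10.20.x equipment, port2 facing the 10.10.10.x servers) are assumptions, and the predefined "SYSLOG" service is assumed to match UDP 514. The first VIP is the UDP server-load-balance form karnack is running, which according to the thread delivers the logs with the FortiGate's 10.10.20.1 as source even though the policy does not enable NAT; the second is the whole-IP form that aguerriero reports as keeping the original client address, at the cost of doing no port translation on the FortiGate.

```text
# --- Form 1: UDP server-load-balance VIP (karnack's setup) ---
# Per the thread, the real servers see 10.10.20.1 as source with this form.
config firewall vip
    edit "syslog-lb-udp"                 # assumed name
        set type server-load-balance
        set server-type udp
        set ldb-method round-robin
        set extip 10.10.10.1
        set extintf "port1"              # assumed: interface facing 10.10.20.x
        set extport 514
        config realservers
            edit 1
                set ip 10.10.10.2
                set port 514
            next
            edit 2
                set ip 10.10.10.3
                set port 514
            next
        end
    next
end

# --- Form 2: whole-IP server-load-balance VIP (aguerriero's observation) ---
# No extport / realserver port here: the whole IP is balanced, so any port
# translation has to be done on the servers themselves.
config firewall vip
    edit "syslog-lb-ip"                  # assumed name
        set type server-load-balance
        set server-type ip
        set ldb-method round-robin
        set extip 10.10.10.1
        set extintf "port1"              # assumed
        config realservers
            edit 1
                set ip 10.10.10.2
            next
            edit 2
                set ip 10.10.10.3
            next
        end
    next
end

# Policy allowing the equipment to reach the VIP. NAT is disabled on the
# policy; swap dstaddr between the two VIP names to compare the source
# address the real servers record.
config firewall policy
    edit 10                              # assumed policy ID
        set name "equipment-to-syslog-vip"
        set srcintf "port1"              # assumed
        set dstintf "port2"              # assumed: interface facing the servers
        set srcaddr "all"
        set dstaddr "syslog-lb-udp"
        set action accept
        set schedule "always"
        set service "SYSLOG"
        set nat disable
    next
end
```

A quick check on either real server is to capture on the syslog port and compare the IP source against the originating device: with the UDP form the thread reports 10.10.20.1 in every packet, with the whole-IP form the 10.10.20.x address of the sender.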

karnack
New Contributor

Bumping, because there is no answer.
