Hi all,
Our FortiAnalyzer at our main office gets logs and syslogs from both the main office and by IPsec VPN from a second location, which has its own FortiGate. We're also sending syslogs to a secondary syslog server at the main office location. Logs and syslogs may also come from a remote travelling office setup (IPsec from portable firewall and AP), and from dialup SSL VPN FortiClient users.
To collect more syslog data from two additional distinct subnets (old/insecure devices) at our second location I just added two separate phase 2's back to the FAZ at the main office. Then I decided that was silly, especially since there's at least one more subnet that needs to send syslog data over the VPN tunnel.
Suggestions on a better way to do this, taking into account that I can't merge the subnets or have an all-encompassing phase-2?
My thoughts were:
[ul]Any pointers appreciated.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
I played with this a bit to see what options might work for SNAT'd syslog over (route-based) IPsec VPN from multiple subnets.
I can have a single overloaded IP Pool with a single IP in the second location's logging subnet. One or more security policies from the reporting subnets going to the phase1 that contains the single phase2 that handles local-logging --> remote-logging set to NAT with that IP Pool works, kind of. However, the FAZ considers an IP as signifying a single device so it groups all the reporting devices as a single device and even sets the raw log's devname and device_id fields to be the same for logs from different devices. Yuck.
A one-to-one ip pool for each of the reporting devices gives me a unique IP for each. Doing it with multiple IP Pools means lots of separate security policies and IP Pools, but it works.
I can create a VIP for each of these mappings and use it for SNAT over VPN. In that case I have to set nat-source-vip enable on each VIP. I don't have to change outbound policies. However, to make the SNAT work "automatically" I need to put in a dummy inbound rule with the destination address being the VIP for every single VIP. At least I can include multiple VIPs as dstaddr for a single inbound rule for each destination intf.
Anybody have a suggestion for a simpler SNAT 1-to-1 mapping over VPN tunnel?
I'm only interested in outbound SNAT for SYSLOG.
It sounds like you are terminating the IPSec on FortiAnalyzer. Support for IPSec on FortiAnalyzer has been discotinued for some time. Instead by default in more recent FortiOS, logs are sent over TCP (reliable) and encrypted (SSL).
What version of FortiAnalyzer firmware are your running?
I'm not terminating the IPsec on the FortiAnalyzer at our main office. The IPsec is just between the FortiGates at our main office and second location. I'm already getting all the FortiOS logs from both FortiGates at the FortiAnalyzer.
I'm running FAZ 5.4.4. What I'm asking about isn't really about the FortiAnalyzer per se, it's about using SNAT or multiple phase2s to get syslog traffic from the remote site over IPsec. The FortiGates are handling the IPsec. The FortiAnalyzer is just where the syslogs go in the end.
What I've listed above is 4 different ways to do this, all of which seem overly complex or expensive. (I guess central nat could be a fifth way, but then I'd lose the automatic SNAT from security policies.)
What I'm asking is if anybody can suggest a better way, or explain to me why one of the methods outlined might be better than the others to use for this.
EDIT: For now I'm using multiple IP Pools with fixed port range for one-to-one mapping so multiple can be used in a single security policy. This seems the simplest method. But still interested in peoples' opinions on this.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1732 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.