Send logs to FortiAnalyzer from a VDOM except itself and the management
Hi,
This is the scenario
A VDOM named Mycompany is the main traffic VDOM
A VDOM named MGMTFGD is responsible for connecting to FortiGuard (it's marked as the management VDOM)
A VDOM named OOB is going to be used for admin interaction and also for sending logs to FortiAnalyzer
The Global VDOM is also present
I want the logs of all the VDOMs (especially MGMTFGD and Mycompany) to be sent to FortiAnalyzer, which is reachable via the OOB VDOM
When configuring FAZ-Override settings in Mycompany VDOM, I just have two options:
1- Sending logs through the VDOM itself
2- Sending logs through the management VDOM which is MGMTFGD
In the command line, I cannot find any command to tell the firewall to send logs through neither itself nor the management VDOM (here MGMTFGD), but through a third VDOM, which is OOB
And for security reasons I'm not going to change (switch management) the FortiGuard VDOM to OOB.
Hope it's all clear
Regards,
We can use inter-VDOM links - https://docs.fortinet.com/document/fortigate/6.2.13/cookbook/335646/inter-vdom-routing
For example, create a VDOM link between MGMTFGD and OOB and then add a route on MGMTFGD towards FortiAnalyzer pointing to the VDOM link towards OOB. The same needs to be done for the other VDOMs as well.
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
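The inter-VDOM link approach from the reply above, sketched as FortiOS CLI for the MGMTFGD-to-OOB leg, with the OOB policy limited to TCP/514 (FortiGate-to-FortiAnalyzer logging) toward the FortiAnalyzer only. This is an added example, not configuration posted in the thread; the link name `fazlink`, the 10.255.255.0/30 addressing, the FortiAnalyzer address 192.0.2.10 and the OOB interface `port3` are assumed placeholder values.

```fortios
# Assumed placeholders: fazlink, 10.255.255.0/30, FAZ 192.0.2.10, port3
config global
    config system vdom-link
        edit "fazlink"
        next
    end
    config system interface
        edit "fazlink0"
            set vdom "MGMTFGD"
            set ip 10.255.255.1 255.255.255.252
        next
        edit "fazlink1"
            set vdom "OOB"
            set ip 10.255.255.2 255.255.255.252
        next
    end
end
config vdom
    edit MGMTFGD
        config router static
            edit 0
                set dst 192.0.2.10 255.255.255.255
                set device "fazlink0"
            next
        end
end
config vdom
    edit OOB
        config firewall address
            edit "FAZ"
                set subnet 192.0.2.10 255.255.255.255
            next
        end
        config firewall service custom
            edit "FAZ-log"
                set tcp-portrange 514
            next
        end
        config firewall policy
            edit 0
                set srcintf "fazlink1"
                set dstintf "port3"
                set srcaddr "all"
                set dstaddr "FAZ"
                set service "FAZ-log"
                set schedule "always"
                set action accept
            next
        end
end
```

The FortiAnalyzer needs a return route to 10.255.255.0/30 via OOB (or NAT on the OOB policy), and the same link, host route and policy are repeated for each other VDOM that should log this way.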
Created on ‎03-21-2023 01:21 AM Edited on ‎03-21-2023 01:23 AM
Hi,
You're totally right, but isn't there an easier way of accomplishing this? This needs inter-VDOM links, routing definitions and opening a path from the secure FortiGuard VDOM to the internal management OOB interface, which in turn brings some security considerations.
I mean, an option or command to define in config log fortianalyzer settings just to say:
set vdom OOB
If not, do you think this can be put as a feature request?
Regards,
This is how I see it.
The idea of VDOM is to separate one FW into multiple logical firewalls. Let's say VDOM1 is for customer 1 and VDOM2 is for customer 2; ideally customer 1 won't be using customer 2's setup to send their logs. If they still wanna do it, they can create a connection between them (physical links or the vlinks).
Feel free to share your thoughts.
Suraj
Created on ‎03-21-2023 04:20 AM Edited on ‎03-21-2023 04:22 AM
Hmm...
I have always looked at the concept of VDOMs for another goal too, and that is separating some routes, traffic and policies within a big organization.
Anyway, I think adding a simple set vdom command for FAZ logs would not be a bad idea.
For now, I'll go with the inter-VDOM link to do the job.
Regards,
