I have purchased a Fortigate 40F that I have put at a small office.
I want to send syslogs to a Syslog Server with TCP. I managed to send syslog using UDP protocol, however when I switch to TCP protocol it stops working (with no error message).
The setup:
Config for syslogd settings:
config log syslogd setting
    set status enable
    set server "81.164.196.77"
    set mode reliable
    set facility syslog
end
Google Cloud Platform compute engine:
I have created a compute engine VM instance with Ubuntu 24.04.
I have tagged the compute engine with network tag "collector".
Google Cloud Platform firewall:
I have created a Firewall rule named "collector-allow-ingest" with
This rule applies to the compute engine "collector".
Log receiving software at Compute Engine Instance
The compute engine runs LimaCharlie Adapter (https://downloads.limacharlie.io/adapter/linux/64) to receive syslog.
I start it with the following:
chmod +x ./lc_adapter
./lc_adapter syslog client_options.identity.installation_key=a-b-c-d-e client_options.identity.oid=f-g-h-i-j client_options.platform=text client_options.hostname=fortigate-40f client_options.sensor_seed_key=fortigate-40f port=514 iface=0.0.0.0 is_udp=false
Please help me debug this issue
I am a bit lost on how to debug this issue. Especially since it works with UDP. I have the same setup for a Palo Alto PA-440 firewall, and that works fine with TCP.
Hi @solo1,
You can run the packet sniffer to see if the FortiGate is communicating with the syslog server:
diagnose sniffer packet any 'port 514' 6 0 l
Regards,
Thank you for the tip with packet sniffing. I did this and for me it looks like the firewall is sending communication on protocol RSH (?) to the server. The server sends ACK back on TCP?
I ran this command in Ubuntu:
sudo tcpdump -c 100 -w /opt/ladapter/514.pcap -i ens4 port 514
I downloaded the file from the server and opened it in Wireshark on my Windows computer:
Client > Server Data
<45>date=2024-06-27 time=10:40:57 devname="my-fortigate" devid="FGT40FTK2209B06Q" eventtime=1719477657419235659 tz="+0200" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" srcip=fe80::c13:848b:a999:17b srcport=5353 srcintf="wan" srcintfrole="wan" dstip=ff02::fb dstport=5353 dstintf="unknown-0" dstintfrole="undefined" replysrcintf="root" sessionid=31439361 proto=17 action="deny" policyid=0 policytype="local-in-policy6" service="udp/5353" trandisp="noop" app="udp/5353" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned" msg="Connection Failed"
514 > 31976 [ACK] Seq=1 Ack=1199 Win=1571 Len=0
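As an added example (not code from this thread, from Fortinet or from LimaCharlie), a small Python parser for the FortiGate message captured above. It checks that the PRI in "<45>" agrees with "set facility syslog" and with the level field, and it splits a TCP byte stream into messages, because over TCP, unlike UDP, there are no datagram boundaries and a receiver has to delimit messages itself. The facility and severity tables are the standard syslog ones; the TCP framing assumed is newline-delimited, and the sample line is the captured message trimmed to fewer fields.

```python
import re
from typing import Dict, List, Tuple

# Standard syslog facility/severity names. "set facility syslog" is facility 5 and
# level="notice" is severity 5, so PRI = 5*8 + 5 = 45, matching the captured "<45>".
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# FortiGate body is key=value pairs; values are double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
PRI_RE = re.compile(r'^<(\d{1,3})>(.*)$', re.S)

def parse_pri(pri: int) -> Tuple[str, str]:
    """Split a PRI value into (facility, severity); PRI = facility * 8 + severity."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]

def parse_fortigate(line: str) -> Dict[str, str]:
    """Parse one '<PRI>key=value ...' message into a dict, adding _facility/_severity."""
    m = PRI_RE.match(line.strip())
    if not m:
        raise ValueError("message lacks a <PRI> header")
    facility, severity = parse_pri(int(m.group(1)))
    fields = {k: quoted or bare for k, quoted, bare in KV_RE.findall(m.group(2))}
    fields["_facility"], fields["_severity"] = facility, severity
    return fields

def split_tcp_stream(buf: bytes) -> Tuple[List[str], bytes]:
    """TCP is a byte stream: split on LF (assumed non-transparent framing) and return
    the incomplete tail so the caller can prepend it to the next read."""
    *done, rest = buf.split(b"\n")
    return [d.decode("utf-8", "replace") for d in done if d], rest

# Message from the Wireshark capture above, trimmed to the fields used here.
SAMPLE = ('<45>date=2024-06-27 time=10:40:57 devname="my-fortigate" devid="FGT40FTK2209B06Q" '
          'level="notice" srcip=fe80::c13:848b:a999:17b srcport=5353 action="deny" '
          'policyid=0 service="udp/5353" msg="Connection Failed"')

def check_sample() -> bool:
    """True when the PRI agrees with the configured facility and the level field."""
    f = parse_fortigate(SAMPLE)
    return f["_facility"] == "syslog" and f["_severity"] == f["level"] == "notice"

if __name__ == "__main__":
    print(parse_fortigate(SAMPLE))
    print(split_tcp_stream(SAMPLE.encode() + b"\n<45>date=2024-06-27 partial"))
```

Feeding the adapter's listening port a few messages through this splitter is a quick way to confirm the FortiGate side is framing per line before blaming the collector.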
At first blush it looks like this is yet another case of the Fortinet maybe not picking the appropriate origin interface. Assuming you have a private network address assigned to an "internal" interface of your FTG, fix this by adding "set interface portn" to the config log syslogd setting stanza so that it will send using that interface and address.
Copyright 2024 Fortinet, Inc. All Rights Reserved.