HI ALL,
I configured a site to site ipsec tunnel between two fortigates.
site A: 192.168.0.0/24 (fortigate is 192.168.0.1, and FortiAnalyzer is 192.168.0.2) and site B 192.168.1.0/24 (fortigate is 192.168.1.1).
Configured phase 2 presenting the two networks, created routes and firewall rules. Everything works fine. Clients from site B reach resources from site A and vice versa.
problem: the fortigate of site B does not reach the FortiAnalyzer present in site A (192.168.0.2) unless I create a source ip option in the fortigate of site B from cli:
FG70F-(setting) # show
config log fortianalyzer setting
set status enable
set server "192.168.0.1"
set serial "FAZ-VMTXXXXXXX"
set source-ip "192.168.1.1"
end
Same thing for the Fabric Connector
FG70F (csf) # show
config system csf
set status enable
set upstream "192.168.0.1"
set source-ip 192.168.1.1
set saml-configuration-sync local
end
Creating these two options the Forticonnecot and Analyzer work.
is this normal? did I do something wrong in the creation of the IPSEC?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi Hakab,
This is quite normal in situations where the Fortianalyzer LAYER 3 is not local to that device which in this case is FGT B. Since FGT B intends to forward the logs to the FAZ across the tunnel, the kernel will use the lowest index number. Since every interface has a kernel index number predefined(not SNMP-index number), by default FGT B will use the interface with the lowest index number to forward this and there are chances that the interface that is bound to the lowest index has nothing to do with the tunnel and hence connection was failing when it comes to forwarding logs. Hence, it's best to define the source-ip.
I hope this is clear.
Thanks,
In addition to Atuls note, source IP in Fortigate is very important for management traffic. Where traffic may traverse over the IPSec tunnel or via WAN interfaces. In the case of multiple wan interfaces interface selection/ source IP matters.
by defining the source IP, you are guiding fortigate to find the best path for the management traffic. The following articles are as a reference.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Source-IP-for-self-originating-IPsec-tunne....
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-control-change-the-FortiGate-source...
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1643 | |
1069 | |
751 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.