Dear All,
Suppose we have two FGs in a-p HA with virtual clusters enabled. Each firewall is master for some VDOMs and standby for the others. If the global syslog settings are configured, which VDOM/IP/interface will send the syslog messages for each VDOM? Each firewall sends the syslogs from the VDOMs it is master of, or the firewall which is master for the administrative VDOM will send all the syslogs?
What happens if the administrative interface is reserved and hence not part of HA?
Thank you for your help.
Yours,
David
For #1: In a vcluster1+2, the management address of the cluster is what sends the syslog; this will be vd-"root" unless you change it. In the cfg you can define that address if required, i.e. use a loopback.
e.g.
    config log syslogd setting
        set status enable
        set source-ip 1.1.1.1
        set server 10.0.0.1
    end
For #2 and the rest, you can set syslog per-VDOM if required by using the override and setting the src-ip and the destination syslog server.
e.g.
    config log syslogd override-setting
        set override enable
        set status enable
        set source-ip 192.0.2.1    <address in that vdom>
        set server 10.0.0.1        <syslog target>
    end
And if it's not obvious, in a cluster with override the "ACTIVE" unit generates the log. Basically, wherever the RIB is located for that vdom would generate the syslog, for the src-ip defined or not defined.
I hope that helps.
PCNSE
NSE
StrongSwan
Dear emnoc,
Thank you for your help.
emnoc wrote:
For #1: In a vcluster1+2, the management address of the cluster is what sends the syslog; this will be vd-"root" unless you change it.
If that is so, then how do the syslog messages reach from the VDOMs on the unit without the management address, to the unit with the management address? Through the HA heartbeat links?
emnoc wrote:
For #2 and the rest, you can set syslog per-VDOM if required by using the override and setting the src-ip and the destination syslog server.
But if I do not configure the syslogs per VDOM, which firewall sends them if the management interface is outside HA?
emnoc wrote:
And if it's not obvious, in a cluster with override the "ACTIVE" unit generates the log. Basically, wherever the RIB is located for that vdom would generate the syslog, for the src-ip defined or not defined.
RIB?
Yours,
David
In a cluster the ACTIVE unit is always sending logs to the device that sends the logs, regardless of whether you're using syslog or FAZ.
On the last part, I don't quite understand "outside of HA". If you're using a dedicated HA interface, the logs are still sent by the root-vd or whatever you have set as management, and not per se by the management address by default.
FWIW, if you try to source from a mgmt interface you will always get the
reference:
VISACHIIL01 (global) $ show sys interface mgmt
config system interface
edit "mgmt"
set ip 172.17.9.11 255.255.255.0
set allowaccess ping https ssh snmp fgfm
set type physical
set dedicated-to management
set description "MGMT LAN "
set device-identification enable
set lldp-transmission enable
set listen-forticlient-connection enable
set snmp-index 88
node_check_object fail! for source-ip 172.17.9.11
Ken
PCNSE
NSE
StrongSwan
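As an added example (my own check, not code from this thread or from Fortinet), a small Python script that reads a FortiOS-style config excerpt, records which syslog source-ip each scope uses (global, or a VDOM with override enabled), and flags any source-ip that sits on an interface marked dedicated-to management, which is the case that trips the node_check_object failure shown above. The config text is constructed for the example and the addresses are sample values.

```python
# Constructed FortiOS-style config (sample input, not the thread's device).
SAMPLE_CONFIG = """\
config system interface
    edit "mgmt"
        set ip 172.17.9.11 255.255.255.0
        set dedicated-to management
    next
end
config log syslogd setting
    set source-ip 172.17.9.11
    set server 10.0.0.1
end
config vdom
    edit vd-dmz
        config log syslogd override-setting
            set override enable
            set source-ip 192.0.2.1
        end
    next
end
"""

def check_syslog_sources(text):
    """scope ('global' or VDOM name) -> (source-ip, sits on dedicated mgmt interface)"""
    mgmt_ips, sources, stack, edit = set(), {}, [], []
    iface_ip, dedicated = None, False
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("config "):
            stack.append(line[7:])
        elif line.startswith("edit "):
            edit.append(line[5:].strip('"'))
            iface_ip, dedicated = None, False
        elif line == "next":
            if stack[-1] == "system interface" and dedicated and iface_ip:
                mgmt_ips.add(iface_ip)
            edit.pop()
        elif line == "end":
            stack.pop()
        elif line.startswith("set ") and stack:
            key, _, val = line[4:].partition(" ")
            if stack[-1] == "system interface":
                if key == "ip":
                    iface_ip = val.split()[0]   # drop the netmask
                elif key == "dedicated-to" and val == "management":
                    dedicated = True
            elif key == "source-ip" and stack[-1] == "log syslogd setting":
                sources["global"] = val
            elif key == "source-ip" and stack[-1] == "log syslogd override-setting":
                sources[edit[-1]] = val         # VDOM name from the enclosing 'edit'
    return {s: (ip, ip in mgmt_ips) for s, ip in sources.items()}
```

A True in the result means that scope's source-ip is on a dedicated management interface and would be rejected when committed, so logs from that scope would fall back to whatever source the unit picks by default.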