delcampo
New Contributor

Virtual clusters and syslogs

Dear All,

Suppose we have two FGs in a-p HA with virtual clusters enabled. Each firewall is master for some VDOMs and standby for the others. If the global syslog settings are configured, which VDOM/IP/interface will send the syslog messages for each VDOM? Does each firewall send the syslogs for the VDOMs it is master of, or does the firewall that is master for the administrative VDOM send all the syslogs?

What happens if the administrative interface is reserved and hence not part of HA?

Thank you for your help.

Yours,

David

emnoc
Esteemed Contributor III

For #1: In a vcluster1+2 setup, the management address of the cluster is what sends the syslog; this will be vd "root" unless you change it. In the cfg you can define that address if required, i.e. use a loopback.

e.g.

config log syslogd setting
    set status enable
    set source-ip 1.1.1.1
    set server 10.0.0.1
end

For #2 and the rest, you can set syslog per-VDOM if required by using the override and setting the src-ip and the destination syslog server.

e.g.

config log syslogd override-setting
    set override enable
    set status enable
    set source-ip 192.0.2.1   <address in that vdom>
    set server 10.0.0.1       <syslog target>
end

And if it's not obvious, in a cluster with override the "ACTIVE" unit generates the log. Basically wherever the RIB is located for that VDOM is what generates the syslog, whether the src-ip is defined or not.

I hope that helps.

PCNSE
NSE
StrongSwan
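As an added verification example (not from this thread or from Fortinet): a small Python script that takes syslog records as a collector received them, tabulates which unit and source IP actually emitted each VDOM's logs, and flags any record that deviates from what the global setting and the per-VDOM override above are expected to produce. The log lines, device names and the unit/VDOM roles are constructed; devname, devid and vd are the standard FortiOS log field names.

```python
import re
from collections import defaultdict

# Constructed sample input: (sender IP as seen by the collector, raw FortiGate syslog body).
# devname/devid/vd are the standard FortiOS log keys; the values are made up and reuse the
# addresses from the reply above (1.1.1.1 = global source-ip, 192.0.2.1 = per-VDOM override).
SAMPLE = [
    ("1.1.1.1", 'date=2024-01-10 time=10:00:01 devname="FGT-A" devid="FGVMEXAMPLE0001" '
                'type="event" subtype="system" level="notice" vd="root" msg="Admin login successful"'),
    ("192.0.2.1", 'date=2024-01-10 time=10:00:02 devname="FGT-B" devid="FGVMEXAMPLE0002" '
                  'type="traffic" subtype="forward" level="notice" vd="vdom-blue" action="accept"'),
    ("192.0.2.1", 'date=2024-01-10 time=10:00:03 devname="FGT-B" devid="FGVMEXAMPLE0002" '
                  'type="traffic" subtype="forward" level="notice" vd="vdom-blue" action="deny"'),
    # Deviation to catch: a vdom-blue log emitted by unit A via the global source address.
    ("1.1.1.1", 'date=2024-01-10 time=10:00:04 devname="FGT-A" devid="FGVMEXAMPLE0001" '
                'type="event" subtype="system" level="notice" vd="vdom-blue" msg="Interface up"'),
]

# key=value pairs: the value is either a double-quoted string (may contain spaces) or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line):
    """Parse one FortiOS key=value log line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, val in KV_RE.findall(line):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        fields[key] = val
    return fields


def source_map(records):
    """Per VDOM, count which (sender IP, devname) pairs actually emitted its logs."""
    counts = defaultdict(lambda: defaultdict(int))
    for sender, line in records:
        f = parse_fortigate_log(line)
        counts[f.get("vd", "?")][(sender, f.get("devname", "?"))] += 1
    return {vd: dict(pairs) for vd, pairs in counts.items()}


def check_expectations(records, expected):
    """expected maps vd -> (sender IP, devname) you configured; return every pair that deviates."""
    deviations = []
    for vd, pairs in source_map(records).items():
        for pair in pairs:
            if vd in expected and pair != expected[vd]:
                deviations.append((vd, pair))
    return sorted(deviations)
```

A deviation either means the override was not applied in that VDOM or that the VDOM's active unit moved, so it is worth checking after every failover test.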

delcampo
New Contributor

Dear emnoc,

Thank you for your help.

emnoc wrote:
For #1: In a vcluster1+2 setup, the management address of the cluster is what sends the syslog; this will be vd "root" unless you change it.

If that is so, then how do the syslog messages from the VDOMs on the unit without the management address reach the unit with the management address? Through the HA heartbeat links?

emnoc wrote:
For #2 and the rest, you can set syslog per-VDOM if required by using the override and setting the src-ip and the destination syslog server.

But if I do not configure the syslogs per VDOM, which firewall sends them if the management interface is outside HA?

emnoc wrote:
And if it's not obvious, in a cluster with override the "ACTIVE" unit generates the log. Basically wherever the RIB is located for that VDOM is what generates the syslog, whether the src-ip is defined or not.

RIB?

Yours,

David

emnoc
Esteemed Contributor III

In a cluster the ACTIVE unit is always the one sending the logs, regardless of whether you're using syslog or FAZ.

On the last part, I don't quite understand "outside of HA"; if you're using a dedicated HA interface, the logs are still sent by the root-vd (or whatever you have set as management) and not per se from the management address by default.

FWIW if you try to source from a mgmt interface you will always get the

reference:

VISACHIIL01 (global) $ show sys interface mgmt
config system interface
    edit "mgmt"
        set ip 172.17.9.11 255.255.255.0
        set allowaccess ping https ssh snmp fgfm
        set type physical
        set dedicated-to management
        set description "MGMT LAN "
        set device-identification enable
        set lldp-transmission enable
        set listen-forticlient-connection enable
        set snmp-index 88
node_check_object fail! for source-ip 172.17.9.11

Ken

PCNSE
NSE
StrongSwan