When I check FortiAnalyzer router events, I can see lots of "BGP neighbor status changed" events saying that my neighbors were down in, for example, the last 4 hours. But when I do "get router info bgp neighbors" on the FortiGate, I can see that my neighbors have been up for 11 hours or so. Is there any explanation for this?
Well, FortiAnalyzer just reads the logs from your firewall; it does not magically create a log ;)
Let's try this:
1st, clear any filters on the said device via the CLI:
execute log filter reset
Now set a filter for the following message:
execute log filter field logdesc "BGP neighbor status changed"
execute log filter category 1
And now display all logs:
execute log display
Do you see any log messages? What time? What neighbor? etc.... Also make sure your FGT clock is correct:
get system status
Ken Felix
PCNSE
NSE
StrongSwan
Thanks for this.
When I do 'execute log display' it only displays logs for the last 30 minutes or so, but on FortiAnalyzer I see logs for the last 4 hours and I see BGP status changes; I can't see them on the firewall.
Then something is wrong, but you're probably reading from memory.
Do the following from the CLI:
execute log filter device ?
You should see output similar to this:
FGTWPBHFLA # execute log filter device
Available devices:
0: memory
1: fortianalyzer
2: fortianalyzer-cloud
3: forticloud
If you select #1 (or whatever it is on your device) and repeat the earlier commands, you will read the logs from the FAZ. But back to your logs and the BGP status: can you export the logs from the FAZ and confirm the neighbor and devid (just thinking out loud)? The logs had to be sent to the FAZ from the device.
The "get router info bgp summary" will show you how long the peer has been established, and you can go backwards to find the time range for the corresponding logs.
Or
FGTWPBHFLA # get router info bgp neighbors | grep Est
BGP state = Established, up for 10:56:18
NOTE: the remote BGP peer was rebooted 10+ hours ago in the above example
Ken Felix
PCNSE
NSE
StrongSwan
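The check the two replies above describe (work backwards from "up for HH:MM:SS" to when the session was established, then see whether each logged "BGP neighbor status changed" event, and its devid, fits that session) can be scripted once the CLI output and the exported logs are pasted into a file. The following is an added example and not code from the original thread or from Fortinet; the neighbor output, the key=value log lines, the device IDs and the message text are constructed for the example, and the uptime parser assumes the HH:MM:SS form shown in the thread.

```python
"""Correlate a FortiGate's BGP session uptime with logged
"BGP neighbor status changed" events.

Idea from the thread: established_at = now - "up for" uptime. Any state
change logged for that peer *after* established_at cannot belong to the
session the box is currently showing, so it points at a clock problem or
at logs that came from another device (check devid)."""
import re
from datetime import datetime, timedelta

# Constructed sample of "get router info bgp neighbors" output for two peers.
NEIGHBOR_OUTPUT = """\
BGP neighbor is 10.0.0.2, remote AS 65002, local AS 65001, external link
  BGP state = Established, up for 10:56:18
BGP neighbor is 10.0.0.3, remote AS 65003, local AS 65001, external link
  BGP state = Established, up for 00:40:00
"""

# Constructed FortiOS-style key=value event logs, as an "execute log display"
# or a FortiAnalyzer export would show them. Field names (date, time, devid,
# logdesc, msg) are real FortiOS fields; the devids and msg text are made up.
LOG_LINES = """\
date=2024-05-01 time=00:58:10 devname="FGT-A" devid="FGT-A-ID" type="event" subtype="router" level="warning" logdesc="BGP neighbor status changed" msg="BGP: neighbor 10.0.0.2 Down"
date=2024-05-01 time=01:03:42 devname="FGT-A" devid="FGT-A-ID" type="event" subtype="router" level="notice" logdesc="BGP neighbor status changed" msg="BGP: neighbor 10.0.0.2 Up"
date=2024-05-01 time=09:30:00 devname="FGT-A" devid="FGT-A-ID" type="event" subtype="router" level="warning" logdesc="BGP neighbor status changed" msg="BGP: neighbor 10.0.0.2 Down"
date=2024-05-01 time=11:20:00 devname="FGT-B" devid="FGT-B-ID" type="event" subtype="router" level="notice" logdesc="BGP neighbor status changed" msg="BGP: neighbor 10.0.0.3 Up"
date=2024-05-01 time=11:21:00 devname="FGT-A" devid="FGT-A-ID" type="event" subtype="system" level="notice" logdesc="Admin login successful" msg="Administrator admin logged in"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PEER_RE = re.compile(r"BGP neighbor is ([^,\s]+)")
UPTIME_RE = re.compile(r"BGP state = Established, up for (\d+):(\d{2}):(\d{2})")
MSG_RE = re.compile(r"neighbor (\d+\.\d+\.\d+\.\d+) (\w+)")


def parse_sessions(text, now):
    """Return {peer_ip: established_at} for every Established peer.

    `now` is the FortiGate clock at the time the command was run, which is
    why the thread says to verify it with "get system status" first."""
    sessions, peer = {}, None
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if m:
            peer = m.group(1)
            continue
        m = UPTIME_RE.search(line)
        if m and peer:
            h, mnt, s = (int(x) for x in m.groups())
            sessions[peer] = now - timedelta(hours=h, minutes=mnt, seconds=s)
    return sessions


def parse_log(line):
    """Split one FortiOS key=value log line into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def bgp_events(text):
    """Keep only 'BGP neighbor status changed' records, with peer and new state."""
    events = []
    for line in text.splitlines():
        rec = parse_log(line)
        if rec.get("logdesc") != "BGP neighbor status changed":
            continue
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        m = MSG_RE.search(rec.get("msg", ""))
        events.append({"ts": ts, "devid": rec.get("devid"),
                       "peer": m.group(1) if m else None,
                       "state": m.group(2) if m else None})
    return events


def correlate(events, sessions, devid):
    """Tag each event: consistent (before/at session start), inconsistent
    (after session start while the session is still up), other-device
    (different devid, so not this box's log) or unknown-peer."""
    out = []
    for e in events:
        if e["devid"] != devid:
            verdict = "other-device"
        elif e["peer"] not in sessions:
            verdict = "unknown-peer"
        elif e["ts"] <= sessions[e["peer"]]:
            verdict = "consistent"
        else:
            verdict = "inconsistent"
        out.append((e["ts"], e["devid"], e["peer"], e["state"], verdict))
    return out


if __name__ == "__main__":
    now = datetime(2024, 5, 1, 12, 0, 0)  # constructed "get system status" clock
    sessions = parse_sessions(NEIGHBOR_OUTPUT, now)
    for row in correlate(bgp_events(LOG_LINES), sessions, "FGT-A-ID"):
        print(*row)
```

Run against a real export, the "inconsistent" rows are the ones to chase: either the FortiGate clock was wrong when those logs were written (the timestamps are the device's, not the FAZ's), or the session has in fact flapped and the uptime you read is from a later re-establishment than you think. The "other-device" rows answer the devid question from the thread directly.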
Copyright 2024 Fortinet, Inc. All Rights Reserved.