Sanktus
New Contributor

Azure Fortigate A/A with LBA front and back communication to Fortianalyzer

Setup: 2x PAYGO Fortigate in Azure.
Front LBA and Back LBA from Azure.
Fortianalyzer VM in a VNET Behind the Back LBA.

Problem: I'm not able to communicate with the Analyzer, i.e. 192.168.1.100.
The Fortis have the addresses 192.168.10.69 and 192.168.10.70.
The LBA backend IP is 192.168.10.68.
The VNET of all of them is 192.168.0.0/16.

The route tables point to 192.168.10.69 on the VNet and subnets.

If I do a debug on the Forti I can see that SYSLOG sessions are incoming on 192.168.10.69 for the Forti 192.168.10.70, and they are not sent through the IPsec autoscale tunnel and will be dropped.

I have a FortiGate connected to the FortiAnalyzer through an Azure VPN Gateway, so the FortiAnalyzer is basically working.

Any suggestions?

Your help is appreciated.

1 Solution
Sanktus
New Contributor

Hi all,
Thanks for your interest and all your replies.
I had / have a wild ride with this setup ATM.

There were some challenges with the A/A configuration.
But in that specific case the solution applies to all configurations: Standalone, A/P, A/A.

The solution was to set an IP on the site-to-site VPN interface (the virtual one, not the NIC).
This is required on both sites. Then you have to add these IPs in the routing and, if required, in the phase 2 selectors of the VPN.
Here is the solution link: Re: Azure Fortigate A/A with LBA front and back communication to Fortianalyzer

Thanks again for your help!


4 REPLIES
Anthony_E
Community Manager

Hello Sanktus,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Anthony-Fortinet Community Team.
Anthony_E
Community Manager

Hello Sanktus,

We are still looking for someone to help you.

We will come back to you ASAP.


Regards,

Anthony-Fortinet Community Team.
Debbie_FTNT
Staff

Hey Sanktus,

I'm a little confused by your description (but I'm not terribly familiar with Azure environments and what components they consist of), but in general:

- if there is an IPSec VPN involved, ensure you have a source IP set in the FortiAnalyzer logging settings on FortiGate

config log fortianalyzer setting
    set source-ip <x.x.x.x>
end

<--- this should be an interface IP on the FortiGate; the connection to Analyzer would still be routed out of the appropriate interface based on routing table

- ensure that the configured source IP and the FortiAnalyzer destination IP match into the IPSec P2 selectors

- ensure FortiAnalyzer has a route back to the source IP

- check if you can ping FortiAnalyzer from the FortiGates in question

-> treat it as a network issue; where does the traffic originate, what interface/route should it take, does it make it, where does it get dropped, etc.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
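As an added example (not from the thread or from Fortinet), the FortiGate-side FortiOS CLI that ties together Debbie's checklist and Sanktus's fix: an IP on the virtual tunnel interface, phase 2 selectors covering that IP and the FortiAnalyzer, a route into the tunnel, and the FortiAnalyzer source IP. It assumes a route-based phase 1 named "to-faz-site" already exists; the tunnel IPs 10.255.255.1/10.255.255.2 are placeholders, while 192.168.1.100 is the FortiAnalyzer address from the thread.

```fortios
# Added example, not the thread's own config. Assumed: phase1-interface
# "to-faz-site" already exists; tunnel IPs 10.255.255.1 (local) and
# 10.255.255.2 (peer) are placeholders. 192.168.1.100 is the FortiAnalyzer.

# Give the virtual tunnel interface its own IP (the fix from the thread);
# remote-ip is the address configured on the peer's tunnel interface.
config system interface
    edit "to-faz-site"
        set ip 10.255.255.1 255.255.255.255
        set remote-ip 10.255.255.2 255.255.255.255
    next
end

# Phase 2 selectors must cover the logging source IP and the FortiAnalyzer.
config vpn ipsec phase2-interface
    edit "to-faz-site-p2"
        set phase1name "to-faz-site"
        set src-subnet 10.255.255.1 255.255.255.255
        set dst-subnet 192.168.1.100 255.255.255.255
    next
end

# Route the FortiAnalyzer address into the tunnel (edit 0 creates a new entry).
config router static
    edit 0
        set dst 192.168.1.100 255.255.255.255
        set device "to-faz-site"
    next
end

# Source logging from the tunnel interface IP so it matches the selectors.
config log fortianalyzer setting
    set status enable
    set server "192.168.1.100"
    set source-ip 10.255.255.1
end

# The far side needs the mirror image (tunnel IP, selectors, and a route back
# to 10.255.255.1); verify with "execute ping-options source 10.255.255.1"
# followed by "execute ping 192.168.1.100" before expecting logs to arrive.
```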
