Troubleshooter_73
New Contributor III

Don't get logs from Fortigate at IPSEC Remote Site

Hi to all,

 

I have a FAZ 400B with Firmware 5.0.10 at our central site deployed.

I capture logs from the Fortigate 60C at the same site successfully.

Now I have about 6 Remote Sites that are connected by IPSEC to my central site.

I configured the remote FGTs to log to the FAZ in the central site, using its private IP as target.

I added the devices in FAZ successfully, but I received no logs from Remote Sites.

 

Interesting: In one site I have a Fortimail 200D Cluster and I receive logs from this device,

but not from the Fortigates...

 

Log Settings Fortigates (all at Firmware Version 5.2.x):

-> Send Logs to FortiAnalyzer

-> IP is the private IP of the FAZ at the central site (i.e. 10.1.1.253)

-> Realtime

-> Untick "Encrypt Log Transmission"

-> Event Logging all

-> Local Traffic Logging All

-> Policies from the central site to the remote site and the reverse are fully open for testing purposes

-> I can ping the Fortigate from the FAZ successfully

-> but I can't ping the FAZ from the Fortigate, though I can from a system at the remote site (also interesting)

 

Any Ideas?



FCNSA 5, FCNSP 5, NSE 4

1 Solution
FortiAdam
Contributor II

I would suggest setting the source-ip option in the FortiAnalyzer config section of the CLI. I'm guessing what is happening is that your remote FortiGate is sending logs from a source IP that isn't allowed to go over your VPN.

 

config log fortianalyzer setting
    set source-ip x.x.x.x
end

 

Let us know if that helps!


Troubleshooter_73
New Contributor III

Great, that was the solution!

 

At the remote FortiGate unit:

config log fortianalyzer setting
    set source-ip <ip of remote fgt>
end

 

Thanks, you saved my day!

 



FCNSA 5, FCNSP 5, NSE 4

FortiAdam
Contributor II

You would make that change to the source-ip configuration on the remote FortiGate. I would suggest setting the source-ip to the local interface IP of your remote FortiGate. Optionally, you could create a loopback interface on your remote firewall to source the traffic from, but that could complicate things further as it might require additional routing and VPN re-config.

 

In the Phase-2 settings of your VPN, are you allowing any source or did you specify only certain hosts or networks?

 

You want the source-ip setting to coincide with what you have configured for your VPN.

 

EDIT: Looks like you got it figured out.  Glad I could help!
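As an added example (not code from this thread or from Fortinet), here is a small Python checker for the point FortiAdam makes about the source-ip having to coincide with the phase-2 selectors. It reads a constructed FortiOS 5.2-style config excerpt, pulls the FortiAnalyzer server and source-ip out of `config log fortianalyzer setting`, parses the `src-subnet`/`dst-subnet` of each `phase2-interface` entry, and reports which tunnels would actually carry the log flow. With no source-ip set, it assumes the FortiGate would use its egress (WAN) interface address, which is the failure mode described in the original post. All addresses, the tunnel name and the config text are made up for the example.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed FortiOS 5.2-style config excerpt (hypothetical values, not from the thread).
# The source-ip line is the fix from the thread: it sits inside the phase-2 src-subnet.
REMOTE_FGT_CONFIG = """\
config log fortianalyzer setting
    set status enable
    set server "10.1.1.253"
    set source-ip "192.168.20.1"
end
config vpn ipsec phase2-interface
    edit "to-central"
        set phase1name "to-central"
        set src-subnet 192.168.20.0 255.255.255.0
        set dst-subnet 10.1.1.0 255.255.255.0
    next
end
"""

ANY = ipaddress.IPv4Network("0.0.0.0/0")


def _unquote(token: str) -> str:
    return token.strip().strip('"')


def parse_faz_settings(config: str) -> Dict[str, Optional[str]]:
    """Return 'server' and 'source-ip' from the log fortianalyzer setting block."""
    result: Dict[str, Optional[str]] = {"server": None, "source-ip": None}
    in_block = False
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("config log fortianalyzer setting"):
            in_block = True
            continue
        if in_block and line == "end":
            break
        if in_block and line.startswith("set "):
            _, key, value = line.split(None, 2)
            if key in result:
                result[key] = _unquote(value)
    return result


def parse_phase2_selectors(
    config: str,
) -> List[Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Network]]:
    """Return (name, src-subnet, dst-subnet) for each phase2-interface entry.
    A selector that is not set is treated here as 0.0.0.0/0 (match anything)."""
    selectors = []
    in_block = False
    name = src = dst = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("config vpn ipsec phase2-interface"):
            in_block = True
            continue
        if not in_block:
            continue
        if line == "end":
            break
        if line.startswith("edit "):
            name, src, dst = _unquote(line[5:]), None, None
        elif line.startswith("set src-subnet ") or line.startswith("set dst-subnet "):
            _, key, ip, mask = line.split()
            net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
            if key == "src-subnet":
                src = net
            else:
                dst = net
        elif line == "next" and name is not None:
            selectors.append((name, src or ANY, dst or ANY))
            name = None
    return selectors


def tunnels_carrying_logs(config: str, egress_ip: str) -> List[str]:
    """Names of phase-2 selectors that match the log source -> FAZ flow.
    egress_ip is the address the FortiGate would use when source-ip is unset
    (assumed here to be the WAN interface, which an inside-only selector will not cover)."""
    faz = parse_faz_settings(config)
    if faz["server"] is None:
        return []
    src = ipaddress.IPv4Address(faz["source-ip"] or egress_ip)
    dst = ipaddress.IPv4Address(faz["server"])
    return [name for name, s, d in parse_phase2_selectors(config) if src in s and dst in d]


if __name__ == "__main__":
    wan_ip = "203.0.113.10"  # constructed WAN address of the remote FortiGate
    print("with source-ip:   ", tunnels_carrying_logs(REMOTE_FGT_CONFIG, wan_ip))
    without = REMOTE_FGT_CONFIG.replace('    set source-ip "192.168.20.1"\n', "")
    print("without source-ip:", tunnels_carrying_logs(without, wan_ip))
```

An empty list for the "without source-ip" case is the symptom in the original post: the FortiGate can reach the FAZ address, but sourced from its WAN interface the packets match no phase-2 selector and never enter the tunnel, while a host on the inside subnet (or the FortiMail, which sources from its own LAN address) matches and gets through.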