Debbie_FTNT
Staff
Article Id 197189

Description

 

This article describes how to specify an HA-mgmt interface for logging when ha-direct is enabled in a FortiGate cluster.

Reserved HA Management interface configuration.

 

Scope

 

FortiGate in HA.


Solution


This article explains how to configure a FortiGate cluster to send logs to FortiAnalyzer (or another logging device) when ha-direct is enabled, while keeping the logging traffic out of the management network.

 

Which interface the logs leave from is determined by the configuration below:

Setup:

 

FortiGate cluster with ha-mgmt interfaces configured and ha-direct enabled:

 

config system ha
    set group-name "HA-test"
    set mode a-p
    set password ENC
    set hbdev "port3" 0
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port2"
            set gateway 10.5.63.254
        next
    end
    set override disable
    set ha-direct enable
end

 

Logging to FortiAnalyzer enabled:

 

config log fortianalyzer setting
    set status enable
    set server "10.0.12.89"
end

 

With this configuration, FortiGate sends the logs out of port2 by default: because ha-direct is enabled, each FortiGate in the cluster sends its own logs through the ha-mgmt-interface instead of through the routing table, and port2 is the only reserved management interface with a gateway.
To send the logs out of a different interface, two steps are needed:

 

  • The desired interface needs to be added as a second ha-mgmt-interface.
  • A route towards FortiAnalyzer needs to be added to the ha-mgmt-interface configuration.

 

config system interface
    edit port4
        set ip 10.0.0.1 255.255.255.0
    next
end

config system ha
    config ha-mgmt-interfaces
        edit 2
            set interface port4
            set gateway 10.0.0.254
            set dst 10.0.12.89 255.255.255.255
        next
    end
end

 

Check on each cluster node that the second interface has been added to ha-mgmt-interfaces and that dst points at the FortiAnalyzer address; the IP address of a reserved management interface is not synchronized between cluster members, so each node needs its own address on port4. Once this is done, FortiGate uses the second ha-mgmt-interface (port4) to send logs, which the sniffer confirms (FortiAnalyzer log traffic uses TCP port 514):

 

diag sniff packet any 'host 10.0.12.89 and port 514' 4
port4 out 10.0.0.1.15530 -> 10.0.12.89.514: syn 694192021
port4 in 10.0.12.89.514 -> 10.0.0.1.15530: syn 3337122392 ack 694192022
port4 out 10.0.0.1.15530 -> 10.0.12.89.514: ack 3337122393
port4 out 10.0.0.1.15530 -> 10.0.12.89.514: psh 694192022 ack 3337122393
port4 in 10.0.12.89.514 -> 10.0.0.1.15530: ack 694192298
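Before touching the cluster, the same check can be done offline against the saved configuration of each node. The script below is an added example (not part of this article or of FortiOS): it parses FortiOS "config / edit / set / next / end" text and reports which reserved management interface will carry traffic to the configured FortiAnalyzer server. It encodes the behaviour described above as an assumption: with ha-direct enabled, an ha-mgmt-interface whose dst covers the server wins (longest prefix), otherwise the lowest-numbered entry with a gateway and no dst is used. The two configs embedded in it are constructed to mirror the before and after state shown in this article.

```python
"""Audit which HA-mgmt interface carries FortiAnalyzer traffic under ha-direct.

Added example, not FortiOS code.  The selection rule (dst match first, else
lowest-numbered ha-mgmt-interface with a gateway and no dst) is an
assumption taken from the article, not a documented FortiOS algorithm.
"""
import ipaddress
import shlex


def parse_fortios(text):
    """Parse FortiOS CLI text into nested dicts.

    'config a b' becomes key 'a b', 'edit K' becomes key 'K', and
    'set K V...' stores the value tokens as a list.  Sufficient for
    'show' output; 'unset' and other commands are ignored.
    """
    root, stack, node = {}, [], {}
    node = root
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        cmd, args = tokens[0], tokens[1:]
        if cmd in ("config", "edit"):
            key = " ".join(args) if cmd == "config" else args[0]
            stack.append(node)
            node = node.setdefault(key, {})
        elif cmd == "set":
            node[args[0]] = args[1:]
        elif cmd in ("next", "end"):
            node = stack.pop()
    return root


def faz_egress(cfg):
    """Return (interface, reason) for traffic to the FortiAnalyzer server."""
    ha = cfg.get("system ha", {})
    faz = cfg.get("log fortianalyzer setting", {})
    if faz.get("status", ["disable"])[0] != "enable" or "server" not in faz:
        return None, "FortiAnalyzer logging not enabled"
    server = ipaddress.ip_address(faz["server"][0])
    if ha.get("ha-direct", ["disable"])[0] != "enable":
        return None, "ha-direct disabled: routing table decides"
    if ha.get("ha-mgmt-status", ["disable"])[0] != "enable":
        return None, "ha-mgmt-status disabled"
    best, default = None, None  # best = (prefixlen, interface)
    entries = ha.get("ha-mgmt-interfaces", {}).items()
    for _idx, entry in sorted(entries, key=lambda kv: int(kv[0])):
        iface = entry.get("interface", [None])[0]
        if iface is None:
            continue
        if "dst" in entry:
            # 'set dst 10.0.12.89 255.255.255.255' -> "10.0.12.89/255.255.255.255"
            net = ipaddress.ip_network("/".join(entry["dst"]), strict=False)
            if server in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, iface)
        elif default is None and "gateway" in entry:
            default = iface
    if best:
        return best[1], "dst route on ha-mgmt-interface matches server"
    if default:
        return default, "no dst matched: first ha-mgmt-interface with a gateway"
    return None, "no usable ha-mgmt-interface"


# Constructed sample configs mirroring the article's before/after state.
BEFORE = """
config system ha
    set group-name "HA-test"
    set mode a-p
    set hbdev "port3" 0
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port2"
            set gateway 10.5.63.254
        next
    end
    set override disable
    set ha-direct enable
end
config log fortianalyzer setting
    set status enable
    set server "10.0.12.89"
end
"""

AFTER = BEFORE.replace(
    "        next\n    end\n    set override",
    "        next\n        edit 2\n            set interface port4\n"
    "            set gateway 10.0.0.254\n"
    "            set dst 10.0.12.89 255.255.255.255\n        next\n    end\n"
    "    set override",
)

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, faz_egress(parse_fortios(text)))
```

Run it against the output of `show system ha` and `show log fortianalyzer setting` from every cluster member: a node that still reports port2 is one where the second ha-mgmt-interface or its dst is missing, which is exactly what the sniffer on the wrong interface would show later.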

 

Related article:

Technical Tip: Sending messages (logs, SNMP, RADIUS) directly from the HA management interface.