Description
This article describes how to send logs from a FortiGate unit located at one site to a FortiAnalyzer unit located at a different site, as shown in the diagram below:
Solution
The logs from the FortiGate-Side-PC-or-Server unit are sent to the FortiAnalyzer unit through the IPsec tunnel between the two sites.
However, in some cases the FortiGate-Side-PC-or-Server unit is unable to deliver its logs to the FortiAnalyzer unit at the other site. By default, a FortiGate sources its own (locally generated) traffic, including log traffic, from the IP address of the interface the traffic egresses through, typically the WAN interface. If that address is not covered by the IPsec phase 2 selectors, the log traffic is not placed in the tunnel, and the FortiGate-Side-FAZ firewall at the other site drops it.
To fix this, specify the source IP address that the FortiGate-Side-PC-or-Server unit uses when sending logs to the FortiAnalyzer unit at the other site. This is typically an address from the private subnet configured on the inside (internal LAN) interface, so that it falls inside the tunnel's selectors and the log traffic is carried through the IPsec tunnel.
The following CLI commands show the configuration:
FortiOS 4.0 - 5.2:
FortiGate-Side-PC-or-Server # config log fortianalyzer setting
FortiGate-Side-PC-or-Server (setting) # set source-ip 10.1.0.1
FortiGate-Side-PC-or-Server (setting) # end
FortiOS 5.4 - 6.0 (shown here as the per-VDOM override; the global setting is still config log fortianalyzer setting and takes the same source-ip option):
FortiGate-Side-PC-or-Server # config log fortianalyzer override-setting
FortiGate-Side-PC-or-Server (override-setting) # show full
config log fortianalyzer override-setting
    set override enable
    set status enable
    set ips-archive enable
    set server '10.1.0.1'
    set enc-algorithm high
    set conn-timeout 10
    set monitor-keepalive-period 5
    set monitor-failure-retry-period 5
    set certificate '10.1.0.1'
    set source-ip '10.1.0.1'
    set upload-option 5-minute
    set reliable disable
end
In this output, server is the address of the FortiAnalyzer unit and source-ip is the local address the FortiGate sources the logs from. In a real two-site deployment these are different addresses: source-ip belongs to the local internal subnet, while server is the FortiAnalyzer address reachable across the tunnel.
After the configuration above is applied, the FortiGate-Side-PC-or-Server unit sends its logs with source IP address 10.1.0.1. The log traffic is then forwarded over the IPsec tunnel from the internal network of the PC-or-Server site to the internal network of the FortiAnalyzer site. This only works if the IPsec phase 2 selectors on both sides cover traffic between 10.1.0.1 and the FortiAnalyzer address, the FortiGate-Side-PC-or-Server unit has a route to the FortiAnalyzer via the tunnel interface, and the FortiGate-Side-FAZ unit has a firewall policy allowing the log traffic (OFTP, TCP port 514) from the tunnel interface to the FortiAnalyzer.
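As an added worked example (not part of the original article), the full set of FortiOS 5.4/6.0 CLI commands that make the source-ip setting above actually carry the logs across the tunnel, together with the checks to confirm it. Everything except the source IP 10.1.0.1 from the article is an assumption: the FortiAnalyzer is taken to be 10.2.0.10 on the remote site's 10.2.0.0/24 LAN, the tunnel interface is named to-faz-site on the local side and to-pc-site on the remote side, the remote LAN interface is internal, and the phase 1 definitions already exist on both units. Lines beginning with # are annotations, not CLI input; in a VDOM, the three logging lines go under config log fortianalyzer override-setting with set override enable instead.

```text
# --- FortiGate-Side-PC-or-Server (local site, sends the logs) ---

# 1. Phase 2 selectors must cover source-ip (10.1.0.1) -> FortiAnalyzer (10.2.0.10)
config vpn ipsec phase2-interface
    edit "to-faz-site-p2"
        set phase1name "to-faz-site"
        set src-subnet 10.1.0.0 255.255.255.0
        set dst-subnet 10.2.0.0 255.255.255.0
    next
end

# 2. Route the FortiAnalyzer subnet into the tunnel interface, otherwise the
#    logs leave via the default route (WAN) regardless of the source-ip setting
config router static
    edit 0
        set dst 10.2.0.0 255.255.255.0
        set device "to-faz-site"
    next
end

# 3. Point logging at the FortiAnalyzer and source it from the internal address
config log fortianalyzer setting
    set status enable
    set server 10.2.0.10
    set source-ip 10.1.0.1
end

# --- FortiGate-Side-FAZ (remote site, in front of the FortiAnalyzer) ---

# 4. FortiGate-to-FortiAnalyzer logging (OFTP) uses TCP port 514
config firewall service custom
    edit "OFTP-514"
        set tcp-portrange 514
    next
end

config firewall address
    edit "site-pc-lan"
        set subnet 10.1.0.0 255.255.255.0
    next
    edit "faz-host"
        set subnet 10.2.0.10 255.255.255.255
    next
end

# 5. Policy from the tunnel interface to the LAN, restricted to the
#    FortiAnalyzer host and the logging port only (least privilege)
config firewall policy
    edit 0
        set name "allow-faz-logs"
        set srcintf "to-pc-site"
        set dstintf "internal"
        set srcaddr "site-pc-lan"
        set dstaddr "faz-host"
        set action accept
        set schedule "always"
        set service "OFTP-514"
        set logtraffic all
    next
end

# --- Verification, on FortiGate-Side-PC-or-Server ---
# Tunnel is up and the phase 2 selectors include both subnets
diagnose vpn tunnel list
# Logging connectivity to the FortiAnalyzer
execute log fortianalyzer test-connectivity
# Log packets leave with source 10.1.0.1 on the tunnel interface, not the WAN
diagnose sniffer packet any "host 10.2.0.10 and port 514" 4 10
```

If the sniffer shows the port 514 packets on the WAN interface with the WAN address as source, the route or the phase 2 selectors do not cover the log traffic yet; if they appear on to-faz-site with source 10.1.0.1 but the connectivity test still fails, check the firewall policy on the FortiGate-Side-FAZ unit and that the FortiGate is registered on the FortiAnalyzer.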