Re: Multi-location multi-subnet syslog back to central FortiAnalyzer
I played with this a bit to see what options might work for SNAT'd syslog over (route-based) IPsec VPN from multiple subnets.
I can have a single overloaded IP Pool with a single IP in the second location's logging subnet. One or more security policies from the reporting subnets going to the phase1 that contains the single phase2 that handles local-logging --> remote-logging set to NAT with that IP Pool works, kind of. However, the FAZ considers an IP as signifying a single device so it groups all the reporting devices as a single device and even sets the raw log's devname and device_id fields to be the same for logs from different devices. Yuck.
A one-to-one IP Pool for each of the reporting devices gives me a unique IP for each. Doing it with multiple IP Pools means lots of separate security policies and IP Pools, but it works.
I can create a VIP for each of these mappings and use it for SNAT over VPN. In that case I have to set nat-source-vip enable on each VIP. I don't have to change outbound policies. However, to make the SNAT work "automatically" I need to put in a dummy inbound rule with the destination address being the VIP for every single VIP. At least I can include multiple VIPs as dstaddr for a single inbound rule for each destination intf.
Anybody have a suggestion for a simpler SNAT 1-to-1 mapping over VPN tunnel?
I'm only interested in outbound SNAT for SYSLOG.
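For readers following along, here is what the two working approaches described in the post look like as FortiOS CLI, as an added illustration and not configuration taken from the post or from Fortinet. Everything in it is assumed: the interface names (internal, to-remote-site), the phase1-interface name, the reporting device 192.168.10.50, the remote logging subnet 10.20.30.0/24 with the FortiAnalyzer at 10.20.30.10, the SNAT address 10.20.30.101, and the object names. Only the predefined SYSLOG service and the one-to-one / nat-source-vip settings come from FortiOS itself. One block per reporting device is repeated for each additional device, which is the proliferation of pools and policies the post describes; the point of keeping one source IP per device is that the FortiAnalyzer keys device identity on the source address, so an overloaded pool collapses every sender into one device.

```fortios
# ---- Approach 1: one-to-one IP Pool per reporting device (assumed values) ----
config firewall address
    edit "syslog-dev1"
        set subnet 192.168.10.50 255.255.255.255   # assumed reporting device
    next
    edit "faz-server"
        set subnet 10.20.30.10 255.255.255.255     # assumed FortiAnalyzer address
    next
end

config firewall ippool
    edit "snat-syslog-dev1"
        set type one-to-one
        set startip 10.20.30.101            # assumed address inside remote logging subnet
        set endip 10.20.30.101
        set source-startip 192.168.10.50    # only this device maps to 10.20.30.101
        set source-endip 192.168.10.50
    next
end

config firewall policy
    edit 0
        set name "syslog-dev1-to-faz"
        set srcintf "internal"              # assumed LAN interface
        set dstintf "to-remote-site"        # assumed IPsec phase1-interface name
        set srcaddr "syslog-dev1"
        set dstaddr "faz-server"
        set action accept
        set schedule "always"
        set service "SYSLOG"                # predefined FortiOS service, UDP 514
        set nat enable
        set ippool enable
        set poolname "snat-syslog-dev1"     # one pool and one policy per device
    next
end

# ---- Approach 2: VIP with nat-source-vip plus a dummy inbound policy (assumed values) ----
config firewall vip
    edit "vip-syslog-dev1"
        set extintf "to-remote-site"        # assumed tunnel interface
        set extip 10.20.30.101              # assumed SNAT address seen by the FAZ
        set mappedip "192.168.10.50"        # assumed reporting device
        set nat-source-vip enable           # outbound traffic from mappedip uses extip
    next
end

# Outbound policy needs no change for SNAT, per the post; the VIP must still be
# referenced by an inbound policy. Several VIPs can share one such policy per dstintf.
config firewall policy
    edit 0
        set name "dummy-inbound-for-vip-snat"
        set srcintf "to-remote-site"
        set dstintf "internal"
        set srcaddr "faz-server"
        set dstaddr "vip-syslog-dev1"       # add further VIPs here, one per device
        set action accept
        set schedule "always"
        set service "SYSLOG"                # assumed: narrow the dummy rule to syslog only
    next
end
```

Either way, a quick check on the remote side is to confirm that raw logs arriving at the FortiAnalyzer show a distinct source address, and therefore a distinct devname and device_id, for each reporting device; if they all share one address the pool is still behaving as overload rather than one-to-one.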