tanr
Valued Contributor II

Multi-location multi-subnet syslog back to central FortiAnalyzer

Hi all,

Our FortiAnalyzer at our main office gets logs and syslogs from both the main office and by IPsec VPN from a second location, which has its own FortiGate. We're also sending syslogs to a secondary syslog server at the main office location. Logs and syslogs may also come from a remote travelling office setup (IPsec from portable firewall and AP), and from dialup SSL VPN FortiClient users.

To collect more syslog data from two additional distinct subnets (old/insecure devices) at our second location I just added two separate phase 2s back to the FAZ at the main office. Then I decided that was silly, especially since there's at least one more subnet that needs to send syslog data over the VPN tunnel.

Suggestions on a better way to do this, taking into account that I can't merge the subnets or have an all-encompassing phase-2?

My thoughts were:

  • Have something at the second location collect and forward syslogs. It doesn't appear that the FortiGate can do this (let me know if it can!) so that would mean something like Kiwi Syslog Server which can receive and forward syslogs.
  • NAT so in the second location each of those separate subnets sends their syslogs to a single IP which then goes through the tunnel. I haven't worked with NAT or VIP over IPsec yet, so please let me know if this seems feasible or not.

Any pointers appreciated.

    tanr
    Valued Contributor II

    I played with this a bit to see what options might work for SNAT'd syslog over (route-based) IPsec VPN from multiple subnets.

    I can have a single overloaded IP Pool with a single IP in the second location's logging subnet.  One or more security policies from the reporting subnets going to the phase1 that contains the single phase2 that handles local-logging --> remote-logging set to NAT with that IP Pool works, kind of.  However, the FAZ considers an IP as signifying a single device so it groups all the reporting devices as a single device and even sets the raw log's devname and device_id fields to be the same for logs from different devices.  Yuck.

    A one-to-one ip pool for each of the reporting devices gives me a unique IP for each.  Doing it with multiple IP Pools means lots of separate security policies and IP Pools, but it works.

    I can create a VIP for each of these mappings and use it for SNAT over VPN.  In that case I have to set nat-source-vip enable on each VIP.  I don't have to change outbound policies.  However, to make the SNAT work "automatically" I need to put in a dummy inbound rule with the destination address being the VIP for every single VIP.  At least I can include multiple VIPs as dstaddr for a single inbound rule for each destination intf.

    Anybody have a suggestion for a simpler SNAT 1-to-1 mapping over VPN tunnel?

    I'm only interested in outbound SNAT for SYSLOG.

    chall_FTNT

    It sounds like you are terminating the IPSec on FortiAnalyzer.  Support for IPSec on FortiAnalyzer has been discontinued for some time. Instead by default in more recent FortiOS, logs are sent over TCP (reliable) and encrypted (SSL).

    What version of FortiAnalyzer firmware are you running?

    Chris Hall
    Fortinet Technical Support
    tanr
    Valued Contributor II

    I'm not terminating the IPsec on the FortiAnalyzer at our main office.  The IPsec is just between the FortiGates at our main office and second location.  I'm already getting all the FortiOS logs from both FortiGates at the FortiAnalyzer.

    I'm running FAZ 5.4.4.  What I'm asking about isn't really about the FortiAnalyzer per se, it's about using SNAT or multiple phase2s to get syslog traffic from the remote site over IPsec.  The FortiGates are handling the IPsec.  The FortiAnalyzer is just where the syslogs go in the end.

    What I've listed above is 4 different ways to do this, all of which seem overly complex or expensive.  (I guess central nat could be a fifth way, but then I'd lose the automatic SNAT from security policies.)

    What I'm asking is if anybody can suggest a better way, or explain to me why one of the methods outlined might be better than the others to use for this.

    EDIT: For now I'm using multiple IP Pools with fixed port range for one-to-one mapping so multiple can be used in a single security policy.  This seems the simplest method.  But still interested in people's opinions on this.
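The fixed-port-range one-to-one SNAT method the thread settles on, written out as an added FortiOS 5.4-style CLI example for the second-site FortiGate (this is not configuration from the original posts). The interface name "to-HQ", the source hosts 10.20.1.50-.52, the pool range 10.20.99.10-.12 and the FAZ address 10.10.5.20 are assumed values.

```text
# Added example, not from the thread. Assumed: route-based tunnel interface
# "to-HQ", old syslog sources 10.20.1.50-10.20.1.52 on "internal", pool IPs
# 10.20.99.10-10.20.99.12 inside the local subnet already carried by the
# existing phase 2, FortiAnalyzer at 10.10.5.20.

# fixed-port-range maps each source IP to its own pool IP (one-to-one), so one
# policy can carry several devices while FAZ still sees a distinct source
# address per device. An overloaded pool would hand every device the same IP
# and FAZ would merge them into one devname/device_id.
config firewall ippool
    edit "syslog-snat-pool"
        set type fixed-port-range
        set startip 10.20.99.10
        set endip 10.20.99.12
        set source-startip 10.20.1.50
        set source-endip 10.20.1.52
    next
end

config firewall address
    edit "syslog-sources"
        set type iprange
        set start-ip 10.20.1.50
        set end-ip 10.20.1.52
    next
    edit "faz-host"
        set subnet 10.10.5.20 255.255.255.255
    next
end

config firewall service custom
    edit "SYSLOG-UDP"
        set udp-portrange 514
    next
end

# Outbound policy into the tunnel; NAT happens before the packet is matched
# against the phase 2 selector, so the pool range must sit inside the
# selector's local subnet or the traffic never enters the tunnel.
config firewall policy
    edit 0
        set name "syslog-to-FAZ"
        set srcintf "internal"
        set dstintf "to-HQ"
        set srcaddr "syslog-sources"
        set dstaddr "faz-host"
        set action accept
        set schedule "always"
        set service "SYSLOG-UDP"
        set nat enable
        set ippool enable
        set poolname "syslog-snat-pool"
    next
end
```

On the FortiAnalyzer side each old device then appears under its pool address, so check that the syslog device entries are registered against 10.20.99.x rather than the real 10.20.1.x addresses.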
