Wednesday, April 8, 2009

FortiAnalyzer Funkiness

When you configure a FortiAnalyzer that has firewalls reporting to it from other subnets, make sure you configure the correct default gateway under "System -> Network -> Routing". This might seem pretty obvious, but it has caught me off guard a couple of times.

FortiGate firewalls send their log data to the FortiAnalyzer over UDP port 514 (syslog). UDP is connectionless, so the FA can receive those logs without knowing how to route back to the firewalls; for the logs themselves to arrive, the default gateway does not matter.
The firewalls also connect to the FA on TCP port 514, and TCP requires a three-way handshake: the FA has to send its SYN-ACK back to the firewall, which for a firewall on another subnet means the FA needs a usable default gateway. If the correct default gateway is not set on the FA, strange things happen. With a large number of reporting devices, some will show up under "Device -> All" and some will not; the ones that appear are the ones the FA can reach without the gateway, typically those on its own subnet, while the off-subnet ones never complete the TCP connection even though their UDP syslog traffic is arriving. In our most recent incarnation, after rolling out a new FA, we had about half our firewalls listed; the other systems were attempting to connect but could not.
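To make the asymmetry between the two transports concrete, here is a small triage script (an added example, not from the original post and not Fortinet code). It takes the FA's interface address, its configured default gateway, and a list of reporting firewall addresses, and reports for each firewall whether UDP/514 logs will arrive and whether the TCP/514 registration can complete. The model follows the post: UDP needs no return route, TCP does, and the default gateway only provides one if it is a host on the FA's own subnet. The addresses in the sample run are constructed for illustration.

```python
"""Triage which firewalls a FortiAnalyzer can register, given its routing.

Added example (not code from the original post or from Fortinet).
Model taken from the post:
  - syslog over UDP/514 arrives regardless of the FA's routing table
  - the TCP/514 connection needs the FA to route a SYN-ACK back, so an
    off-subnet firewall registers only if the FA has a usable default gateway
The addresses below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Result:
    firewall: str
    on_subnet: bool
    udp_logs_arrive: bool   # always True in this model: no return route needed
    tcp_registers: bool     # True only if the FA can route back to the firewall
    reason: str


def gateway_is_usable(fa_iface: str, gateway: Optional[str]) -> bool:
    """A default gateway only helps if it is another host on the FA's own subnet.

    A gateway that is missing, that equals the FA's own address, or that lies
    outside the FA's subnet gives the FA no way to reach other networks.
    """
    if not gateway:
        return False
    iface = ipaddress.ip_interface(fa_iface)
    gw = ipaddress.ip_address(gateway)
    return gw in iface.network and gw != iface.ip


def triage(fa_iface: str, gateway: Optional[str], firewalls: List[str]) -> List[Result]:
    """Classify each firewall by whether its UDP logs and TCP registration work."""
    iface = ipaddress.ip_interface(fa_iface)
    gw_ok = gateway_is_usable(fa_iface, gateway)
    results = []
    for fw in firewalls:
        addr = ipaddress.ip_address(fw)
        if addr in iface.network:
            # Same L2 segment: the FA answers directly, no gateway involved.
            results.append(Result(fw, True, True, True, "same subnet, no gateway needed"))
        elif gw_ok:
            results.append(Result(fw, False, True, True, "return route via gateway %s" % gateway))
        else:
            # UDP syslog still lands, but the SYN-ACK has nowhere to go.
            results.append(Result(fw, False, True, False,
                                  "no return route: TCP/514 handshake cannot complete"))
    return results


def missing_devices(fa_iface: str, gateway: Optional[str], firewalls: List[str]) -> List[str]:
    """Firewalls that will send logs but never appear under Device -> All."""
    return [r.firewall for r in triage(fa_iface, gateway, firewalls) if not r.tcp_registers]


# Constructed sample inventory: FA on 10.0.0.5/24, firewalls on three subnets.
FA_IFACE = "10.0.0.5/24"
FIREWALLS = ["10.0.0.10", "10.0.0.11", "10.1.0.1", "172.16.5.1"]

if __name__ == "__main__":
    for gw in (None, "192.168.1.1", "10.0.0.1"):
        print("default gateway:", gw, "-> usable:", gateway_is_usable(FA_IFACE, gw))
        for r in triage(FA_IFACE, gw, FIREWALLS):
            print("  %-12s udp=%s tcp=%s  %s" % (r.firewall, r.udp_logs_arrive, r.tcp_registers, r.reason))
```

Run against your own FA address, gateway and device inventory: anything listed by `missing_devices` with UDP logs still arriving is the exact symptom described above, and the fix is the gateway, not the firewall.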

So, if you are missing firewall devices after a new FA rollout or rebuild, verify that default gateway setting: the FA must be able to reach the missing firewalls' addresses, not merely receive their syslog traffic.

