The FortiAnalyzer is a great product. It can give very deep analysis of exactly what is going through the network and lets you create and schedule reports to show this data. You also have very quick, detailed monitoring at hand with FortiView. By default the FortiGates connect to the FAZ via SSL, so all logs are encrypted. Recently, and I am not sure what the issue is, I have been having issues with certain FGTs connecting to the FAZ via SSL (I think it's a cert issue, but I'm still checking). So we have a different option: use IPsec to create a tunnel and encrypt everything that way. This works great.
What we need to do:
FAZ: add the device manually in the FAZ, enable “Security”, change the Local ID, set the PSK.
FGT: go in through the CLI, disable SSL encryption, enable IPsec, set the PSK.
So let's go to step one: adding the device in the FAZ.
Log into the FAZ and select whichever ADOM you want to add the FGT to. Then choose to add a device; once the dialog pops up, fill in the needed info. You will need an admin account for this.
Select “Next” and fill in the needed info; you will need the S/N for this.
Once that is added you will be able to edit the device. Right-click on the device name and select Edit.
From here you will need to enable IPsec by checking “Secure Connection” and changing the PSK. Notice the Local ID: this is what will identify the FGT. By default it's the S/N, but you can change it to anything. In this case I am using FGT1.
Now you should see something like this; notice that “Secure connection” is red.
Great, now it's time for the device settings. I am going to do this through the CLI; it's the only way to set the PSK as far as I know.
The commands are listed below. One thing to note is that once you select “Encrypt” you disable SSL and enable IPsec.
After all the commands are entered, you should be able to go to Log > Log Config and test the connection to the FAZ. It should pop up that everything is working, as shown below:
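As an added example (not the commands from the original post), here is how the FortiGate side looks when written out in FortiOS 5.x CLI syntax. The option names enc-algorithm, encrypt, localid and psksecret are assumed from that syntax, the FAZ address 192.0.2.10 is a placeholder from the documentation range, and the Local ID must match the one entered in the FAZ device entry (FGT1 above).

```text
# Added example in assumed FortiOS 5.x syntax; not the post's own listing.
config log fortianalyzer setting
    set status enable
    # Placeholder FAZ address; replace with your FortiAnalyzer's IP.
    set server 192.0.2.10
    # Turn off the SSL transport that was failing with the cert issue.
    set enc-algorithm disable
    # "Encrypt" here means the IPsec tunnel to the FAZ, not SSL.
    set encrypt enable
    # Must match the Local ID set on the FAZ device entry (FGT1).
    set localid FGT1
    # Same pre-shared key as entered on the FAZ; use a long random value.
    set psksecret <PSK-PLACEHOLDER>
end
# CLI equivalent of the GUI test under Log > Log Config (assumed command).
execute log fortianalyzer test-connectivity
```

If the test fails, the two values to recheck first are the Local ID and the PSK, since both must match exactly on the FAZ and the FGT for the tunnel to come up.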
Let's check on the FAZ to make sure everything looks correct.
OK, this all looks great. That's it: now we are using IPsec to encrypt the logs. It's a good alternative to SSL if you find yourself in the situation where the FGTs will not connect due to cert issues.