Creating a Fortianalyzer to Fortigate IPSEC Secure connection

The Fortianalyzer is a great product. It can give very deep analysis of exactly what is going through the network and allow you to create/schedule reports to show this data. You also have very quick detailed monitoring at hand with the Fortiview. By default the Fortigates connect to the FAZ  via SSL, all logs are encrypted. Recently, and I am not sure what the issue is, I have been having issues with certain FGTs connecting to the FAZ via SSL (I think its a cert issue..but still checking). So, we have a different option, to use IPSEC to create a tunnel and allow everything to be encrypted that way. This works great.

What we need to do

FAZ: add the device manually in the FAZ, enable “Security”, change the Local ID, Set the PSK.

FGT: Go in through CLI, disable SSL encryption, enable IPSEC, set the PSK.

So lets go to step one – adding the the device in the FAZ.

Log into the device, and select whatever Adom you want to add the FGT into. Then select to add a device, once this pops up fill in the needed info, you will need an admin account.

device-add

Select “Next” and fill in the needed info, you will need the S/N for this.

device-add2

Once that is added you will be able to edit the device. Right click on the device name and select Edit.

From here you will need to enable IPSEC by checking “Secure Connection” and change the PSK. Notice Local ID this is what will identify the FGT. By default its the S/N but you can change it to anything. In this case I am using FGT1.

Device-add-3

Now you should see something like this, notice that “Secure connection” is red.

Device-status

Great, now its time for the device settings. I am going to do this through the CLI, its the only way to set the PSK as far as I know.

The commands are listed below. One thing to note is that once you select “Encrypt” you disable SSL and enable IPSEC.

fgt-1

After all the commands are entered, you should be able to go to Log-Log Config-and test the connection to the FAZ. It should pop up that everything is working as listed below:

testing-1

Lets check on the FAZ, to make sure everything looks correct.

faz-status

Ok, this all looks great. That’s it, now we are using IPSEC to encrypt the logs. Its a good alternative to SSL if you find your self in the situation that the FGTs will not connect do to cert issues.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: