
Remote syslog Source IP

I want to configure remote syslog, but the syslog messages' source IP is taken on every firewall from the WLAN interface or the public interface. How can I change this behaviour? The syslog server resides in HQ, and HQ doesn't have any idea about the WLAN networks on the spoke firewalls, so it must be the LAN network address of the spoke firewall.


  • If I understand correctly, your topology is as follows, and there's no masquerading of WLAN traffic to HQ, nor has the WLAN subnet been added to the VPN tunnel:

    Syslog server in HQ --- Branch UTM --- Spoke UTM --- WLAN-1


    If so, then the easiest solution would be a NAT rule in the Spoke UTM:

    SNAT : WLAN-1 (Network) -> SYSLOG -> {Syslog Server in HQ} : from External (Address)


    Did I understand the situation?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • That's a general problem.

    If the traffic source is UTM-internal (access to authentication servers, to the syslog server, proxy, ...) and the destination is not available via a local interface but via an IPsec VPN, the UTM does not know what source IP to use and chooses any local interface, and maybe another one after a reboot.

    I put all my local (Address) interfaces into a host group "Localinterfaces" and have a SNAT rule like:

    Localinterfaces / Any ports -> HQ network (via IPsec) : Source to an Interface (Address) known by IPsec/HQ
  • Yes BAlfson, you have understood, and I will try this solution with NAT. Thanks
  • Any 2017 solution to this issue??? Can we force the local syslog daemon to be bound to the main UTM IP??
    Thanks

  • Or in 2020, have control of which IP to use? E.g. by honoring the route metric on interfaces for IPsec too?

  • As the source IP of connections originating in the UTM, the IP of the outgoing interface to the destination is used.

    IPsec has no "interface" of its own, so the interface bound to the IPsec connection is used (usually the WAN interface).

    So, if the destination network is reached via an IPsec connection, make a SNAT:

    WAN (address) -> Destination LAN --> LAN (address)

    Connections originating in the UTM are AD authentication, the SUM connection, syslog, proxy, mail notifications ...

  • Not all IPsec connections go through a WAN connection; we are running it through a dark fiber in a private VLAN. What we are seeing is the connection of the remote UTM originating from one of the defined VLANs; not sure if it is randomly selected, the last one created, or based on an internal identifier, but it tends to change when a VLAN is added (and maybe on reboots).

    So SNAT would be a nice option, but just like the firewall rules we currently use, the SNAT would also break on the change of the source address. This is why it would be nice if the function that creates the route for the IPsec tunnel would use the route metric of the VLAN interfaces to determine which one to use....
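The symptom discussed in this thread (syslog datagrams from a spoke UTM arriving at HQ with a WLAN, VLAN or public source address instead of the spoke's LAN address) can be caught on the HQ syslog server side. The following is an added example, not code from the thread or from Sophos: it checks the UDP source IP of each datagram against the spoke LAN addresses HQ expects, so a missing or broken SNAT rule shows up as an alert rather than as silently misattributed logs. All addresses and log lines are constructed sample values.

```python
import ipaddress
import socket

# Constructed sample values (not from the thread): the LAN address of each spoke UTM
# that HQ expects to see as the UDP source of its syslog datagrams.
EXPECTED_SOURCES = {
    "10.1.0.1": "spoke-a",
    "10.2.0.1": "spoke-b",
}

# RFC 1918 ranges: an unexpected private source hints at a WLAN/VLAN interface,
# an unexpected non-private source at the public (WAN) interface.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed datagrams as (UDP source IP, syslog payload). The hostname inside the
# payload says which UTM sent it; the source IP says which interface it left from.
SAMPLE_DATAGRAMS = [
    ("10.1.0.1", "<134>Jan 12 10:00:01 spoke-a ulogd: packet filter log"),
    ("192.168.50.1", "<134>Jan 12 10:00:02 spoke-b ulogd: packet filter log"),
    ("203.0.113.7", "<134>Jan 12 10:00:03 spoke-b ulogd: packet filter log"),
]


def classify_source(src_ip: str) -> str:
    """'expected:<spoke>' for a known spoke LAN address, else 'unexpected:private'
    (likely WLAN/VLAN interface) or 'unexpected:public' (likely WAN interface)."""
    if src_ip in EXPECTED_SOURCES:
        return f"expected:{EXPECTED_SOURCES[src_ip]}"
    addr = ipaddress.ip_address(src_ip)
    return "unexpected:private" if any(addr in n for n in RFC1918) else "unexpected:public"


def audit(datagrams):
    """Return a list of (src_ip, sender_hostname, verdict) for (src_ip, payload) pairs."""
    results = []
    for src_ip, payload in datagrams:
        # RFC 3164-style payload "<PRI>Mmm dd hh:mm:ss HOSTNAME ..." -> hostname is field 4
        fields = payload.split(maxsplit=4)
        sender = fields[3] if len(fields) > 3 else "?"
        results.append((src_ip, sender, classify_source(src_ip)))
    return results


def listen(bind_addr="0.0.0.0", port=514):
    """Receive real syslog datagrams and print an alert for every unexpected source."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        while True:
            payload, (src_ip, _) = sock.recvfrom(65535)
            src_ip, sender, verdict = audit([(src_ip, payload.decode(errors="replace"))])[0]
            if verdict.startswith("unexpected"):
                print(f"ALERT {sender} sent from {src_ip} ({verdict}); check SNAT on that UTM")
```

Running `audit(SAMPLE_DATAGRAMS)` flags the second and third datagrams, which is exactly the pattern the thread describes: the spoke's hostname is right, but the packet left via a WLAN or public interface address.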