This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Remote syslog Source IP

I want to configure remote syslog, but syslog messages source IP is taken on every Firewall from WLAN Interface or public interface. How can I change this behaviour? Syslog server resides in HQ and HQ doesnt have any idea about WLAN networks on spoke Firewalls, so it must me LAN Network address from spoke Firewall.


This thread was automatically locked due to age.
Parents
  • That's a general problem.

    If traffic source ist UTM internal (access to authentication servers, ..to syslog server, proxy, ...) and destination is not avaialble via a local interface but via IPSec vpn, the UTM does not know what source IP to use and chooses any local interface - and may be another after reboot.

    I put all my local (Address) interfaces into a host group Localinterfaces and have a SNAT rule like

    Localinterfaces/Any ports -> HQ network (via IPSec):Source to an Interface(Address) known by IPSec/HQ
  • Any 2017 solution to this issue??? can we force the local syslog daemon to be bound to the main UTM ip ??
    Thanks

  • Or in 2020 have control of which ip to use? E.g. by honoring the route metric on interfaces for ipsec too?

  • As the source IP of connections originated in the UTM, the IP of the outgoing interface to the destination is used.

    IPSec has no own "interface", so the interface bound to the IPSec connection is used (usually the WAN interface).

     

    So, if the destination network is reached via an IPSec connection, make a SNAT

     

    WAN (address) -> Destination LAN --> LAN(address)

     

    Connections originating in the UTM are AD authentication, SUM connection, syslog, proxy, mail notification  ...

Reply
  • As the source IP of connections originated in the UTM, the IP of the outgoing interface to the destination is used.

    IPSec has no own "interface", so the interface bound to the IPSec connection is used (usually the WAN interface).

     

    So, if the destination network is reached via an IPSec connection, make a SNAT

     

    WAN (address) -> Destination LAN --> LAN(address)

     

    Connections originating in the UTM are AD authentication, SUM connection, syslog, proxy, mail notification  ...

Children
  • Not all ipsec connections go through a WAN connection, we are running it through a dark-fiber in a private vlan. What we are seeing is the connection of the remote UTM originating from 1 of the defined VLAN's, not sure if it is random selected, last one created or based on internal identifier, but it tends to change when a VLAN is added (and maybe on reboots).

    So SNAT would be a nice option, but just like the firewall rules we currently use, the SNAT would also break on the change of the source address. This is why it would be nice to have the function that creates the route for the ipsec would use the route metric of the vlan interfaces to determine which one to use....