08-31-2024 02:44 PM
I have a network with several remote sites that each have a single FTD 1120, all with site-to-site VPNs connecting back to a central location. The FTDs are all managed via their public IP by the FMC at the central location. The site-to-site VPNs connect from the main site to each spoke for the few things that are managed remotely and sit behind the FTDs. On the protected side of the central site there is a log server.
I now need to be able to send syslog messages from the FTDs to the syslog server that is back at the central site; basically, I need traffic that originates on the FTD to get into the IPsec tunnel that the FTD is establishing. I could send the syslog out the public side of the spoke FTDs, point the syslog destination at the public interface of the central site and NAT to the syslog server, but I really do not want the syslog going across the Internet in the clear.
All FTDs and the FMC are running 7.2.5.2; I see loopbacks became available in 7.3. Could a loopback be used in this case? Any other suggestions? Thanks!
08-31-2024 05:00 PM
This should work if you select the Inside interface as the source and inside traffic goes via the tunnel interface.
You can configure the syslog server and select the inside zone; that should work.
Example:
logging trap informational
logging host Inside 192.168.100.100 format emblem
As I have seen some issues on 7.2.3.X, there is a bug with the VTI interface (I don't remember the bug ID offhand).
09-02-2024 05:53 AM
Here is a basic diagram to help. If on the spoke-site FTD I point to the inside to get to the logging server, it has nowhere to go. The logging server is on the "inside" of the main site. I need traffic that originates from the FTD to get inside the tunnel. Maybe a loopback, available in 7.3, is the answer, or a VTI. I am not using VTIs with my site-to-site tunnels.
09-02-2024 06:01 AM
@Mike_997 loopback support for SYSLOG (and AAA, BGP, DNS, HTTP, ICMP, IPsec flow offload, NetFlow, SNMP, SSH) was introduced with 7.4, so you would need to upgrade. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/roadmap/management-center-new-features-by-release.html
09-02-2024 06:38 AM
Do you use the OUT interface as the source? If yes,
then add a new IPsec ACL entry: permit host <outside IP> host <server IP>
Try this and check.
MHM
09-02-2024 09:37 AM
No, the syslogs need to traverse the IPsec VPN; I do not want to send syslog across the Internet in the clear.
09-02-2024 09:41 AM
The traffic will pass through the tunnel and be encrypted.
I have seen this method as a workaround in a Cisco bug detail.
Try it and check.
MHM
09-02-2024 02:47 PM
Any reason why you are not using the management interface? If it is because you are not able to reach the management interface after enabling management via a data interface, then you need to add a static route for the relevant IP or subnet via the CLI.
configure network static-routes ipv4 add management0 1.2.3.0 255.255.255.0 10.1.1.1
where 1.2.3.0 255.255.255.0 are the subnet and network mask of the remote network, and 10.1.1.1 is the default gateway for the management interface. Then, depending on whether you are using policy-based or route-based VPN, be sure that the subnet is in the crypto ACL or advertised so it is reachable, and have access rules in place to allow the traffic.
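Both suggestions above (sourcing syslog from the inside interface, or adding a host entry for the FTD's own outside address to the IPsec ACL) come down to the same question: does the syslog source/destination pair match a permit entry in the crypto ACL? The following Python script is an added example, not code from this thread, from Cisco, or from FMC; it parses ASA/FTD-style "access-list ... extended" lines and reports whether a given pair would enter the tunnel or fall through and leave in the clear. The ACL name VPN-TO-HUB, the spoke LAN 192.168.10.0/24, the spoke outside address 203.0.113.10 and the syslog server 10.10.10.50 are all constructed for illustration; it evaluates only the crypto ACL, not routing or the access control policy.

```python
"""Crypto-ACL coverage check for FTD-originated syslog (added example, not from the thread).

Parses the subset of ASA/FTD extended ACL syntax used in crypto ACLs and answers,
for one source/destination pair, whether the traffic matches a permit entry
(enters the IPsec tunnel) or falls through (is sent in the clear).
All addresses and ACL lines below are constructed for illustration."""
import ipaddress
import re
from dataclasses import dataclass

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(\S+)\s+(.*)$")


@dataclass
class AclEntry:
    name: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    raw: str


def _parse_endpoint(tokens, i):
    """Parse one endpoint starting at tokens[i]: 'host A.B.C.D', 'any'/'any4', or
    'NETWORK MASK' (ASA/FTD ACLs use a subnet mask, not a wildcard mask)."""
    tok = tokens[i]
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if tok in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(lines):
    """Parse 'access-list NAME extended permit|deny PROTO SRC DST' lines.
    Object groups and port qualifiers are deliberately unsupported: fail loudly
    rather than silently mis-evaluate an entry."""
    entries = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        m = ACL_RE.match(line)
        if not m:
            raise ValueError(f"unsupported ACL syntax: {line}")
        name, action, proto, rest = m.groups()
        tokens = rest.split()
        src, i = _parse_endpoint(tokens, 0)
        dst, i = _parse_endpoint(tokens, i)
        if i != len(tokens):
            raise ValueError(f"trailing qualifiers not supported: {line}")
        entries.append(AclEntry(name, action, proto, src, dst, line))
    return entries


def first_match(entries, src_ip, dst_ip):
    """ACLs are evaluated top-down and the first matching entry wins.
    Syslog is UDP, so only 'ip' and 'udp' entries can match it."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in entries:
        if e.proto in ("ip", "udp") and s in e.src and d in e.dst:
            return e
    return None


def syslog_path(entries, source_ip, server_ip):
    """'ENCRYPTED' if the pair hits a permit entry in the crypto ACL, else 'CLEAR'."""
    e = first_match(entries, source_ip, server_ip)
    return "ENCRYPTED" if e is not None and e.action == "permit" else "CLEAR"


# Constructed spoke-side crypto ACL: only the spoke LAN is an interesting source.
SPOKE_ACL_BEFORE = parse_acl([
    "access-list VPN-TO-HUB extended permit ip 192.168.10.0 255.255.255.0 10.10.0.0 255.255.0.0",
])

# Same ACL after adding the thread's suggested host entry: the FTD's own outside
# address (203.0.113.10, constructed) to the syslog server (10.10.10.50, constructed).
SPOKE_ACL_AFTER = parse_acl([
    "access-list VPN-TO-HUB extended permit ip 192.168.10.0 255.255.255.0 10.10.0.0 255.255.0.0",
    "access-list VPN-TO-HUB extended permit ip host 203.0.113.10 host 10.10.10.50",
])

if __name__ == "__main__":
    for label, acl in (("before", SPOKE_ACL_BEFORE), ("after", SPOKE_ACL_AFTER)):
        print(label, "outside-sourced syslog:", syslog_path(acl, "203.0.113.10", "10.10.10.50"))
        print(label, "inside-sourced syslog: ", syslog_path(acl, "192.168.10.1", "10.10.10.50"))
```

Whatever entry you add on the spoke, the hub side needs the mirror-image entry, or the tunnel's proxy identities will not agree; run the same check against the hub ACL with the source and destination swapped before pushing the change.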
09-13-2024 03:32 PM
These sites do not have anything connected to the mgmt interface; all of the management is done via the public interface from the FMC.
09-13-2024 10:35 PM
Did you try what I suggested?
MHM