
As we have just set up a TLS-capable syslog server, let’s configure a Fortinet FortiGate firewall to send its syslog messages over an encrypted channel (TLS). Let’s go:
I am using a Fortinet FortiGate (FortiWiFi) FWF-61E with FortiOS v6.4.7 build1911 (GA) for this tutorial. My syslog-ng server with version 3.13.2 is running on Ubuntu 18.04.6 LTS.
Apart from the server address itself, you cannot configure any syslog server details via the GUI on this so-called “Next Generation Firewall” (Log & Report -> Log Settings -> Remote Logging and Archiving).
Hence we have to use the CLI:
config log syslogd setting
    set status enable
    set server "syslog2.weberlab.de"
    set mode reliable
    set port 6514
    set enc-algorithm high
end
Some notes:
- You can’t “set enc-algorithm high” unless you have “set mode reliable”.
- You don’t have to “set port 6514” manually because it is set automatically by doing the “set enc-algorithm high” command.
- When using an FQDN as the server (as I did in the listing), the FortiGate uses legacy IP (IPv4) even though an AAAA record is present. If you want to use IPv6 you must enter an IPv6 address here.
- Official Fortinet CLI reference
If your syslog server uses a self-signed certificate, or one issued by a CA the FortiGate does not trust, it won’t work right away. This is good from a security point of view: the FortiGate validates the server certificate and aborts the handshake with a TLS alert instead of shipping logs to an unverified peer. On the syslog server you’ll see the following messages, including the “tlsv1 alert unknown ca” the FortiGate sends:
weberjoh@nb17-lx2:~$ tail -f /var/log/syslog
Oct 26 09:53:49 nb17-lx2 syslog-ng[901]: Syslog connection accepted; fd='96', client='AF_INET6([2001:470:1f0b:16b0::1]:15831)', local='AF_INET6([::]:6514)'
Oct 26 09:53:49 nb17-lx2 syslog-ng[901]: Syslog connection accepted; fd='99', client='AF_INET6([2001:470:1f0b:16b0::1]:15830)', local='AF_INET6([::]:6514)'
Oct 26 09:53:49 nb17-lx2 syslog-ng[901]: SSL error while reading stream; tls_error='SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca'
Oct 26 09:53:49 nb17-lx2 syslog-ng[901]: I/O error occurred while reading; fd='96', error='Connection reset by peer (104)'
Oct 26 09:53:49 nb17-lx2 syslog-ng[901]: Syslog connection closed; fd='96', client='AF_INET6([2001:470:1f0b:16b0::1]:15831)', local='AF_INET6([::]:6514)'
Oct 26 09:53:49 nb17-lx2 syslog-ng[901]: SSL error while reading stream; tls_error='SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca'
Oct 26 09:53:49 nb17-lx2 syslog-ng[901]: I/O error occurred while reading; fd='99', error='Connection reset by peer (104)'
Oct 26 09:53:49 nb17-lx2 syslog-ng[901]: Syslog connection closed; fd='99', client='AF_INET6([2001:470:1f0b:16b0::1]:15830)', local='AF_INET6([::]:6514)'
Or, looking at it with Wireshark, you’ll see the corresponding TLS “Alert Message” right after the server’s Certificate handshake message.
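Those handshake failures are easy to overlook on a busy server. As an added example (my code, neither the post’s nor part of syslog-ng), here is a small Python script that scans syslog-ng’s own log for TLS handshake failures and reports them per sending device, mapping the FortiGate’s “unknown ca” alert to its fix. It assumes the syslog-ng 3.x message format shown above; the embedded sample log is constructed from the post’s lines plus one invented IPv4 sender (192.0.2.10) whose handshake succeeded.

```python
"""Scan syslog-ng's own log for TLS handshake failures from remote senders.

Added example for this post; not the author's code and not part of syslog-ng.
Assumes the syslog-ng 3.x message format shown in the post (Ubuntu /var/log/syslog).
"""
import re
from collections import Counter, defaultdict

ACCEPT_RE = re.compile(
    r"Syslog connection accepted; fd='(?P<fd>\d+)', "
    r"client='AF_INET6?\((?P<addr>.+?):(?P<port>\d+)\)'"
)
CLOSE_RE = re.compile(r"Syslog connection closed; fd='(?P<fd>\d+)'")
SSL_RE = re.compile(r"SSL error while reading stream; tls_error='(?P<err>[^']+)'")
IO_RE = re.compile(r"I/O error occurred while reading; fd='(?P<fd>\d+)'")

# Remediation hints keyed on the OpenSSL alert text. "unknown ca" is the case
# from the post; the other two are common OpenSSL alert strings (assumption).
HINTS = {
    "unknown ca": "sender does not trust the server certificate chain; import the issuing CA on the sender",
    "bad certificate": "sender rejected the server certificate (name, validity or key usage mismatch)",
    "handshake failure": "no common TLS version or cipher suite between sender and server",
}

# Constructed sample: the post's eight lines plus one invented IPv4 sender (fd 101)
# that connected without any TLS error.
SAMPLE_LOG = """\
Oct 26 09:53:49 nb17-lx2 syslog-ng[901]: Syslog connection accepted; fd='96', client='AF_INET6([2001:470:1f0b:16b0::1]:15831)', local='AF_INET6([::]:6514)'
Oct 26 09:53:49 nb17-lx2 syslog-ng[901]: Syslog connection accepted; fd='99', client='AF_INET6([2001:470:1f0b:16b0::1]:15830)', local='AF_INET6([::]:6514)'
Oct 26 09:53:49 nb17-lx2 syslog-ng[901]: SSL error while reading stream; tls_error='SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca'
Oct 26 09:53:49 nb17-lx2 syslog-ng[901]: I/O error occurred while reading; fd='96', error='Connection reset by peer (104)'
Oct 26 09:53:49 nb17-lx2 syslog-ng[901]: Syslog connection closed; fd='96', client='AF_INET6([2001:470:1f0b:16b0::1]:15831)', local='AF_INET6([::]:6514)'
Oct 26 09:53:49 nb17-lx2 syslog-ng[901]: SSL error while reading stream; tls_error='SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca'
Oct 26 09:53:49 nb17-lx2 syslog-ng[901]: I/O error occurred while reading; fd='99', error='Connection reset by peer (104)'
Oct 26 09:53:49 nb17-lx2 syslog-ng[901]: Syslog connection closed; fd='99', client='AF_INET6([2001:470:1f0b:16b0::1]:15830)', local='AF_INET6([::]:6514)'
Oct 26 09:58:02 nb17-lx2 syslog-ng[901]: Syslog connection accepted; fd='101', client='AF_INET(192.0.2.10:40000)', local='AF_INET(0.0.0.0:6514)'
"""


def classify(tls_error):
    """Map an OpenSSL error string to a short reason used for counting."""
    for reason in HINTS:
        if reason in tls_error:
            return reason
    return "other"


def parse_tls_failures(log_text):
    """Return one dict per TLS handshake failure: fd, client, port, tls_error, reason.

    syslog-ng logs the OpenSSL error without an fd, so each error is attributed
    to the next "I/O error ... fd=" line, which is the order seen in the post.
    """
    open_conns = {}   # fd -> (client address, source port)
    pending = []      # SSL error strings not yet attributed to an fd
    failures = []
    for line in log_text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            open_conns[m["fd"]] = (m["addr"].strip("[]"), int(m["port"]))
            continue
        m = SSL_RE.search(line)
        if m:
            pending.append(m["err"])
            continue
        m = IO_RE.search(line)
        if m and pending and m["fd"] in open_conns:
            addr, port = open_conns[m["fd"]]
            err = pending.pop(0)
            failures.append({"fd": m["fd"], "client": addr, "port": port,
                             "tls_error": err, "reason": classify(err)})
            continue
        m = CLOSE_RE.search(line)
        if m:
            open_conns.pop(m["fd"], None)
    return failures


def summarize(failures):
    """Count failures per client address and reason, e.g. {'2001:db8::1': {'unknown ca': 2}}."""
    per_client = defaultdict(Counter)
    for f in failures:
        per_client[f["client"]][f["reason"]] += 1
    return {client: dict(counts) for client, counts in per_client.items()}


def main(log_text=SAMPLE_LOG):
    """Print a per-sender report with a remediation hint for each reason."""
    for client, counts in summarize(parse_tls_failures(log_text)).items():
        for reason, n in counts.items():
            hint = HINTS.get(reason, "inspect the handshake with Wireshark")
            print(f"{client}: {n} TLS failure(s), {reason}: {hint}")


if __name__ == "__main__":
    main()
```

On the real server, feed it `/var/log/syslog` (e.g. `main(open("/var/log/syslog").read())`). The error-to-fd attribution is a heuristic that matches how the messages appear above; on a very busy listener with many concurrent handshakes it can pair an error with the wrong fd, so treat the per-device counts as a pointer, not as evidence.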
Import the certificate of the CA that signed the syslog server’s X.509 certificate (for a self-signed server certificate, that certificate itself) on the FortiGate at System -> Certificates -> Import -> CA Certificate.
Logging via TLS will immediately start after that. No further configuration is needed.
Confirmed with Wireshark again: “Change Cipher Spec” followed by Application Data. Nice!
Very good. Keep in mind that you should not use unencrypted management protocols at all, and plaintext syslog is one of them. Hence this one here is a step in the right direction.
Photo by Robin Spielmann on Unsplash.