cancel
Showing results for 
Search instead for 
Did you mean: 
Create Post
Level 7

FortiGate - NPM topology

Good morning.  I have used SolarWinds with NPM in the past.  However, I am not a network expert.      

I have an issue for NPM topology not getting populated between my FortiGate firewalls that are connected over IPSEC VPN.  When I look at the Fortigate nodes in NPM, they should NPM connections for the switches only.  All connections are between a site's local FortiGate to a virtual Fortigate in an Azure VNet.  Each of our remote site firewalls can see their locally connected HPE Aruba switches and can populate topology.  However, sites connected using IPSEC VPN are not being connected.  Trying to narrow down what the possible causes could be:

1. Fortigate not configured correctly in NPM.  Anything special that needs to be done for FortiGates?  

2. Issue with NPM Topology and IPSEC VPN.    

3. Issue with the virtual FortiGate in Azure.  As this is is where all the IPSEC connections between all firewalls terminate.

I have a case opened with support, and they have reviewed my configuration.  However, they have found nothing obvious with the configuration.  The case number is  00501684.

Anybody having the same issue, or could point me in the write direction?  Greatly appreciate all responses!  I hope everyone is staying save.  

Below, you will see an example Topology for a remote site, and the NPM connections showing in node properties.

 

 

0 Kudos
2 Replies

It's been awhile since I worked with Fortinet products, and unfortunately the experience wasn't a good one.  Its a very difficult platform to actually work with, they tend to obfuscate getting to a lot of information, simple things like debugging something tend to be very cryptic both in how to do it, and the results it gives.   And, at least when I would ask their support for help, they would usually say that Fortimanager did it or would it the future, but weren't any help in getting their products to work with other management platforms.   

But, the first thing I would ask is what type of IPSEC connection are you building?   Is it a basic IPSEC connection, or are you running some sort of tunneling, such as a GRE tunnel over the IPSEC?   A basic IPSEC connection without a tunneling protocol over it is somewhat restricted, its difficult to get quite a few things working over it, such as routing protocols that rely on multicast.  That's why most folks throw a GRE tunnel over it, to allow all traffic to transit and get protocols like LLDP working.  

That would bring up, how is routing handled between your sites, and is Solarwinds picking up on the routing in the device details?   Have you tried seeing if you can get something like LLDP or CDP working over the links?    If I remember right, the basic model that Fortigate wants you to use just uses a plain IPSEC connection without doing anything like GRE, and the way it handled routing was not really clear, maybe it was static routes?   But I can't remember if any of that was divulged to our SW implementation via SNMP or not, I'm thinking it wasn't.

The problem is that SW can only work with the information its given.  Things like routing protocols, or protocols like CDP or LLDP, allow it to figure out the topology a bit.   If the devices aren't divulging this information to SW, there is no way it can build up its topology tables and you see a disconnect.   Unless the devices are willing to give up some information Solarwinds can't leverage it and build the topology.    Sometimes how you build things can make a difference...

0 Kudos

Hi:

I appreciate the response to my question.

 

Fortigates do seem to be a very odd platform to enable something like LLDP.  I was on a call with me firewall resource and even he had to check on what setting to use (VDOM setting, enable, disable for both send and receive).  It also changed depending on whether or not it was a LAN or WAN port.  Even then, the instructions were for their secure fabric implementation.  Anyway, we implemented based on FortiGate instructions with no luck.

The physical firewalls at our remote sites can see the topology to their local switches at that site in NPM,  At least, the LAN ports seem to be working fine for LLDP. 

As the hub firewall is a Fortigate application in Azure, while the others are physical, a problem with this firewall could prevent all topology between firewalls to not populate.

 

Next steps:

1. As you mentioned, we are using a basic Site-to-Site IPSEC VPN for connections between our firewalls.  I am going to open a ticket with Fortigate to see if their is a way of allowing LLDP over them.  Also, to discuss if an implementation in Azure could be causing any problems.

I will update this thread when I get more information.

 

    

 

   

 

  

0 Kudos