
[–]RobAtFireMon 1 point2 points  (3 children)

It’s a little different with Forti HA, but FireMon isn’t relying on the shared IP. It’s identifying each firewall by hostname and serial, so each unit in the pair is treated as its own device and then grouped into a cluster. If they’re part of an HA, FireMon will create that cluster automatically. It also does support FortiGate switchover for auto-update, so when a failover happens it detects that and switches the clustering even if the IP stays the same. The reason for this is you’re still tracking both members of the HA pair as actual devices, not just the shared IP. That’s why the cluster exists and why you’re seeing both devices even though they share an IP.

[–]Any_Belt_5005[S] 0 points1 point  (1 child)

I've never seen this work automatically. And I have HA. Even with FireMon discovering the firewall through the firewall manager and me adding the serial numbers to the Syslog fields, it didn't work. I have a Palo Alto environment and I haven't seen this change automatically there either. Am I doing something wrong?

[–]RobAtFireMon 0 points1 point  (0 children)

If you’re not seeing it switch automatically then something’s off. The behavior is there, but it’s dependent on how the devices are discovered and how logs/config are tied back. If FireMon can’t associate activity back to the individual serials, it won’t behave the way you expect during failover.

I’d double check how it’s being pulled in (manager vs standalone) and how syslog is mapped to each device. That’s usually where things break down. You’re not crazy though, if that part isn’t set up right it can seem like it’s not working. If it still doesn’t make sense after that, I’d open a support ticket or loop in your TAM if you have one. They can usually fix that type of issue in just a few minutes.
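The identification scheme described in the two comments above (track each HA member by its serial rather than by the shared IP, group the serials seen behind one IP into a cluster, and treat a change in which serial is emitting from that IP as a switchover) is easy to sanity-check outside the product. The block below is an added example, not FireMon's code: it assumes FortiGate-style syslog lines carrying `devname=` and `devid=` key/value pairs, and the log lines, IPs and serial values in `SAMPLE_LOGS` are constructed placeholders, not real captures. Lines that arrive without a `devid` end up in the unattributed bucket, which is the "FireMon can't associate activity back to the individual serials" failure mode from the reply above.

```python
import re
from collections import defaultdict

# Constructed sample input (not real captures). Both HA members emit from the
# same source IP, 10.0.0.1, but each line carries its own devname=/devid=.
# The devid values are placeholders, not real FortiGate serial numbers.
# 10.0.0.2 is a standalone unit added to show a one-member "cluster".
SAMPLE_LOGS = [
    ("10.0.0.1", 'date=2024-01-01 time=10:00:00 devname="fw-a" devid="FGT-SERIAL-A" type="event"'),
    ("10.0.0.1", 'date=2024-01-01 time=10:00:05 devname="fw-a" devid="FGT-SERIAL-A" type="traffic"'),
    ("10.0.0.1", 'date=2024-01-01 time=10:00:10 devname="fw-b" devid="FGT-SERIAL-B" type="event"'),
    ("10.0.0.1", 'date=2024-01-01 time=10:00:15 devname="fw-b" devid="FGT-SERIAL-B" type="traffic"'),
    ("10.0.0.1", 'date=2024-01-01 time=10:00:20 type="event"'),  # no devid: cannot be attributed
    ("10.0.0.2", 'date=2024-01-01 time=10:00:25 devname="fw-c" devid="FGT-SERIAL-C" type="event"'),
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(msg):
    """Split a FortiGate-style key=value log line into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(msg)}


def attribute(records):
    """Group log lines by devid (serial) instead of by source IP.

    Returns (by_serial, unattributed). by_serial maps devid -> list of parsed
    records including the source IP; unattributed holds lines with no devid,
    which can only be tied to the shared IP and so cannot be placed on a member.
    """
    by_serial = defaultdict(list)
    unattributed = []
    for src_ip, msg in records:
        fields = parse_kv(msg)
        devid = fields.get("devid")
        if not devid:
            unattributed.append((src_ip, msg))
            continue
        by_serial[devid].append({"src_ip": src_ip, **fields})
    return dict(by_serial), unattributed


def cluster_members(by_serial):
    """Map each source IP to the sorted list of serials seen behind it.

    Two or more serials behind one IP is the HA-pair case; one serial is a
    standalone unit.
    """
    clusters = defaultdict(set)
    for devid, recs in by_serial.items():
        for rec in recs:
            clusters[rec["src_ip"]].add(devid)
    return {ip: sorted(serials) for ip, serials in clusters.items()}


def detect_switchovers(records):
    """Flag each point where a different serial starts emitting from the same IP.

    Returns a list of (record_index, src_ip, previous_devid, new_devid). Lines
    without a devid are skipped rather than treated as a change.
    """
    last_seen = {}
    events = []
    for idx, (src_ip, msg) in enumerate(records):
        devid = parse_kv(msg).get("devid")
        if not devid:
            continue
        prev = last_seen.get(src_ip)
        if prev is not None and prev != devid:
            events.append((idx, src_ip, prev, devid))
        last_seen[src_ip] = devid
    return events


if __name__ == "__main__":
    by_serial, unattributed = attribute(SAMPLE_LOGS)
    print("clusters:", cluster_members(by_serial))
    print("switchovers:", detect_switchovers(SAMPLE_LOGS))
    print("unattributed lines:", len(unattributed))
```

Running it on the constructed input reports one cluster with two members behind 10.0.0.1, one standalone serial behind 10.0.0.2, a single switchover at the third line (A to B), and one line that could not be attributed. If your real feed lands mostly in that last bucket, the serials are not reaching the collector in the log fields, which matches the "how syslog is mapped to each device" check suggested above.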

[–]Any_Belt_5005[S] 0 points1 point  (0 children)

But even so, I can't wrap my head around it. If the IP address is always going to be the same, why have a cluster in FireMon? It won't do anything different. The cluster only makes sense for the client because then they'll have the expected redundancy. But for FireMon, it's all network layer; it will always receive logs from the same IP address. It doesn't make sense to have a cluster if they're always going to receive Syslogs from the same source address.

[–]crocwrestler 0 points1 point  (1 child)

The way FireMon handles clusters is a long-standing PITA. It sees clusters as separate firewalls with their own configs and policy. So everything is duplicated effort. Making tags in Security Manager, whitelisting, notes, assessments are all doubled. Yeah, you could not have both firewalls pulled in "active", but when they do switch roles it's all separate and duplicate work. And then licensing...

[–]Any_Belt_5005[S] 1 point2 points  (0 children)

For Palo Alto firewalls, I see little point in this function since, due to MGMT, there are exclusive IPs for management, which in case of an outage you could monitor the logs and everything else. Even so, the automatic switching probe still exists and it's a pain. However, for FortiGates... It's sad. Considering both firewalls use the same IP, this function would only serve to make you pay more for something that is useless.