Strange HA Log Behaviour
Posted 29 January 2019 - 04:44 AM
Bit of a strange one that keeps happening in our setup. We've got 2 Azure-based NGFWs running in high availability mode. They are sending logs to our SIEM.
When the primary firewall is active it also sends logs detailing the IPS Blocks that it's made (as well as sending us an email alert). However when the firewalls failover and the secondary one becomes active, the secondary firewall doesn't forward these IPS Block logs to the SIEM. It forwards every other log and we still get an alert email when it's blocked something, but we just don't see any of these blocks in our SIEM. Is there something we may have missed in our config?
Posted 29 January 2019 - 05:46 AM
A bit difficult to tell by the description: Depending on whether this is a standalone or a managed HA cluster there could be different things causing this behavior. Can you please open a support ticket to check this with a support agent? They can have a look and get to the bottom of this quickly!
Posted 18 March 2019 - 07:25 AM Best Answer
For future reference, it was because we were using an "explicit source IP address" in the settings on the firewalls to send the logs from, and this was set to the primary firewall. Removed this and they both now send logs correctly.
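A defender-side check for the two symptoms in this thread, written as an added example (not code from the thread or from the firewall vendor): over records already ingested by the SIEM it flags an HA member that sends some log categories but never the IPS block category, and it flags a source address shared by more than one member, which is what a pinned explicit source IP looks like. The record field names (`node`, `src_ip`, `category`) and the sample rows are assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample of SIEM-ingested records, not real firewall output.
# Before the failover fw-a is active; afterwards fw-b is active but, because
# the explicit log source IP was pinned to fw-a's address, every record still
# arrives from 10.0.0.4 and fw-b's IPS block entries never appear.
SAMPLE_RECORDS = [
    {"ts": "2019-01-28T09:00:00Z", "node": "fw-a", "src_ip": "10.0.0.4", "category": "traffic"},
    {"ts": "2019-01-28T09:00:05Z", "node": "fw-a", "src_ip": "10.0.0.4", "category": "ips_block"},
    {"ts": "2019-01-28T09:00:10Z", "node": "fw-a", "src_ip": "10.0.0.4", "category": "system"},
    {"ts": "2019-01-28T10:00:00Z", "node": "fw-b", "src_ip": "10.0.0.4", "category": "traffic"},
    {"ts": "2019-01-28T10:00:07Z", "node": "fw-b", "src_ip": "10.0.0.4", "category": "system"},
]


def categories_by_node(records):
    """Map each reporting HA member to the set of log categories seen from it."""
    seen = defaultdict(set)
    for r in records:
        seen[r["node"]].add(r["category"])
    return seen


def missing_categories(records):
    """For every member that logs at all, return the categories some other
    member has produced but this one never has. A member that sends traffic
    and system logs but no ips_block entries is the symptom from the thread."""
    seen = categories_by_node(records)
    expected = set().union(*seen.values()) if seen else set()
    gaps = {}
    for node, cats in seen.items():
        missing = expected - cats
        if missing:
            gaps[node] = missing
    return gaps


def shared_source_ips(records):
    """Return source IPs used by more than one member. Two HA members reporting
    from the same address points at a pinned explicit source IP setting."""
    nodes_by_ip = defaultdict(set)
    for r in records:
        nodes_by_ip[r["src_ip"]].add(r["node"])
    return {ip: nodes for ip, nodes in nodes_by_ip.items() if len(nodes) > 1}


if __name__ == "__main__":
    print("categories missing per member:", missing_categories(SAMPLE_RECORDS))
    print("source IPs shared by members:", shared_source_ips(SAMPLE_RECORDS))
```

Run it against a window that spans a failover; an empty result from both functions is what a correctly configured pair should produce.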