Technical Tip: Logging behavior when FortiGate is configured in active-passive HA mode

In an active-passive HA setup, only the primary (active) FortiGate is responsible for forwarding logs to external logging servers (for example, a syslog server or FortiAnalyzer). The secondary (passive) unit does not independently establish connectivity or routing to the syslog server.

On the primary FortiGate, a valid route to the syslog server IP address is present:

Primary: FG***********916, HA operating index = 0
Secondary: FG***********325, HA operating index = 1

get router info routing-table details 10.5.148.84
Routing table for VRF=0
Routing entry for 10.5.128.0/18
Known via "connected", distance 0, metric 0, best
* is directly connected, mgmt

On the secondary FortiGate, no route to the syslog server IP is displayed:

FG3H0E-4 # get router info routing-table details 10.5.148.84
FG3H0E-4 #

This behavior is expected and does not indicate a configuration or routing issue on the secondary unit.
Although the secondary FortiGate does not have a route to the syslog server, packet captures on the primary FortiGate will show that:

1. The primary unit forwards logs on behalf of both the primary and secondary FortiGate units.
2. All HA members’ logs are processed and sent externally by the active (primary) unit.

This is because, in active-passive HA mode:

1. The primary unit owns the active interfaces, routing table, and management plane.
2. The secondary unit synchronizes state and configuration but does not generate outbound management traffic such as syslog independently.
   
   

The following article can be referred to for configuring syslog on FortiGate: Technical Tip: How to configure syslog on FortiGate.

Example packet captures for the logs related to the primary and secondary units:

Logs related to the primary unit:

 
Logs related to the secondary unit: