Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
dwickramasinghe1
Staff
Staff

Created on ‎02-23-2025 04:27 AM

Article Id 378041

Technical Tip: Decoding TLS handshake between FortiGate and FortiAnalyzer using Wireshark

Description This article describes how to decode a TLS handshake between FortiGate and FortiAnalyzer using Wireshark.
Scope FortiAnalyzer, FortiGate, Wireshark.
Solution

FortiGate can form a security fabric connection with FortiAnalyzer using port 514(SYSLOG). In some cases, a TLS handshake is required to verify the authenticity of both devices to form the connection. However, from a packet capture perspective on Wireshark, the TLS handshake is not visible by default.

This article will go over on how to decode the TLS handshake with the use of Wireshark. This option can be useful for certain troubleshooting scenarios.

The screenshot below shows how the TLS handshake looks by default in Wireshark.

BadPCAP.jpg
Wireshark is interpreting the traffic as SYSLOG traffic, so the certificate handshake does not appear by default. 

 

To change this, adjust the Wireshark settings as shown below:

Wireshark -> Analyze -> Decode As -> *Select the '+' icon* -> Change the field  to TCP, the port value to '514' and the Current option to 'TLS'.

Wireshark.jpg
After saving the option, the packet capture should show the TLS handshake in Wireshark.

CleanWireShark.jpg
445
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.