Description
This article describes how to send logs from a FortiGate unit located at one site to a FortiAnalyzer unit located at another site, as described in the diagram below:

Scope
FortiGate, FortiAnalyzer.
Solution
The solution to this requirement is to send the FortiGate-Side-PC-or-Server logs to the FortiAnalyzer unit via an IPsec tunnel.
However, in some cases, the FortiGate-Side-PC-or-Server unit may be unable to send logs to the FortiAnalyzer unit on the other site, because the FortiGate-Side-FortiAnalyzer firewall on the other site may drop the log traffic.
To fix this issue, it may be necessary to specify the source IP address that the FortiGate-Side-PC-or-Server unit uses when it sends logs to the FortiAnalyzer unit at the other site. This source IP would typically be taken from the private IP subnet configured on the inside (internal LAN) network interface.
The following CLI command shows the configuration:
Version 4.0 - 5.2:
FortiGate-Side-PC-or-Server # config log fortianalyzer setting
FortiGate-Side-PC-or-Server (setting) # set source-ip '10.1.0.1'
FortiGate-Side-PC-or-Server (setting) # end
Version 5.4 - 6.0:
FortiGate-Side-PC-or-Server # config log fortianalyzer override-setting
FortiGate-Side-PC-or-Server (override-setting) # show full
set override enable
set status enable
set ips-archive enable
set server '10.1.0.1'
set enc-algorithm high
set conn-timeout 10
set monitor-keepalive-period 5
set monitor-failure-retry-period 5
set certificate '10.1.0.1'
set source-ip '10.1.0.1'
set upload-option 5-minute
set reliable disable
end
Once the above CLI command is configured, the FortiGate-Side-PC-or-Server unit will use the source IP address 10.1.0.1 to send logs. The log traffic will then be routed through the IPsec tunnel from the internal network of one site (the FortiGate-Side-PC-or-Server site) to the internal network of the other site, where the FortiAnalyzer unit is located.
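
The following Python check is an added example, not part of the original article or any Fortinet tooling: it parses a saved FortiGate configuration and reports every enabled FortiAnalyzer log block whose source-ip is unset or falls outside the internal LAN subnet. The sample configuration, the server address 10.2.0.10 and the 10.1.0.0/24 LAN subnet are constructed for illustration; only the source IP 10.1.0.1 comes from the article.

```python
import ipaddress
import re

# Constructed sample of a FortiGate configuration backup (not from the article).
# Server address and LAN subnet are assumptions made for this example.
SAMPLE_CONFIG = """\
config log fortianalyzer setting
    set status enable
    set server "10.2.0.10"
    set source-ip "10.1.0.1"
end
config log fortianalyzer override-setting
    set override enable
    set status enable
    set server "10.2.0.10"
end
"""

# One top-level "config log fortianalyzer <name> ... end" block per match.
BLOCK_RE = re.compile(r"^config log fortianalyzer (\S+)\n(.*?)^end$", re.M | re.S)
# "set <key> <value>" lines; values may be bare, single- or double-quoted.
SET_RE = re.compile(r"^\s*set (\S+) ['\"]?([^'\"\n]*)['\"]?\s*$", re.M)


def parse_faz_blocks(config_text):
    """Return {block_name: {key: value}} for each FortiAnalyzer log block."""
    return {name: dict(SET_RE.findall(body))
            for name, body in BLOCK_RE.findall(config_text)}


def audit_source_ip(config_text, lan_subnet):
    """List (block, reason) for enabled blocks with a missing or off-LAN source-ip."""
    lan = ipaddress.ip_network(lan_subnet)
    findings = []
    for name, settings in parse_faz_blocks(config_text).items():
        if settings.get("status") != "enable":
            continue  # logging to FortiAnalyzer is off in this block
        src = settings.get("source-ip", "")
        if src in ("", "0.0.0.0"):
            findings.append((name, "source-ip not set"))
        elif ipaddress.ip_address(src) not in lan:
            findings.append((name, f"source-ip {src} is outside {lan}"))
    return findings


if __name__ == "__main__":
    for block, reason in audit_source_ip(SAMPLE_CONFIG, "10.1.0.0/24"):
        print(f"{block}: {reason}")
```

Run against the constructed sample, the check passes the `setting` block and flags `override-setting`, which enables logging without a source IP.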