Mike17 (Staff)
Article Id 394405
Description

This article describes how to keep the original source IP when the FortiAnalyzer Log Forwarding feature is enabled. With this setting, FortiAnalyzer sends forwarded log packets using the IP address of the original log sender instead of its own. External devices then receive the logs as if they had come directly from the originating device.

Scope: FortiAnalyzer.
Solution
  1. On the FortiAnalyzer GUI, configure log forwarding by going to System Settings -> Log Forwarding.

  2. Select Create New to create a new Log Forwarding setting.

  3. Enter the values for the requested fields, and then select OK to save:

Name: Input a name.
Status: On.
Remote Server Type: <FortiAnalyzer/Syslog>.
Server IP: External server IP.

  4. Execute these commands on the CLI:

     config system log-forward
         edit <id>
             set fwd-log-source-ip original_ip
         next
     end

Note: Replace <id> with the ID of the log forwarding setting created in Step 3.

Note: This option can only be used with UDP forwarding, that is, with 'set fwd-reliable disable'.

By default, fwd-log-source-ip is set to 'local_ip'.

Design-level comparison: fwd-log-source-ip options on FortiAnalyzer

Mode: original_ip (preserve log source IP)
Description: FortiAnalyzer forwards logs using the original IP address of the FortiGate that generated the log. FortiAnalyzer acts as a transparent relay.
When to use:
  • When the external SIEM or log collector needs to identify which FortiGate sent the original log.
  • Environments requiring accurate source attribution, such as multi-tenant or audit/compliance-driven setups.
Network impact:
  • Preserves full source visibility (the SIEM sees real FortiGate IPs).
  • Firewall policies must allow traffic from multiple source IPs (i.e., all FortiGates managed by FortiAnalyzer).
  • May complicate routing or NAT, especially when forwarding logs over IPsec VPNs.
  • VPN Phase 2 selectors and SNAT policies may need to account for many potential source IPs.
  • Useful for environments where FortiAnalyzer is deployed centrally and must not mask original sources.

Mode: local_ip (use FortiAnalyzer interface IP)
Description: FortiAnalyzer rewrites the source IP to the IP of its egress interface (i.e., it acts as the sender).
When to use:
  • When the collector accepts logs only from known/trusted IPs (for example, the FortiAnalyzer IP).
  • Environments that prefer simplified firewall rules and routing setups.
Network impact:
  • Simplifies firewall configuration; the collector only needs to allow traffic from FortiAnalyzer.
  • Helps in NAT environments or across VPNs where only FortiAnalyzer's IP is routable.
  • Breaks original source attribution; the collector cannot distinguish which FortiGate sent the original log.
  • May hinder forensic analysis or per-device log filtering on the collector.
  • Suitable when log integrity is less important than network simplicity and access control.

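The UDP-only constraint in the note above and the firewall allow-list consequence in the comparison can both be checked mechanically from a CLI config dump. The following Python script is an added example, not code from the article or from Fortinet; it assumes the 'config system log-forward' dump layout shown in the sample and that fwd-reliable defaults to disable (the local_ip default is documented above).

```python
import re

# Constructed sample of a FortiAnalyzer 'config system log-forward' dump (assumed layout).
# Only the two keys the article discusses are used; entry 3 sets neither, so it runs with defaults.
SAMPLE_CONFIG = """\
config system log-forward
    edit 1
        set fwd-reliable disable
        set fwd-log-source-ip original_ip
    next
    edit 2
        set fwd-reliable enable
        set fwd-log-source-ip original_ip
    next
    edit 3
    next
end
"""

# local_ip is the documented default; fwd-reliable disable (UDP) is an assumed default.
DEFAULTS = {"fwd-reliable": "disable", "fwd-log-source-ip": "local_ip"}

def parse_log_forward(text):
    """Return {entry_id: {key: value}} for every 'edit <id>' block, defaults filled in."""
    entries, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.fullmatch(r"edit (\d+)", line):
            current = entries.setdefault(int(m.group(1)), dict(DEFAULTS))
        elif (m := re.fullmatch(r"set (\S+) (\S+)", line)) and current is not None:
            current[m.group(1)] = m.group(2)
        elif line == "next":
            current = None
    return entries

def lint_entry(settings):
    """Flag the unsupported combination: original_ip needs UDP (fwd-reliable disable)."""
    if settings["fwd-log-source-ip"] == "original_ip" and settings["fwd-reliable"] != "disable":
        return "original_ip requires 'set fwd-reliable disable'"
    return None

def collector_allow_list(settings, faz_ip, fortigate_ips):
    """Source IPs the external collector's firewall must accept for this entry."""
    if settings["fwd-log-source-ip"] == "original_ip":
        return sorted(set(fortigate_ips))  # every managed FortiGate appears as a sender
    return [faz_ip]  # only the FortiAnalyzer egress interface is seen

if __name__ == "__main__":
    for eid, s in parse_log_forward(SAMPLE_CONFIG).items():
        print(eid, s, lint_entry(s), collector_allow_list(s, "10.0.0.5", ["10.1.1.1", "10.1.1.2"]))
```

Entry 2 is reported because original_ip is combined with fwd-reliable enable; entry 3 falls back to local_ip and therefore needs only the FortiAnalyzer IP on the collector's allow list.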

Related article:

Technical Tip: How to configure and troubleshoot Log Forwarding on FortiAnalyzer