Description
This article describes how to change the source IP of FortiGate SYSLOG Traffic.
Scope
FortiGate running single VDOM or multi-vdom.
Solution
With the default settings, the FortiGate uses the IP of the egress interface that the routing table selects for the syslog server's IP address as the source IP.
Note there is one exception: when FortiGate is part of an HA setup and the 'ha-direct' setting is enabled, the interface used to send the syslog traffic is the defined management interface. This interface is excluded from the regular routing table, so setting a source-ip is irrelevant in this case, as the traffic must use the management interface as the source.
Note that the source-ip must be one of the FortiGate interfaces' IP addresses. Otherwise, the following error will be shown:
In that case, it is possible to create a loopback interface with an IP address of 172.16.1.1 and use it as the source-ip. To source the traffic from a loopback or a different interface, the following settings have to be enabled:
FortiGate with Single VDOM:
config log syslogd setting
set status enable
set server "x.x.x.x" <----- IP of Syslog server.
set source-ip y.y.y.y <----- Source IP to use (in newer versions, not available if ha-direct is enabled)
end
From v7.6.0 onwards, the source interface can be selected directly, as shown in the command below:
config log syslogd setting
set status enable
set source-ip-interface <name>
end
FortiGate with Multi-vdom:
Firewalls with multi-vdom can have a specific Syslog server for each VDOM.
To enable vdom-specific Syslog Server, the following feature has to be enabled:
config vdom
edit <vdom_name>
config log setting
set syslog-override enable <----- This enables VDOM specific syslog server.
end
To change the source-ip of vdom-specific syslog traffic:
config log syslogd override-setting
set server "x.x.x.x" <----- IP of Syslog server.
set source-ip y.y.y.y <----- Source IP to use (in newer versions, not available if ha-direct is enabled).
end
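A pre-change check for the rule above that source-ip must be one of the FortiGate interfaces' IP addresses, as an added example (not Fortinet code): it reads a configuration backup and reports any syslog source-ip that matches no interface IP. The sample configuration, the interface name lo-syslog and the function name are constructed for illustration; the check compares against all interfaces and does not verify VDOM membership or secondary IPs.

```python
# Constructed sample in FortiOS backup syntax (not taken from a real device).
SAMPLE_CONFIG = """
config system interface
    edit "port1"
        set ip 192.0.2.10 255.255.255.0
    next
    edit "lo-syslog"
        set type loopback
        set ip 172.16.1.1 255.255.255.255
    next
end
config log syslogd setting
    set status enable
    set server "198.51.100.20"
    set source-ip 172.16.1.1
end
config log syslogd override-setting
    set server "198.51.100.21"
    set source-ip 10.9.9.9
end
"""

SYSLOG_SECTIONS = ("log syslogd setting", "log syslogd override-setting")


def check_syslog_source_ip(config_text):
    """Return (section, source_ip) pairs whose source-ip is not an interface IP."""
    stack, iface_ips, sources = [], set(), []
    for raw in config_text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        verb, args = tokens[0], tokens[1:]
        if verb == "config":
            stack.append(" ".join(args))      # enter a config section
        elif verb == "end" and stack:
            stack.pop()                        # leave the innermost section
        elif verb == "set" and stack and len(args) >= 2:
            value = args[1].strip("\"'")
            if stack[-1] == "system interface" and args[0] == "ip":
                iface_ips.add(value)           # interface address (mask ignored)
            elif stack[-1] in SYSLOG_SECTIONS and args[0] == "source-ip":
                sources.append((stack[-1], value))
    # An empty source-ip means "not set" and is skipped.
    return [(sec, ip) for sec, ip in sources if ip and ip not in iface_ips]


if __name__ == "__main__":
    for section, ip in check_syslog_source_ip(SAMPLE_CONFIG):
        print(f"{section}: source-ip {ip} is not configured on any interface")
```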
Related article:
Technical Tip: How to force the syslog using specific IP address and interface to send to internet
Copyright 2024 Fortinet, Inc. All Rights Reserved.