Description
This article describes how to change the source IP of FortiGate SYSLOG Traffic.
Scope
FortiGate running single VDOM or multi-vdom.
Solution
With the default settings, the FortiGate will use the source IP of one of the egress interfaces, according to the actual routing corresponding to the IP of the syslog server.
Note there is one exception: when FortiGate is part of a setup, and 'ha-direct' setting is enabled, the interface used to send the syslog traffic is the defined management interface. This is excluded from the regular routing table, therefore setting up a source-ip, in this case, it is not relevant, as the traffic must use the management interface as the source.
Also, note that the source-ip must be one of the FortiGate interfaces IP address. Otherwise, the following error will be shown:
In that case, it is possible to create a loopback interface with an IP address of 172.16.1.1 and use it as source-ip. To source the traffic from a loopback or a different interface, the following settings have to be enabled:
FortiGate with Single VDOM:
config log syslogd setting
set status enable
set server "x.x.x.x" <----- IP of Syslog server.
set source-ip y.y.y.y <----- Source IP to use (in newer versions, not available if ha-direct is enabled)
end
FortiGate with Multi-vdom:
Firewalls with multi-vdom can have a specific Syslog server for each VDOM.
To enable vdom-specific Syslog Server, the following feature has to be enabled:
config vdom
edit <vdom_name>
config log setting
set syslog-override enable <----- This enables VDOM specific syslog server.
end
To change the source-ip of vdom-specific syslog traffic:
config log syslogd override-setting
set server "x.x.x.x" <----- IP of Syslog server.
set source-ip y.y.y.y <-----source IP to use (in newer versions, not available if ha-direct is enabled).
end
Related article:
Technical Tip: How to force the syslog using specific IP address and interface to send to internet
