dwickramasinghe1
Article Id 378041
Description: This article describes how to decode the TLS handshake between FortiGate and FortiAnalyzer using Wireshark.
Scope: FortiAnalyzer, FortiGate, Wireshark.
Solution

FortiGate can form a Security Fabric connection with FortiAnalyzer over TCP port 514 (the syslog port). In some cases a TLS handshake is required so that each device can verify the other's authenticity before the connection is formed. From a packet capture perspective, however, Wireshark does not show this TLS handshake by default.

This article explains how to decode the TLS handshake in Wireshark. This can be useful in certain troubleshooting scenarios.

The screenshot below shows how the TLS handshake looks by default in Wireshark.

[Screenshot: BadPCAP.jpg]
Because the traffic is on port 514, Wireshark applies its syslog dissector to it, so the TLS handshake (including the certificate exchange) does not appear by default.

To change this, adjust the Wireshark settings as shown below:

Wireshark -> Analyze -> Decode As -> select the '+' icon -> set the Field to TCP, the Value to '514' and the Current option to 'TLS'.

[Screenshot: Wireshark.jpg]
After saving this setting, the packet capture should show the TLS handshake in Wireshark.

[Screenshot: CleanWireShark.jpg]
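To make clear what the 'Decode As' change actually reveals, the following is an added example (not code from the Fortinet article or from Wireshark): a small Python parser that takes the raw TCP payload seen on port 514 and reports whether it carries TLS records and which handshake messages (ClientHello, ServerHello, Certificate, ...) they contain. If the payload does not start with TLS record framing, it is treated as plaintext syslog, which is exactly the distinction the Wireshark dissector choice makes. The sample payloads are constructed in the code and are not captured from a real FortiGate; the names `parse_tls_records` and `describe_port_514_payload` are the example's own.

```python
"""Added example: classify raw TCP payload from port 514 as TLS handshake or syslog.
Not part of the Fortinet article; sample bytes below are constructed, not captured."""
import struct
from typing import Dict, List

# TLS record-layer content types (RFC 5246 / RFC 8446) and handshake message types.
TLS_CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKE_TYPES = {
    1: "ClientHello", 2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
    13: "CertificateRequest", 14: "ServerHelloDone", 16: "ClientKeyExchange", 20: "Finished",
}


def parse_tls_records(payload: bytes) -> List[Dict]:
    """Split a TCP payload into TLS records and label the handshake messages inside.

    Returns an empty list when the bytes are not TLS record framing (for example a
    plaintext syslog line), which is the case Wireshark's default syslog dissector fits.
    """
    records: List[Dict] = []
    offset = 0
    while offset + 5 <= len(payload):
        # Record header: 1-byte content type, 2-byte version, 2-byte body length.
        content_type, version, length = struct.unpack("!BHH", payload[offset:offset + 5])
        if content_type not in TLS_CONTENT_TYPES or (version >> 8) != 3:
            return []  # not TLS framing; stop and report "not TLS"
        body = payload[offset + 5:offset + 5 + length]
        if len(body) < length:
            break  # record continues in a later TCP segment; stop at what we have
        rec = {
            "type": TLS_CONTENT_TYPES[content_type],
            "version": "%d.%d" % (version >> 8, version & 0xFF),
            "length": length,
            "messages": [],
        }
        if content_type == 22:
            # One record may carry several handshake messages: 1-byte type, 3-byte length, body.
            pos = 0
            while pos + 4 <= len(body):
                hs_type = body[pos]
                hs_len = int.from_bytes(body[pos + 1:pos + 4], "big")
                rec["messages"].append(HANDSHAKE_TYPES.get(hs_type, "type%d" % hs_type))
                pos += 4 + hs_len
        records.append(rec)
        offset += 5 + length
    return records


def describe_port_514_payload(payload: bytes) -> str:
    """One-line summary of what a 'Decode As TLS' view would show for this payload."""
    records = parse_tls_records(payload)
    if not records:
        return "plaintext syslog (no TLS record framing)"
    parts = [r["type"] + (": " + ", ".join(r["messages"]) if r["messages"] else "") for r in records]
    return "TLS " + records[0]["version"] + " records -> " + " | ".join(parts)


def build_handshake_record(messages: List[tuple], version: int = 0x0303) -> bytes:
    """Construct a TLS Handshake record from (handshake_type, body) pairs (test data only)."""
    body = b"".join(bytes([t]) + len(b).to_bytes(3, "big") + b for t, b in messages)
    return struct.pack("!BHH", 22, version, len(body)) + body


# Constructed samples: a minimal ClientHello, a server flight carrying ServerHello plus
# Certificate in one record, and a plaintext syslog line as a FortiGate would send without TLS.
CLIENT_HELLO = build_handshake_record([
    (1, b"\x03\x03" + b"\x00" * 32 + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00" + b"\x00\x00"),
])
SERVER_FLIGHT = build_handshake_record([
    (2, b"\x03\x03" + b"\x11" * 32 + b"\x00" + b"\x13\x01" + b"\x00"),
    (11, b"\x00\x00\x00"),  # empty certificate list; a real one carries the DER chain
])
SYSLOG_LINE = b"<134>date=2024-01-01 devname=FGT-PLACEHOLDER type=traffic subtype=forward\n"

if __name__ == "__main__":
    for label, data in [("client", CLIENT_HELLO), ("server", SERVER_FLIGHT), ("syslog", SYSLOG_LINE)]:
        print(label, "->", describe_port_514_payload(data))
```

The same decode can be applied from the command line with tshark, the CLI companion to Wireshark, using its `-d` option: `tshark -r capture.pcap -d tcp.port==514,tls`. That is useful when the capture has to be checked on a host without a desktop session.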