Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor III

FG not sending logs to FAZ

Hi there

I have several FGs already sending logs to a FAZ, over ipsec connections, but I am having issues adding a new FW.

The logging is configured using the correct source-ip address; I have successfully checked sending pings from the FG to the FAZ using the source-ip option, and diag sniffer shows the flow of packets, albeit with RSTs in the flow. The FG definition is added to the FAZ; still, the FG reports it can't communicate with the FAZ.


config log fortianalyzer setting
    set status enable
    set source-ip
    set server
    set reliable enable
end

MIN-FW-001 # exec log fortianalyzer test-connectivity
Failed to get FAZ's status.

The sniffer flow from the test-connectivity command:

MIN-FW-001 # diag sniffer packet any "host" 4
interfaces=[any]
filters=[host]
1303.708288 ipsec_CT out -> syn 4266655446
1303.724212 ipsec_CT in -> syn 1201754132 ack 4266655447
1303.724493 ipsec_CT out -> ack 1201754133
1303.726584 ipsec_CT out -> psh 4266655447 ack 1201754133
1303.742509 ipsec_CT in -> ack 4266655740
1303.745975 ipsec_CT in -> psh 1201756905 ack 4266655740
1303.746874 ipsec_CT out -> ack 1201754133
1313.722355 ipsec_CT out -> fin 4266655740 ack 1201754133
1313.738176 ipsec_CT in -> fin 1201756914 ack 4266655741
1313.738539 ipsec_CT out -> rst 4266655741


Any ideas? Why the RST packets?

As the RST breaks the session, diag debug flow shows 'no session matched' messages after the RSTs appear.




Kind regards, Jaap
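The trace in the post, read mechanically, as an added example (not code from the post or from Fortinet): a small parser for verbosity-4 "diagnose sniffer packet" output that reports whether the three-way handshake completed, how many payload bytes went each way (from the sequence numbers), who sent the first FIN and the first RST, and a one-word verdict. The sample trace is constructed: its timestamps, flags and sequence numbers follow the post's trace, while the addresses 10.10.10.1 / 10.20.20.5 and port 514 are made up because the post redacted them. It goes beyond the post's case by also classifying a refused connection (SYN answered with RST) and a connection that never gets a SYN-ACK.

```python
"""Triage one TCP session from FortiGate 'diagnose sniffer packet ... 4' output.

Added example, not code from the forum post or from Fortinet. SAMPLE_TRACE is
constructed: timestamps, flags and sequence numbers follow the post's trace; the
addresses (10.10.10.1, 10.20.20.5) and port 514 are made up (redacted in the
post). REFUSED_TRACE is entirely made up.
"""
import re
from dataclasses import dataclass
from typing import Optional

# "<ts> <intf> <in|out> <src> -> <dst>: <flag num> [<flag num> ...]"
LINE_RE = re.compile(r"^(?P<ts>\d+\.\d+)\s+\S+\s+(?P<dir>in|out)\s+\S+\s+->\s+\S+:\s+(?P<rest>.+)$")

SAMPLE_TRACE = """\
1303.708288 ipsec_CT out 10.10.10.1.1234 -> 10.20.20.5.514: syn 4266655446
1303.724212 ipsec_CT in 10.20.20.5.514 -> 10.10.10.1.1234: syn 1201754132 ack 4266655447
1303.724493 ipsec_CT out 10.10.10.1.1234 -> 10.20.20.5.514: ack 1201754133
1303.726584 ipsec_CT out 10.10.10.1.1234 -> 10.20.20.5.514: psh 4266655447 ack 1201754133
1303.742509 ipsec_CT in 10.20.20.5.514 -> 10.10.10.1.1234: ack 4266655740
1303.745975 ipsec_CT in 10.20.20.5.514 -> 10.10.10.1.1234: psh 1201756905 ack 4266655740
1303.746874 ipsec_CT out 10.10.10.1.1234 -> 10.20.20.5.514: ack 1201754133
1313.722355 ipsec_CT out 10.10.10.1.1234 -> 10.20.20.5.514: fin 4266655740 ack 1201754133
1313.738176 ipsec_CT in 10.20.20.5.514 -> 10.10.10.1.1234: fin 1201756914 ack 4266655741
1313.738539 ipsec_CT out 10.10.10.1.1234 -> 10.20.20.5.514: rst 4266655741
"""

REFUSED_TRACE = """\
10.000000 port1 out 10.10.10.1.2000 -> 10.20.20.5.514: syn 1000
10.001000 port1 in 10.20.20.5.514 -> 10.10.10.1.2000: rst 0 ack 1001
"""


@dataclass
class Verdict:
    handshake_complete: bool
    bytes_out: int             # payload bytes sent by this FortiGate (lower bound if no FIN seen)
    bytes_in: int              # payload bytes sent by the peer
    closed_by: Optional[str]   # sender of the first FIN: "local" or "remote"
    reset_by: Optional[str]    # sender of the first RST: "local" or "remote"
    duration: float            # seconds between first and last packet
    verdict: str               # app-close / clean-close / still-open / reset-by-peer / refused / no-handshake


def parse_line(line: str):
    """Return (ts, direction, flags, seq, ack), or None for lines that are not packets."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    flags, seq, ack = set(), None, None
    toks = m.group("rest").split()
    # The sniffer prints "flag number" pairs: the number after "ack" is the ack
    # number; the number after syn/psh/fin/rst is that segment's sequence number.
    for flag, num in zip(toks[0::2], toks[1::2]):
        flags.add(flag)
        if flag == "ack":
            ack = int(num)
        else:
            seq = int(num)
    return float(m.group("ts")), m.group("dir"), flags, seq, ack


def analyze(lines) -> Verdict:
    pkts = [p for p in map(parse_line, lines) if p is not None]
    if not pkts:
        raise ValueError("no sniffer packet lines found")
    isn, end_seq = {}, {}     # per direction: ISN from the SYN; seq of the FIN or of the last data segment
    syn_out = synack_in = ack_out = False
    closed_by = reset_by = None
    for ts, d, flags, seq, ack in pkts:
        who = "local" if d == "out" else "remote"
        if "syn" in flags:
            isn.setdefault(d, seq)
            syn_out |= d == "out"
            synack_in |= d == "in" and "ack" in flags and syn_out
        elif d == "out" and "ack" in flags and synack_in:
            ack_out = True                # third packet of the handshake (or any later ACK)
        if "fin" in flags:
            end_seq[d] = seq              # the FIN carries the seq one past the last data byte
            closed_by = closed_by or who
        elif "rst" in flags:
            reset_by = reset_by or who
        elif seq is not None and "syn" not in flags:
            end_seq[d] = max(end_seq.get(d, 0), seq)

    def payload(d):                       # data occupies ISN+1 .. end_seq-1
        return max(end_seq[d] - isn[d] - 1, 0) if d in isn and d in end_seq else 0

    handshake = syn_out and synack_in and ack_out
    if not handshake:
        verdict = "refused" if reset_by == "remote" else "no-handshake"
    elif reset_by == "remote" and closed_by is None:
        verdict = "reset-by-peer"         # established session torn down abruptly by the peer
    elif closed_by == "local" and reset_by == "local":
        verdict = "app-close"             # this side sent FIN, then RST: the local application ended it
    elif closed_by is None and reset_by is None:
        verdict = "still-open"
    else:
        verdict = "clean-close"
    return Verdict(handshake, payload("out"), payload("in"), closed_by, reset_by,
                   pkts[-1][0] - pkts[0][0], verdict)


if __name__ == "__main__":
    for name, trace in ("post", SAMPLE_TRACE), ("refused", REFUSED_TRACE):
        print(name, analyze(trace.splitlines()))
```

On the post's trace the verdict is app-close: SYN, SYN-ACK and ACK all appear, 293 bytes go out and 2781 come back, and it is the FortiGate that sends the FIN and, after the peer's FIN, the RST. That pattern says L3/L4 reachability through the tunnel is fine and the session is being ended by the logging application on the FortiGate itself, so the next step is the application-level debug (miglogd) rather than routing. A refused verdict (SYN answered with RST) or no-handshake would instead point at the FAZ listener, a policy, or the tunnel.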
Esteemed Contributor III


Things to check

1: Are you going out the right interface (check route, route-table)
2: Any FAZ limits or capacity (review system logs)
3: Can you reboot the FAZ
4: Can you run a packet capture at the FAZ






New Contributor III

Thanks for the help emnoc.


  • Routing seems to be ok, as indicated by the handshake and exchange in the sniffer trace above, and as per the routing table.
  • Checked for FAZ limits, no problem there.
  • Tried to reboot the FAZ to no avail, as the problem persists after the reboot.
  • I'll try that packet capture on the FAZ. I'll also run a sniffer trace on the peer firewall.

Kind regards, Jaap

You could try the following debugging on the FortiGate to see if there are errors in the communication between the FG and the FAZ:

# diagnose debug enable
# diagnose debug application miglogd -1


Thanks MrSinners, that helped. An error message appeared related to the SSL connection:

miglog_faz_connect()-371: oftp_connect(global-faz) failed: ssl_connect() failed: 5

Turns out there's an issue with the SSL certs on the FAZ; when I disabled the encryption on the FG it started to work:

set enc-algorithm disable

However, the other FGs still use SSL, so I guess they use a different but valid certificate. I am not even sure where the certificate is specified for the FG logging.

Thanks, you guys are great.

Kind regards, Jaap
Esteemed Contributor III

You can set the local system cert from the CLI:

config system certificate local

but did you try setting the SSL protocol or types in the config global setup?

config system global
    set enc-algorithm low (not ideal but)
    set ssl-low-encryption enable






Valued Contributor

Hello JaapHoetmer,

Could you post here the FAZ and the FGT version? In your first post you wrote: "I have several FGs already sending logs to a FAZ, over ipsec connections,..." Should this FortiGate also send logs over IPSec? If yes, your settings in the first post are for SSL.

For IPSec you need to disable enc-algorithm:

# config log fortianalyzer setting
# set enc-algorithm disable

then you need to enable IPsec encryption:

# set encrypt enable

and also set the local ID and PSK according to the FortiAnalyzer settings:

# set localid <set_the_ID>
# set psksecret <set_the_PSK>

But probably you mean that you have an IPSec connection established to somewhere and are sending logs over this IPSec. Your FGT is using the default encryption for OFTP (set enc-algorithm default), as it is not shown in your config under config log fortianalyzer setting.

Could you check in the FAZ settings what encryption level is allowed? Use get sys global on the FAZ and check the encryption algorithm:

enc-algorithm : low

The enc-algorithm on the FGT should be the same or higher than on the FAZ.

NSE 8, CCNP R+S

Valued Contributor

Do what AtiT recommends and you should be golden. I always set mine up this way and it seems to work better than using the default algorithm settings.