Description

This article describes how to send FortiGate logs to a remote FortiAnalyzer connected through a VPN tunnel.

Scope

FortiGate or VDOM in NAT mode.
This article assumes that the VPN tunnel is already up and that there is communication between the FortiGate and the FortiAnalyzer, but the logs are not reaching the FortiAnalyzer.
Solution

To send logs from a FortiGate to a remote FortiAnalyzer through a VPN tunnel, it is necessary to set the source IP of the log traffic to the FortiGate's internal network interface.
By default, the FortiGate reaches the FortiAnalyzer from its WAN interface IP. That address is not covered by the VPN tunnel's phase 2 selectors, so the traffic does not match the tunnel and is dropped.
For example, the VPN tunnel only allows communication between the networks 192.168.10.0/24 and 172.16.110.0/24:
FortiGate internal interface IP: 192.168.10.1
FortiAnalyzer internal IP: 172.16.110.21
By setting the source IP in the FortiGate's FortiAnalyzer log setting, the communication between the two devices is sourced from the FortiGate's internal interface and therefore matches the tunnel selectors.
FortiGate CLI:

config log fortianalyzer setting
    set status enable
    set server 172.16.110.21
    set source-ip 192.168.10.1
    set upload-option realtime
end
With this configuration, the logs are sent to the FortiAnalyzer over the VPN tunnel.
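The following is an added example, not part of the original article and not FortiOS code. It models the behaviour described above: the FortiGate picks its egress interface address as the log source unless `source-ip` is configured, and the tunnel only carries traffic whose source and destination fall inside a phase 2 selector pair. The selector networks and addresses are the ones from the article; the WAN address 203.0.113.1 is a constructed placeholder.

```python
from ipaddress import ip_address, ip_network

# Phase 2 selectors from the article: local 192.168.10.0/24 <-> remote 172.16.110.0/24.
TUNNEL_SELECTORS = [
    (ip_network("192.168.10.0/24"), ip_network("172.16.110.0/24")),
]

FORTIANALYZER_IP = "172.16.110.21"  # FortiAnalyzer internal IP (from the article)
INTERNAL_IP = "192.168.10.1"        # FortiGate internal interface IP (from the article)
WAN_IP = "203.0.113.1"              # constructed WAN address (TEST-NET-3), not from the article


def effective_source_ip(configured_source_ip, egress_interface_ip):
    """Source address the log traffic will carry.

    Models the FortiGate behaviour described in the article: an explicitly
    configured 'set source-ip' wins; otherwise the egress interface IP is used.
    """
    return configured_source_ip if configured_source_ip else egress_interface_ip


def matches_tunnel(src, dst, selectors=TUNNEL_SELECTORS):
    """True when src -> dst falls inside one of the phase 2 selector pairs."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in local and d in remote for local, remote in selectors)


def check_log_path(configured_source_ip, egress_interface_ip=WAN_IP,
                   server_ip=FORTIANALYZER_IP, selectors=TUNNEL_SELECTORS):
    """Return (source_ip_used, verdict) for FortiAnalyzer log traffic.

    Verdict is 'tunnel' when the flow matches a selector pair and 'dropped'
    when it does not (the symptom the article describes).
    """
    src = effective_source_ip(configured_source_ip, egress_interface_ip)
    verdict = "tunnel" if matches_tunnel(src, server_ip, selectors) else "dropped"
    return src, verdict


if __name__ == "__main__":
    # Default behaviour: no source-ip set, so the WAN address is used and the flow is dropped.
    print("no source-ip :", check_log_path(None))
    # With 'set source-ip 192.168.10.1' the flow matches the selectors and uses the tunnel.
    print("source-ip set:", check_log_path(INTERNAL_IP))
```

Running the script shows the two cases side by side: without `source-ip` the flow is sourced from the WAN address and falls outside the selectors, while with `source-ip 192.168.10.1` it matches 192.168.10.0/24 -> 172.16.110.0/24 and is carried by the tunnel.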