This article describes how to send FortiGate logs to a remote FortiAnalyzer that is reached through a VPN tunnel.
FortiGate or VDOM in NAT mode
This article assumes that the VPN tunnel is already up and that there is communication between the FortiGate and the FortiAnalyzer, but the logs are not reaching the FortiAnalyzer.
In order to send the logs from a FortiGate to a remote FortiAnalyzer through a VPN tunnel, it is necessary to set the source IP of the log traffic to the FortiGate's internal network interface.
This is because, by default, the FortiGate tries to reach the FortiAnalyzer using its WAN interface IP; that source address is not allowed through the VPN tunnel, so the log traffic is dropped.
For example, the VPN tunnel only allows traffic between the networks 192.168.10.0/24 and 172.16.110.0/24.
IP FortiGate (internal interface): 192.168.10.1
IP FortiAnalyzer (internal): 172.16.110.21
By setting the source IP in the FortiGate's FortiAnalyzer log settings, the connection between the two devices is sourced from the internal interface of the FortiGate and therefore matches the tunnel's allowed networks.
config log fortianalyzer setting
    set status enable
    set server 172.16.110.21
    set source-ip 192.168.10.1
    set upload-option realtime
end
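The following Python script is an added example, not part of the article or of FortiOS. It parses a `config log fortianalyzer setting` block like the one above and checks whether the source address the FortiGate will use, together with the FortiAnalyzer server address, falls inside one of the tunnel's allowed network pairs. The selector list, the sample WAN address 203.0.113.10 and the parser itself are constructed for this example; the rule that the FortiGate falls back to its WAN IP when no `source-ip` is set is taken from the article.

```python
import ipaddress
import re

# Constructed sample: the log setting from the article, as a FortiOS config block.
FAZ_SETTING = """\
config log fortianalyzer setting
    set status enable
    set server 172.16.110.21
    set source-ip 192.168.10.1
    set upload-option realtime
end
"""

# Constructed: the only (local, remote) network pair the tunnel allows,
# matching the article's example.
PHASE2_SELECTORS = [("192.168.10.0/24", "172.16.110.0/24")]

# Constructed sample WAN address; used when no source-ip is configured,
# which is the default behaviour the article describes.
WAN_IP = "203.0.113.10"


def parse_setting(text):
    """Return the 'set <key> <value>' pairs of a single FortiOS config block."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"\s*set\s+(\S+)\s+(.*\S)\s*$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip('"')
    return settings


def effective_source(settings, wan_ip=WAN_IP):
    """Source address the log connection will carry: source-ip if set, else WAN IP."""
    return settings.get("source-ip", wan_ip)


def tunnel_allows(src, dst, selectors=PHASE2_SELECTORS):
    """True if some selector pair covers src (local side) and dst (remote side)."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    return any(
        src_ip in ipaddress.ip_network(local) and dst_ip in ipaddress.ip_network(remote)
        for local, remote in selectors
    )


def check_log_path(text, selectors=PHASE2_SELECTORS, wan_ip=WAN_IP):
    """Return (ok, reason) for whether FortiAnalyzer log traffic can use the tunnel."""
    settings = parse_setting(text)
    if settings.get("status") != "enable":
        return (False, "FortiAnalyzer logging is disabled")
    server = settings.get("server")
    if not server:
        return (False, "no FortiAnalyzer server configured")
    src = effective_source(settings, wan_ip)
    if tunnel_allows(src, server, selectors):
        return (True, f"{src} -> {server} matches an allowed tunnel network pair")
    return (
        False,
        f"{src} -> {server} matches no allowed tunnel network pair; "
        "set source-ip to an address inside the local network of the tunnel",
    )


if __name__ == "__main__":
    print(check_log_path(FAZ_SETTING))
    # Same block with the source-ip line removed: the WAN IP is used and the check fails.
    print(check_log_path(FAZ_SETTING.replace("    set source-ip 192.168.10.1\n", "")))
```

Running the check against the block with `source-ip` set reports success; removing that one line makes the source fall back to the WAP address and the check reports that no allowed network pair is matched, which is exactly the symptom the article describes.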