Packet Capture & Troubleshooting Guide: Resolving FortiGate Log Delivery Issues on Athena XDR
  

Newbie267391 Lv1 Posted 2026-Jul-02 16:03

1. Problem Description & Root Cause
During the integration of FortiGate firewalls with SaaS XDR, a common issue arises post-HA deployment (or due to other routing factors) where the FortiGate unexpectedly changes its syslog source IP. Instead of using the dedicated Management IP configured on the XDR platform, the device automatically selects a business/traffic interface IP based on the routing table. As a result, the SaaS XDR cannot match the incoming logs with the registered asset profile, causing log delivery failures and preventing the device from showing as "Online" in the XDR console.

2. Troubleshooting: Packet Capture on FortiGate
When syslog logs are missing, the first step is to perform a packet capture on the FortiGate side to verify if the actual source IP matches your expectations. Run the following sniffer command (replace 10.10.10.10 with your actual Broker/Syslog Server IP):

diagnose sniffer packet any 'host 10.10.10.10 and udp port 514' 4 50 a


3. Resolution Options
If the packet capture confirms that the source IP does not match your expectations (due to HA clustering or routing factors), you can resolve it using one of the following two options:

Option 1: Fix it on the FortiGate side via CLI (Recommended)
Force the FortiGate to use a specific Management IP as the syslog source via the CLI:

config log syslogd setting
    set source-ip "10.10.10.10"  # Replace with your actual FortiGate Management IP
end

Once modified, check the expected results as pictured below.

Option 2: Modify the configuration on the XDR side
Leave the FortiGate configuration as is, and update the configured FortiGate IP within the XDR platform to match the actual source IP observed in the packet capture.

[Image: 444066a46174143f80.png]
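
To compare a saved copy of the sniffer output with the IP registered on the XDR side, the following Python script (an added example, not part of the original post) counts the source IPs of syslog packets leaving for the collector. The sample capture lines and the addresses 192.168.1.99 and 172.16.20.1 are constructed, and the verbosity-4 line layout is an assumption.

```python
import re
from collections import Counter

# Assumed verbosity-4 header line layout (timestamp, interface, direction, flow):
#   2026-07-02 16:03:01.100000 port3 out 172.16.20.1.5514 -> 10.10.10.10.514: udp 256
LINE_RE = re.compile(
    r"(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.\d+\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+udp\b"
)

def syslog_sources(capture, collector_ip, port=514):
    """Count (source IP, egress interface) pairs for syslog sent to the collector."""
    seen = Counter()
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # banner lines, hex dumps, non-UDP packets
        if m["dir"] == "out" and m["dst"] == collector_ip and int(m["dport"]) == port:
            seen[(m["src"], m["iface"])] += 1
    return seen

def check_source(capture, collector_ip, registered_ip):
    """Return (ok, mismatches): ok only if syslog was seen and every packet
    left with the IP registered for this asset on the XDR platform."""
    seen = syslog_sources(capture, collector_ip)
    mismatches = {k: n for k, n in seen.items() if k[0] != registered_ip}
    return bool(seen) and not mismatches, mismatches

# Constructed sample capture: 10.10.10.10 is the collector as in the command above;
# 192.168.1.99 (registered management IP) and 172.16.20.1 are made-up addresses.
SAMPLE_BEFORE = """\
interfaces=[any]
filters=[host 10.10.10.10 and udp port 514]
2026-07-02 16:03:01.100000 port3 out 172.16.20.1.5514 -> 10.10.10.10.514: udp 256
2026-07-02 16:03:02.200000 port3 out 172.16.20.1.5514 -> 10.10.10.10.514: udp 301
"""
SAMPLE_AFTER = SAMPLE_BEFORE.replace("172.16.20.1", "192.168.1.99").replace("port3", "mgmt")

if __name__ == "__main__":
    for name, cap in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        ok, bad = check_source(cap, "10.10.10.10", "192.168.1.99")
        print(name, "OK" if ok else f"MISMATCH {bad}")
```

An empty capture also returns ok=False, which indicates that no syslog is leaving the device at all rather than a source-IP mismatch.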


Muhammad Shiraz Lv2 Posted 2026-Jul-03 12:57

Thanks for sharing this info...

Humayun Ahmed Lv4 Posted 2026-Jul-03 12:01

Thanks for sharing!
