
How to fix connection issues between FortiGate and Splunk

This article describes how to troubleshoot connection issues with the Fortinet/FortiGate application in Splunk.

Scope

Splunk, FortiGate.

Solution

Topology:

User <-> FortiGate <-> Splunk

Note: Splunk's syslog input for this app uses port 514 by default, and the FortiGate syslog server setting (config log syslogd setting) also defaults to UDP port 514. Both sides must agree on the port and on the protocol (UDP or TCP); a mismatch here looks exactly like a network problem.

For instructions on how to add FortiGate to Splunk, see the deployment guide.

Link to the Splunk Fortinet app.

If Splunk is not able to view the logs, take the following troubleshooting steps:

Step 1:

Try to ping the Splunk server using the following command:

execute ping 10.10.10.10

Here 10.10.10.10 stands for the Splunk server address. If the ping fails, either the server is unreachable from the FortiGate (no route, or the reply returns via a different interface) or ICMP is blocked somewhere in the network path. A failed ping therefore does not by itself prove that syslog on port 514 is blocked, and a successful ping does not prove that port 514 is open; continue with the packet sniffer either way.

Step 2:

Run the packet sniffer on the FortiGate, filtering on the Splunk server address, and repeat the ping while the sniffer is running.

In this example, the ICMP echo requests are leaving the FortiGate but no reply comes back from the Splunk server.

Next, verify that syslog traffic to port 514 is actually leaving the FortiGate, and note which interface it leaves on. If it is leaving but Splunk still shows nothing, capture traffic on the server side as well: this tells you whether the packets arrive at the Splunk host at all (a network or firewall problem) or arrive but are not picked up (a Splunk input or host firewall problem).
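The steps above as one FortiGate CLI session, followed by the matching checks on the Splunk host. This is an added example, not part of the original article: 10.10.10.10 is the article's placeholder Splunk address, and the syslog source IP 192.168.1.99 and the server interface eth0 are assumptions to be replaced with your own values.

```fortios
# --- On the FortiGate (CLI) ---

# Confirm what the FortiGate thinks the syslog target is. Port and mode
# (udp/tcp) must match the Splunk input; the defaults are 514 and udp.
get log syslogd setting

# Confirm there is a route to the Splunk server and note the outgoing interface.
get router info routing-table details 10.10.10.10

# Step 1: ping the Splunk server. If syslogd is configured with a source-ip,
# ping from that same address so the test follows the same path as the logs.
execute ping-options source 192.168.1.99    # assumption: the syslogd source-ip
execute ping 10.10.10.10

# Step 2: sniff for the ICMP from step 1 (run the ping again from a second
# session). Verbose level 4 prints the interface name with each packet,
# count 0 means run until Ctrl-C, 'l' prints local timestamps.
diagnose sniffer packet any 'host 10.10.10.10 and icmp' 4 0 l

# Step 3: now sniff for syslog itself. 'diagnose log test' writes sample
# log entries of every type so there is something to send; watch for
# udp/514 packets leaving on the expected interface.
diagnose log test
diagnose sniffer packet any 'host 10.10.10.10 and port 514' 4 0 l

# --- On the Splunk server (Linux shell; assumption: interface eth0) ---

# Is anything listening on UDP 514 at all?
sudo ss -lunp | grep 514

# Do the FortiGate's packets reach the host? Seeing them here while Splunk
# shows nothing means the problem is the Splunk input or host firewall,
# not the network path.
sudo tcpdump -ni eth0 'udp port 514 and host 192.168.1.99' -c 5 -A
```

One caveat on the server-side check: ports below 1024 need root (or the bind capability) on Linux, so a Splunk instance running as an unprivileged user cannot open UDP 514 itself; in that setup the packets will show up in tcpdump but nothing listens on 514, and the usual remedy is to receive on a high port or let the system syslog daemon receive on 514 and hand the logs to Splunk.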