Installed new FortiGate 61Es; everything seemed to work as planned until I wanted to add FortiAnalyzer for traffic analysis. Testing seemed to indicate that FortiAnalyzer traffic was being sent out the WAN interface instead of the IPsec tunnel. After searching around I found that a source IP needed to be set for traffic originating from the FortiGate itself, such as FortiAnalyzer, syslog etc. The following config helped resolve the issue.

config log fortianalyzer setting
    set status enable
    set server x.x.x.x
    set source-ip x.x.x.x
end

config log syslogd setting
    set status enable
    set server x.x.x.x
    set source-ip x.x.x.x
end
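
To check other units for the same gap, the following added example (not part of the original post, and not Fortinet tooling) scans a saved FortiGate config backup and reports any enabled FortiAnalyzer or syslog setting that has a server but no source-ip. The function names, the sample backup and its addresses are constructed for illustration, and treating 0.0.0.0 as "not set" is an assumption.

```python
import re

# Log destinations from the post whose traffic originates on the FortiGate itself.
AUDITED = ("log fortianalyzer setting", "log syslogd setting")
UNSET = {"", "0.0.0.0"}  # assumption: an all-zero source-ip counts as not set

def parse_blocks(config_text):
    """Return {block_name: {key: value}} for top-level 'config ... end' blocks."""
    blocks, name, depth = {}, None, 0
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
            if depth == 1:
                name = line[len("config "):]
                blocks[name] = {}
        elif line == "end" and depth:
            depth -= 1
            if depth == 0:
                name = None
        elif depth == 1 and line.startswith("set "):
            m = re.match(r"set (\S+)\s*(.*)", line)
            blocks[name][m.group(1)] = m.group(2).strip('"')
    return blocks

def missing_source_ip(config_text):
    """List enabled log destinations that have a server but no source-ip."""
    blocks = parse_blocks(config_text)
    findings = []
    for name in AUDITED:
        s = blocks.get(name, {})
        if (s.get("status") == "enable" and s.get("server")
                and s.get("source-ip", "") in UNSET):
            findings.append(name)
    return findings

# Constructed sample backup; addresses are documentation-range placeholders.
SAMPLE = """\
config log fortianalyzer setting
    set status enable
    set server 192.0.2.10
end
config log syslogd setting
    set status enable
    set server 192.0.2.20
    set source-ip 198.51.100.1
end
"""

if __name__ == "__main__":
    for block in missing_source_ip(SAMPLE):
        print(f"{block}: server set but no source-ip")
```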