nevan
Staff
March 3, 2025

Technical Tip: Observing packets from other VDOMs on management VDOM interfaces while using sniffer

Description

This article describes the possible reasons for observing traffic from interfaces that belong to other VDOMs while capturing packets on a root VDOM interface. Some of these packets may also appear in the traffic log of the management VDOM even though they belong to other VDOMs.

 

This scenario is often misunderstood as VDOM leaking or as a bug in the traffic flow between VDOMs. However, there are several legitimate reasons why traffic from other VDOMs can be seen in the root or management VDOM, and they are explained in this article.

Scope

FortiGate.
Solution

When analyzing network traffic on a FortiGate with the sniffer, packets may appear on a root VDOM interface even though the traffic is actually passing through a different VDOM.

 

This can happen for several reasons, described below:

Inter-VDOM Links:

  • If traffic moves between different VDOMs through inter-VDOM links, it may be visible at the root VDOM depending on how the sniffer is applied.
  • These links operate as virtual interfaces that facilitate communication between separate VDOMs, making certain traffic appear at the system level.

 

Sniffer Filter Scope:

  • Running a command like 'diagnose sniffer packet any "" <level> <count> <tsformat>' captures packets across all interfaces, including those that are being processed at the inter-VDOM level.
  • This can make it seem like traffic is flowing through the root VDOM when it is just being displayed due to the wide capture scope.

 

System-Level Traffic:

  • Some types of traffic, such as FortiGuard updates, DNS queries, NTP synchronization, and logging, are typically handled by the root VDOM.
  • Even if a packet originates in another VDOM, if it requires system-wide services, it may be processed at the root level, causing it to appear in the sniffer.

 

Asymmetric Routing or Sessions:

  • If traffic enters one VDOM and exits another, certain responses like ICMP errors, TTL-expired messages, or TCP resets may be handled at the root VDOM before forwarding.
  • FortiGate may also inspect or reroute specific traffic at the global level if necessary, making it briefly visible in the root VDOM.

 

Shared Physical Interfaces:

  • When multiple VDOMs share a physical port (e.g., using VLAN tagging or aggregated links), packets may appear in the root VDOM sniffer before being assigned to their respective VDOMs.
  • Even if VDOM separation is enforced, the system may briefly capture traffic at a global level before routing it internally.


Note:

This traffic may not actually flow through the root VDOM; it can appear in the root VDOM sniffer simply because it matches the capture condition (for example, a capture on 'any'). When the debug flow trace is run in the root VDOM, no packet flow is observed for it. To determine the actual traffic in the corresponding VDOM, use the debug flow trace and the session list within that VDOM.

 

Observing traffic in the sniffer on a root VDOM interface does not always mean it is being fully processed there.

Using targeted sniffer filters and session analysis commands provides clarity on the exact traffic flow.
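The following CLI sequence is an added example, not part of the original article, showing how to move from the wide 'any' capture to a VDOM-scoped capture and then confirm the real forwarding path with debug flow and the session list. The VDOM name vdomA, the interface port3 and the host 10.1.1.10 are assumed placeholders.

```fortios
# Added example (not from the original article). "vdomA", "port3" and
# 10.1.1.10 are assumed placeholders; substitute your own values.

# 1. Wide-scope capture: "any" with a host filter at verbose level 4
#    prints the interface name for each packet. Packets belonging to
#    vdomA show up here because the capture scope is every interface,
#    including inter-VDOM links, not because root forwards them.
diagnose sniffer packet any "host 10.1.1.10" 4 10

# 2. Scope the sniffer to the VDOM that owns the traffic: enter the VDOM
#    context first, then capture only on its ingress interface.
config vdom
edit vdomA
diagnose sniffer packet port3 "host 10.1.1.10" 4 10

# 3. Confirm the forwarding decision with debug flow inside the same VDOM.
#    The same filter run in root produces no trace for this host.
diagnose debug flow filter addr 10.1.1.10
diagnose debug flow trace start 10
diagnose debug enable
# ... generate traffic to or from 10.1.1.10, then stop the trace
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear

# 4. The VDOM's session table is the authoritative record of the flow;
#    a session present here and absent in root settles the question.
diagnose sys session filter dst 10.1.1.10
diagnose sys session list
diagnose sys session filter clear
end
```

Compare the interface names printed in step 1 with the session entries in step 4: a packet seen on an inter-VDOM link or a shared physical port in the wide capture, with no matching session or flow trace in root, is the behaviour described above rather than a leak between VDOMs.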