Troubleshooting Tip: FortiAnalyzer Packet Capture

FortiAnalyzer

FortiAnalyzer can receive logs and Windows host events directly from endpoints connected to EMS, and you can use FortiAnalyzer to analyze the logs and run reports.

Article Id 419757

Description

This article describes how to perform packet capture using the FortiAnalyzer Web interface. The advantage of this way is that the capture can be downloaded as a ready file. pcap format.

Scope

FortiAnalyzer.

Solution

FortiGate and other Fortinet products use the OFTPD protocol to transfer logging data through secure or insecure protocols over port 514.

To track the traffic, first confirm the protocol used, for example, on a FortiGate device, run the following command:

To be executed on FortiGate:

get log fortianalyzer setting

set status enable

set certificate-verification enable

set reliable enable -> Disabled by default.

The setting of reliable enables TCP, together with certificate verification establish a secure connection. If the setting is disabled, then UDP will be used to forward logging data.

For testing purposes, capture the inbound traffic from a FortiGate to the FortiAnalyzer port1.

From the GUI -> System Settings -> Network -> Packet Capture, + Create New.

Select OK and start capturing from the Actions column.

Start Capture.png

Once the sample is taken, select stop and download in the Actions column.

Open the resulting file with the desired network analyzer.

235

Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Troubleshooting Tip: FortiAnalyzer Packet Capture

You are leaving our website