FortiAnalyzer
fgallardo1 (Staff)
Article Id 419757
Description

This article describes how to take a packet capture from the FortiAnalyzer web interface. The advantage of this method is that the capture can be downloaded directly as a ready-to-use .pcap file.

Scope

FortiAnalyzer.
Solution

FortiGate and other Fortinet products use the OFTPD protocol to transfer logging data to FortiAnalyzer over port 514, either as a secure (TCP with certificate verification) or an insecure (UDP) connection.

To know what to look for in the capture, first confirm which transport is in use. For example, on a FortiGate device, run the following command:

show log fortianalyzer setting
    set status enable
    set certificate-verification enable
    set reliable enable

The reliable setting enables TCP; together with certificate-verification it establishes a secure connection. If reliable is disabled, UDP is used to forward the logging data instead.

 

For testing purposes, capture the inbound traffic from a FortiGate on the FortiAnalyzer port1 interface.

  • From the GUI, go to System Settings -> Network -> Packet Capture and select + Create New.

[Screenshot: FAZCAP1.jpg]

  • Select OK, then start the capture from the Actions column.

[Screenshot: Start Capture.png]

  • Once enough traffic has been captured, select Stop and then Download in the Actions column.

[Screenshot: FAZCAP2.jpg]

  • Open the resulting .pcap file with the network analyzer of your choice.

[Screenshot: FAZCAP3.jpg]
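Once the .pcap is downloaded, the first thing worth checking is that the log traffic on port 514 really uses the transport the FortiGate configuration claims (TCP with certificate verification when reliable is enabled, UDP otherwise). The following script is an added example and not part of the Fortinet article: it is a dependency-free parser for classic libpcap files (pcapng is not handled) that classifies every packet involving port 514 as UDP clear text, TCP carrying a TLS record header, TCP with other payload, or TCP without payload, and tallies the result per source/destination pair. The sample packets it builds are constructed for the demonstration; the addresses 10.0.0.1 and 10.0.0.2 and the log line they carry are assumptions, not values from the article.

```python
"""Summarise FortiGate -> FortiAnalyzer log traffic found in a .pcap capture.

Added example (not code from the Fortinet article). It reads a classic
libpcap file, finds IPv4 packets that involve port 514 and reports whether
each one is a UDP datagram (clear text) or a TCP segment, and for TCP whether
the payload starts with a TLS record header.
"""
import struct
from collections import Counter

LOG_PORT = 514            # port used for OFTP log forwarding, per the article
ETH_IPV4 = 0x0800
PCAP_MAGIC = 0xA1B2C3D4   # classic libpcap magic (microsecond timestamps)


def iter_frames(data):
    """Yield the raw Ethernet frame of every record in a classic pcap file."""
    if struct.unpack('<I', data[:4])[0] == PCAP_MAGIC:
        end = '<'                           # little-endian writer
    elif struct.unpack('>I', data[:4])[0] == PCAP_MAGIC:
        end = '>'                           # big-endian writer
    else:
        raise ValueError('not a classic libpcap file (pcapng is not handled)')
    if struct.unpack(end + 'I', data[20:24])[0] != 1:
        raise ValueError('only the Ethernet link type is handled')
    off = 24                                # size of the global header
    while off + 16 <= len(data):            # 16 = per-record header
        incl_len = struct.unpack(end + 'I', data[off + 8:off + 12])[0]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def classify(frame):
    """Return (src, dst, label) for a packet on LOG_PORT, or None otherwise."""
    if len(frame) < 14 or struct.unpack('>H', frame[12:14])[0] != ETH_IPV4:
        return None
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4                # IPv4 header length in bytes
    proto = ip[9]
    src = '.'.join(str(b) for b in ip[12:16])
    dst = '.'.join(str(b) for b in ip[16:20])
    l4 = ip[ihl:]
    if proto == 17 and len(l4) >= 8:        # UDP: no transport security possible
        sport, dport = struct.unpack('>HH', l4[:4])
        label = 'udp-cleartext'
    elif proto == 6 and len(l4) >= 20:      # TCP: inspect the first payload bytes
        sport, dport = struct.unpack('>HH', l4[:4])
        payload = l4[(l4[12] >> 4) * 4:]
        if not payload:
            label = 'tcp-no-payload'        # SYN/ACK-only segments
        elif payload[0] in (0x16, 0x17) and payload[1] == 0x03:
            label = 'tcp-tls'               # TLS handshake or application-data record
        else:
            label = 'tcp-cleartext'
    else:
        return None
    if LOG_PORT not in (sport, dport):
        return None
    return src, dst, label


def summarize(pcap_bytes):
    """Count packets per (src, dst, label) for all traffic touching LOG_PORT."""
    counts = Counter()
    for frame in iter_frames(pcap_bytes):
        hit = classify(frame)
        if hit:
            counts[hit] += 1
    return counts


# --- constructed sample capture (not a real FortiGate/FortiAnalyzer trace) ---
def _frame(src, dst, proto, l4):
    ip = struct.pack('>BBHHHBBH4s4s', 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, src, dst)
    return b'\x00' * 12 + struct.pack('>H', ETH_IPV4) + ip + l4   # checksums left zero


def _udp(sport, dport, payload):
    return struct.pack('>HHHH', sport, dport, 8 + len(payload), 0) + payload


def _tcp(sport, dport, flags, payload):
    return struct.pack('>HHIIBBHHH', sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0) + payload


def build_sample_pcap():
    """One UDP log datagram, one TCP SYN and one TLS record, all to port 514 (constructed)."""
    fgt, faz = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])      # assumed addresses
    frames = [
        _frame(fgt, faz, 17, _udp(40000, LOG_PORT, b'<189>date=2024-01-01 logid=0000000013')),
        _frame(fgt, faz, 6, _tcp(40001, LOG_PORT, 0x02, b'')),                    # SYN
        _frame(fgt, faz, 6, _tcp(40001, LOG_PORT, 0x18, b'\x16\x03\x01\x00\x05hello')),
    ]
    out = struct.pack('<IHHiIII', PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack('<IIII', 1700000000 + i, 0, len(f), len(f)) + f
    return out


if __name__ == '__main__':
    for (src, dst, label), n in sorted(summarize(build_sample_pcap()).items()):
        print(f'{src} -> {dst}: {label} x{n}')
```

To analyse a real download, replace the sample with `summarize(open('capture.pcap', 'rb').read())`. If the FortiGate shows `set reliable enable` but the summary contains `udp-cleartext` or `tcp-cleartext` entries, the device is not forwarding logs the way its configuration suggests and the path between the two devices deserves a closer look.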