FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
dbabic
Staff
Article Id 196764

Description


This article describes the options available for packet capture in FortiAuthenticator.

Scope

FortiAuthenticator.

Solution

  1. GUI packet capture

  • Go to System -> Network -> Packet Capture.
  • Start a capture on a specific interface, stop it, and download the results.
  • Pros: Easily available in the GUI. Useful if only HTTPS access to the unit is available.
  • Cons: It is not possible to configure any host/protocol/port filters; everything is captured. The only filtering options are: maximum number of packets, IPv6 on/off, non-IP packets on/off.

  2. SSH: tcpdump

#> execute tcpdump <arguments> <filter>

Below is a selection of useful options:

  • -i <interface name> : specify the interface on which to run the packet capture
  • -c <number> : specify the maximum number of packets to capture and display before stopping
  • -v : increase verbosity when parsing the packet (the default output logs a single line per received packet)
  • -x : include a hex dump of the payload (minus the Ethernet header)
  • -xx : same as -x, plus the Ethernet header
  • -n : do not convert IP addresses and ports to names
  • To stop the packet capture manually, press CTRL + C.

Example usage and output:

#> execute tcpdump -c2 -v -i port1 host 172.16.16.254 and port 1812

Options used in the example:

  • -c2 : capture two packets, then stop
  • -v : verbose output (notice how the packets were interpreted as RADIUS communication and the individual attributes printed out)
  • -i port1 : capture only on the interface named "port1"
  • host 172.16.16.254 and port 1812 : capture filter (capture only packets with host IP 172.16.16.254 and TCP/UDP port 1812)
  • Pros: Allows detailed filtering to show only the packets relevant for troubleshooting.
  • Cons: Does not easily allow conversion to a capture file.

  3. SSH: tcpdumpfile

#> execute tcpdumpfile <arguments> <filter>

  • This command is similar to tcpdump above, with the difference that the captured packets are not displayed in the SSH console (it is normal to see no packets displayed while the capture is running).
  • To stop the capture, press Ctrl+C.
  • Once the packet capture ends (either after manually stopping it or after reaching the set packet count), a converted pcap file becomes available for download in the GUI.
  • Note: Since the captured packets are not displayed, it is not necessary to use any options that affect verbosity or other visuals of the output (-v, -x, -n, etc.).
  • The most recent packet capture file is available in the GUI at the following path:

https://<fortiauthenticator-fqdn-or-ip>/debug/

  • In the top-left corner, in the Service drop-down menu, select the option "CLI packet capture (tcpdumpfile)" to download the most recent capture.
    It is also possible to get to the download directly by opening:

https://<fortiauthenticator-fqdn-or-ip>/debug/pcap-dump/

  • The file is in pcap format, ready to be opened for further analysis in Wireshark, for example.
  • Pros: Allows detailed filtering and provides automatic conversion to a pcap file.
  • Cons: Both SSH and GUI access needed.
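The downloaded pcap can also be triaged with a script instead of Wireshark. The following is an added example (not FortiAuthenticator or Fortinet code) that walks a libpcap file and decodes the RADIUS datagrams on UDP 1812, the same traffic the tcpdump example above filters on; the sample capture is constructed inline, and the NAS address 172.16.16.254 and server address 10.0.0.1 are assumed.

```python
import struct
# Added example, not FortiAuthenticator code: decode RADIUS datagrams on UDP 1812 (the traffic
# the tcpdump example above filters on) from a libpcap file such as the /debug/pcap-dump/ download.
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address", 32: "NAS-Identifier"}

def parse_radius(payload):
    code, ident, length = struct.unpack("!BBH", payload[:4])
    attrs, pos = [], 20                   # 20-byte header: code, id, length, authenticator
    while pos + 2 <= min(length, len(payload)):
        typ, alen = payload[pos], payload[pos + 1]
        if alen < 2:                      # malformed attribute: stop instead of looping forever
            break
        value = payload[pos + 2:pos + alen]
        if typ == 2:                      # User-Password is secret-obfuscated; never echo it
            value = b"<redacted>"
        attrs.append((ATTR_NAMES.get(typ, f"Attr-{typ}"), value))
        pos += alen
    return RADIUS_CODES.get(code, f"Code-{code}"), ident, attrs

def radius_from_pcap(data, port=1812):
    endian = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    pos, found = 24, []
    while pos + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[pos:pos + 16])[2]
        pkt = data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if linktype != 1 or len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
            continue                      # skip anything that is not Ethernet + IPv4
        ip = pkt[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 17:                   # IP protocol 17 = UDP
            continue
        sport, dport, ulen = struct.unpack("!HHH", ip[ihl:ihl + 6])
        if port not in (sport, dport):
            continue
        src, dst = (".".join(map(str, ip[o:o + 4])) for o in (12, 16))
        found.append((src, sport, dst, dport, parse_radius(ip[ihl + 8:ihl + ulen])))
    return found

def build_sample_pcap():
    # Constructed Access-Request 172.16.16.254:51000 -> 10.0.0.1:1812 (assumed addresses, not a real capture).
    attrs = bytes([1, 7]) + b"alice" + bytes([2, 18]) + bytes(16) + bytes([4, 6, 172, 16, 16, 254])
    radius = struct.pack("!BBH", 1, 42, 20 + len(attrs)) + bytes(16) + attrs
    udp = struct.pack("!HHHH", 51000, 1812, 8 + len(radius), 0) + radius
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                     bytes([172, 16, 16, 254]), bytes([10, 0, 0, 1])) + udp
    frame = bytes(12) + b"\x08\x00" + ip  # zero MACs, EtherType 0x0800 (IPv4)
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # pcap 2.4, LINKTYPE_ETHERNET
    return header + struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
```

To run it on a real download, read the file with `open(path, "rb").read()` and pass the bytes to `radius_from_pcap`; only Ethernet-framed IPv4 captures are handled.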
