| Description | This article describes how asymmetric traffic handling in FortiGate deployments using Fortinet FGSP relies on UDP-encapsulated packet forwarding between peers, often obscuring the original traffic in packet captures. The Wireshark Lua dissector decodes and strips FGSP headers to reveal the internal packets forwarded between FortiGate units. |
| Scope | FortiGate, Azure, AWS, Google Cloud. |
| Solution |
In a scenario with asymmetric traffic and UTM, like the one in the above diagram, the FGSP peer that receives the traffic encapsulates it in UDP and forwards it back to the session owner. If this traffic is captured between the peers (on the peer link interface) and opened in Wireshark, the following is visible:
To ensure Wireshark loads the Lua dissector plugin at startup, place the file attached to this article in the following directory: %appdata%\Wireshark\plugins or ~/.local/lib/wireshark/plugins.
The same capture file can then be opened in Wireshark, with the following result:
Frame 159 (seen in the previous screenshot), with length 98, is decapsulated. The FGSP headers are stripped and the inner packet is shown in Wireshark. In this example, it is an ICMP echo reply.
This is an easy way to reveal the inner packets in this scenario. It is also possible to do it manually by following the steps in Technical Tip: Understanding FGSP in Cloud Networks with UTM Firewall Policies.
Note: If encapsulation is being used under config system standalone-cluster, this plugin will not show the inner packet as seen here. |
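To illustrate what the decapsulation step recovers, the following added example (not Fortinet's plugin and not code from this article) locates an inner IPv4 packet inside a captured UDP payload by scanning for a header whose version, lengths and checksum are all valid. It assumes the inner packet is carried unmodified after a header of unknown length; the FGSP header layout is not given on this page, so the 12-byte prefix and the addresses in the sample are constructed.

```python
import struct

def fold16(data: bytes) -> int:
    """One's-complement 16-bit sum used by the IPv4 and ICMP checksums."""
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def find_inner_ipv4(payload: bytes):
    """Return (offset, inner_packet) for the first plausible IPv4 packet, else None."""
    for off in range(0, len(payload) - 19):
        first = payload[off]
        if first >> 4 != 4:                      # IP version must be 4
            continue
        ihl = (first & 0x0F) * 4                 # header length in bytes
        if ihl < 20 or off + ihl > len(payload):
            continue
        total_len = struct.unpack_from("!H", payload, off + 2)[0]
        if total_len < ihl or off + total_len > len(payload):
            continue
        # A header that includes its own checksum folds to 0xFFFF.
        if fold16(payload[off:off + ihl]) == 0xFFFF:
            return off, payload[off:off + total_len]
    return None

def build_sample() -> bytes:
    """Constructed sample: 12 opaque bytes followed by an ICMP echo reply."""
    icmp = struct.pack("!BBHHH", 0, 0, 0, 1, 1) + b"abcdefgh"   # type 0 = echo reply
    icmp = icmp[:2] + struct.pack("!H", ~fold16(icmp) & 0xFFFF) + icmp[4:]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                      bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    hdr = hdr[:10] + struct.pack("!H", ~fold16(hdr) & 0xFFFF) + hdr[12:]
    # Placeholder prefix, NOT the real FGSP header; it starts with 0x45 on
    # purpose so the scan has to reject a false candidate at offset 0.
    prefix = bytes.fromhex("45000000deadbeef0000abcd")
    return prefix + hdr + icmp

if __name__ == "__main__":
    found = find_inner_ipv4(build_sample())
    if found:
        off, inner = found
        print(f"inner IPv4 packet at offset {off}, protocol {inner[9]}, "
              f"{len(inner)} bytes")
```

Because this is a heuristic, a match should be confirmed against the plugin's output or the manual steps in the referenced Technical Tip.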
Copyright 2026 Fortinet, Inc. All Rights Reserved.