FortiGate
nnair
Staff
Article Id 326673
Description: This article describes why it is necessary to disable ASIC offloading on a firewall policy when using the built-in sniffer.
Scope: FortiGate with ASIC.
Solution

The FortiGate integrated sniffer will not capture packets that are offloaded to the integrated ASIC, i.e. the NP6 or NP7 processors, including their 'lite' variants (NP6lite, for example). Such packets are still visible in a flow trace, but the sniffer will not show them.

If necessary, run a flow trace, which shows the policy evaluation of any given packet, in the following way:


diag debug console timestamp enable
diag debug flow filter addr <IP>
diag debug flow show iprope enable
diag debug enable
diag debug flow trace start 20

This will capture 20 packets, each identifiable by its 'trace_id=<number>'.
The packet capture itself on FortiGate would run as:

diag sniffer packet any 'host <IP>' 6 20 a

This would also capture 20 packets, however only those that are not offloaded. To change this behavior, disable ASIC offloading in the firewall policy.
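The flow trace tells you which policy a packet matched and whether it belongs to a session the ASIC will offload, which is exactly what you need before deciding where to set 'auto-asic-offload disable'. The following Python helper is an added example, not part of this article or of FortiOS: it parses the 'trace_id=... func=... msg="..."' lines that 'diag debug flow trace' prints, collects the 5-tuple, session id and matching policy id per traced packet, and emits the CLI snippet to toggle offloading on just those policies. The sample trace lines are constructed for this example and only approximate real FortiGate output; the function names are assumptions.

```python
import re

# Constructed sample of flow-trace output (format approximated from
# 'diag debug flow trace start'; addresses, ids and policies are made up).
SAMPLE_TRACE = """\
2024-01-01 10:00:00 id=20085 trace_id=1 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=6, 10.0.0.5:51234->192.0.2.10:443) tun_id=0.0.0.0 from port1. flag [S], seq 1, ack 0, win 64240"
2024-01-01 10:00:00 id=20085 trace_id=1 func=init_ip_session_common line=6073 msg="allocate a new session-00001a2b, tun_id=0.0.0.0"
2024-01-01 10:00:00 id=20085 trace_id=1 func=iprope_dnat_check line=5287 msg="in-[port1], out-[]"
2024-01-01 10:00:00 id=20085 trace_id=1 func=fw_forward_handler line=990 msg="Allowed by Policy-7:"
2024-01-01 10:00:01 id=20085 trace_id=2 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=6, 192.0.2.10:443->10.0.0.5:51234) tun_id=0.0.0.0 from port2. flag [S.], seq 9, ack 2, win 65535"
2024-01-01 10:00:01 id=20085 trace_id=2 func=resolve_ip_tuple_fast line=5984 msg="Find an existing session, id-00001a2b, reply direction"
2024-01-01 10:00:02 id=20085 trace_id=3 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=6, 10.0.0.5:51240->192.0.2.20:80) tun_id=0.0.0.0 from port1. flag [S], seq 5, ack 0, win 64240"
2024-01-01 10:00:02 id=20085 trace_id=3 func=init_ip_session_common line=6073 msg="allocate a new session-00001a2c, tun_id=0.0.0.0"
2024-01-01 10:00:02 id=20085 trace_id=3 func=fw_forward_handler line=990 msg="Allowed by Policy-12:"
"""

# One trace line: the trace_id groups all messages for a single packet.
LINE_RE = re.compile(r'trace_id=(?P<tid>\d+)\s+func=(?P<func>\S+)\s+line=\d+\s+msg="(?P<msg>[^"]*)"')
# The 'received a packet(...)' message carries the 5-tuple of the packet.
PKT_RE = re.compile(r'received a packet\(proto=(?P<proto>\d+), (?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)\)')
# New sessions are announced as 'session-<id>', matched ones as 'id-<id>'.
SESSION_RE = re.compile(r'(?:session-|id-)(?P<sid>[0-9a-f]+)')
# The policy that accepted the packet; this is the policy to edit.
POLICY_RE = re.compile(r'Allowed by Policy-(?P<pid>\d+)')


def summarize_trace(text):
    """Return {trace_id: {'tuple', 'session', 'policy'}} for each traced packet."""
    flows = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a flow-trace line (e.g. the 'diag' echo or a blank)
        tid = int(m['tid'])
        rec = flows.setdefault(tid, {'tuple': None, 'session': None, 'policy': None})
        msg = m['msg']
        pm = PKT_RE.search(msg)
        if pm:
            rec['tuple'] = (int(pm['proto']), pm['src'], int(pm['sport']),
                            pm['dst'], int(pm['dport']))
        sm = SESSION_RE.search(msg)
        if sm and rec['session'] is None:
            rec['session'] = sm['sid']
        pol = POLICY_RE.search(msg)
        if pol:
            rec['policy'] = int(pol['pid'])
    return flows


def packet_count(flows):
    """Number of distinct packets traced (one trace_id per packet)."""
    return len(flows)


def policies_to_adjust(flows):
    """Sorted policy ids that accepted traced packets; reply packets that
    matched an existing session carry no policy line and are skipped."""
    return sorted({r['policy'] for r in flows.values() if r['policy'] is not None})


def offload_cli(policy_ids, enable=False):
    """Render the FortiOS CLI to disable (or re-enable) ASIC offload on the
    given policies; 'next' closes each edit block before 'end'."""
    state = 'enable' if enable else 'disable'
    lines = ['config firewall policy']
    for pid in policy_ids:
        lines += [f'    edit {pid}', f'        set auto-asic-offload {state}', '    next']
    lines.append('end')
    return '\n'.join(lines)


if __name__ == '__main__':
    flows = summarize_trace(SAMPLE_TRACE)
    print(f'{packet_count(flows)} packets traced')
    for tid, rec in sorted(flows.items()):
        print(f"trace_id={tid} tuple={rec['tuple']} session={rec['session']} policy={rec['policy']}")
    print(offload_cli(policies_to_adjust(flows)))
    print(offload_cli(policies_to_adjust(flows), enable=True))
```

Paste the flow-trace output captured from the console into SAMPLE_TRACE (or read it from a file) and the script prints the policies that actually carried the traffic, so offloading is disabled only there and re-enabled with the same list afterwards.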


Command to disable ASIC in policy:


config firewall policy
    edit <policy_id>
        set auto-asic-offload disable
    next
end


Note:

Create a more specific firewall policy that matches only the traffic being troubleshot and disable ASIC offloading just there, to prevent CPU overutilization. Remember to revert the change once the troubleshooting is done.


Command to re-enable the ASIC in policy after testing:


config firewall policy
    edit <policy_id>
        set auto-asic-offload enable
    next
end