FortiGate
nnair
Staff
Article Id 326673
Description This article describes why it is necessary to disable ASIC offloading on a firewall policy before using the built-in packet sniffer.
Scope FortiGate with ASIC (NP6 or NP7, including the 'lite' versions).
Solution

The FortiGate integrated sniffer will not capture packets that are offloaded to the integrated ASIC, that is, NP6 or NP7, including the 'lite' versions (NP6lite, for example). Such packets can still be seen with a flow trace, but the sniffer will not show them.

If necessary, run a flow trace, which shows the policy evaluation for any given packet, with the following commands:

diagnose debug console timestamp enable
diagnose debug flow filter addr <IP>
diagnose debug flow show iprope enable
diagnose debug enable
diagnose debug flow trace start 20

This traces 20 packets, each identifiable by its 'trace_id=<number>'. When done, press 'Ctrl+C' and enter 'diagnose debug disable' to stop the debug process.


The packet capture itself on FortiGate would run as follows (interface 'any', filter 'host <IP>', verbosity level 6, 20 packets, absolute timestamps):


diagnose sniffer packet any 'host <IP>' 6 20 a

To stop the sniffer, press 'Ctrl+C'.

This also captures 20 packets, but only those that are not offloaded to the ASIC. To see offloaded traffic in the sniffer, disable ASIC offloading in the firewall policy that matches it.

Command to disable ASIC offloading in the policy:

config firewall policy
    edit <policy_id>
        set auto-asic-offload disable
    next
end

 

Note:

To avoid overloading the CPU, create a more specific firewall policy that matches only the traffic under investigation and disable ASIC offloading on that policy alone. Remember to revert the change once troubleshooting is done.

Command to re-enable ASIC offloading in the policy after testing:

config firewall policy
    edit <policy_id>
        set auto-asic-offload enable
    next
end
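The sequence above (disable offloading on one policy, capture, re-enable) as an added example that is not part of the original article: a small Python helper that builds the CLI lines, validates the inputs, and guarantees the revert step even if the capture fails. The 'send' callable is an assumed transport (for example, a wrapper around an SSH session); it is hypothetical and not a FortiGate API.

```python
import ipaddress
from typing import Callable, List

# Assumed transport: send(line) writes one CLI line to the FortiGate and
# returns its output. Hypothetical interface, not a FortiGate API.
Send = Callable[[str], str]


def offload_commands(policy_id: int, enable: bool) -> List[str]:
    """CLI lines toggling auto-asic-offload on a single policy, as in the article."""
    if policy_id < 1:
        raise ValueError("policy_id must be a positive integer")
    state = "enable" if enable else "disable"
    return [
        "config firewall policy",
        f"edit {policy_id}",
        f"set auto-asic-offload {state}",
        "next",
        "end",
    ]


def sniffer_command(host: str, count: int = 20) -> str:
    """Sniffer line from the article; the host is validated as an IP address."""
    ip = ipaddress.ip_address(host)  # raises ValueError on malformed input
    return f"diagnose sniffer packet any 'host {ip}' 6 {count} a"


def capture_with_offload_disabled(send: Send, policy_id: int,
                                  host: str, count: int = 20) -> str:
    """Disable offload on one policy, run the sniffer, then always re-enable offload."""
    for line in offload_commands(policy_id, enable=False):
        send(line)
    try:
        return send(sniffer_command(host, count))
    finally:
        # Revert even if the capture fails, so the policy does not stay on the CPU path.
        for line in offload_commands(policy_id, enable=True):
            send(line)
```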