FortiGate
rsingla
Staff
Description
This article describes how to calculate the number of fragmented packets per second hitting a FortiGate.

Scope
In the absence of an SNMP monitoring solution or graphs that can display the number of fragmented packets hitting the FortiGate, the rate can be worked out manually with a simple process.

Solution
On the FortiGate, run these two commands every 5 seconds. Repeat them as many times as required.
# get system status
# diagnose snmp ip frags
The sample output looks like this:
FortiGate-VM64-KVM # get system status
Version: FortiGate-VM64-KVM v6.2.5,build1142,200819 (GA)
Virus-DB: 1.00000(2018-04-09 18:07)
Extended DB: 1.00000(2018-04-09 18:07)
Extreme DB: 1.00000(2018-04-09 18:07)
IPS-DB: 6.00741(2015-12-01 02:30)
IPS-ETDB: 0.00000(2001-01-01 00:00)
APP-DB: 6.00741(2015-12-01 02:30)
INDUSTRIAL-DB: 6.00741(2015-12-01 02:30)
Serial-Number: FGVMEVUEKETZHND9
IPS Malicious URL Database: 1.00001(2015-01-01 01:01)
Botnet DB: 1.00000(2012-05-28 22:51)
License Status: Expired
Evaluation License Expires: Mon Nov  9 04:27:53 2020
VM Resources: 1 CPU/1 allowed, 2010 MB RAM/2048 MB allowed
Log hard disk: Available
Hostname: FortiGate-VM64-KVM
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 1
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: standalone
Branch point: 1142
Release Version Information: GA
FortiOS x86-64: Yes
System time: Tue Nov 10 03:55:12 2020


FortiGate-VM64-KVM # diagnose snmp ip frags
ReasmTimeout = 2167
ReasmReqds   = 26235863
ReasmOKs     = 13114634
ReasmFails   = 5083
FragOKs      = 13114634
FragFails    = 0
FragCreates  = 26229268
Repeat these commands multiple times and note down the following information:

1) In the output of "get system status", the last line shows the "System time". Note the minutes and seconds from this line.
2) In the output of "diagnose snmp ip frags", note the value of "ReasmReqds".

The formula to calculate the number of fragmented packets per second hitting the FortiGate is as follows:

Latest Output of ReasmReqds = X
Previous Output of ReasmReqds = Y

Latest Time stamp : T2
Previous Time stamp : T1

Formula : (X-Y)/(T2-T1) = Number of fragmented packets per second hitting the FortiGate

For example:

If the value of ReasmReqds at time 03:55:12 is 100000 and at time 03:55:17 is 200000,
the time difference between the two outputs is 5 seconds.

As per the formula : (200000-100000)/5 = 20000 fragmented packets per second.

This gives an average over the interval. The same formula can be repeated for consecutive outputs to see how the fragmented packet rate changes over time.
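The calculation above applied to a saved console session, as an added example that is not part of the original article: it pairs each "System time" line with the next "ReasmReqds" value and applies (X-Y)/(T2-T1) to every consecutive pair. The function names and the sample text are constructed for illustration, and skipping an interval when the counter goes backwards is an assumption about how to treat a counter reset.

```python
import re
from datetime import datetime

# Constructed sample, trimmed to the two lines the article uses per capture.
# The first two captures reuse the article's worked example; the rest are made up.
SAMPLE_SESSION = """\
System time: Tue Nov 10 03:55:12 2020
ReasmReqds   = 100000
System time: Tue Nov 10 03:55:17 2020
ReasmReqds   = 200000
System time: Tue Nov 10 03:55:22 2020
ReasmReqds   = 230000
System time: Tue Nov 10 03:55:27 2020
ReasmReqds   = 500
"""

def parse_samples(text):
    """Return [(datetime, ReasmReqds)], pairing each 'System time' with the next counter."""
    samples, pending = [], None
    for line in text.splitlines():
        m = re.match(r"\s*System time:\s*(.+?)\s*$", line)
        if m:
            # Collapse padding such as "Nov  9" before parsing the full timestamp.
            stamp = " ".join(m.group(1).split())
            pending = datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y")
            continue
        m = re.match(r"\s*ReasmReqds\s*=\s*(\d+)", line)
        if m and pending is not None:
            samples.append((pending, int(m.group(1))))
            pending = None
    return samples

def frag_rates(samples):
    """Apply (X - Y) / (T2 - T1) to each consecutive pair of samples."""
    rates = []
    for (t1, y), (t2, x) in zip(samples, samples[1:]):
        seconds = (t2 - t1).total_seconds()
        if seconds <= 0 or x < y:
            # Same-second captures, a clock change, or a counter that went
            # backwards (assumed reset): no meaningful rate for this interval.
            rates.append((t2, None))
        else:
            rates.append((t2, (x - y) / seconds))
    return rates

if __name__ == "__main__":
    for when, rate in frag_rates(parse_samples(SAMPLE_SESSION)):
        print(when.time(), "skipped" if rate is None else f"{rate:.0f} frags/s")
```

Parsing the full timestamp rather than only minutes and seconds keeps the interval correct when captures span an hour or day boundary.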
