hrahuman_FTNT
Article Id 244412
Description This article describes how to enable logging for one-arm filter traffic.
Scope FortiGate.
Solution

In one-arm sniffer mode, FortiGate examines and logs packets based on the configured IPS sensor and application control list.

If no UTM features are enabled on the one-arm sniffer interface, nothing is logged on the FortiGate or forwarded to FortiAnalyzer/memory.

 

Enable the UTM features (IPS, Application Control) on the sniffer policy (it is not possible to use a one-arm interface in a firewall policy).

Traffic sent to the interface is examined for matches to the configured IPS sensor and application control list and will be logged to FortiAnalyzer/memory.

 

config firewall sniffer
    edit 2
        set interface "wan2"
        set application-list-status enable
        set application-list "sniffer-profile"
        set ips-sensor-status enable
        set ips-sensor "sniffer-profile"
        set av-profile-status enable
        set av-profile "sniffer-profile"
        set webfilter-profile-status enable
        set webfilter-profile "sniffer-profile"
        set file-filter-profile-status enable
        set file-filter-profile "sniffer-profile"
    next
end

 

Check the sniffer log in Log & Report.
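To audit a configuration for sniffer policies that will log nothing because no UTM profile is enabled, the following added example (not Fortinet's code and not part of the original article) parses the text of a `config firewall sniffer` section, for instance from a configuration backup. The function names and the sample configuration are constructed for illustration; the status keys are the five shown in the article's policy.

```python
# Status keys taken from the article's example sniffer policy.
UTM_STATUS_KEYS = ("application-list-status", "ips-sensor-status", "av-profile-status",
                   "webfilter-profile-status", "file-filter-profile-status")

def parse_sniffer_policies(config_text):
    """Return {policy_id: {setting: value}} for each 'edit' under 'config firewall sniffer'."""
    policies, current, in_section, nested = {}, None, False, 0
    for raw in config_text.splitlines():
        line = raw.strip()
        if not in_section:
            in_section = line == "config firewall sniffer"
        elif line.startswith("config "):
            nested += 1                  # sub-table inside a policy: skip its contents
        elif line == "end" and nested:
            nested -= 1
        elif line == "end":
            in_section = False           # end of the sniffer section itself
        elif nested:
            continue
        elif line.startswith("edit "):
            current = policies.setdefault(line.split(None, 1)[1], {})
        elif line == "next":
            current = None
        elif current is not None and line.startswith("set "):
            parts = line.split(None, 2)
            if len(parts) == 3:
                current[parts[1]] = parts[2].strip('"')
    return policies

def silent_policies(config_text):
    """IDs of sniffer policies with no UTM profile enabled (these produce no logs)."""
    return [pid for pid, settings in parse_sniffer_policies(config_text).items()
            if not any(settings.get(key) == "enable" for key in UTM_STATUS_KEYS)]

# Constructed sample: policy 1 has no profiles, policy 2 enables the IPS sensor.
SAMPLE = """config firewall sniffer
    edit 1
        set interface "wan1"
    next
    edit 2
        set interface "wan2"
        set ips-sensor-status enable
        set ips-sensor "sniffer-profile"
    next
end"""

if __name__ == "__main__":
    for pid in silent_policies(SAMPLE):
        print(f"sniffer policy {pid}: no UTM profile enabled, nothing will be logged")
```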

