FortiGate
jintrah_FTNT
Staff
Article Id 193036

Description

This article describes how to run a packet capture (sniffer) on a dedicated, reserved HA management interface of a FortiGate.

Scope

FortiGate, High Availability (HA).

Solution

When configured, reserved HA management interfaces allow administrators to connect directly to each member of a FortiGate HA cluster, rather than only to the primary unit. Notably, the reserved HA management interface does not belong to the Global context or to any administrator-visible VDOM (such as root); it is instead assigned to a hidden VDOM named 'vsys_hamgmt'. Refer to the following KB article for more information: Technical Tip: HA Reserved Management Interface's hidden VDOM (vsys_hamgmt VDOM).

Even so, it is still possible to run packet captures on these reserved HA management interfaces from any non-Global VDOM (for example, root). This requires the administrator account to be assigned the super_admin profile, or another profile with Global scope; a VDOM-scoped administrator account cannot do it.

In the following example, port2 has been configured as the reserved HA management interface:

config system ha
    set group-id 30
    set group-name 'test123'
    set mode a-p
    set hbdev 'port33' 100 'port11' 50
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface 'port2'
            set gateway 10.5.63.254
        next
    end
    set override disable
    set monitor 'port5' 'port6'
end

config system interface
    edit 'port2'
        set ip 10.5.51.190 255.255.0.0
        set allowaccess ping https ssh http telnet fgfm
    next
end

The following screenshot shows the Virtual Domain (VDOM) mapping of the interfaces. Note that port2 shows an empty VDOM entry, because it belongs to the hidden vsys_hamgmt VDOM rather than to root:

The following shows example sniffer output taken from the FortiGate, run from the root VDOM. The sniffer works both with the 'any' pseudo-interface and with the name of the reserved HA management interface (port2 here). Verbosity level 4 is used so that each packet line carries the interface name; note that with 'any' the direction column shows in/out, whereas capturing on a named interface shows '--':

FG1K5D-9 # config vdom
FG1K5D-9 (vdom) # edit root
current vf=root:0
FG1K5D-9 (root) # diagnose sniffer packet any 'host 10.5.51.190 and icmp' 4
interfaces=[any]
filters=[host 10.5.51.190 and icmp]
15.917954 port2 in 10.5.63.254 -> 10.5.51.190: icmp: echo request
15.917975 port2 out 10.5.51.190 -> 10.5.63.254: icmp: echo reply
16.930631 port2 in 10.5.63.254 -> 10.5.51.190: icmp: echo request
16.930645 port2 out 10.5.51.190 -> 10.5.63.254: icmp: echo reply
^C
4 packets received by filter
0 packets dropped by kernel

FG1K5D-9 (root) # diagnose sniffer packet port2 'host 10.5.51.190 and icmp' 4
1.770701 port2 -- 10.5.63.254 -> 10.5.51.190: icmp: echo request
1.770791 port2 -- 10.5.51.190 -> 10.5.63.254: icmp: echo reply
2.347829 port2 -- 10.5.63.254 -> 10.5.51.190: icmp: echo request
2.347930 port2 -- 10.5.51.190 -> 10.5.63.254: icmp: echo reply
^C
4 packets received by filter
0 packets dropped by kernel
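The following Python script is an added example for this article, not Fortinet code. It builds the 'diagnose sniffer packet' command line with the syntax shown above (interface, single-quoted filter, verbosity 1-6, optional packet count) and parses verbosity-4 output lines so that a capture taken from the root VDOM can be checked offline for which interfaces and directions actually saw traffic, which is how to confirm that the hidden-VDOM port (port2 here) was captured. The sample output embedded in the script is constructed to match the article's 'any' capture; the function and variable names are this example's own.

```python
"""Build FortiOS sniffer commands and summarise verbosity-4 sniffer output.

Added example for this article, not Fortinet code. Assumes the
'diagnose sniffer packet <iface> '<filter>' <verbosity> [<count>]' syntax
shown on the page and the verbosity-4 line format it prints:
  <timestamp> <interface> <in|out|--> <src> -> <dst>: <description>
"""
import re
from collections import Counter

# One packet line of verbosity-4 output, e.g.
# "15.917954 port2 in 10.5.63.254 -> 10.5.51.190: icmp: echo request"
# When a single interface is named instead of 'any', the direction column is "--".
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out|--)\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+):\s+(?P<desc>.+)$"
)


def sniffer_command(interface, bpf_filter, verbosity=4, count=0):
    """Return the CLI line to type on the FortiGate (inside a non-Global VDOM).

    interface:  'any' or an interface name such as 'port2'.
    bpf_filter: tcpdump-style filter; it is passed single-quoted.
    verbosity:  1-6. Levels 4-6 print the interface name with each packet,
                which is what makes traffic on a reserved HA management
                port attributable to that port when sniffing on 'any'.
    count:      0 means capture until interrupted with Ctrl-C.
    """
    if not 1 <= verbosity <= 6:
        raise ValueError("verbosity must be 1..6")
    if "'" in bpf_filter:
        raise ValueError("filter must not contain single quotes")
    cmd = f"diagnose sniffer packet {interface} '{bpf_filter}' {verbosity}"
    if count:
        cmd += f" {count}"
    return cmd


def parse_sniffer_output(text):
    """Parse verbosity-4 output into dicts; header/summary lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = float(rec["ts"])
            packets.append(rec)
    return packets


def summarize(packets):
    """Count packets per (interface, direction) and list the interfaces seen."""
    by_iface_dir = Counter((p["iface"], p["dir"]) for p in packets)
    return {
        "total": len(packets),
        "interfaces": sorted({p["iface"] for p in packets}),
        "by_iface_dir": dict(by_iface_dir),
    }


# Constructed sample modelled on the article's 'any' capture (not a real capture).
SAMPLE_ANY = """interfaces=[any]
filters=[host 10.5.51.190 and icmp]
15.917954 port2 in 10.5.63.254 -> 10.5.51.190: icmp: echo request
15.917975 port2 out 10.5.51.190 -> 10.5.63.254: icmp: echo reply
16.930631 port2 in 10.5.63.254 -> 10.5.51.190: icmp: echo request
16.930645 port2 out 10.5.51.190 -> 10.5.63.254: icmp: echo reply
4 packets received by filter
0 packets dropped by kernel
"""

if __name__ == "__main__":
    print(sniffer_command("any", "host 10.5.51.190 and icmp", 4))
    print(sniffer_command("port2", "host 10.5.51.190 and icmp", 4))
    print(summarize(parse_sniffer_output(SAMPLE_ANY)))
```

The summary is the check worth keeping: if 'port2' is absent from the interfaces list after an 'any' capture, the traffic never reached the reserved HA management port (or the account used lacked Global scope and the command was refused), regardless of what the filter matched elsewhere.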


Related article:

Troubleshooting Tip: Using the FortiOS built-in packet sniffer for capturing packets