|
The FortiGate integrated sniffer (Troubleshooting Tip: Using the FortiOS built-in packet sniffer for capturing packets) cannot capture packets that are offloaded to integrated ASICs (such as NP6 or NP7). While these packets are visible in a flow trace, they will not appear in a standard sniffer capture unless offloading is temporarily disabled.
- Run a Flow Trace:
Before disabling hardware acceleration, use a flow trace to visualize how the policy is evaluating packets.
diagnose debug console timestamp enable
diagnose debug flow filter addr <IP>
diagnose debug flow show iprope enable
diagnose debug flow show function-name enable
diagnose debug enable
diagnose debug flow trace start 20
Note:
- This will capture 20 packets, identifiable by the trace_id=<number>.
- To stop the debug process afterward, press Ctrl+C and enter diagnose debug disable.
2. Disable ASIC offloading.
Before using the packet sniffer (diagnose sniffer packet), disable ASIC offloading for the specific firewall policy.
Command to disable offloading:
config firewall policy
edit <policy_id>
set auto-asic-offload disable
end
Note:
To prevent CPU overutilization, create a dedicated firewall policy for this task and disable offloading for that policy only.
3. Run packet capture:
Once offloading is disabled, run the sniffer command:
diagnose sniffer packet any 'host <IP>' 6 20 a
The packet capture on the FortiGate itself would be run as follows:
4. Re-enable ASIC offloading:
Once troubleshooting is complete, revert the changes to restore hardware acceleration performance.
config firewall policy
edit <policy_id>
set auto-asic-offload enable
end
Related documents:
Technical Tip: FortiGate Disable Hardware Acceleration
Disabling NP offloading for firewall policies
Checking that traffic is offloaded by NP processors
|
