FortiGate
sjoshi
Staff
Article Id 404988
Description

 

This article describes how to automate the execution of packet sniffer commands on FortiGate firewalls using Tera Term TTL scripting. It covers common syntax pitfalls, shows how to properly format sniffer filters, and provides a working example to streamline CLI-based diagnostics.

 

Scope

 

FortiGate

 

Solution

 

Troubleshooting network issues on FortiGate firewalls often involves running packet captures with the CLI-based sniffer commands. There are situations where automating that capture becomes essential, particularly with intermittent issues that occur unpredictably or last only a few seconds: manual execution may not be fast or consistent enough to capture the necessary data at the right moment. To streamline this, Tera Term's TTL scripting can be used to automate sniffer execution with predefined filters, so that the capture is started, logged and stopped the same way every time.

 

Let’s take an example where FortiGate heartbeat packet loss is occurring intermittently, resulting in a split-brain scenario in a high availability (HA) cluster.

 

To determine whether heartbeat packets sent from FortiGate A are successfully reaching FortiGate B (and vice versa), it is essential to perform a packet capture using the appropriate interface and filters, as shown below:

 

diagnose sniffer packet any 'ether proto 0x8890' 4 0 l | grep ha1

Here ha1 is the heartbeat port. The arguments mean: any listens on all interfaces; 'ether proto 0x8890' matches HA heartbeat frames by their Ethernet type (0x8890 is the default ha-eth-type under config system ha; if it has been changed, adjust the filter); verbosity 4 prints the packet header together with the interface name, which is what makes the grep on ha1 possible; 0 sets no packet count limit, so the capture runs until it is stopped with Ctrl-C; and l prints absolute local timestamps. Run the same command on both cluster members: if heartbeats are seen leaving ha1 on one unit but never arrive on ha1 of the other, the loss is on the path between them rather than in the units themselves.

 

While automating this process using a TTL script, the following error might be encountered:

 

TTL Script used:

 

[screenshot: 1.PNG]

 

Error snapshot:

 

[screenshot: 1.PNG]

 

The 'Variable not initialized' error in Tera Term's TTL script indicates that the script references a variable that has never been assigned. Here it is caused by the quoting in the sendln command: a TTL string literal delimited by single quotes ends at the next single quote, so the single quotes that the FortiGate CLI needs around the filter terminate the string early, and TTL reads what follows (ether proto 0x8890 and the rest of the line) as bare identifiers, that is, as undeclared variables.

 

To fix the quoting issue and eliminate the error, the following adjustments need to be made on the TTL script.

 

[screenshot: 1.PNG]

 

In this version, the whole command passed to sendln is enclosed in double quotes, i.e. sendln "diagnose sniffer packet any 'ether proto 0x8890' 4 0 l | grep ha1". A double-quoted TTL string may contain single quotes literally, so the filter keeps the single quotes that the FortiGate CLI requires while TTL interprets the command as one string. This prevents the 'Variable not initialized' error. The same rule applies in reverse: a string that must contain double quotes should be enclosed in single quotes.
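The following complete TTL script, added here as an example and not taken from the article's screenshots, ties the pieces together: it prompts for the password, connects over SSH, logs the session to a timestamped file, runs the heartbeat sniffer with the corrected quoting, stops it with Ctrl-C after a fixed duration and disconnects. The host address, user name, capture directory and duration are assumptions to adjust; it also assumes Tera Term 4.74 or later, so that getdate accepts a format string.

```ttl
; ha_heartbeat_capture.ttl
; Added example, not the script shown in the article's screenshots.
; Assumptions: the FortiGate is reachable over SSH at the address below,
; the admin account uses password authentication, Tera Term is 4.74 or
; later (getdate with a format string), and the capture directory exists.

host     = '192.0.2.10'        ; assumed management IP of the FortiGate
user     = 'admin'             ; assumed admin account
capdir   = 'C:\captures\'      ; assumed local directory for the log file
duration = 300                 ; seconds to sniff before stopping

; Ask for the password at run time instead of hard-coding it in the script.
passwordbox 'Password for admin on the FortiGate' 'HA heartbeat capture'
passwd = inputstr

; Build the SSH connection string and connect. After connect, result is
; 2 for a new connection, 1 if Tera Term was already connected, 0 on failure.
sprintf2 connstr '%s:22 /ssh /2 /auth=password /user=%s /passwd=%s' host user passwd
connect connstr
passwd = ''
if result = 0 then
    messagebox 'SSH connection failed' 'HA heartbeat capture'
    end
endif

; FortiGate CLI prompts end with "# ". wait sets result to 0 on timeout.
timeout = 30
wait '# '
if result = 0 then
    messagebox 'No CLI prompt received' 'HA heartbeat capture'
    disconnect 0
    end
endif

; One log file per run, named with the local timestamp, so captures from
; both cluster members can be lined up afterwards.
getdate stamp '%Y%m%d_%H%M%S'
sprintf2 logfile '%sha_heartbeat_%s.log' capdir stamp
logopen logfile 0 0

; WRONG: the nested single quotes end the string after "any ", and TTL then
; treats ether as an undeclared variable ("Variable not initialized"):
;   sendln 'diagnose sniffer packet any 'ether proto 0x8890' 4 0 l | grep ha1'
;
; RIGHT: double quotes around the whole command keep the single quotes that
; the FortiGate CLI needs around the filter.
sendln "diagnose sniffer packet any 'ether proto 0x8890' 4 0 l | grep ha1"
; Equivalent alternative using TTL character code #39 (single quote):
;   sendln 'diagnose sniffer packet any ' #39 'ether proto 0x8890' #39 ' 4 0 l | grep ha1'

; A packet count of 0 never stops on its own, so send Ctrl-C (character 3)
; after the chosen duration and wait for the prompt to return before closing
; the log, otherwise the file grows until Tera Term is closed.
pause duration
send #3
wait '# '

logclose
sendln 'exit'
disconnect 0
end
```

Run it from the workstation with ttpmacro.exe ha_heartbeat_capture.ttl, once against each cluster member (or in two Tera Term instances started at the same time), then compare the two log files: a heartbeat that appears on ha1 of one unit with no matching frame on ha1 of the other at the same timestamp is the evidence the troubleshooting article on 'Heartbeat packet lost' asks for. The password is requested interactively so it never sits in the .ttl file; if the script must run unattended, Tera Term's getpassword command with an encrypted password file is the alternative to a plain-text credential.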

 

Related articles:
Troubleshooting Tip: How to troubleshoot HA 'Heartbeat packet lost' issues in a FortiGate HA Cluster
Troubleshooting Tip: High memory and High CPU general script using Tera Term