yohashi
Staff
Article Id 391143
Description This article describes how to check for dropped packets in Qdisc.
Scope FortiGate v7.4.
Solution

To check whether packets were dropped by the Qdisc on a FortiGate, use the following command. It is useful for troubleshooting latency and packet drop issues, and for monitoring an interface under high load.

 

diagnose netlink intf-qdisc list <string>   <--- <string> specifies the interface to be used.

 

This command can be used in conjunction with interface statistics to get more context.

     

diagnose hardware deviceinfo nic <string>   <--- <string> specifies the interface to be used.

 

The above commands should be run multiple times during peak hours and monitored over time to verify if the counters are increasing.

 

Example:

Sample of checking for Qdisc drops on Port1:


diagnose netlink intf-qdisc list port1
qdisc pfifo_fast 0: root refcnt 2
Sent 292249758584 bytes 200721020 pkt (dropped 5264012, overlimits 0 requeues 106646)   <--- 'dropped 5264012' is the number of packets the Qdisc has dropped.
backlog 0B 0p
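The following is an added example, not part of the original article or Fortinet tooling: a Python sketch that compares two saved outputs of the command above to show how far the counters moved between runs. The second snapshot is constructed, and the drop percentage assumes that 'Sent ... pkt' counts packets that left the queue, so sent plus dropped approximates the packets offered to it.

```python
import re

# Matches the counter line of 'diagnose netlink intf-qdisc list <intf>' as shown above.
SENT_RE = re.compile(
    r"Sent (?P<bytes>\d+) bytes (?P<pkt>\d+) pkt "
    r"\(dropped (?P<dropped>\d+), overlimits (?P<overlimits>\d+) "
    r"requeues (?P<requeues>\d+)\)"
)

def parse_qdisc(text):
    """Return the counters from one saved command output as a dict of ints."""
    m = SENT_RE.search(text)
    if m is None:
        raise ValueError("no 'Sent ... pkt (dropped ...)' line found")
    return {k: int(v) for k, v in m.groupdict().items()}

def compare(earlier, later):
    """Compare two snapshots of the same interface, earlier one first.

    Returns per-counter deltas plus drop_pct, the share of packets offered
    to the queue during the interval that were dropped (assumption: offered
    = sent + dropped). Returns None if any counter went backwards, for
    example after a reboot, because the delta is then meaningless.
    """
    a, b = parse_qdisc(earlier), parse_qdisc(later)
    delta = {k: b[k] - a[k] for k in a}
    if any(v < 0 for v in delta.values()):
        return None
    offered = delta["pkt"] + delta["dropped"]
    delta["drop_pct"] = round(100.0 * delta["dropped"] / offered, 3) if offered else 0.0
    return delta

# SNAP_1 is the output shown in this article; SNAP_2 is constructed for illustration.
SNAP_1 = """qdisc pfifo_fast 0: root refcnt 2
Sent 292249758584 bytes 200721020 pkt (dropped 5264012, overlimits 0 requeues 106646)
backlog 0B 0p"""
SNAP_2 = """qdisc pfifo_fast 0: root refcnt 2
Sent 292251258584 bytes 200722020 pkt (dropped 5264037, overlimits 0 requeues 106650)
backlog 0B 0p"""

if __name__ == "__main__":
    print(compare(SNAP_1, SNAP_2))
```

A large lifetime 'dropped' value with a small or zero delta between peak-hour snapshots points to a past event rather than an ongoing one.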

 

Warning:

A drop counted by the Qdisc does not necessarily mean that there is a problem with the actual communication.

 

If the counters in the command output are not updating, disable offloading in the firewall policy:

 

config firewall policy
    edit <id>
        set auto-asic-offload disable
    next
end