tana
Staff
Article Id 409178
Description

This article describes the steps to collect troubleshooting data for packet drop issues on FortiGate firewalls, particularly when using IPS profiles.

Scope

FortiGate with IPS Engine build version 1040 or 1148.
Solution

To troubleshoot packet drops on a FortiGate firewall, open three CLI sessions to the FortiGate and follow these steps:

CLI Window 1: Collect debug logs. Run the debug flow and the IPS debug to collect debug logs for the affected client IP, port and protocol.


To reset the debug:

diagnose debug reset
diagnose debug disable

To enable the debug:

diagnose debug flow filter address x.x.x.x -> Enter the IP address of the client that is having the issue.
diagnose debug flow filter port x -> Enter the port that is having the issue.
diagnose debug flow show function-name enable
diagnose debug console timestamp enable
diagnose debug flow trace start 999
diagnose ips filter set host x.x.x.x and tcp port x -> Enter the client IP address and port that are having the issue.
diagnose ips debug enable all

diagnose debug enable

To stop the debug:

diagnose debug disable

For more details on additional filtering options for the debug flow, refer to this article:

Technical Tip: How to filter for IP addresses and address ranges in debug flow

For more details on additional filtering options for the IPS debug, refer to this article:

Troubleshooting Tip: Collecting IPS engine related debugs
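
As an added example (not part of the original article and not a Fortinet tool), the following Python script groups the lines collected from the debug flow in CLI Window 1 by trace_id and flags the traces in which the kernel reported a drop or deny, reporting the five-tuple and the function that produced the verdict. It assumes the usual `id=... trace_id=... func=... line=... msg="..."` line format with the console timestamp prefix enabled above; the sample lines are constructed, not captured from a device.

```python
import re

# One debug flow line. With "diagnose debug console timestamp enable" the line
# carries a date/time prefix, so the match is anchored on trace_id= instead.
LINE_RE = re.compile(
    r'trace_id=(?P<trace>\d+)\s+func=(?P<func>\S+)\s+line=\d+\s+msg="(?P<msg>[^"]*)"')
# Five-tuple from the print_pkt_detail message that opens each trace.
PKT_RE = re.compile(
    r'received a packet\(proto=(?P<proto>\d+), '
    r'(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)\)')
DROP_WORDS = ("drop", "denied")

def parse_debug_flow(text):
    """Group debug flow lines by trace_id; return trace_id -> summary dict."""
    traces = {}
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue  # not a debug flow line (IPS debug output, prompt, blank)
        tid = int(m.group("trace"))
        t = traces.setdefault(tid, {"flow": None, "dropped": False,
                                     "reason": None, "last": None})
        func, msg = m.group("func"), m.group("msg")
        p = PKT_RE.search(msg)
        if p and t["flow"] is None:
            t["flow"] = "proto=%s %s:%s -> %s:%s" % (
                p.group("proto"), p.group("src"), p.group("sport"),
                p.group("dst"), p.group("dport"))
        if any(w in msg.lower() for w in DROP_WORDS):
            t["dropped"], t["reason"] = True, "%s: %s" % (func, msg)
        t["last"] = "%s: %s" % (func, msg)  # last function the packet reached
    return traces

# Constructed sample (not captured from a real device) in the debug flow format.
SAMPLE = """\
2024-05-01 10:00:01 id=20085 trace_id=1 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=6, 10.1.1.10:51234->10.2.2.20:443) tun_id=0.0.0.0 from port1. flag [S], seq 1, ack 0, win 64240"
2024-05-01 10:00:01 id=20085 trace_id=1 func=init_ip_session_common line=6075 msg="allocate a new session-00001a2b, tun_id=0.0.0.0"
2024-05-01 10:00:01 id=20085 trace_id=1 func=fw_forward_handler line=998 msg="Allowed by Policy-1: SNAT"
2024-05-01 10:00:02 id=20085 trace_id=2 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=6, 10.1.1.11:40000->10.2.2.20:443) tun_id=0.0.0.0 from port1. flag [S], seq 7, ack 0, win 64240"
2024-05-01 10:00:02 id=20085 trace_id=2 func=iprope_in_check line=475 msg="iprope_in_check() check failed on policy 0, drop"
"""

if __name__ == "__main__":
    for tid, t in parse_debug_flow(SAMPLE).items():
        print("DROP" if t["dropped"] else "PASS", tid, t["flow"], "|", t["reason"] or t["last"])
```

Feed it the saved output of CLI Window 1 (for example `python3 flow_triage.py < window1.txt` after replacing SAMPLE with `sys.stdin.read()`) to see at a glance which traces were dropped and by which function.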

CLI Window 2: Capture the traffic flows. Use the sniffer command to capture the traffic and identify any packet drops or anomalies.

diagnose sniffer packet any "host x.x.x.x and port x" 6 0 l -> Enter the client IP address and port that are having the issue.

Note: If no traffic is seen in the capture, disable hardware acceleration (ASIC offload) on the firewall policy that the traffic matches so that the packets are visible to the sniffer:

config firewall policy
    edit 1 -> Enter the ID of the firewall policy that the traffic matches.
        set auto-asic-offload disable
    next
end

CLI Window 3: Collect IPS engine information and interface statistics, and look for the client session in the session table.

fnsysctl date
diagnose autoupdate versions | grep -A5 "IPS"
diagnose netlink interface list

diagnose sys session filter dst x.x.x.x -> Enter the client IP address.
diagnose sys session filter dport x -> Enter the port that is having the issue.
diagnose sys session list -> Repeat this command 2-3 times while the issue is occurring.

Clear the session filter when the collection is complete:

diagnose sys session filter clear

Other troubleshooting considerations to narrow down the issue further:

  1. Ensure that the FortiGate firewall is configured correctly and that the IPS and AV profiles are properly set up.
  2. Narrow down other enabled features that may be causing the issue by temporarily turning them off. Examples:
     • Other UTM security profiles, including the antivirus profile.
     • Traffic shaping policy.
     • DoS policy.
     • Local-in policy.
  3. Update FortiOS to the latest patch version to get the latest IPS engine version, or update the IPS engine manually to the latest version.

If further assistance or inquiries are needed, contact Fortinet Technical Support.