Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
slautenschlager
Staff
Staff

Created on ‎08-29-2019 01:13 AM Edited on ‎01-31-2024 05:11 AM By Moderator

Article Id 194444

Troubleshooting Tip: Packet Capture on FortiOS GUI

Description


This article describes how to use the built-in packet capture feature in FortiOS from the GUI interface.

Solution


On the 5.6 firmware branch, the unit needs a disk and logging to disk has to be enabled.
Since the firmware version 6.0.2, this restriction has been removed.

Here is the Step-by-Step guide to capturing packets from GUI:

  • Go to Network -> Packet Capture and create a new filter.
  •  It is possible to use the following URL to access the packet capture page: https://[management-IP]/ng/page/p/firewall/sniffer/
    Substitute the management-IP with the correct IP to access the FortiGate.
  •  Below shows the Packet Capture interface:

 

 

The option to capture the packet based on interface and filter by hosts, ports or VLANs will be proposed.
In the example above 100 packets would be captured based on the selected filters:

IP address 10.205.1.206 and port 80,443 on interface port 3.
If 'Enable Filters' is not selected, all packets on the selected interface will be captured.

Results.

 
The capture will stop automatically once it reaches the maximum packet size defined in the settings.
Download the PCAP file and view it with a suitable viewer, Wireshark, for example.
 
 
 
Notes.

Packet capture can tell what is happening on the network at a low level. This can be very useful for troubleshooting problems, such as:

  • Finding missing or lost traffic/packets.
  • Locating ARP problems such as broadcast storm sources and sources.
  • Confirm which address a computer is using on the network if there are multiple addresses or are on multiple networks.
  • Confirm that routing is working as expected.
  •  A particular type of packet is having problems, such as UDP, which is commonly used for streaming video.

Limitations:

  • Can not select interface as 'any' at the time of packet capture. 
  • Less than or equal to 10,000 packets can be captured in one packet capture filter.
  • From FortiOS 7.2 onwards, this limit is increased to 50,000.

 

msanjaypadma_0-1646763493505.png

 

On FortiGate Version 7.2+ this option can be found under Network -> Diagnostics.

 

ethomollari_0-1662633861516.png

 

  • Select Start Capture and it is possible to see the live flow of packets
  • It is possible to stop the capture and save the file in PCAP format, readable by Wireshark.

 

ethomollari_1-1662634118311.png

 

Related documents:
https://help.fortinet.com/fos50hlp/56/Content/FortiOS/fortigate-networking/Troubleshooting/Packet%20...
Packet capture

149394
Submit Article Idea
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.