sagha
Article Id 401476
Description: This article explains how to configure port mirroring on the Integrated Switch Fabric (ISF) of NP7 platforms.
Scope: NP7 FortiGate.
Solution

It is possible to run a sniffer on the FortiGate to capture packets, as explained here: Troubleshooting Tip: Using the FortiOS built-in packet sniffer for capturing packets.

On NP7 platforms, it is also possible to run a sniffer for packets that have been offloaded to the NP:

In certain cases, it may be necessary to capture packets on the Integrated Switch Fabric (ISF) of these platforms to identify where packets are being dropped.

This is possible on the FortiGate. It works in the same way as capturing packets on a hardware switch, where port mirroring has to be configured first.

  1. Run the following command to identify the SW_port_name associated with the physical port on the FortiGate:

diagnose npu np7 port-list
diagnose npu np7 port-list 1

In a multi-VDOM environment, this command must be run in the Global VDOM.

Example output:

[Image: output of diagnose npu np7 port-list, showing the SW_port_name for each physical port]

  • ge0 is the ISF port for port2.
  • ge8 is the ISF port for port10.

Note: The SW_port_name differs between FortiGate devices and therefore needs to be identified individually on each unit.

  2. Configure mirroring on the FortiGate using the SW_port_name values identified in step 1:

config global
diagnose sys bcm_intf cli 'dmirror ge8 mode=all destport=ge0'
diagnose sys bcm_intf cli 'dmirror show'

With the above commands, all traffic on port10 (ge8) is mirrored to port2 (ge0), where it can be collected in the same way as with port mirroring on a switch. The 'dmirror show' command displays the mirror configuration currently in place, so it can be used to confirm the setting before capturing.

  3. Once the traffic has been captured via mirroring, disable the mirror again:

config global
diagnose sys bcm_intf cli 'dmirror ge8 mode=off'