On FortiGate devices that have a log disk, it is possible to keep a record of the packets matching a specific firewall policy by enabling both Log Allowed Traffic and Capture Packets on that policy. Policy-based packet captures are subject to a maximum file size (default 10 MB); once the limit is reached, packet capture on that policy stops until the captured data is cleared.
When this setting is enabled, packet capture files are accessed as follows:
a) In Log & Report > Forward Traffic, click a log entry for a policy with packet capture enabled (in FortiOS 5.4, for example, a paperclip icon in the @ column identifies this type of log entry).
b) In the bottom half of the split screen there are two tabs, Log Details and Archive. Click the Archive tab.
c) On the bottom line of the Archive tab there is a Download Capture File link (it may be necessary to resize the window to see it). Click it to download the packet capture in PCAP format, which can be opened in Wireshark.
The packet capture quota can be extended by the CLI commands:
config log disk setting
    set max-policy-packet-capture-size <size in MB>
end
When policy-based packet capture has stopped because the quota was reached, the captured packets can be deleted and the quota reset with the CLI command:
exec policy-packet-capture delete-all
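The whole procedure above can also be driven from the CLI rather than the GUI. The following is an added example, not part of the original article: it enables traffic logging and packet capture on a firewall policy, raises the capture quota, and shows how to clear the captured data once the quota has been reached. The policy ID (1) and the new quota value (100 MB) are assumed for illustration; `capture-packet` is the CLI name of the GUI setting Capture Packets in `config firewall policy`.

```text
# Added example (not from the original article). Policy ID 1 and the
# 100 MB quota are assumed values; adjust to the target device.

# 1. Log all allowed traffic on the policy and capture the matching packets.
#    Both settings are required for capture files to be produced.
config firewall policy
    edit 1
        set logtraffic all
        set capture-packet enable
    next
end

# 2. Raise the policy-based packet capture quota from the default 10 MB.
config log disk setting
    set max-policy-packet-capture-size 100
end

# 3. When the quota has been reached and capture has stopped, delete the
#    stored captures and reset the quota so capturing resumes.
#    Download any capture files you still need from the GUI first
#    (Log & Report > Forward Traffic > Archive > Download Capture File),
#    because this command removes them.
execute policy-packet-capture delete-all
```

Capture files are written only while the quota has room, so on a busy policy the capture can fill quickly and silently stop; checking the quota before a troubleshooting session and clearing old captures first avoids ending up with an incomplete trace.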