FortiGate
nithincs
Staff
Article Id 192644

Description


This article describes how to capture the packets of the client during communication across multiple IPs at the policy level.

 

Scope

 

FortiGate. See the bottom of the article for a list of situations in which this feature is not available.

Solution

 

In FortiOS 6.2 and above, policies have a 'Capture Packets' option under Logging Options.

To analyze or troubleshoot the issues, it is possible to use FortiOS' built-in packet sniffer or packet capture option available for the specific interface.

In the above cases, it is necessary to have specific filters to capture the traffic. Otherwise, all traffic passing through the respective interfaces will be captured.

 

In some scenarios, it is necessary to see the actual destination IPs an application is trying to reach in order to identify communication issues with real-time applications such as Skype, Teams, Outlook, or any non-functioning website.

Follow the steps below to capture the traffic flow through FortiGate of a specific source while it is trying to reach an application server or a non-functioning website: 

 

  1. Create a test policy for a single source IP and place it on top of the regular policy.

  2. Under Logging Options, set 'Log Allowed Traffic' to 'All Sessions', and enable 'Generate Logs when Session Starts' and 'Capture Packets'.

  3. Enable Disk logging, or set the log location to FortiAnalyzer or the Disk. (Memory logging can also be used for the packet capture with lower amounts of traffic.)

  4. Send the traffic to the non-functioning app or website.

  5. Filter the forward traffic log by the policy ID to see all of the traffic logs of the PC.
 
 
Select the log and, under Log Details, select 'Archived Data' to download the packet capture of the specific session.
 
 
From the PCAP, it is possible to analyze the communication issue between the client and the server.
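The same test policy can be built from the FortiOS CLI instead of the GUI. The configuration below is an added example and not part of the original article; the interface names, the address object, the client IP and the policy IDs are placeholders and must be adjusted to the environment.

```text
# Added example, not from the original article. Placeholders: port2/port1 (LAN/WAN),
# 10.10.10.50 (the client under test), policy ID 42 (unused) and policy ID 1 (the regular policy).
config firewall address
    edit "pcap-test-client"
        set subnet 10.10.10.50 255.255.255.255
    next
end

config firewall policy
    edit 42
        set name "pcap-test"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "pcap-test-client"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        # flow mode: proxy mode buffers the traffic and makes the capture inaccurate
        set inspection-mode flow
        # 'All Sessions' plus 'Generate Logs when Session Starts'
        set logtraffic all
        set logtraffic-start enable
        # 'Capture Packets'
        set capture-packet enable
    next
    # place the test policy above the regular policy so the client's traffic matches it first
    move 42 before 1
end

# disk logging must be enabled so the per-session capture can be stored
config log disk setting
    set status enable
end
```

Once the test is finished, set `capture-packet disable` on the test policy or delete the policy altogether so the capture does not keep consuming disk space.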
 
 
Note:
 
  • Keep 'Capture Packets' disabled after testing to avoid high disk usage from logs.
  • To perform packet capture using a policy, keep the policy inspection in flow mode.
  • When a firewall policy’s inspection mode is set to proxy, traffic flowing through the policy will be buffered by the FortiGate for inspection and capture will not be accurate.

 

Feature unavailability:

 

This feature is not available when the device does not have internal storage. For example, the 60E, 60F and FortiWiFi 60F do not have this feature.

 

To check whether the device has internal storage, run the following command:

 

exe disk list

 

If the output appears blank, the device does not have internal storage. The following output is expected if the device has internal storage:

 

Disk HDD1            ref: 255 447.1GiB    type: SSD [ATA ADATA SX1000L] dev: /dev/sda

  partition ref:   1 440.1GiB, 439.0GiB free  mounted: Y  label: LOGUSEDX61BA3018 dev: /dev/sda1 start: 2048

The maximum policy packet capture size can be changed with the following CLI configuration:

 

config log disk setting

set max-policy-packet-capture-size ?

<integer> please input integer value, range: 0-120186

 

Related article: