Cisco has a "Packet Tracer" tool to verify/troubleshoot policy issues. Does Fortinet have an equivalent tool? I used the sniffer, but it has no option to preview/simulate a policy.
There are two ways I use to verify the ACL has been hit. You can:
Enable "bytes" for throughput and "hitcount" for, well, the hit count. This is GUI stuff.
If you want to get into more detail, the packet sniffer on the CLI is the way to go:
diag sniff packet any "host x.x.x.x and host x.x.x.x and port xxx" 4 0 a
The last detail in this line is crucial: "4 0 a". It lets you see the complete flow in detail and which vdom / vlan is affected.
However, the ACL hit won't be named. The combination of the two should satisfy your verification needs.
Hope this helps, good luck!
The bottom line: "No". Cisco Packet-Tracer allows you to mimic the traffic flow and disposition, and FortiOS has no function similar to packet-tracer.
But at best you have a few diagnostics that rely on "active" traffic to find the action:
( cli-cmds )
diag debug flow
diag sys session
Both of the above allow you to set filters (i.e. src / dst address, protocol, etc.).
And then you have counters via the WebGUI or, better yet, the cli-cmd:
diag firewall iprope show 100004 < policy-id or IDs >
FWCLUSTERCH4EQCHIL (ILSB01) $ diag firewall iprope show 100004 1 2 3 4 5
idx=1 pkts/bytes=49934705/3046442010 asic_pkts/asic_bytes=0/0 flag=0x0
idx=2 pkts/bytes=2078012/126249415 asic_pkts/asic_bytes=0/0 flag=0x0
idx=4 pkts/bytes=3316940/184412199 asic_pkts/asic_bytes=0/0 flag=0x0
idx=5 pkts/bytes=142843/8416017 asic_pkts/asic_bytes=0/0 flag=0x0
You might find the above methods from the CLI much quicker and easier than the WebGUI, imho.
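One way to turn the counters above into a per-policy hit check, as an added example that is not part of the original replies: snapshot the command output before and after sending the test traffic, then diff the two. The Python function names are hypothetical, BEFORE is the output quoted above, and AFTER is a constructed sample.

```python
import re

# Matches the counter lines printed by `diag firewall iprope show 100004 <ids>`.
LINE_RE = re.compile(
    r"idx=(\d+)\s+pkts/bytes=(\d+)/(\d+)\s+asic_pkts/asic_bytes=(\d+)/(\d+)")

def parse_iprope(text):
    """Return {policy_id: (pkts, bytes, asic_pkts, asic_bytes)}."""
    out = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            idx, *vals = map(int, m.groups())
            out[idx] = tuple(vals)
    return out

def policy_hits(before, after, requested):
    """Diff two snapshots taken around a test flow.

    hits: policy id -> counter deltas, for ids whose packet counters moved.
    missing: requested ids the firewall printed no counter line for.
    """
    old, new = parse_iprope(before), parse_iprope(after)
    hits = {}
    for idx, cur in new.items():
        prev = old.get(idx, (0, 0, 0, 0))
        delta = tuple(c - p for c, p in zip(cur, prev))
        if any(d < 0 for d in delta):  # counters were cleared in between
            delta = cur
        if delta[0] or delta[2]:
            hits[idx] = delta
    return hits, [i for i in requested if i not in new]

# Output quoted in the reply above (policy ids 1 2 3 4 5 were requested).
BEFORE = """\
idx=1 pkts/bytes=49934705/3046442010 asic_pkts/asic_bytes=0/0 flag=0x0
idx=2 pkts/bytes=2078012/126249415 asic_pkts/asic_bytes=0/0 flag=0x0
idx=4 pkts/bytes=3316940/184412199 asic_pkts/asic_bytes=0/0 flag=0x0
idx=5 pkts/bytes=142843/8416017 asic_pkts/asic_bytes=0/0 flag=0x0
"""
# Constructed sample: same snapshot after a test flow matched policy 2.
AFTER = BEFORE.replace("2078012/126249415", "2078024/126250159")

if __name__ == "__main__":
    hits, missing = policy_hits(BEFORE, AFTER, [1, 2, 3, 4, 5])
    print("policies hit:", hits, "| no counter line for:", missing)
```

On a busy firewall other policies will also increment between snapshots, so keep the interval short and pair the diff with the filtered sniffer or debug flow described above.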
Thanks guys!