Does an equivalent of packet-tracer exist in the FortiGate world? Somebody out of the blue asked me about this. They are a heavy Cisco shop and I'm doing some consulting with them on various features and improvements with going to the FortiGate model.
Right now they spend a lot of time debugging and diagnosing various portions of their firewall. The FortiGate is much better but requires a re-programming of your way of going about doing this and, for the love of god, I can't readily think of the most exact or closest command to emulate what packet-tracer would do.
Any ideas or suggestions?
Your best two friends:
# diag sniffer packet
(Also watch out for the Perl script to convert the verbose-3 trace to PCAP)
# diag debug flow
I'm familiar with these commands; they really don't compare or match up to what packet-tracer does for Cisco.
If you're not familiar with the difference: a diag debug flow traces an "active" flow, while packet-tracer models a made-up flow and shows how it's processed.
They need the latter or they think they need the latter. They are very strong and locked down to a Cisco mentality, which I need to break.
To emnoc: people are not locked to the Cisco approach, they just want to use good inventions if it's possible. Imagine I have a remote site, like a datacenter, and no users can help me to generate traffic, but I want to test web filters and app filters under a policy. I have a report that access to box.com and dropbox is passing through, although I see the web filter block is applied for the file sharing and storage category. How can I test in this situation? Where would I get "active" traffic in a datacenter with no users there?
Actually FortiOS has added a packet-tracer-like function, "diag firewall iprope lookup". It can do protocol and port traffic flows and show you what policy is matched. You do not need active traffic per se.
# my policyid #10 is at the top of the policy stack and is a deny and has quad9 as an address object in it
/* cli-cmd
ATLDWNPEACHTRFGT1500CORE1 # diag firewall iprope lookup 192.168.19.11 1111 22.214.171.124 80 6 internal
<src [192.168.19.11-1111] dst [126.96.36.199-80] proto 6 dev internal> matches policy id: 10

Ken Felix
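
Added example, not part of the original thread: a small Python check that parses pasted "diag firewall iprope lookup" results and compares each flow with the policy id you intended it to hit, so a remote site's policy order can be tested without live traffic. The result-line layout is taken from the single line quoted above and is assumed to be the same on other FortiOS builds; the hostname, addresses, policy ids and function names are constructed for illustration.

```python
import re

# Layout copied from the one result line quoted in the thread (assumption:
# other FortiOS builds print the same layout).
LOOKUP_RE = re.compile(
    r"<src \[(?P<src>[\d.]+)-(?P<sport>\d+)\] "
    r"dst \[(?P<dst>[\d.]+)-(?P<dport>\d+)\] "
    r"proto (?P<proto>\d+) dev (?P<dev>[^>\s]+)> "
    r"matches policy id: (?P<policy>\d+)"
)

def parse_lookups(text):
    """Return {(src, dst, dport, proto, dev): policy_id} for each result line."""
    results = {}
    for m in LOOKUP_RE.finditer(text):
        flow = (m["src"], m["dst"], int(m["dport"]), int(m["proto"]), m["dev"])
        results[flow] = int(m["policy"])
    return results

def check_expectations(results, expected):
    """List (flow, expected_id, actual_id) for every flow that did not match
    the intended policy; actual_id is None if no result line was captured."""
    problems = []
    for flow, want in expected.items():
        got = results.get(flow)
        if got != want:
            problems.append((flow, want, got))
    return problems

# Constructed sample: console output pasted from two lookups.
SAMPLE = """\
FGT # diag firewall iprope lookup 192.168.19.11 1111 203.0.113.9 80 6 internal
<src [192.168.19.11-1111] dst [203.0.113.9-80] proto 6 dev internal> matches policy id: 10
FGT # diag firewall iprope lookup 192.168.19.11 1111 198.51.100.7 443 6 internal
<src [192.168.19.11-1111] dst [198.51.100.7-443] proto 6 dev internal> matches policy id: 3
"""

# Constructed expectations: the policy each flow is supposed to hit.
EXPECTED = {
    ("192.168.19.11", "203.0.113.9", 80, 6, "internal"): 10,    # top deny rule
    ("192.168.19.11", "198.51.100.7", 443, 6, "internal"): 10,  # should be denied too
    ("192.168.19.11", "192.0.2.53", 53, 17, "internal"): 4,     # lookup never run
}

if __name__ == "__main__":
    for flow, want, got in check_expectations(parse_lookups(SAMPLE), EXPECTED):
        print(f"MISMATCH {flow}: expected policy {want}, got {got}")
```

A flow reported with a different id than expected means an earlier policy is catching it; a flow reported as None was never looked up and still needs testing.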