Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
emnoc
Esteemed Contributor III

packet-tracer Equalivant

Does a equalivant Packet-tracer exists in the fortigate world? Somebody out of the blue as me about this. They are a heavy cisco shop and I' m doing some consulting with them on various features and improvements with going to fortigate model. Right now they spend alot of time debugging and diagnostic of various portions of their firewall. The fortigate is much better but requires a re-programming of your way of going about doing this and for the love of god, I can' t readily think of the most exact or closet command to emulate with a packet-tracer would do. any ideals or suggestions?

PCNSE 

NSE 

StrongSwan  

5 REPLIES 5
red_adair
New Contributor III

Your best two friends: # diag sniffer packet http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=11186&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=586497&stateId=0%200%20584742 (Also watch out the Perl Script to convert the verbose-3 Trace to PCAP) #diag debug flow http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD30038&sliceId=2&docTypeID=DT_KCARTICLE_1_1&dialogID=586506&stateId=0%200%20584751 -R.
emnoc
Esteemed Contributor III

I' m familiar with theses commands, they really don' t compare or match up to what packet-trace does for cisco if your not familiar with the difference a diag debug flow traces " active" flow, while packet tracer models a made up flow and show how it' s process. They need the latter or they think they need the latter. They are very strong and locked down to a cisco mentality which I need to break

PCNSE 

NSE 

StrongSwan  

Geom
New Contributor III

Daig debug flow is pretty darn close to packet-trace. See this document section 2.10.3 kc.forticare.com/redirfile.asp?id=2281&SID=
bfakhriddi

to emnoc: people are not locked to cisco approach, just want to use good inventions if its possible. Imagine i have remote site, like datacenter ,  and no users can help me to generate traffic but i want to test web filters and app filters under policy , i have report that access to box.com and dropbox are passing trough although i see web filter block is applied for file sharing and storage category. How can i test  at this situation? Where i'd get "active" traffic in datacenter with no users there?  

emnoc
Esteemed Contributor III

Man this thread is old ;) 

 

Actually fortios has added a packet tracer like function to fortios "diag firewall iprope lookup" it can do protocol and port traffic flows and show you want policy is matched. you do not need active traffic per-se

 

 

e.g

 

# my policyid #10 is at the top of policy stack and is a deny  and has quad9 as an address objects in it

 

  /* cli-cmd ATLDWNPEACHTRFGT1500CORE1 # diag firewall iprope lookup 192.168.19.11 1111 9.9.9.9 80 6 internal<src [192.168.19.11-1111] dst [9.9.9.9-80] proto 6 dev internal> matches policy id: 10  Ken Felix

PCNSE 

NSE 

StrongSwan