Support Forum
jktu100
New Contributor

How can I understand whether the IDS works or not

Hello.

I configured an FG1500 as an IDS.

Port36 mode is one-arm (sniffer).

We created the FG policy ourselves:

    config firewall sniffer
        edit 4
            set interface "port36"
            set ips-sensor-status enable
            set ips-sensor "sniffer-profile"
        next
    end

    FG# get
    id                     : 4
    status                 : enable
    logtraffic             : utm
    ipv6                   : disable
    non-ip                 : disable
    interface              : port36
    host                   :
    port                   :
    protocol               :
    vlan                   :
    application-list-status: disable
    ips-sensor-status      : enable
    ips-sensor             : sniffer-profile
    dsri                   : disable
    ips-dos-status         : disable
    scan-botnet-connections: disable
    max-packet-count       : 4000

Does the sniffer work or not when the number of packets becomes more than 4000?

Should I configure max-packet-count to 1 000 000?

darwin_FTNT
Staff

max-packet-count is only used for the GUI sniffer capture feature, which may not be available if no hard disk is present. It generates pcap files that are stored in the disk log partition, and the output can be downloaded from the GUI.

For the 'config firewall sniffer' policy, max-packet-count isn't used or applicable. For this feature, all packets are forwarded to the ipsengine to simulate FortiGate UTM features like FortiView, application control statistics, security UTM, logging, etc. This is for previewing/demoing FortiGate features by just plugging in a cable from the network.

Note this is different from another debug feature, 'diagnose sniffer packet', which also doesn't use the 'config firewall sniffer' or max-packet-count settings. This is a helpful debug command to verify that the FortiGate is receiving network traffic in the first place during troubleshooting. A related option for the 'config firewall sniffer' feature is the sniffer buffer queue size, 'config ips global --> socket-size', which specifies the sniffer buffer size in MB. Also, 'diagnose ips raw status' gives the sniffer L2 packets received, dropped due to a full buffer, or skipped processing by IPS due to a full buffer. Either checking these stats or looking at the IPS debug output should indicate any sniffer packet processing being done.

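As an added illustration (not part of the reply above and not taken from Fortinet documentation), the verification sequence the reply describes, typed on the FortiGate CLI: first confirm port36 sees traffic at all, then read the sniffer counters, and only raise the buffer if the dropped/skipped counters keep growing. The socket-size value is an assumption chosen for the example, and the `#` lines are annotations, not CLI input.

```fortios
# 1. Confirm the mirrored traffic actually arrives on port36
#    (independent of the 'config firewall sniffer' policy; 'none' = no filter,
#    verbosity 4, stop after 10 packets).
diagnose sniffer packet port36 'none' 4 10

# 2. Read the sniffer L2 counters: packets received, dropped because the
#    buffer was full, and skipped by IPS because the buffer was full.
#    A rising dropped/skipped count means the IDS is silently missing packets.
diagnose ips raw status

# 3. Only if the dropped/skipped counters keep increasing: enlarge the
#    sniffer buffer (value in MB; 128 is an assumed example value).
config ips global
    set socket-size 128
end

# 4. Re-check after traffic has flowed for a while; dropped/skipped should
#    stop growing while received keeps increasing.
diagnose ips raw status
```

The max-packet-count shown in the policy output is irrelevant to this check, as the reply explains; the counters from step 2 are the evidence that the sniffer policy is processing packets.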
jackmsith
New Contributor

Thank you so much for this. I was into this issue and tried to tinker around to check if it's possible but couldn't get it done. Now that I have seen the way you did it, thanks guys, with regards.
