Hello everyone!
I'm trying to trace packets from one client. I've done it in the past successfully using the following command:
diagnose debug flow filter addr x.x.x.x
diagnose debug flow trace start x
diagnose debug enable
However, it seems like I am unable to trace packets from a host located on a wifi VLAN, from an SSID in tunnel mode. We have a FortiGate 101F. Any idea how I can make it work? Is there another CLI command I can use to track packets from such a host? I read something about hardware-accelerated packets not being captured by this command, but I don't really know how to see whether these are considered hardware-accelerated packets or not.
Wishing you a good day!
Hello,
Can you please try to use saddr in flow filter and try to capture traffic.
diagnose debug flow filter saddr xxxx
Please click on the link below and reference the document.
https://docs.fortinet.com/document/fortigate/6.2.16/cookbook/54688/debugging-the-packet-flow
You can also try to disable the NPU by following the article below to see the debug log:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Ensuring-IPSec-traffic-is-offloaded-for-im...
Hi @GJPSTI,
It could be a wrong filter. Please try to clear the filter by running the following commands:
di deb disable
di deb res
diagnose debug flow filter clear
diagnose debug flow filter addr x.x.x.x
diagnose debug flow trace start x
diagnose debug enable
Also, it could be that the traffic doesn't reach the FortiGate. You can try running packet captures by running:
di sniffer packet any 'host x.x.x.x' 4 0 l
Regards,
Hi everyone,
Thank you for your numerous replies.
I can see packets being exchanged with my host. I am assuming from this command that packets are indeed reaching the FortiGate.
Using the "saddr" filter option during "diag debug flow filter" command did not generate any results unfortunately. Even reaching a normal webpage like Google does not generate any result (even after resetting / clearing diag debug feature and filter parameters, as suggested by tpatel.)
I guess it is because the NPU is taking care of handling the traffic, making it invisible to the FortiGate's CPU. Is the NPU related to the firewall rule, or related to the interface? In other words, can I prevent the NPU from handling traffic for a specific firewall rule, or do I need to disable the NPU for the entire interface? (In that case, the entire SSID?)
Hi @GJPSTI,
You can disable it per policy. Please refer to https://docs.fortinet.com/document/fortigate/7.4.4/hardware-acceleration/392369/disabling-np-offload...
Regards,
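As an added example (not from any poster in this thread), here is the per-policy offload change the last reply points to, followed by the session check that answers the original question about how to tell whether a client's traffic is hardware-accelerated. The policy ID 12 and the client address 10.10.10.5 are placeholders; the sequence assumes the client's traffic matches that single policy.

```fortios
# Disable NPU (hardware) offload on the one policy the wireless client hits,
# so its packets are handled by the CPU and appear in "diagnose debug flow".
config firewall policy
    edit 12          # placeholder: the policy ID that matches the SSID traffic
        set auto-asic-offload disable
    next
end

# Existing sessions keep the offload state they were created with, so clear
# the client's current sessions; new ones are then built under the changed policy.
diagnose sys session filter clear
diagnose sys session filter src 10.10.10.5   # placeholder client address
diagnose sys session clear

# Verify: each session entry listed here includes its NPU/offload state,
# which is how to see whether the client's traffic is still being offloaded.
diagnose sys session list

# Re-run the flow trace with a fresh filter once the sessions are no longer offloaded.
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter addr 10.10.10.5
diagnose debug flow trace start 20
diagnose debug enable
```

Re-enable offload on the policy (set auto-asic-offload enable) once troubleshooting is done, since CPU-handled traffic on that policy costs throughput.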