GJPSTI
New Contributor

Packets do not show while using "Diagnose Debug Flow Filter Addr x.x.x.x"

Hello everyone!

 

I'm trying to trace packets from one client. I've done it in the past successfully using the following command:

diagnose debug flow filter addr x.x.x.x

diagnose debug flow trace start x

diagnose debug enable

 

However, it seems like I am unable to trace packets from a host located on a Wi-Fi VLAN, from an SSID in tunnel mode. We have a FortiGate 101F. Any idea how I can make it work? Is there another CLI command I can use to track packets from such a host? I read something about hardware-accelerated packets not being captured by this command, but I don't really know how to see whether these are considered hardware-accelerated packets or not.

 

Wishing you a good day!

tpatel
Staff

Hello,

Can you please try to use saddr in the flow filter and try to capture traffic?
diagnose debug flow filter saddr xxxx

Please click on the link below and reference the document.

https://docs.fortinet.com/document/fortigate/6.2.16/cookbook/54688/debugging-the-packet-flow

Mrinmoy
Staff

You can also try to disable the NPU by following the article below to see the debug log:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Ensuring-IPSec-traffic-is-offloaded-for-im...

Mrinmoy Purkayastha
hbac
Staff

Hi @GJPSTI,

 

It could be a wrong filter. Please try to clear the filter by running the following commands:

 

di deb disable
di deb res
diagnose debug flow filter clear

diagnose debug flow filter addr x.x.x.x

diagnose debug flow trace start x

diagnose debug enable

 

Also, it could be that the traffic doesn't reach the FortiGate. You can try running packet captures by running:

 

di sniffer packet any 'host x.x.x.x' 4 0 l

 

Regards, 

GJPSTI
New Contributor

Hi everyone,

 

Thank you for your numerous replies. 

 

I can see packets being exchanged with my host. I am assuming from this command that packets are indeed reaching the FortiGate.

Using the "saddr" filter option during "diag debug flow filter" command did not generate any results unfortunately. Even reaching a normal webpage like Google does not generate any result (even after resetting / clearing diag debug feature and filter parameters, as suggested by tpatel.)

 

I guess it is because the NPU is taking care of handling the traffic, making it invisible to the FortiGate's CPU. Is the NPU related to the firewall rule, or related to the interface? In other words, can I prevent the NPU from handling traffic for a specific firewall rule, or do I need to disable the NPU for the entire interface? (In that case, the entire SSID?)
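The following FortiOS CLI session is an added example, not posted by any participant in this thread: it ties together the sniffer check, a way to see whether a session is hardware-offloaded, and the per-policy offload setting that makes the flow trace visible again. The policy ID (12) and client address (10.10.20.55) are placeholders.

```console
# Added example (not from this thread). Policy ID 12 and 10.10.20.55 are placeholders.

# 1. Confirm the client's traffic reaches the FortiGate at all. Verbose level 4
#    prints the ingress/egress interface, which also shows the path the policy
#    lookup will take.
diagnose sniffer packet any 'host 10.10.20.55' 4 0 l

# 2. Check whether the client's sessions are offloaded. An offloaded session shows
#    a non-zero "npu info ... offload=" field in the listing; such sessions are
#    handled by the NPU and never reach the CPU, so "diagnose debug flow" stays
#    silent for them even when the filter is correct.
diagnose sys session filter src 10.10.20.55
diagnose sys session list

# 3. Offload is controlled per firewall policy (auto-asic-offload, enabled by
#    default), so it can be disabled on just the policy matching the wifi VLAN
#    traffic instead of on the whole interface or SSID.
config firewall policy
    edit 12
        set auto-asic-offload disable
    next
end

# 4. Existing offloaded sessions keep their state; clear only the client's
#    sessions (the filter from step 2 is still active) so new ones hit the CPU.
diagnose sys session clear

# 5. Re-run the flow trace, clearing stale filters first as hbac suggested.
diagnose debug disable
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter saddr 10.10.20.55
diagnose debug flow show function-name enable
diagnose debug flow trace start 20
diagnose debug enable

# 6. Restore offload on the policy once troubleshooting is done.
config firewall policy
    edit 12
        set auto-asic-offload enable
    next
end
```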
