Does anyone know how to improve the completeness of the diagnostic sniffer? Is there some system type setting that impacts this functionality?
I have noticed the output of the diagnostic sniffer often seems to only include session establishment type traffic, or perhaps it deliberately excludes in-session traffic (TCP obviously). I noticed this more often using capture level 4 (header and interface). Level 6 (bytes and interface) seems to more often include in-session traffic, but not in my current scenario.
The diagnose doco site does not mention anything about this although I'm sure I've seen disclaimers somewhere.
Currently I am fault-finding an application issue and packets I know are traversing a firewall are not being logged. I do see arp, session establishment and teardown, but not session traffic, and in this case I need to see that.
I am using commands of the form:
diagnose sniffer packet internal1 'host a.b.c.d' 6 0 a
The hardware is a 60C, the unit is very lightly loaded (CPU usage is not an issue), and the traffic I'm trying to log is of the order of less than a packet per second.
Are you sure you disabled asic offloading at the policy?
set auto-asic-offload disable
A FGT60C has no ASIC outside of a SoC (System on Chip), so I don't think you can disable that, but give the commands a try.
I would first run a diag debug flow and look at the flow statistics.
PCNSE
NSE
StrongSwan
Thank you! Like emnoc I wasn't expecting this to work, but it did.
Setting auto-asic-offload disable in the policy results in full traffic logging in the sniffer (effective immediately the policy is changed). This setting defaults to enable and is not visible without show full.
Very, very useful to know.
Question - should I leave the policy running auto-asic-offload disable, or only change that when logging is required?
FWIW, the trace only shows the same packets as the sniffer when the policy has the default setting of auto-asic-offload enable.
I would never leave it disabled due to performance concerns, unless it's just hiding packets from sniffing.
What are you wanting? Packet capture or flow info? I never use packet capture when inspecting firewall policy and flow statistics.
PCNSE
NSE
StrongSwan
As mentioned and as set by default, 'auto-asic-offload' should normally be enabled. Otherwise, even a couple of Mbps can place a heavy load on the CPU in a desktop FGT. (just look at other vendors' equipment, not featuring ASICs...)
If you need to debug, turn offloading off and look into the traffic. Don't forget to enable offloading again, and maybe stop logging traffic for that policy. YMMV.
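The full debug cycle the thread arrives at, written out as one CLI session. This is an added example, not a command transcript from any of the posters: the policy ID (1), the interface (internal1) and the host filter (a.b.c.d) are taken from or assumed to match the original question, and the `diagnose debug flow ... show console` form is the FortiOS 5.x syntax the 60C runs; newer releases name a few of these options differently.

```fortios
# --- 1. Check the current offload setting on the policy that carries the traffic.
#        'show' hides attributes at their default value, which is why
#        auto-asic-offload (default: enable) is only visible with 'show full-configuration'.
config firewall policy
    edit 1
        show full-configuration
    next
end

# --- 2. Disable hardware offload on that policy only.
#        Takes effect immediately; sessions on this policy are now handled by the CPU,
#        so the sniffer sees every packet, not just session setup and teardown.
config firewall policy
    edit 1
        set auto-asic-offload disable
    next
end

# --- 3. Capture. Verbose level 4 = header + interface name, 6 = full bytes + interface;
#        count 0 = run until Ctrl-C; 'a' = absolute timestamps.
diagnose sniffer packet internal1 'host a.b.c.d' 4 0 a

# --- 4. Optionally trace policy and session handling for the same host (FortiOS 5.x syntax).
diagnose debug enable
diagnose debug flow filter addr a.b.c.d
diagnose debug flow show console enable
diagnose debug flow trace start 100
# ... reproduce the application problem, then stop the trace:
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug disable

# --- 5. Restore offload. Leaving it disabled forces all matching traffic through the
#        CPU, which on a desktop unit is noticeable at a few Mbps.
config firewall policy
    edit 1
        set auto-asic-offload enable
    next
end
```

After step 5, repeat step 1 and confirm the line reads `set auto-asic-offload enable` before closing the change; it is the easiest setting on a FortiGate to forget because a plain `show` will not display it once it is back at its default.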
Copyright 2024 Fortinet, Inc. All Rights Reserved.