Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
sha-1_FTNT
Staff
Staff

Created on ‎05-10-2009 09:47 AM

Article Id 193786

Technical Note: Restricting the built-in Sniffer to a GRE interface

Description
Restricting the built-in Sniffer to a GRE interface is not supported prior to FortiOS v5.4.5 and FortiOS v5.6.

The CLI returns to the prompt:
config system gre-tunnel
    edit "toFG1"
        set interface "port1"
        set remote-gw 198.51.100.1
        set local-gw 203.0.113.2
    next
end

FG2 # diagnose sniffer packet toFG1 'icmp' 4
interfaces=[toFG1]
filters=[icmp]

FG2 #

Scope
This restriction no longer applies as of FortiOS 5.4.5 and FortiOS 5.6

Starting from the above FortiOS versions, it is possible to restrict the built-in sniffer to GRE interfaces.

Solution
The packet capture must be done on interface "any":
FG2 # diagnose sniffer packet any 'ip proto 47 or icmp' 4
interfaces=[any]
filters=[ip proto 47 or icmp]
6.885829 port1 in 198.51.100.1 -> 203.0.113.2: gre: length 88 proto-800
6.885841 toFG1 in 10.1.1.254 -> 10.2.2.254: icmp: echo request
6.885926 toFG1 out 10.2.2.254 -> 10.1.1.254: icmp: echo reply
6.885931 port1 out 203.0.113.2 -> 198.51.100.1: gre: length 88 proto-800
7.896868 port1 in 198.51.100.1 -> 203.0.113.2: gre: length 88 proto-800
7.896878 toFG1 in 10.1.1.254 -> 10.2.2.254: icmp: echo request
7.896906 toFG1 out 10.2.2.254 -> 10.1.1.254: icmp: echo reply
7.896910 port1 out 203.0.113.2 -> 198.51.100.1: gre: length 88 proto-800
8.906681 port1 in 198.51.100.1 -> 203.0.113.2: gre: length 88 proto-800
8.906693 toFG1 in 10.1.1.254 -> 10.2.2.254: icmp: echo request
8.906728 toFG1 out 10.2.2.254 -> 10.1.1.254: icmp: echo reply
8.906732 port1 out 203.0.113.2 -> 198.51.100.1: gre: length 88 proto-800
9.916754 port1 in 198.51.100.1 -> 203.0.113.2: gre: length 88 proto-800
9.916764 toFG1 in 10.1.1.254 -> 10.2.2.254: icmp: echo request
9.916790 toFG1 out 10.2.2.254 -> 10.1.1.254: icmp: echo reply
9.916794 port1 out 203.0.113.2 -> 198.51.100.1: gre: length 88 proto-800
10.926697 port1 in 198.51.100.1 -> 203.0.113.2: gre: length 88 proto-800
10.926709 toFG1 in 10.1.1.254 -> 10.2.2.254: icmp: echo request
10.926743 toFG1 out 10.2.2.254 -> 10.1.1.254: icmp: echo reply
10.926748 port1 out 203.0.113.2 -> 198.51.100.1: gre: length 88 proto-800

20 packets received by filter
0 packets dropped by kernel

Related Articles

Technical Note : Configuring and verifying a GRE tunnel between two FortiGates (static routing)

Labels:
3819
0 Kudos
Submit Article Idea
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.​

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2023 Fortinet, Inc. All Rights Reserved.