Description
On FortiGate models that have NP2 interfaces (for example FortiGate-310B, FortiGate-620B, ...), some traffic is offloaded at the hardware level. That traffic does not reach the CPU (unless it is destined to the FortiGate itself) and is therefore not seen by the debug flow command or by a sniffer trace.
However, the first packets of any new session establishment, for example the SYN/SYN-ACK/ACK of a TCP handshake, are always seen. Once the session is established, no further packets are seen because they take the fast path.
Scope
FortiGate with NP2 ports
Solution
For troubleshooting purposes, when you need to capture packets or check the flow on the FortiGate, you can bypass hardware acceleration on a specific port with the following command.
Be aware that this may affect performance and should only be used for troubleshooting.
diagnose npu np2 fastpath-sniffer enable <port(s)_number>
==> the sniffer and diag debug flow commands now show all traffic for all sessions to/from this port or these ports
The command below re-enables hardware offloading:
diagnose npu np2 fastpath-sniffer disable <port(s)_number>
Note that this setting is not saved in the configuration and is lost after a reboot.
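Because the bypass is only meant to live for the duration of a capture, a practical way to use it is a small wrapper that enables the fastpath sniffer, runs the capture, and re-enables offloading even if the capture is interrupted. The script below is an added example, not part of the Fortinet article: it assumes the FortiGate is reached over SSH (the FGT_HOST value is a placeholder), uses the two fastpath-sniffer commands from the article, and uses the standard FortiOS "diagnose sniffer packet" syntax for the capture itself. The port name is validated before it is placed on the remote command line, and FGT_EXEC can be pointed at another function for a dry run.

```shell
#!/bin/sh
# Added example (not from the Fortinet article): run a sniffer capture on an
# NP2 port with hardware offloading bypassed, and always restore offloading.
# Assumptions: FortiGate reachable over SSH as admin@$FGT_HOST (placeholder),
# FortiOS commands as in the article plus the standard "diagnose sniffer packet".

FGT_HOST="${FGT_HOST:-fortigate.example.invalid}"   # placeholder hostname
FGT_EXEC="${FGT_EXEC:-ssh_exec}"                    # override for dry runs
PENDING_DISABLE=""                                  # disable command still owed

ssh_exec() {
    # Send one CLI line to the FortiGate over SSH.
    ssh "admin@$FGT_HOST" "$1"
}

# Accept only plain FortiOS port names (port1 .. port99) so that nothing
# unexpected can be spliced into the remote command line.
valid_port() {
    case "$1" in
        port[0-9]|port[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Build the fastpath-sniffer command from the article.
# $1 = enable|disable, $2 = port name. Prints the command or fails.
fastpath_cmd() {
    valid_port "$2" || return 1
    case "$1" in
        enable|disable)
            printf 'diagnose npu np2 fastpath-sniffer %s %s\n' "$1" "$2" ;;
        *) return 1 ;;
    esac
}

# Issue the owed disable command once, then forget it.
restore_offload() {
    if [ -n "$PENDING_DISABLE" ]; then
        "$FGT_EXEC" "$PENDING_DISABLE"
        PENDING_DISABLE=""
    fi
}

# Capture on one port with offloading bypassed; offloading is re-enabled on
# normal completion, on Ctrl-C and on script exit.
# $1 = port, $2 = sniffer filter (default none), $3 = packet count (default 100)
capture_with_bypass() {
    port="$1"; filter="${2:-none}"; count="${3:-100}"
    enable_cmd=$(fastpath_cmd enable "$port") || return 1
    PENDING_DISABLE=$(fastpath_cmd disable "$port")
    trap restore_offload EXIT
    trap 'restore_offload; exit 130' INT TERM

    "$FGT_EXEC" "$enable_cmd"
    # Verbosity 4 prints interface names alongside the packet headers.
    "$FGT_EXEC" "diagnose sniffer packet $port '$filter' 4 $count"

    restore_offload
    trap - EXIT INT TERM
}

# Usage: ./np2capture.sh port3 'host 10.0.0.5' 50
if [ $# -gt 0 ]; then
    capture_with_bypass "$@"
fi
```

Because PENDING_DISABLE is cleared the first time restore_offload runs, the disable command is sent exactly once whether the capture finishes normally or is interrupted.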
Related Articles
Technical Tip: Verifying and troubleshooting FortiGuard updates status and versions
Technical Tip: Information about traffic log counters for NP2 or NP4 offloaded sessions