On FortiGate units that have NP2 interfaces (for example: FortiGate-310B, FortiGate-620B, ...),
some traffic is offloaded at the hardware level. That means that the
traffic should not go to the CPU (unless it is traffic destined to
the FortiGate itself) and is therefore not seen by a debug flow
command or a sniffer trace.
However, what will always be seen are the first packets of any new
session establishment, for example the SYN/SYN-ACK/ACK. Once the
session is established, no further packets will be seen, as
they will use the fast path.
FortiGate with NP2 ports
For troubleshooting purposes, when it is desired to capture
packets or check the flow on the FortiGate, H/W acceleration can be
bypassed on a specific port with the following command.
Be aware that this might affect performance and should only be
used for troubleshooting purposes.
diagnose npu np2 fastpath-sniffer enable <port(s)_number>
==> This now shows all traffic for all sessions to/from this port or
those ports when using the sniffer or the diag debug flow.
The command below will re-enable H/W offloading:
diagnose npu np2 fastpath-sniffer disable
that this is not saved in the configuration and will be lost after