Troubleshooting Tip Using The FortiOS Built-In Pa... - Fortinet Community
Author: pkungatti_FTNT (Staff)
This article describes one of the troubleshooting options available in the FortiGate CLI to
check the traffic flow by capturing packets that reach the FortiGate unit.
In addition to the GUI packet capture, the CLI can capture on multiple interfaces at once and
mark each packet with the interface it was seen on. This is useful when a packet is suspected
of leaving on the wrong interface and being dropped by the FortiGate.
1 of 13 2/3/2023, 12:10 PM
Troubleshooting Tip: Using the FortiOS built-in pa... - Fortinet Community https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Using...
Scope
Solution
Filter Functionality:
- Example 3: Trace with filters.
- Uncommon scenarios.
Sniffer Basics:
The packet sniffer 'sits' in the FortiGate and can display the traffic on a specific interface
or on all interfaces.
There are three different levels of information, also known as verbose levels 1 to 3,
where verbose 1 shows the least information and verbose 3 the most.
Verbose levels 4, 5, and 6 additionally provide the interface details.
This article walks through some examples and different levels of verbosity to show the
different possibilities for debugging.
Note: for parallel captures on multiple interfaces or SSH sessions on the FortiGate, set the
timestamp switch explicitly to 'a' or 'l'; do not leave it blank.
Note: in certain cases, where the unit has the capability and the session can be handled
by a dedicated processor, the session is offloaded from the kernel, making it impossible
to capture these packets. In this case, turn off the offloading in the policy that matches
the traffic with 'set auto-asic-offload disable' for troubleshooting purposes only, and
revert to the initial state after the capture.
The 'none' variable means 'no filter applied', '1' means 'verbose 1' and '3' means 'catch 3
packets and stop'.
Note that there is no timestamp switch at the end, so the timestamps are relative: the first
packet was received 0.996031 seconds after the command was issued.
Sniff 3 packets of all traffic with verbose level 4 on the wan1 interface.
There is some more interesting information here, captured just as a TCP session was being
set up (TCP handshake).
172.26.48.21 tries to connect to 10.109.16.137 on port 80 with a SYN and gets a SYN-ACK
back.
Finally, the session is acknowledged and established after the 3-way TCP handshake.
With the information level set to verbose 4, a summary of the source and destination IP
addresses is additionally visible.
If there is no <count> value (or count=0), the sniffer runs until it is stopped with
<CTRL-C>.
Hint: for further investigation, it is always a good idea to log the SSH output to a file. If
PuTTY (a free SSH client for Windows) is used, all output can easily be logged to a file,
which can then be searched, sorted, or processed.
Notice the in/out parameter after the wan1 interface, which confirms the direction of the
packet: entering or leaving the interface.
Using the absolute time stamp option in a sniffer trace reports the absolute system time (no
time zone) in the packet summary:
Hint: below is the format that Technical Support will usually request when analyzing a
problem, as it includes the full packet content as well as the absolute time stamp, which
allows packets to be correlated with other system events.
Filter functionality:
As already mentioned, diag sniffer includes a powerful filter functionality, which is
described here.
If a second host is specified, only the traffic between the two hosts is displayed.
To see what's going on between two PCs (or a PC and a FortiGate), do not forget the
# diag sniffer packet wan1 'src host 10.109.16.137 and dst host 172.26.48.21' 1 3
interfaces=[wan1]
filters=[src host 10.109.16.137 and dst host 172.26.48.21]
1.453488 10.109.16.137.80 -> 172.26.48.21.61776: syn 3263501252 ack 507821611
1.454138 10.109.16.137.80 -> 172.26.48.21.61776: ack 507822560
1.457612 10.109.16.137 -> 172.26.48.21: icmp: echo reply
Assuming there is a lot of traffic on the wire, this filter displays only the traffic (but all
of it) from source 10.109.16.137 to destination 172.26.48.21.
It will NOT show traffic to 10.109.16.137 (for example the ICMP reply), because 'src host'
and 'dst host' were requested.
Note: when 'src' and 'dst' are used, the 'host' keyword is optional and is applied by
default.
It is also possible to use 'net' as the keyword for a broader match:
However, when filtering for bidirectional traffic, use either 'host' or CIDR-notated 'host'
arguments:
To capture only a specific type of traffic (for example TCP only), the filter needs to be
changed slightly:
Although ICMP (ping) and probably some DNS requests were also running, the trace shows only
the TCP part.
The source is 10.109.16.137.80, i.e. IP 10.109.16.137 on port 80. Apparently there is an
HTTP session to 10.109.16.137.
The same the other way around (using 'host' here, so the traffic is shown in both directions):
5
interfaces=[any]
filters=[host 10.109.16.137 and host 172.26.48.21]
1.182532 172.26.48.21.55585 -> 10.109.16.137.80: syn 3194317969
1.182598 10.109.16.137.80 -> 172.26.48.21.55585: syn 2863972551 ack 3194317970
1.183166 172.26.48.21.55585 -> 10.109.16.137.80: ack 2863972552
1.183360 172.26.48.21.55585 -> 10.109.16.137.80: psh 3194317970 ack 2863972552
1.183406 10.109.16.137.80 -> 172.26.48.21.55585: ack 3194318935
A logical 'AND' is used in this command between 10.109.16.137 and 172.26.48.21, so only
packets containing both host addresses are shown.
Even if telnet and SSH traffic were exchanged between the two hosts, only TCP port 80
traffic is shown.
Uncommon scenarios:
Filters can also be used to display packets based on their content, using a hexadecimal
byte position.
Match TTL = 1
diagnose sniffer packet any "ip[8:1] = 0x01"
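To make the byte-position semantics concrete, the following Python is an added example (not FortiOS code or anything from the article): it evaluates tcpdump-style filters such as 'ip[8:1] = 0x01' against constructed IPv4/TCP packets. Offsets for 'tcp', 'udp' and 'icmp' are counted from the start of the transport header; the '& mask' form used below for TCP-flag matching is an assumption of this example and is not shown on the page.

```python
import re
import struct

# Constructed sample frames (not from the article): a 20-byte IPv4 header
# followed by a 20-byte TCP header with no payload, as the sniffer would see it.
def ipv4_tcp(ttl, src, dst, tcp_flags, sport=61776, dport=80):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, tcp_flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, ttl, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + tcp

# proto[offset:len] [& mask] (=|==|!=) value   -- tcpdump-style byte filter.
# The '& mask' form is assumed here for TCP flag matching; the article itself
# only shows the plain 'ip[8:1] = 0x01' form.
FILTER_RE = re.compile(
    r"^(?P<proto>ip|icmp|tcp|udp)\[(?P<off>\d+)(?::(?P<len>[124]))?\]"
    r"(?:\s*&\s*(?P<mask>0x[0-9a-fA-F]+|\d+))?\s*(?P<op>==?|!=)\s*(?P<val>0x[0-9a-fA-F]+|\d+)$"
)
L4_PROTO = {"icmp": 1, "tcp": 6, "udp": 17}

def match_byte_filter(expr, pkt):
    """Evaluate a byte-position filter such as 'ip[8:1] = 0x01' against a raw IPv4 packet."""
    m = FILTER_RE.match(expr.strip())
    if not m:
        raise ValueError(f"unsupported filter: {expr!r}")
    base = 0
    if m["proto"] != "ip":
        if pkt[9] != L4_PROTO[m["proto"]]:      # ip[9] is the protocol field
            return False                        # wrong transport protocol: no match
        base = (pkt[0] & 0x0F) * 4              # IHL gives the IPv4 header length
    off, length = int(m["off"]), int(m["len"] or 1)
    field = pkt[base + off: base + off + length]
    if len(field) < length:                     # packet too short for this offset
        return False
    value = int.from_bytes(field, "big")
    if m["mask"]:
        value &= int(m["mask"], 0)
    target = int(m["val"], 0)
    return value != target if m["op"] == "!=" else value == target

if __name__ == "__main__":
    syn_ttl1 = ipv4_tcp(1, "172.26.48.21", "10.109.16.137", 0x02)
    synack = ipv4_tcp(64, "10.109.16.137", "172.26.48.21", 0x12)
    print(match_byte_filter("ip[8:1] = 0x01", syn_ttl1))           # True: TTL is 1
    print(match_byte_filter("ip[8:1] = 0x01", synack))             # False: TTL is 64
    print(match_byte_filter("tcp[13] & 0x12 = 0x12", synack))      # True: SYN+ACK set
    print(match_byte_filter("tcp[13] == 0x02", synack))            # False: not a bare SYN
```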
This is a common scenario, where the VLAN interface is used instead of the physical
interface name in the command line.
For example, to sniff the traffic for host 11.11.11.9 on the VLAN interface 'vlan206', the
command would be:
Note that when vlan206 is given as the interface to sniff on, the underlying physical
interface is not shown in the capture.
In some cases, when sniffing traffic for a host address, the underlying physical interface is
by default not displayed for incoming traffic; for outbound traffic, however, both the
associated VLAN and the physical interface are displayed.
For example:
In the above capture, DMZ is a physical interface and vlan206 an associated VLAN: for
ingress traffic 'DMZ in' is not visible, only 'vlan206 in', but when the traffic goes out
both 'vlan206 out' and 'DMZ out' are shown.
This is because, when a filter with 'host x.x.x.x' is set in the sniffer, the FortiGate first
has to strip the VLAN tag from the frame to learn the host address, so it cannot tell that
the traffic arrived via the DMZ interface.
For outgoing traffic, however, the FortiGate re-tags the packets, so it knows they leave via
the DMZ interface.
If the sniffer filter is changed as below, DMZ should also be visible as the interface for
incoming packets.
Also, when capturing the traffic with Verbose 6 (to see the contents of the packet), the
VLAN tag is stripped when the filter is run on the VLAN interface or 'any' interface.
To capture the VLAN tag in a packet capture, the sniffer must be run on the underlying
physical interface.
1) Also attached is the fgt2eth.pl script, which converts verbose level 3 or 6 sniffer
output into a PCAP file readable and decodable by Ethereal/Wireshark. If the traffic is
sniffed without an interface filter ('diagnose sniffer packet any '' 6 0 a'), the script by
default creates a single file containing the traffic sniffed on all interfaces. However, a
per-interface PCAP file can be created by adding the '-demux' argument when converting the
text to a pcap file (pcap.exe -in <input file> -out <output file> -demux).
2) The fgt2eth.exe file is also attached to this article; it is outdated and not supported
but may provide some guidance.
3) The attached scripts are provided 'as is' and are not supported by Technical Support.
Another conversion script that provides similar functionality is available for download
here. The above terms apply to this script as well. In addition to what 'fgt2eth.pl' does,
sniftran also adds the interface labels to the pcap file as a comment on each packet, making
it easier to identify incoming/outgoing traffic.
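As an added illustration of the conversion described above (this is not the attached fgt2eth.pl or the sniftran script), the following Python parses the hex-dump lines of a verbose level 3 capture and writes them out as a libpcap file that Wireshark can open. The sample sniffer output is constructed, and the hex-dump layout (an '0x' offset, space-separated hex groups, then a tab and the ASCII column) is assumed; absolute ('a') timestamps and per-interface demuxing are not handled.

```python
import re
import struct

# Constructed verbose-3 style output (not captured from a real unit): one frame
# (Ethernet + IPv4 + ICMP echo request) as a summary line plus hex-dump lines.
# Assumed layout: '0x<offset>', hex groups separated by spaces, ASCII after a tab.
SAMPLE = """\
interfaces=[any]
filters=[icmp]
1.457612 172.26.48.21 -> 10.109.16.137: icmp: echo request
0x0000\t 0009 0f09 0001 0009 0f09 0002 0800 4500\t..............E.
0x0010\t 001c 0001 0000 4001 0000 ac1a 3015 0a6d\t......@.......m
0x0020\t 1089 0800 0000 0001 0001\t..........
"""

SUMMARY_RE = re.compile(r"^(\d+\.\d+)\s")                       # relative timestamp
DUMP_RE = re.compile(r"^0x[0-9a-f]{4}\s+((?:[0-9a-f]{2,4} ?){1,8})")

def parse_sniffer_text(text):
    """Return a list of (timestamp_seconds, frame_bytes) from verbose-3 text."""
    packets, ts, buf = [], None, bytearray()
    for line in text.splitlines():
        summary, dump = SUMMARY_RE.match(line), DUMP_RE.match(line)
        if summary:                              # a new packet starts: flush the old one
            if buf:
                packets.append((ts, bytes(buf)))
            ts, buf = float(summary.group(1)), bytearray()
        elif dump and ts is not None:
            buf += bytes.fromhex(dump.group(1).replace(" ", ""))
    if buf:
        packets.append((ts, bytes(buf)))
    return packets

def to_pcap(packets):
    """Serialise frames as a classic libpcap file with link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # global header
    for ts, frame in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    pcap = to_pcap(parse_sniffer_text(SAMPLE))
    with open("sniffer.pcap", "wb") as fh:        # open in Wireshark to verify
        fh.write(pcap)
```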
Related Articles:
fgt2eth.exe
explanation_on_how_to_packet_capture_for_only_certain_TCP_flags_v2.txt
10 KB
fgt2eth.pl
12 KB
Contributors
pkungatti_FTNT
AlexC_FTNT
Madhu_G
Anthony_E
Markus_M
abarushka
Jean-Philippe_P
Anonymous