Tag Archives: capture

Fortigate packet sniffing

After working with a Fortigate for a while, I noticed that the Fortianalyzer tool can become very slow,  mostly this is cause to the disk usage on the box. And when you are troubleshooting priority connections, you just don’t have the time to wait for the box.

aintnobody

So, luckily Fortinet has also implemented a packet sniffer in CLI.
To make use of it, log on to the required VDOM:


FG620B # config vdom
FG620B (vdom) # edit VdomNAME
current vf=VdomNAME:1
FG620B (VdomNAME) # diagnose sniffer packet port5 'src host 10.150.120.150 and port 22 and dst host 203.0.113.1'
interfaces=[port5]
filters=[src host 10.150.120.150 and port 22 and dst host 203.0.113.1]
6.667023 10.150.120.150.46485 -> 203.0.113.1.22: syn 2622767143 
6.679312 10.150.120.150.46485 -> 203.0.113.1.22: ack 1157725779 
...

As you can see, Fortigate requires the command “diagnose sniffer packet” followed by an interface on which to capture (port5).
Finally you can add a filter in the form of a regular tcpdump syntax. In this example I am trying to find traffic from my source host 10.150.120.150 to the destination host 203.0.113.1 on its SSH port (22).