Fortigate packet sniffing

After working with a Fortigate for a while, I noticed that the FortiAnalyzer tool can become very slow; mostly this is due to the disk usage on the box. And when you are troubleshooting priority connections, you just don’t have the time to wait for the box.


So, luckily Fortinet has also implemented a packet sniffer in the CLI.
To make use of it, log on to the required VDOM:

FG620B # config vdom
FG620B (vdom) # edit VdomNAME
current vf=VdomNAME:1
FG620B (VdomNAME) # diagnose sniffer packet port5 'src host and port 22 and dst host'
filters=[src host and port 22 and dst host]
6.667023 -> syn 2622767143 
6.679312 -> ack 1157725779 

As you can see, Fortigate requires the command “diagnose sniffer packet” followed by the interface on which to capture (port5).
Finally, you can add a filter using regular tcpdump syntax. In this example I am trying to find traffic from my source host to the destination host on its SSH port (22).
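As an added example that is not part of the original post, the Python below parses the sniffer's default output into per-packet records and flags client SYNs that never received a SYN/ACK, which is the usual thing you are hunting when a "priority connection" hangs. It assumes the per-packet line layout "<time> <src>.<sport> -> <dst>.<dport>: <flags and seq>", uses constructed sample lines with RFC 5737 addresses, and writes the filter as "host A and host B and port 22" (rather than src/dst host) so that both directions of the conversation are captured.

```python
import re
from collections import defaultdict

# Constructed sample of "diagnose sniffer packet" output at its default verbosity (not from the
# original post). RFC 5737 addresses; the per-packet layout "<time> <src>.<sport> -> <dst>.<dport>:
# <flags and seq>" is assumed. Filter is "host A and host B and port 22" so both directions appear.
SAMPLE = """\
interfaces=[port5]
filters=[host 192.0.2.10 and host 198.51.100.5 and port 22]
6.667023 192.0.2.10.54321 -> 198.51.100.5.22: syn 2622767143
6.679312 198.51.100.5.22 -> 192.0.2.10.54321: syn 1157725779 ack 2622767144
6.679401 192.0.2.10.54321 -> 198.51.100.5.22: ack 1157725780
9.100210 192.0.2.10.54322 -> 198.51.100.5.22: syn 3344556677
12.100305 192.0.2.10.54322 -> 198.51.100.5.22: syn 3344556677
"""

PKT_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<src>[\d.]+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+):\s*(?P<info>.*)$"
)

def parse_sniffer_output(text):
    """Parse packet lines into dicts; the interfaces=/filters= header lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = PKT_RE.match(line.strip())
        if not m:
            continue
        # tokens like "syn 2622767143 ack 2622767144": words are TCP flags, numbers are seq/ack
        flags = {tok for tok in m.group("info").split() if tok.isalpha()}
        packets.append({
            "ts": float(m.group("ts")),
            "src": m.group("src"), "sport": int(m.group("sport")),
            "dst": m.group("dst"), "dport": int(m.group("dport")),
            "flags": flags,
        })
    return packets

def unanswered_syns(packets):
    """Map each client SYN flow that never saw a SYN/ACK to its retry count: a SYN retransmitted
    with no reply usually means the far end, or a policy in between, is dropping the connection."""
    attempts = defaultdict(int)
    answered = set()
    for p in packets:
        flow = (p["src"], p["sport"], p["dst"], p["dport"])
        if p["flags"] == {"syn"}:
            attempts[flow] += 1
        elif {"syn", "ack"} <= p["flags"]:
            answered.add((p["dst"], p["dport"], p["src"], p["sport"]))  # reversed: client side
    return {flow: n for flow, n in attempts.items() if flow not in answered}
```

Paste the sniffer output into a file and feed it to parse_sniffer_output; a non-empty result from unanswered_syns points you at the flows to check against firewall policy and the far-end host.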