FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
aneshcheret
Staff
Article Id 198215
Description
When troubleshooting packet loss with the sniffer, it can happen that the capture does not contain all the packets of a session, because the session has been offloaded to the NP or SP processors for acceleration.

For example: a file transfer from an FTP server to a workstation across the Internet.

Topology:

Station (10.129.16.8) <-----> (DMZ: 10.129.16.1) FGT (WAN1: 10.100.28.2) <-----> (10.100.28.1) Branch Office Router <-----> ISP Backbone <------> HQ Router <----->  FTP Server (172.16.1.83)

While capturing the transfer of 1 MB (1048576 B), the trace shows just 5 packets:

# diagnose sniffer packet wan1 'host 172.16.1.83 and tcp port 20' 4 100 a
interfaces=[wan1]
filters=[host 172.16.1.83 and tcp port 20]
2015-03-13 18:18:17.096624 wan1 -- 172.16.1.83.20 -> 10.129.16.8.2718: syn 3004480850
2015-03-13 18:18:17.097134 wan1 -- 10.129.16.8.2718 -> 172.16.1.83.20: syn 4187059629 ack 3004480851
2015-03-13 18:18:17.102473 wan1 -- 172.16.1.83.20 -> 10.129.16.8.2718: ack 4187059630
2015-03-13 18:18:25.994937 wan1 -- 172.16.1.83.20 -> 10.129.16.8.2718: psh fin 3005528135 ack 4187059630
2015-03-13 18:18:25.998128 wan1 -- 10.129.16.8.2718 -> 172.16.1.83.20: fin 4187059630 ack 3005529428

These are the packets typical of any TCP connection: SYN, SYN/ACK and ACK for the establishment, and FIN and ACK for the termination of the session.
All of these packets change the state of the TCP session.

The rest of the packets belonging to this session, the data segments in particular, are not captured.

This article describes how to capture the packets of such an offloaded session with the sniffer.

Scope
All FortiGates with NP or SP Processors.

Solution
Only a few packets are seen because only a few packets are processed by the kernel before the session is offloaded to the NP/SP.
Since the packet capture is a kernel-based feature, a packet must be processed by the CPU and the kernel in order to appear in the capture.
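The following Python script is an added illustration, not part of the original article: it parses verbosity-4 sniffer lines such as those above and, per direction, compares the bytes the peer acknowledged (derived from the SEQ/ACK numbers) with the number of packets the sniffer actually saw. A direction that acknowledged far more data than its captured packets could carry shows the offload signature; the MSS of 1460 bytes is an assumption, since these sniffer lines carry no payload length.

```python
import math
import re
from collections import defaultdict

# Sample input: the article's own verbosity-4 capture, embedded as a constant.
CAPTURE = """interfaces=[wan1]
filters=[host 172.16.1.83 and tcp port 20]
2015-03-13 18:18:17.096624 wan1 -- 172.16.1.83.20 -> 10.129.16.8.2718: syn 3004480850
2015-03-13 18:18:17.097134 wan1 -- 10.129.16.8.2718 -> 172.16.1.83.20: syn 4187059629 ack 3004480851
2015-03-13 18:18:17.102473 wan1 -- 172.16.1.83.20 -> 10.129.16.8.2718: ack 4187059630
2015-03-13 18:18:25.994937 wan1 -- 172.16.1.83.20 -> 10.129.16.8.2718: psh fin 3005528135 ack 4187059630
2015-03-13 18:18:25.998128 wan1 -- 10.129.16.8.2718 -> 172.16.1.83.20: fin 4187059630 ack 3005529428
"""
LINE_RE = re.compile(r"^\S+ \S+ \S+ -- ([\d.]+)\.(\d+) -> ([\d.]+)\.(\d+): (.+)$")
SEQ_RE = re.compile(r"^(?:(?:syn|fin|psh|rst|urg) )+(\d+)")  # seq number follows the flag words
ACK_RE = re.compile(r"\back (\d+)")
MSS = 1460  # assumed maximum segment size (verbosity 4 lines carry no payload length)

def analyze(capture):
    """Per direction: packets captured, bytes the peer acknowledged (derived from
    SEQ/ACK numbers), and whether those bytes need more segments than were seen."""
    dirs = defaultdict(lambda: {"packets": 0, "syn": None, "fin": None, "peer_ack": 0})
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # interfaces=/filters= header lines
        src, sport, dst, dport, rest = m.groups()
        fwd, rev = (f"{src}:{sport}", f"{dst}:{dport}"), (f"{dst}:{dport}", f"{src}:{sport}")
        words, seq, ack = rest.split(), SEQ_RE.match(rest), ACK_RE.search(rest)
        d = dirs[fwd]
        d["packets"] += 1
        for flag in ("syn", "fin"):  # remember where SYN and FIN sit in sequence space
            if flag in words and seq:
                d[flag] = int(seq.group(1))
        if ack:  # an ACK carried by src acknowledges data that dst sent
            dirs[rev]["peer_ack"] = max(dirs[rev]["peer_ack"], int(ack.group(1)))
    report = {}
    for (src, dst), d in dirs.items():
        if d["syn"] is None:
            continue  # without the SYN there is no anchor for the byte count
        acked = d["peer_ack"] - d["syn"] - 1  # the SYN consumes one sequence number
        if d["fin"] is not None and d["peer_ack"] > d["fin"]:
            acked -= 1  # so does an acknowledged FIN
        acked = max(acked, 0)
        report[f"{src}->{dst}"] = {"packets": d["packets"], "bytes_acked": acked,
                                   "offloaded": math.ceil(acked / MSS) > d["packets"]}
    return report
```

For the capture above, analyze(CAPTURE) reports 1048576 bytes acknowledged towards the station but only 3 packets captured in that direction, which is exactly the 1 MB transfer the kernel never saw.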


To capture an offloaded session with the packet sniffer, the most common practice is to disable offloading in the firewall policy that the session matches:
# config firewall policy
  edit <policy_id>
    set auto-asic-offload disable
  next
end
Disabling offloading will not terminate the current sessions.

Note:
This setting should be used only for troubleshooting purposes; once the packet capture has been collected, revert it:
# config firewall policy
  edit <policy_id>
    set auto-asic-offload enable
  next
end
